Publication:
Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic

dc.contributor.author: Berrueta Irigoyen, Eduardo
dc.contributor.author: Morató Osés, Daniel
dc.contributor.author: Magaña Lizarrondo, Eduardo
dc.contributor.author: Izal Azcárate, Mikel
dc.contributor.department: Ingeniería Eléctrica, Electrónica y de Comunicación
dc.contributor.department: Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
dc.contributor.funder: Universidad Pública de Navarra / Nafarroako Unibertsitate Publikoa
dc.date.accessioned: 2023-01-30T09:09:01Z
dc.date.available: 2023-01-30T09:09:01Z
dc.date.issued: 2022
dc.date.updated: 2023-01-30T08:44:55Z
dc.description.abstract: Ransomware is considered a significant threat for home users and enterprises. In corporate scenarios, users' computers usually store only system and program files, while all the documents are accessed from shared servers. In these scenarios, one crypto-ransomware infected host is capable of locking access to all the shared files it can reach, which can be the whole set of files from a workgroup of users. We propose a tool to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and, using machine learning techniques, searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the first proposal designed to work not only for clear-text protocols but also for encrypted file-sharing protocols. We extract features from network traffic that describe the activity of opening, closing, and modifying files. The features allow the differentiation between ransomware activity and high activity from benign applications. We train and test the detection model using a large set of more than 70 ransomware binaries from 33 different strains and more than 2,400 h of 'not infected' traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries described, including those not used in the training phase. This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected.
dc.description.sponsorship: This work was supported by the Spanish Ministry of Science and Innovation through project PID2019-104451RB-C22/AEI/10.13039/501100011033. Open access funding provided by Universidad Pública de Navarra.
dc.format.mimetype: application/pdf
dc.identifier.citation: Berrueta, E., Morato, D., Magaña, E., & Izal, M. (2022). Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic. Expert Systems with Applications, 209, 118299. https://doi.org/10.1016/j.eswa.2022.118299
dc.identifier.doi: 10.1016/j.eswa.2022.118299
dc.identifier.issn: 0957-4174
dc.identifier.uri: https://academica-e.unavarra.es/handle/2454/44627
dc.language.iso: eng
dc.publisher: Elsevier
dc.relation.ispartof: Expert Systems with Applications 209 (2022) 118299
dc.relation.projectID: info:eu-repo/grantAgreement/AEI/Plan Estatal de Investigación Científica y Técnica y de Innovación 2017-2020/PID2019-104451RB-C22/ES/
dc.relation.publisherversion: https://doi.org/10.1016/j.eswa.2022.118299
dc.rights: © 2022 The Author(s). This is an open access article under the CC BY license
dc.rights.accessRights: Open access
dc.rights.accessRights: info:eu-repo/semantics/openAccess
dc.rights.uri: http://creativecommons.org/licenses/by/4.0/
dc.subject: Crypto-ransomware
dc.subject: File-sharing traffic
dc.subject: Network security
dc.title: Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic
dc.type: Article
dc.type: info:eu-repo/semantics/article
dc.type.version: Published version
dc.type.version: info:eu-repo/semantics/publishedVersion

Files

Original bundle
Name: Berrueta_CrytpoRansomware_1674634234160_42177.pdf
Size: 1.11 MB
Format: Adobe Portable Document Format

License bundle
Name: license.txt
Size: 1.78 KB
Format: Item-specific license agreed to upon submission