Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection
The irreversible effect is what characterizes crypto-ransomware and distinguishes it from traditional malware. That is, even after neutralizing the attack, the targeted files remain encrypted and cannot be accessed without the decryption key. Thus, it is imperative to detect such a threat early, i.e...
Main Authors: | , , |
---|---|
Format: | Article |
Published: | Elsevier B.V. 2019 |
Subjects: | |
Online Access: | http://eprints.utm.my/id/eprint/89407/ http://dx.doi.org/10.1016/j.future.2019.06.005 |
Institution: | Universiti Teknologi Malaysia |
id |
my.utm.89407 |
---|---|
record_format |
eprints |
spelling |
my.utm.89407 2021-02-22T06:04:36Z http://eprints.utm.my/id/eprint/89407/
Title: Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection
Authors: Al-rimy, Bander Ali Saleh; Maarof, Mohd. Aizaini; Mohd. Shaid, Syed Zainudeen
Subject: QA75 Electronic computers. Computer science
Abstract: The irreversible effect is what characterizes crypto-ransomware and distinguishes it from traditional malware. That is, even after neutralizing the attack, the targeted files remain encrypted and cannot be accessed without the decryption key. Thus, it is imperative to detect such a threat early, i.e. in the initial phases before the encryption takes place. However, the lack of sufficient information in the initial phases of the attack is the main challenge to early detection, leading to low detection accuracy and a high rate of false alarms. This is because existing solutions are designed on the assumption that complete information about the behavior of such attacks is available at detection time. This assumption does not hold for early detection, which takes place while the attack is underway and the data are not fully available. To address these limitations, this paper proposes two novel techniques, incremental bagging (iBagging) and enhanced semi-random subspace selection (ESRS), and incorporates them into an ensemble-based detection model. The proposed iBagging was first used to build incremental subsets in a way that reflects the progression of crypto-ransomware behavior during its different attack phases. ESRS was then used to build optimal, noise-free and diverse feature subspaces, on which a pool of classifiers was trained. Finally, a grid search was employed to select the best combination of base classifiers. Majority voting was utilized for the final decision. The experimental evaluation of the proposed techniques and model was conducted and compared with the existing crypto-ransomware early detection solutions. The results demonstrate that the proposed techniques and model overcame the data limitation in the early phases of the attacks and achieved higher detection accuracy than existing solutions.
Publication: Elsevier B.V. 2019-12 Article PeerReviewed
Citation: Al-rimy, Bander Ali Saleh and Maarof, Mohd. Aizaini and Mohd. Shaid, Syed Zainudeen (2019) Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection. Future Generation Computer Systems, 101. pp. 476-491. ISSN 0167-739X http://dx.doi.org/10.1016/j.future.2019.06.005 DOI:10.1016/j.future.2019.06.005 |
institution |
Universiti Teknologi Malaysia |
building |
UTM Library |
collection |
Institutional Repository |
continent |
Asia |
country |
Malaysia |
content_provider |
Universiti Teknologi Malaysia |
content_source |
UTM Institutional Repository |
url_provider |
http://eprints.utm.my/ |
topic |
QA75 Electronic computers. Computer science |
author |
Al-rimy, Bander Ali Saleh; Maarof, Mohd. Aizaini; Mohd. Shaid, Syed Zainudeen |