Lightweight and Robust Android Ransomware Detection Using Behavioral Analysis and Feature Reduction
1
Authors: Muhammad Sibtain Mehdi Hussain Qaiser Riaz Sana Qadir Naveed Riaz Ki-Hyun Jung. Journal: Computers, Materials & Continua, 2025, Issue 9, pp. 5177-5199 (23 pages)
Ransomware is malware that encrypts data without permission, demanding payment for access. Detecting ransomware on Android platforms is challenging due to evolving malicious techniques and diverse application behaviors. Traditional methods, such as static and dynamic analysis, suffer from polymorphism, code obfuscation, and high resource demands. This paper introduces a multi-stage approach to enhance behavioral analysis for Android ransomware detection, focusing on a reduced set of distinguishing features. The approach includes ransomware app collection, behavioral profile generation, dataset creation, feature identification, reduction, and classification. Experiments were conducted on ∼3300 Android-based ransomware samples, despite the challenges posed by their evolving nature and complexity. The feature reduction strategy successfully reduced features by 80%, with only a marginal loss of detection accuracy (0.59%). Different machine learning algorithms are employed for classification and achieve 96.71% detection accuracy. Additionally, 10-fold cross-validation demonstrated robustness, yielding an AUC-ROC of 99.3%. Importantly, latency and memory evaluations revealed that models using the reduced feature set achieved up to a 99% reduction in inference time and significant memory savings across classifiers. The proposed approach outperforms existing techniques by achieving high detection accuracy with a minimal feature set, also suitable for deployment in resource-constrained environments. Future work may extend datasets and include iOS-based ransomware applications.
Keywords: ransomware behavioral analysis Android ransomware feature reduction machine learning
Oversampling-Enhanced Feature Fusion-Based Hybrid ViT-1DCNN Model for Ransomware Cyber Attack Detection
2
Authors: Muhammad Armghan Latif Zohaib Mushtaq Saifur Rahman Saad Arif Salim Nasar Faraj Mursal Muhammad Irfan Haris Aziz. Journal: Computer Modeling in Engineering & Sciences, 2025, Issue 2, pp. 1667-1695 (29 pages)
Ransomware attacks pose a significant threat to critical infrastructures, demanding robust detection mechanisms. This study introduces a hybrid model that combines vision transformer (ViT) and one-dimensional convolutional neural network (1DCNN) architectures to enhance ransomware detection capabilities. Addressing common challenges in ransomware detection, particularly dataset class imbalance, the synthetic minority oversampling technique (SMOTE) is employed to generate synthetic samples for minority class, thereby improving detection accuracy. The integration of ViT and 1DCNN through feature fusion enables the model to capture both global contextual and local sequential features, resulting in comprehensive ransomware classification. Tested on the UNSW-NB15 dataset, the proposed ViT-1DCNN model achieved 98% detection accuracy with precision, recall, and F1-score metrics surpassing conventional methods. This approach not only reduces false positives and negatives but also offers scalability and robustness for real-world cybersecurity applications. The results demonstrate the model’s potential as an effective tool for proactive ransomware detection, especially in environments where evolving threats require adaptable and high-accuracy solutions.
Keywords: ransomware attacks CYBERSECURITY vision transformer convolutional neural network feature fusion ENCRYPTION threat detection
Enhancing Ransomware Detection with Machine Learning Techniques and Effective API Integration
3
Authors: Asad Iqbal Mehdi Hussain Qaiser Riaz Madiha Khalid Rafia Mumtaz Ki-Hyun Jung. Journal: Computers, Materials & Continua, 2025, Issue 10, pp. 1693-1714 (22 pages)
Ransomware, particularly crypto-ransomware, remains a significant cybersecurity challenge, encrypting victim data and demanding a ransom, often leaving the data irretrievable even if payment is made. This study proposes an early detection approach to mitigate such threats by identifying ransomware activity before the encryption process begins. The approach employs a two-tiered approach: a signature-based method using hashing techniques to match known threats and a dynamic behavior-based analysis leveraging Cuckoo Sandbox and machine learning algorithms. A critical feature is the integration of the most effective Application Programming Interface call monitoring, which analyzes system-level interactions such as file encryption, key generation, and registry modifications. This enables the detection of both known and zero-day ransomware variants, overcoming limitations of traditional methods. The proposed technique was evaluated using classifiers such as Random Forest, Support Vector Machine, and K-Nearest Neighbors, achieving a detection accuracy of 98% based on 26 key ransomware attributes with an 80:20 training-to-testing ratio and 10-fold cross-validation. By combining minimal feature sets with robust behavioral analysis, the proposed method outperforms existing solutions and addresses current challenges in ransomware detection, thereby enhancing cybersecurity resilience.
Keywords: ransomware machine learning malware cyber security MALWARE application program interface (API) malware
ERAD: Enhanced Ransomware Attack Defense System for Healthcare Organizations
4
Authors: Xinyue Li Vijay K. Madisetti. Journal: Journal of Software Engineering and Applications, 2024, Issue 5, pp. 270-296 (27 pages)
Digital integration within healthcare systems exacerbates their vulnerability to sophisticated ransomware threats, leading to severe operational disruptions and data breaches. Current defenses are typically categorized into active and passive measures that struggle to achieve comprehensive threat mitigation and often lack real-time response effectiveness. This paper presents an innovative ransomware defense system, ERAD, designed for healthcare environments that apply the MITRE ATT&CK Matrix to coordinate dynamic, stage-specific countermeasures throughout the ransomware attack lifecycle. By systematically identifying and addressing threats based on indicators of compromise (IOCs), the proposed system proactively disrupts the attack chain before serious damage occurs. Validation is provided through a detailed analysis of a system deployment against LockBit 3.0 ransomware, illustrating significant enhancements in mitigating the impact of the attack, reducing the cost of recovery, and strengthening the cybersecurity framework of healthcare organizations, but also applicable to other non-health sectors of the business world.
Keywords: ransomware Healthcare Cybersecurity MITRE ATT&CK Matrix Incident Response ransomware Attack Lifecycle Digital Health Safety
Novel Ransomware Hiding Model Using HEVC Steganography Approach (Cited by: 1)
5
Authors: Iman Almomani Aala AlKhayer Walid El-Shafai. Journal: Computers, Materials & Continua (SCIE, EI), 2022, Issue 1, pp. 1209-1228 (20 pages)
Ransomware is considered one of the most threatening cyberattacks. Existing solutions have focused mainly on discriminating ransomware by analyzing the apps themselves, but they have overlooked possible ways of hiding ransomware apps and making them difficult to be detected and then analyzed. Therefore, this paper proposes a novel ransomware hiding model by utilizing a block-based High-Efficiency Video Coding (HEVC) steganography approach. The main idea of the proposed steganography approach is the division of the secret ransomware data and cover HEVC frames into different blocks. After that, the Least Significant Bit (LSB) based Hamming Distance (HD) calculation is performed amongst the secret data’s divided blocks and cover frames. Finally, the secret data bits are hidden into the marked bits of the cover HEVC frame-blocks based on the calculated HD value. The main advantage of the suggested steganography approach is the minor impact on the cover HEVC frames after embedding the ransomware while preserving the histogram attributes of the cover video frame with a high imperceptibility. This is due to the utilization of an adaptive steganography cost function during the embedding process. The proposed ransomware hiding approach was heavily examined using subjective and objective tests and applying different HEVC streams with diverse resolutions and different secret ransomware apps of various sizes. The obtained results prove the efficiency of the proposed steganography approach by achieving high capacity and successful embedding process while ensuring the hidden ransomware’s undetectability within the video frames. For example, in terms of embedding quality, the proposed model achieved a high peak signal-to-noise ratio that reached 59.3 dB and a low mean-square-error of 0.07 for the examined HEVC streams. Also, out of 65 antivirus engines, no engine could detect the existence of the embedded ransomware app.
Keywords: ransomware embedding STEGANOGRAPHY HEVC LSB hamming distance applications apk stego SECURITY CONFIDENTIALITY
TLERAD: Transfer Learning for Enhanced Ransomware Attack Detection
6
Authors: Isha Sood Varsha Sharm. Journal: Computers, Materials & Continua (SCIE, EI), 2024, Issue 11, pp. 2791-2818 (28 pages)
Ransomware has emerged as a critical cybersecurity threat, characterized by its ability to encrypt user data or lock devices, demanding ransom for their release. Traditional ransomware detection methods face limitations due to their assumption of similar data distributions between training and testing phases, rendering them less effective against evolving ransomware families. This paper introduces TLERAD (Transfer Learning for Enhanced Ransomware Attack Detection), a novel approach that leverages unsupervised transfer learning and co-clustering techniques to bridge the gap between source and target domains, enabling robust detection of both known and unknown ransomware variants. The proposed method achieves high detection accuracy, with an AUC of 0.98 for known ransomware and 0.93 for unknown ransomware, significantly outperforming baseline methods. Comprehensive experiments demonstrate TLERAD’s effectiveness in real-world scenarios, highlighting its adaptability to the rapidly evolving ransomware landscape. The paper also discusses future directions for enhancing TLERAD, including real-time adaptation, integration with lightweight and post-quantum cryptography, and the incorporation of explainable AI techniques.
Keywords: ransomware detection transfer learning unsupervised learning CO-CLUSTERING CYBERSECURITY machine learning lightweight cryptography post-quantum cryptography explainable AI TLERAD
A User-friendly Model for Ransomware Analysis Using Sandboxing
7
Authors: Akhtar Kamal Morched Derbali Sadeeq Jan Javed Iqbal Bangash Fazal Qudus Khan Houssem Jerbi Rabeh Abbassi Gulzar Ahmad. Journal: Computers, Materials & Continua (SCIE, EI), 2021, Issue 6, pp. 3833-3846 (14 pages)
Ransomware is a type of malicious software that blocks access to a computer by encrypting user’s files until a ransom is paid to the attacker. There have been several reported high-profile ransomware attacks including WannaCry, Petya, and Bad Rabbit resulting in losses of over a billion dollars to various individuals and businesses in the world. The analysis of ransomware is often carried out via sandbox environments; however, the initial setup and configuration of such environments is a challenging task. Also, it is difficult for an ordinary computer user to correctly interpret the complex results presented in the reports generated by such environments and analysis tools. In this research work, we aim to develop a user-friendly model to understand the taxonomy and analysis of ransomware attacks. Also, we aim to present the results of analysis in the form of summarized reports that can easily be understood by an ordinary computer user. Our model is built on top of the well-known Cuckoo sandbox environment for identification of the ransomware as well as generation of the summarized reports. In addition, for evaluating the usability and accessibility of our proposed model, we conduct a comprehensive user survey consisting of participants from various fields, e.g., professional developers from software houses, people from academia (professors, students). Our evaluation results demonstrate a positive feedback of approximately 92% on the usability of our proposed model.
Keywords: ransomware SANDBOX user-friendly model SURVEY
An Asset-Based Approach to Mitigate Zero-Day Ransomware Attacks
8
Authors: Farag Azzedin Husam Suwad Md Mahfuzur Rahman. Journal: Computers, Materials & Continua (SCIE, EI), 2022, Issue 11, pp. 3003-3020 (18 pages)
This article presents an asset-based security system where security practitioners build their systems based on information they own and not solicited by observing attackers’ behavior. Current security solutions rely on information coming from attackers. Examples are current monitoring and detection security solutions such as intrusion prevention/detection systems and firewalls. This article envisions creating an imbalance between attackers and defenders in favor of defenders. As such, we are proposing to flip the security game such that it will be led by defenders and not attackers. We are proposing a security system that does not observe the behavior of the attack. On the contrary, we draw, plan, and follow up our own protection strategy regardless of the attack behavior. The objective of our security system is to protect assets rather than protect against attacks. Virtual machine introspection is used to intercept, inspect, and analyze system calls. The system call-based approach is utilized to detect zero-day ransomware attacks. The core idea is to take advantage of Xen and DRAKVUF for system call interception, and leverage system calls to detect illegal operations towards identified critical assets. We utilize our vision by proposing an asset-based approach to mitigate zero-day ransomware attacks. The obtained results are promising and indicate that our prototype will achieve its goals.
Keywords: Zero-day attacks ransomware system calls virtual machine introspection
Optimal Deep Learning Based Ransomware Detection and Classification in the Internet of Things Environment
9
Authors: Manal Abdullah Alohali Muna Elsadig Fahd N. Al-Wesabi Mesfer Al Duhayyim Anwer Mustafa Hilal Abdelwahed Motwakel. Journal: Computer Systems Science & Engineering (SCIE, EI), 2023, Issue 9, pp. 3087-3102 (16 pages)
With the advent of the Internet of Things (IoT), several devices like sensors nowadays can interact and easily share information. But the IoT model is prone to security concerns as several attackers try to hit the network and make it vulnerable. In such scenarios, security concern is the most prominent. Different models were intended to address these security problems; still, several emergent variants of botnet attacks like Bashlite, Mirai, and Persirai use security breaches. The malware classification and detection in the IoT model is still a problem, as the adversary reliably generates a new variant of IoT malware and actively searches for compromise on the victim devices. This article develops a Sine Cosine Algorithm with Deep Learning based Ransomware Detection and Classification (SCADL-RWDC) method in an IoT environment. In the presented SCADL-RWDC technique, the major intention exists in recognizing and classifying ransomware attacks in the IoT platform. The SCADL-RWDC technique uses the SCA feature selection (SCA-FS) model to improve the detection rate. Besides, the SCADL-RWDC technique exploits the hybrid grey wolf optimizer (HGWO) with a gated recurrent unit (GRU) model for ransomware classification. A widespread experimental analysis is performed to exhibit the enhanced ransomware detection outcomes of the SCADL-RWDC technique. The comparison study reported the enhancement of the SCADL-RWDC technique over other models.
Keywords: SECURITY IoT network ransomware attack deep learning metaheuristics
An Immunization Scheme for Ransomware
10
Authors: Jingping Song Qingyu Meng Chenke Luo Nitin Naik Jian Xu. Journal: Computers, Materials & Continua (SCIE, EI), 2020, Issue 8, pp. 1051-1061 (11 pages)
In recent years, as the popularity of anonymous currencies such as Bitcoin has made the tracking of ransomware attackers more difficult, the amount of ransomware attacks against personal computers and enterprise production servers is increasing rapidly. The ransomware has a wide range of influence and spreads all over the world. It is affecting many industries including internet, education, medical care, traditional industry, etc. This paper uses the idea of virus immunity to design an immunization solution for ransomware viruses to solve the problems of traditional ransomware defense methods (such as anti-virus software, firewalls, etc.), which cannot meet the requirements of rapid detection and immediate prevention of new outbreaks attacks. Our scheme includes two parts: server and client. The server provides an immune configuration file and configuration file management functions, including a configuration file module, a cryptography algorithm module, and a display module. The client obtains the immunization configuration file from server in real time, and performs the corresponding operations according to the configuration file to make the computer have an immune function for a specific ransomware, including an update module, a configuration file module, a cryptography algorithm module, a control module, and a log module. This scheme controls mutexes, services, files and registries respectively, to destroy the triggering conditions of the virus and finally achieve the purpose of immunizing a computer from a specific ransomware.
Keywords: MALWARE ransomware malware immunization
Ransomware Classification Framework Using the Behavioral Performance Visualization of Execution Objects
11
Authors: Jun-Seob Kim Ki-Woong Park. Journal: Computers, Materials & Continua (SCIE, EI), 2022, Issue 8, pp. 3401-3424 (24 pages)
A ransomware attack that interrupted the operation of Colonial Pipeline (a large U.S. oil pipeline company), showed that security threats by malware have become serious enough to affect industries and social infrastructure rather than individuals alone. The agents and characteristics of attacks should be identified, and appropriate strategies should be established accordingly in order to respond to such attacks. For this purpose, the first task that must be performed is malware classification. Malware creators are well aware of this and apply various concealment and avoidance techniques, making it difficult to classify malware. This study focuses on new features and classification techniques to overcome these difficulties. We propose a behavioral performance visualization method using utilization patterns of system resources, such as the central processing unit, memory, and input/output, that are commonly used in performance analysis or tuning of programs. We extracted the usage patterns of the system resources for ransomware to perform behavioral performance visualization. The results of the classification performance evaluation using the visualization results indicate an accuracy of at least 98.94% with a 3.69% loss rate. Furthermore, we designed and implemented a framework to perform the entire process, from data extraction to behavioral performance visualization and classification performance measurement, that is expected to contribute to related studies in the future.
Keywords: Behavioral performance visualization ransomware malware classification
Artificial Algae Optimization with Deep Belief Network Enabled Ransomware Detection in IoT Environment
12
Authors: Mesfer Al Duhayyim Heba G. Mohamed Fadwa Alrowais Fahd N. Al-Wesabi Anwer Mustafa Hilal Abdelwahed Motwakel. Journal: Computer Systems Science & Engineering (SCIE, EI), 2023, Issue 8, pp. 1293-1310 (18 pages)
The Internet of Things (IoT) has gained more popularity in research because of its large-scale challenges and implementation. But security was the main concern when witnessing the fast development in its applications and size. It was a dreary task to independently set security systems in every IoT gadget and upgrade them according to the newer threats. Additionally, machine learning (ML) techniques optimally use a colossal volume of data generated by IoT devices. Deep Learning (DL) related systems were modelled for attack detection in IoT. But the current security systems address restricted attacks and can be utilized outdated datasets for evaluations. This study develops an Artificial Algae Optimization Algorithm with Optimal Deep Belief Network (AAA-ODBN) Enabled Ransomware Detection in an IoT environment. The presented AAA-ODBN technique mainly intends to recognize and categorize ransomware in the IoT environment. The presented AAA-ODBN technique follows a three-stage process: feature selection, classification, and parameter tuning. In the first stage, the AAA-ODBN technique uses AAA based feature selection (AAA-FS) technique to elect feature subsets. Secondly, the AAA-ODBN technique employs the DBN model for ransomware detection. At last, the dragonfly algorithm (DFA) is utilized for the hyperparameter tuning of the DBN technique. A sequence of simulations is implemented to demonstrate the improved performance of the AAA-ODBN algorithm. The experimental values indicate the significant outcome of the AAA-ODBN model over other models.
Keywords: Internet of things deep learning CYBERSECURITY ransomware detection feature selection
Ransomware Attack:Rescue-checklist Cyber Security Awareness Program
13
Authors: Mohammed Daffalla Elradi Mohamed Hashim Mohamed Mohammed Elradi Ali. Journal: Artificial Intelligence Advances, 2021, Issue 1, pp. 65-70 (6 pages)
Ransomware attacks have been spreading broadly in the last few years, where attackers deny users’ access to their systems and encrypt their files until they pay a ransom, usually in Bitcoin. Of course, that is the worst thing that can happen; especially for organizations having sensitive information. In this paper we proposed a cyber security awareness program intended to provide end-users with a rescue checklist in case of being attacked with a ransomware as well as preventing the attack and ways to recover from it. The program aimed at providing cyber security knowledge to 15 employees in a Sudanese trading and investment company. According to their cyber behaviour before the program, the participants showed a low level cyber security awareness that with 72% they are likely of being attacked by a ransomware from a phishing email, which is well known for spreading ransomware attacks. The results revealed that the cyber security awareness program greatly diminished the probability of being attacked by a ransomware with an average of 28%. This study can be used as a real-life ransomware attack rescue plan.
Keywords: Cyber security AWARENESS ransomware attack Phishing email
Majority Voting Ransomware Detection System
14
Authors: Simon R. Davies Richard Macfarlane William J. Buchanan. Journal: Journal of Information Security, 2023, Issue 4, pp. 264-293 (30 pages)
Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many different detection systems have been proposed as solutions to the ever-changing dynamic landscape of ransomware detection. In the majority of cases, these described systems propose a method based on the result of a single test performed on either the executable code, the process under investigation, its behaviour, or its output. In a small subset of ransomware detection systems, the concept of a scorecard is employed where multiple tests are performed on various aspects of a process under investigation and their results are then analysed using machine learning. The purpose of this paper is to propose a new majority voting approach to ransomware detection by developing a method that uses a cumulative score derived from discrete tests based on calculations using algorithmic rather than heuristic techniques. The paper describes 23 candidate tests, as well as 9 Windows API tests which are validated to determine both their accuracy and viability for use within a ransomware detection system. Using a cumulative score calculation approach to ransomware detection has several benefits, such as the immunity to the occasional inaccuracy of individual tests when making its final classification. The system can also leverage multiple tests that can be both comprehensive and complementary in an attempt to achieve a broader, deeper, and more robust analysis of the program under investigation. Additionally, the use of multiple collaborative tests also significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection. The results achieved by this research demonstrate that many of the proposed tests achieved a high degree of accuracy in differentiating between benign and malicious targets and suggestions are offered as to how these tests, and combinations of tests, could be adapted to further improve the detection accuracy.
Keywords: ransomware Detection Malice Score Score Card MALWARE NapierOne Dataset
Byte Frequency Based Indicators for Crypto-Ransomware Detection from Empirical Analysis
15
Authors: Geun Yong Kim Joon-Young Paik Yeongcheol Kim Eun-Sun Cho. Journal: Journal of Computer Science & Technology (SCIE, EI, CSCD), 2022, Issue 2, pp. 423-442 (20 pages)
File entropy is one of the major indicators of crypto-ransomware because the encryption by ransomware increases the randomness of file contents. However, entropy-based ransomware detection has certain limitations; for example, when distinguishing ransomware-encrypted files from normal files with inherently high-level entropy, misclassification is very possible. In addition, the entropy evaluation cost for an entire file renders entropy-based detection impractical for large files. In this paper, we propose two indicators based on byte frequency for use in ransomware detection; these are termed EntropySA and DistSA, and both consider the interesting characteristics of certain file subareas termed “sample areas” (SAs). For an encrypted file, both the sampled area and the whole file exhibit high-level randomness, but for a plain file, the sampled area embeds informative structures such as a file header and thus exhibits relatively low-level randomness even though the entire file exhibits high-level randomness. EntropySA and DistSA use “byte frequency” and a variation of byte frequency, respectively, derived from sampled areas. Both indicators cause less overhead than other entropy-based detection methods, as experimentally proven using realistic ransomware samples. To evaluate the effectiveness and feasibility of our indicators, we also employ three expensive but elaborate classification models (neural network, support vector machine and threshold-based approaches). Using these models, our experimental indicators yielded an average F1-measure of 0.994 and an average detection rate of 99.46% for file encryption attacks by realistic ransomware samples.
Keywords: computer security CRYPTOGRAPHY machine learning ransomware
Cybersecurity Guide for SMEs: Protecting Small and Medium-Sized Enterprises in the Digital Era
16
作者 Anastasios Papathanasiou George Liontos +2 位作者 Athanasios Katsouras Vasiliki Liagkou Euripides Glavas 《Journal of Information Security》 2025年第1期1-43,共43页
Small and Medium-sized Enterprises (SMEs) are considered the backbone of global economy, but they often face cyberthreats which threaten their financial stability and operational continuity. This work aims to offer a ... Small and Medium-sized Enterprises (SMEs) are considered the backbone of global economy, but they often face cyberthreats which threaten their financial stability and operational continuity. This work aims to offer a proactive cybersecurity approach to safeguard SMEs against these threats. Furthermore, to mitigate these risks, we propose a comprehensive framework of practical and scalable cybersecurity measurements/protocols specifically for SMEs. These measures encompass a spectrum of solutions, from technological fortifications to employee training initiatives and regulatory compliance strategies, in an effort to cultivate resilience and awareness among SMEs. Additionally, we introduce a specially designed a Java-based questionnaire software tool in order to provide an initial framework for essential cybersecurity measures and evaluation for SMEs. This tool covers crucial topics such as social engineering and phishing attempts, implementing antimalware and ransomware defense mechanisms, secure data management and backup strategies and methods for preventing insider threats. By incorporating globally recognized frameworks and standards like ISO/IEC 27001 and NIST guidelines, this questionnaire offers a roadmap for establishing and enhancing cybersecurity measures. 展开更多
Keywords: CYBERSECURITY; CYBERCRIME; SMEs (Small and Medium-Sized Enterprises); Risk Management; ransomware; PHISHING; Social Engineering; MALWARE
Learning-Based Artificial Algae Algorithm with Optimal Machine Learning Enabled Malware Detection (Cited by: 1)
17
Authors: Khaled M. Alalayah, Fatma S. Alrayes, Mohamed K. Nour, Khadija M. Alaidarous, Ibrahim M. Alwayle, Heba Mohsen, Ibrahim Abdulrab Ahmed, Mesfer Al Duhayyim 《Computer Systems Science & Engineering》 SCIE EI 2023, Issue 9, pp. 3103-3119 (17 pages)
Malware is a malicious software program that performs multiple cyberattacks on the Internet, involving fraud, scams, nation-state cyberwar, and cybercrime. Such malicious software programs come under different classifications, namely Trojans, viruses, spyware, worms, ransomware, Rootkit, botnet malware, etc. Ransomware is a kind of malware that holds the victim’s data hostage by encrypting the information on the user’s computer to make it inaccessible to users and only decrypting it; then, the user pays a ransom procedure of a sum of money. To prevent detection, various forms of ransomware utilize more than one mechanism in their attack flow in conjunction with Machine Learning (ML) algorithm. This study focuses on designing a Learning-Based Artificial Algae Algorithm with Optimal Machine Learning Enabled Malware Detection (LBAAA-OMLMD) approach in Computer Networks. The presented LBAAA-OMLMD model mainly aims to detect and classify the existence of ransomware and goodware in the network. To accomplish this, the LBAAA-OMLMD model initially derives a Learning-Based Artificial Algae Algorithm based Feature Selection (LBAAA-FS) model to reduce the curse of dimensionality problems. Besides, the Flower Pollination Algorithm (FPA) with Echo State Network (ESN) Classification model is applied. The FPA model helps to appropriately adjust the parameters related to the ESN model to accomplish enhanced classifier results. The experimental validation of the LBAAA-OMLMD model is tested using a benchmark dataset, and the outcomes are inspected in distinct measures. The comprehensive comparative examination demonstrated the betterment of the LBAAA-OMLMD model over recent algorithms.
Keywords: Computer networks; machine learning; SECURITY; malware detection; feature selection; ransomware
A Graph Theory Based Self-Learning Honeypot to Detect Persistent Threats
18
Authors: R.T. Pavendan, K. Sankar, K.A. Varun Kumar 《Intelligent Automation & Soft Computing》 SCIE 2023, Issue 3, pp. 3331-3348 (18 pages)
Attacks on the cyber space are getting exponential in recent times. Illegal penetrations and breaches are real threats to the individuals and organizations. Conventional security systems are good enough to detect the known threats but when it comes to Advanced Persistent Threats (APTs) they fail. These APTs are targeted, more sophisticated and very persistent and incorporate a lot of evasive techniques to bypass the existing defenses. Hence, there is a need for an effective defense system that can achieve a complete reliance of security. To address the above-mentioned issues, this paper proposes a novel honeypot system that tracks the anonymous behavior of the APT threats. The key idea of honeypot leverages the concepts of graph theory to detect such targeted attacks. The proposed honeypot is self-realizing, strategic assisted which withholds the APTs actionable techniques and observes the behavior for analysis and modelling. The proposed graph theory based self learning honeypot using the results γ(C(n,1)), γc(C(n,1)), γsc(C(n,1)) outperforms traditional techniques by detecting APTs behavioral with detection rate of 96%.
Keywords: Graph theory; DOMINATION; Connected Domination; Secure Connected Domination; HONEYPOT; self learning; ransomware
Information Assurance Technique for Mitigation of Data Breaches in the Human Service Sector
19
Authors: Chevroen Washington, Phillip Yarbrough, Shavon Parker, Rafia Islam, Vishnu Vardhan Patamsetti, Olatunde Abiona 《International Journal of Communications, Network and System Sciences》 2022, Issue 2, pp. 15-30 (16 pages)
This research paper analyzes data breaches in the human service sector. The hypothesis for the solution to this problem is that there will be a significant reduction in data breaches in the human service sector due to an increase in information assurance. The hypothesis is tested using data from the United States Department of Health and Human Services data breach notification repository during January 2018-December 2020. Our result shows that without the increased mitigation of information assurance, data breaches in the human service sector will continue to increase.
Keywords: Information Assurance; ransomware; Data Breach; HACKER; HIPPA; PHISHING; Department of Health and Human Services
Ransomware Protection and Response Strategies (Cited by: 1)
20
Author: 赵小娟 《网络安全技术与应用》 2017, Issue 4, pp. 20-22, 25 (4 pages)
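Since its emergence in 1898, ransomware has gradually developed and matured, and in recent years it has shown an intensifying trend, becoming one of the most dangerous cyber threats that individual and enterprise users must face. Starting from the ransomware attack incidents of 2016, this paper describes in detail the operating mechanism and propagation channels of ransomware, and finally, drawing on ransomware cases, presents protection strategies against ransomware and the measures users should take after being infected by ransomware.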
Keywords: ransomware; malicious program; network attack