Dynamic Ransomware Detection for Windows Platform Using Machine Learning Classifiers

M. Izham Jaya - Universiti Malaysia Pahang, 26600 Pekan, Pahang, Malaysia
Mohd Faizal Ab. Razak - Universiti Malaysia Pahang, 26600 Pekan, Pahang, Malaysia

Citation Format:

DOI: http://dx.doi.org/10.30630/joiv.6.2-2.1093


In this world of growing technological advancements, ransomware attacks are also on the rise. This threat often affects the finance of individuals, organizations, and financial sectors. In order to effectively detect and block these ransomware threats, the dynamic analysis strategy was proposed and carried out as the approach of this research. This paper aims to detect ransomware attacks with dynamic analysis and classify the attacks using various machine learning classifiers namely: Random Forest, Naïve Bayes, J48, Decision Table and Hoeffding Tree. The TON IoT Datasets from the University of New South Wales' (UNSW) were used to capture ransomware attack features on Windows 7. During the experiment, a testbed was configured with numerous virtual Windows 7 machines and a single attacker host to carry out the ransomware attack. A total of 77 classification features are selected based on the changes before and after the attack. Random Forest and J48 classifiers outperformed other classifiers with the highest accuracy results of 99.74%. The confusion matrix highlights that both Random Forest and J48 classifiers are able to accurately classify the ransomware attacks with the AUC value of 0.997 respectively.  Our experimental result also suggests that dynamic analysis with machine learning classifier is an effective solution to detect ransomware with the accuracy percentage exceeds 98%.

Full Text:



J. Zhu, J. Jang-Jaccard, A. Singh, I. Welch, H. AI-Sahaf, and S. Camtepe, “A few-shot meta-learning based Siamese neural network using entropy features for ransomware classification,” Computers and Security, vol. 117, Jun. 2022, doi: 10.1016/J.COSE.2022.102691.

M. Mohd Azuwan Efendy, A. R. Mohd Faizal, and A. R. Munirah, “Malware Detection System Using Cloud Sandbox, Machine Learning,” International Journal of Software Engineering and Computer Systems, vol. 8, no. 2, pp. 25–32, Jul. 2022, doi: 10.15282/IJSECS.8.2.2022.3.0100.

R. Almohaini, I. Almomani, and A. Alkhayer, “Hybrid-Based Analysis Impact on Ransomware Detection for Android Systems,” Applied Sciences, vol. 11, no. 22, p. 10976, Nov. 2021, doi: 10.3390/APP112210976.

S. Mahdavifar, D. Alhadidi, and A. A. Ghorbani, “Effective and Efficient Hybrid Android Malware Classification Using Pseudo-Label Stacked Auto-Encoder,” Journal of Network and Systems Management, vol. 30, p. 22, 2022, doi: 10.1007/s10922-021-09634-4.

I. Kara and M. Aydos, “The rise of ransomware: Forensic analysis for windows based ransomware attacks,” Expert Systems with Applications, vol. 190, p. 116198, Mar. 2022, doi: 10.1016/J.ESWA.2021.116198.

Y. T. HuangID, Y. S. Sun, and M. Chang Chen, “TagSeq: Malicious behavior discovery using dynamic analysis,” PLOS ONE, vol. 17, no. 5, p. e0263644, May 2022, doi: 10.1371/JOURNAL.PONE.0263644.

G. McDonald, P. Papadopoulos, N. Pitropakis, J. Ahmad, and W. J. Buchanan, “Ransomware: Analysing the Impact on Windows Active Directory Domain Services,” Sensors 2022, Vol. 22, Page 953, vol. 22, no. 3, p. 953, Jan. 2022, doi: 10.3390/S22030953.

Statista Research Department, “Global ransomware victimization rate since 2018 to 2021,” Statista Research Department. https://www.statista.com/statistics/204457/businesses-ransomware-attack-rate/ (accessed Jul. 18, 2022).

J. Singh and J. Singh, “Assessment of supervised machine learning algorithms using dynamic API calls for malware detection,” International Journal of Computers and Applications, vol. 44, no. 3, pp. 270–277, 2022, doi: 10.1080/1206212X.2020.1732641.

J. Palša et al., “MLMD-A Malware-Detecting Antivirus Tool Based on the XGBoost Machine Learning Algorithm,” Applied Sciences, vol. 12, no. 13, p. 6672, Jul. 2022, doi: 10.3390/APP12136672.

J. Mohamad Arif, M. F. Ab Razak, S. R. Tuan Mat, S. Awang, N. S. N. Ismail, and A. Firdaus, “Android mobile malware detection using fuzzy AHP,” Journal of Information Security and Applications, vol. 61, p. 102929, Sep. 2021, doi: 10.1016/J.JISA.2021.102929.

Omar M.K. Alhawi, James Baldwin, and A. Dehghantanha, “Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection,” in Cyber Threat Intelligence. Advances in Information Security, vol. 70, A. Dehghantanha, M. Conti, and T. Dargahi, Eds. Springer, Cham, 2018. doi: 10.1007/978-3-319-73951-9_5.

Y. Takeuchi, K. Sakai, and S. Fukumoto, “Detecting ransomware using support vector machines,” in ICPP ’18: Proceedings of the 47th International Conference on Parallel Processing Companion, Aug. 2018, vol. 1. doi: 10.1145/3229710.3229726.

K. Rieck, P. Trinius, C. Willems, and T. Holz, “Automatic analysis of malware behavior using machine learning,” Journal of Computer Security, vol. 19, no. 4, pp. 639–668, Jan. 2011, doi: 10.3233/JCS-2010-0410.

S. Touch and J.-N. Colin, “A Comparison of an Adaptive Self-Guarded Honeypot with Conventional Honeypots,” Applied Sciences, vol. 12, no. 10, p. 5224, May 2022, doi: 10.3390/APP12105224.

J. Pavithra and S. Selvakumara Samy, “A Comparative Study on Detection of Malware and Benign on the Internet Using Machine Learning Classifiers,” Mathematical Problems in Engineering, vol. 2022, pp. 1–8, Jun. 2022, doi: 10.1155/2022/4893390.

E. Kolodenker, W. Koch, G. Stringhini, and M. Egele, “PayBreak: Defense Against Cryptographic Ransomware,” in Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, 2017, pp. 599–611. doi: 10.1145/3052973.3053035.

M. Al-Dwairi, A. S. Shatnawi, O. Al-Khaleel, and B. Al-Duwairi, “Ransomware-Resilient Self-Healing XML Documents,” Future Internet, vol. 14, no. 4, p. 115, Apr. 2022, doi: 10.3390/FI14040115.

H. M. Chuang, F. Liu, and C.-H. Tsai, “Early Detection of Abnormal Attacks in Software-Defined Networking Using Machine Learning Approaches,” Symmetry (Basel), vol. 14, no. 6, p. 1178, Jun. 2022, doi: 10.3390/SYM14061178.

G. Cusack, O. Michel, and E. Keller, “Machine Learning-Based Detection of Ransomware Using SDN,” in Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, 2018, vol. 18, pp. 1–6. doi: 10.1145/3180465.3180467.

D. Sgandurra, L. Muñoz-González, R. Mohsen, and E. C. Lupu, “Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection,” Cryptography and Security, arXiv 2016, Accessed: Jul. 18, 2022. [Online]. Available: https://arxiv.org/abs/1609.03020v1

“The TON_IoT Datasets | UNSW Research,” UNSW Canberra at ADFA, 2021. https://research.unsw.edu.au/projects/toniot-datasets (accessed Jul. 18, 2022).

S. Madugula, S. Kiran, V. Chandra Shekhar Rao, S. Venkatramulu, M. S. B. Phridviraj, and S. Pratapagiri, “Advanced Machine Learning Scenarios for Real World Applications using Weka Platform,” Proceedings of the International Conference on Electronics and Renewable Systems, ICEARS 2022, pp. 1215–1218, 2022, doi: 10.1109/ICEARS53579.2022.9752368.

N. Thushika and S. Premaratne, “A Data Mining Approach for Parameter Optimization in Weather Prediction,” International Journal of Data Science, vol. 1, no. 1, pp. 1–13, Apr. 2020, doi: 10.18517/IJODS.1.1.1-13.2020.

A. A. R. Melvin et al., “Dynamic malware attack dataset leveraging virtual machine monitor audit data for the detection of intrusions in cloud,” Transactions on Emerging Telecommunications Technologies, vol. 33, no. 4, p. e4287, Apr. 2022, doi: 10.1002/ETT.4287.

J. Pattee, S. M. Anik, and B. K. Lee, “Performance Monitoring Counter Based Intelligent Malware Detection and Design Alternatives,” IEEE Access, vol. 10, pp. 28685–28692, 2022, doi: 10.1109/ACCESS.2022.3157812.

D. W. Fernando and N. Komninos, “FeSA: Feature selection architecture for ransomware detection under concept drift,” Computers & Security, vol. 116, p. 102659, May 2022, doi: 10.1016/J.COSE.2022.102659.

M. Sulistiyono, L. A. Wirasakti, and Y. Pristyanto, “The Effect of Adaptive Synthetic and Information Gain on C4.5 and Naive Bayes in Imbalance Class Dataset,” International Journal of Advanced Science Computing and Engineering, vol. 4, no. 1, pp. 1–11, Jan. 2022, doi: 10.30630/IJASCE.4.1.70.

U. Ahmed, J. C. W. Lin, and G. Srivastava, “Mitigating adversarial evasion attacks of ransomware using ensemble learning,” Computers and Electrical Engineering, vol. 100, p. 107903, May 2022, doi: 10.1016/J.COMPELECENG.2022.107903

S. A. EL_Rahman, R. A. AlRashed, D. N. AlZunaytan, N. J. AlHarbi, S. A. AlThubaiti, and M. K. AlHejeelan, “Chronic Diseases System Based on Machine Learning Techniques,” International Journal of Data Science, vol. 1, no. 1, pp. 18–36, Apr. 2020, doi: 10.18517/IJODS.1.1.18-36.2020.

N. M. Hatta, Z. A. Shah, and S. Kasim, “Evaluate the Performance of SVM Kernel Functions for Multiclass Cancer Classification,” International Journal of Data Science, vol. 1, no. 1, pp. 37–41, May 2020, doi: 10.18517/IJODS.1.1.37-41.2020.


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

JOIV : International Journal on Informatics Visualization
ISSN 2549-9610  (print) | 2549-9904 (online)
Organized by Department of Information Technology - Politeknik Negeri Padang, and Institute of Visual Informatics - UKM and Soft Computing and Data Mining Centre - UTHM
W : http://joiv.org
E : joiv@pnp.ac.id, hidra@pnp.ac.id, rahmat@pnp.ac.id

View JOIV Stats

Creative Commons License is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.