
International Journal of Web Portals

Volume 12 • Issue 1 • January-June 2020

Ransomware Traffic Classification Using Deep Learning Models: Ransomware Traffic Classification
Arivudainambi D., Anna University, Tamil Nadu, India
Varun Kumar K.A., Anna University, Tamil Nadu, India
Vinoth Kumar R., Vel Tech Rangarajan Dr. Sagunthala R&D Institute of Science and Technology, Chennai, India
Visu P., Velammal College of Engineering, Chennai, India

ABSTRACT

Ransomware is malware that affects a system's data with modern encryption techniques; the data is
recovered only once a ransom amount is paid. In this research, the authors show how ransomware
propagates and infects devices. Live traffic generated by ransomware has been meticulously
analyzed. Further, a novel method for classifying ransomware traffic with deep learning
methods is presented. Based on this classification, the detection of ransomware is approached through
the characteristics of the network traffic and its communications. In more detail, the behavior of the
popular ransomware CryptoWall is analyzed, and based on this knowledge a real-time ransomware
live-traffic classification model is proposed.

Keywords
Convolution Neural Network, Ransomware, Recurrent Neural Network, Traffic Analysis

INTRODUCTION

Network traffic classification is a crucial factor in network management and security. The
points at which network monitoring tools are located determine the success rate in identifying
anomalies. Unfortunately, dedicated hardware components are not available in virtual environments,
because the entire network runs and is managed in a centralized environment. Network traffic is classified
into various types through an automated process. To differentiate packet flows, various protocols
and rules have to be implemented for flow detection. Quality has to be maintained in generalized
traffic flow detection, or else it affects the entire architecture. Classifiers are normally fixed at an
ingress point, where packets enter the network, or at an egress point, after packets have entered
the network. This allows packets to be checked at the required granularity and the flows to be separated.
The port number plays a vital role in traffic classification because of its low resource consumption.
Port-based classification does not inspect the application payload, it is supported by various
network devices, and it does not compromise the user's policies. Network traffic is also
classified through the relationship between the different traffic classes and their numerical properties,
which describe the number of bytes and the number of packets in a flow for a particular set of applications. A
heuristic has also been applied to transport-layer traffic classification, but it does not produce the
expected results.

DOI: 10.4018/IJWP.2020010101

Copyright © 2020, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.



Traffic control systems are widely deployed devices in a number of network infrastructures.
They categorize packet flows using filters and rules. Internet services are growing rapidly
day by day, so traffic classification needs highly accurate algorithms. A classification
algorithm normally supports range match, prefix match and exact match. The parameters for classification are
the protocol, source IP, destination IP, source port and destination port of the packet header, which predict
the category a packet belongs to. Traditional packet classification methods are outdated; the
new network and service applications require new algorithms which produce an exact result and
classify each packet as normal or benign.
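The header-field classification just described (exact match on the protocol, prefix match on the addresses, range match on the ports) written out as a small rule engine. This is an added example, not code from the paper; the rule set, the labels and the packets are constructed for illustration, and the port rules show the limitation the introduction mentions: they never see the payload, so an application on an unexpected port falls through to the default label.

```python
"""Rule-based packet-header classification (added example; not the paper's code).

Each rule matches a packet header on the five fields named in the text:
protocol (exact match), source and destination address (prefix match, CIDR),
and source and destination port (inclusive range match). Rules are checked in
order and the first match wins; a packet no rule matches gets the default
label. The rule set and the packets below are constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _in_prefix(addr: str, cidr: str) -> bool:
    """Prefix match: is addr inside the CIDR network?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    label: str
    proto: Optional[str] = None                 # exact match; None matches any protocol
    src_net: Optional[str] = None               # prefix match in CIDR form; None matches any
    dst_net: Optional[str] = None
    src_ports: Tuple[int, int] = (0, 65535)     # inclusive range match
    dst_ports: Tuple[int, int] = (0, 65535)

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_net is not None and not _in_prefix(pkt.src_ip, self.src_net):
            return False
        if self.dst_net is not None and not _in_prefix(pkt.dst_ip, self.dst_net):
            return False
        return (self.src_ports[0] <= pkt.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1])


def classify(pkt: Packet, rules: List[Rule], default: str = "unknown") -> str:
    """Return the label of the first rule matching pkt, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.label
    return default


# Constructed rule set: port-number heuristics for the protocols the paper
# classifies (HTTP, SSL, SMTP) plus a prefix rule for an internal network.
# Port rules see only the header, never the payload, so an application on a
# non-standard port falls through to the default label.
RULES = [
    Rule("http", proto="tcp", dst_ports=(80, 80)),
    Rule("ssl", proto="tcp", dst_ports=(443, 443)),
    Rule("smtp", proto="tcp", dst_ports=(25, 25)),
    Rule("internal", src_net="10.0.0.0/8", dst_net="10.0.0.0/8"),
    Rule("high-port", dst_ports=(49152, 65535)),
]


def summarize(packets: Iterable[Packet], rules: List[Rule] = RULES) -> Dict[str, int]:
    """Count packets per label, the per-class table a flow monitor would keep."""
    return dict(Counter(classify(p, rules) for p in packets))


if __name__ == "__main__":
    sample = [
        Packet("tcp", "10.0.0.5", "203.0.113.10", 51000, 443),
        Packet("tcp", "10.0.0.5", "203.0.113.10", 51001, 80),
        Packet("tcp", "10.1.2.3", "10.9.8.7", 40000, 8080),
        Packet("udp", "10.0.0.5", "203.0.113.20", 50000, 60000),
        Packet("tcp", "10.0.0.5", "203.0.113.30", 50000, 8443),
    ]
    for pkt in sample:
        print(pkt, "->", classify(pkt, RULES))
    print(summarize(sample))
```

Rule order matters: the internal-network prefix rule is placed after the port rules, so internal HTTP still counts as HTTP, and the last packet (TCP to port 8443) ends up as "unknown" because no header rule covers it.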

LITERATURE REVIEW

Ezhilchelvan and Mitrani Paul (2017) presented a ransomware detection model by observing different
kinds of ransomware families over two years and evaluated the growth and impact of ransomware in the
IoT environment. The presented detection model targets CryptoLocker ransomware: the model
monitors the incoming TCP/IP packets through a server, seizes the packet header, and uses a command-
and-control server which blacklists the detected ransomware attacks. Sajad et al. (2017) described
a threat detection model built by collecting sample logs for different ransomware families. Using
the maximal frequent pattern method, they mine the entire log files with different classification methods
and extract instances of ransomware, achieving a 95% result for detecting ransomware samples. It
also shows the practicality of pattern mining for detecting ransomware families and
constructing a threat detection model for given ransomware families.
Vinayakumar, Soman, Velany, and Ganorkar (2017) presented a ransomware classification
technique using a Multi-Layer Perceptron (MLP) classifier. It characterizes and differentiates benign
and ransomware families, attaining an accuracy of 1.0 for detecting ransomware and 0.98%
over the categories obtained. They suggested that the MLP is far better than standard classifiers for dealing
with ransomware. Karimi and Moattar (2017) used a two-phase LDA and presented an optimal
approach for identifying ransomware. In the first phase, features are extracted through
LDA, and in the second phase the training for prediction is done with LDA. This method obtains 97%
accuracy, outperforming all other techniques. Yalew, Maguire, Haridi,
and Correia (2017) designed RansomDroid, a secure backup system for Android mobile devices. It
gives security from malware by backing up every system file, so that the full system can be restored
from the most recent backup. The prototype was tested for performance evaluation
on an IMx3 development board.
Kanwal, Thakur, and Lashkari (2017) developed an Android application for detection of and
protection against ransomware on Android mobile devices with the help of static analysis, code
analysis and fire databases; the highly secured application against ransomware on
smartphones was evaluated and achieved better results. Min et al. (2018) presented an automatic
backup SSD system called Amoeba. It has a hardware accelerator which detects the infected pages. It
was tested with the Microsoft SSD simulator, and the obtained results are better than state-of-the-art SSDs. Cabaj
and Mazurczyk (2016) suggested two real-time mitigation methods through SDN with OpenFlow
against ransomware. They tested their techniques with CryptoLocker ransomware, and the achieved results
are efficient and feasible.
Lopez-Martin, Carro, Sanchez-Esguevillas, and Lloret (2017) presented a technique to classify
IoT traffic using deep learning models. They combined an RNN (Recurrent Neural Network) with a
CNN (Convolution Neural Network) to achieve better results than any other state-of-the-art algorithm.
They also presented a complete study of the architectures and the impact of the features chosen and the
network packets used for training. Rahul, Anjali, Menon, and Soman (2017) presented deep learning models
for the classification of network traffic and protocols. Their own datasets were used for training
and testing. The results showed that current techniques are outperformed by the proposed deep
learning models, and that the models confuse the attacker, so bypassing a classifier that uses
deep learning for network flow is difficult. Ghafir et al. (2018) presented the BotDet framework, which is used to
detect advanced persistent threats, botnets and malware. BotDet has a command-and-control
traffic detection method which protects against abnormal botnet traffic. They developed
four modules to protect against botnets, and a correlation framework that reduces the rate of
false alarms, reaching 83.3%.
Javaheri, Zadeh, and Rahmani (2018) proposed a spyware detection model which tracks
spyware and malware and obfuscates them. The proposed method uses dynamic behavioral analysis and
monitoring of system-level kernel routines to track spyware and abnormal malware. The efficiency of the
proposed method is measured by accuracy and represented with the ROC curve. The detection rate
of the proposed system is 93% and the error rate is 7%. The hit rate for protecting the operating
system from spyware with this model is 82%. Caporusso, Chea, and Abukhaled
(2018) proposed a game-theory-based ransomware detection system. The game theory approach does not
decrypt the files affected by ransomware; it analyzes human-controlled attacks and
helps in the prevention of ransomware attacks. It is also used to analyze different cyber-attacks and
crimes. Li, Xiong, Chin, and Hu (2018) presented a machine-learning-based approach to detect domain
generation attacks in a network. Traditional techniques like blacklisting and port scanning are insufficient
to combat domain generation attacks. They monitored and processed threat data over a
period of one year. The proposed model consists of two levels: one classifies DGA domains from
normal domains, and a clustering algorithm is used to generate DGA domains. The prediction model
is based on time series, for which they used an HMM. They achieved an accuracy of 95.5% for classification
and 97% for prediction. Hsu, Huang, and Chen (2010) proposed a hybrid method for fast-flux
domain detection. Fast-flux services are used as proxies for phishing websites. They used reverse
DNS traffic to detect fast-flux services by combining real-time and long-term monitoring. The results
achieved through this method are significantly more accurate than the state-of-the-art algorithms used for fast-
flux service detection. The performance evaluation was carried out in their university lab, where the
proposed method successfully identified the fast-flux service.
Lekshmi and Sajeev (2010) presented a flow-based classifier to classify peer-to-peer (P2P)
and non-P2P network traffic. P2P network classification methods are essential for malware detection
and network traffic management. Existing P2P classification methods are port-based, signature-based,
pattern-based or statistical. The proposed classification method is flow-based and
classifies whether internet traffic is P2P or non-P2P. The results achieved through the proposed method
are better than those of traditional methods. Stevanovic and Pedersen (2015) presented a traffic classification
method for the detection of botnets. They proposed three traffic classification methods based on random
forest classification. The performance was evaluated using a sample of 40 botnets
and malicious applications. The experimental results proved that the proposed method is far better than
traditional methods for the classification of botnet traffic.

MOTIVATION TOWARDS WORK

A huge body of literature is available on ransomware traffic classification techniques. It is
predominantly based on statistical features and machine learning techniques. This is a time-consuming
process, and the range of accuracies varies with the methods used for feature extraction and
classification. Wang et al. presented deep learning models for traffic classification, which motivates us
to take up the work of ransomware traffic classification. Feature extraction and classification are the
core part of the entire work: identification of ransomware traffic is purely based on features extracted
from real-time data, which are then given to the classifier. The network data packets are given directly as
input to the tool, in which feature extraction and classification are done by fully connected dense layers.
The reason for flaws in malware classification is manually extracted, handcrafted features. The
three important features extracted from the Kaggle dataset by the Microsoft Malware Challenge
winners are opcode 2,3,4-grams, segment line count and ASM pixel intensity features. The accuracy
achieved by using these features is 99%, but it fails to classify polymorphic and metamorphic
malware. Computational methods related to gene classification have also been tried on malware.
Ransomware and its families can be classified with features which are selected and given
as input for training and testing.

BACKGROUND

Convolution Neural Network


A multi-layer convolution network was implemented with four convolutional and four fully connected
layers (Figure 1). The CNN architectures used for the classification of network applications, protocols, jobs and
ransomware are given in Table 1 with their weight dimensions. The input vector size, the number
of filters in each of the four convolutional layers, the fully connected layers and the output layer are also given
in Table 1. The CNN is used to extract features from the input data with weights that are
learned through the filters in the convolutional layers. The extracted features are able to differentiate the
classes. A linear activation function is used to extract the features and find the convergence point
by adjusting the weights and the bias across the fully connected layers. The convergence data point is
fixed as the corresponding label for a particular class. To avoid overfitting we enabled PCA, and
we used the Kibana tool to implement our neural network.

Max Pooling Layer


The max pooling layer is placed between the convolution layers in the CNN architecture. It is mainly used
to reduce the spatial size of the representation and thereby the number of parameters. The pooling layer reduces the
computation in the network, and it is sometimes also helpful with the overfitting problem. The max pooling layer
operates on every depth slice of the input, over its height and width, and discards 75% of the activations.
In the CNN architecture, after the features are passed into the pooling layers, each
output is considered in order to select the best features for training with the 4x4 filters. After feature selection, the
input vectors are transferred to the softmax function.

Softmax Layer
Softmax is a generalization technique used to handle multiple classes. In a CNN, the different
binary classes are labelled, and the classes are normalized to reduce the cost function using the training
input data. Softmax is used to normalize the function over different distributions. Its outputs always
sum to 1.

$Z_i \in \{1, \dots, m\}$, where $m$ is the number of classes.

Figure 1. Convolutional neural network architecture


Training set $\{(A_i, B_i), \dots, (A_c, B_c)\}$ of $c$ labelled examples; the input features are $A_i \in M^n$, and the labels are $Z_i \in \{0, 1\}$.
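The two layers described above, max pooling and softmax, written out in plain Python so their effect on a feature map and on a vector of class scores can be checked by hand. This is an added example, not the paper's code: the feature map and the score vectors are constructed, and the cross-entropy function is the usual cost for a softmax output, included because the text mentions reducing the cost function.

```python
"""Max pooling and softmax in plain Python (added example, not the paper's code).

max_pool2d keeps the largest activation in each pool x pool window of a 2-D
feature map (stride equal to the window size); with a 2x2 window it keeps one
activation in four, i.e. it discards 75% of them. softmax maps a vector of m
class scores to probabilities that sum to 1, predict_label picks the class with
the highest probability, and cross_entropy is the cost for one labelled
example. All inputs below are constructed.
"""
import math
from typing import List, Sequence


def max_pool2d(fmap: List[List[float]], pool: int = 2) -> List[List[float]]:
    """Non-overlapping max pooling over one depth slice (height x width)."""
    height, width = len(fmap), len(fmap[0])
    pooled = []
    for r in range(0, height - pool + 1, pool):
        row = []
        for c in range(0, width - pool + 1, pool):
            window = [fmap[i][j] for i in range(r, r + pool) for j in range(c, c + pool)]
            row.append(max(window))
        pooled.append(row)
    return pooled


def fraction_discarded(pool: int) -> float:
    """Share of activations a pool x pool max-pooling layer drops (0.75 for 2x2)."""
    return 1.0 - 1.0 / (pool * pool)


def softmax(z: Sequence[float]) -> List[float]:
    """Normalize scores z_1..z_m into a probability distribution over m classes."""
    shift = max(z)  # subtracting the max avoids overflow; the result is unchanged
    exps = [math.exp(v - shift) for v in z]
    total = sum(exps)
    return [e / total for e in exps]


def predict_label(z: Sequence[float]) -> int:
    """Index (0..m-1) of the most probable class."""
    probs = softmax(z)
    return max(range(len(probs)), key=probs.__getitem__)


def cross_entropy(z: Sequence[float], label: int) -> float:
    """Negative log-probability of the true label under softmax(z)."""
    return -math.log(softmax(z)[label])


if __name__ == "__main__":
    fmap = [[1, 3, 2, 4],
            [5, 6, 7, 8],
            [9, 2, 1, 0],
            [3, 4, 5, 6]]
    print(max_pool2d(fmap, 2))          # [[6, 8], [9, 6]]
    print(fraction_discarded(2))        # 0.75
    scores = [0.5, 2.0, -1.0]
    print(softmax(scores), sum(softmax(scores)))
    print(predict_label(scores), cross_entropy(scores, 1))
```

The shift by the maximum score in softmax is what keeps very large logits (for example two scores of 1000) from overflowing exp(); the probabilities are identical with or without it.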

Recurrent Neural Network


The second model analyzed, shown in Figure 2, was an RNN; the LSTM variant of the RNN is used to train the input
vectors. It is useful in removing the gradient problem. Normally an LSTM is trained with a two-dimensional
matrix of values, the temporal dimension and the feature vector. The network packets are transformed
into initial vectors. The LSTM runs the sequential features through a network cell with two additional vectors, the
hidden state and the cell state. The cell state always corresponds to the final hidden state with the output value,
so the output layer of the hidden states is the same. In Figure 3, two fully connected layers are added at the end,
each fully forwarded and connected to the consecutive layer; normally a fully connected layer has
links to all the nodes in the network. So the combined network, a CNN collaborating
with an RNN, is built for this particular problem in Kibana. In the CNN, several chains are reshaped into a matrix and
given as input to the RNN, so the combined LSTM behaves in a sequential manner. These sequences
of vectors are grouped in a timely manner, forming the entry point to the LSTM's next layer.

EXPERIMENTATION

The data packets are collected through Wireshark, and the entire live traffic is routed to Kibana.
Protocols are classified as HTTP, SSL and SMTP, and the packets are classified from the tapped
packets. Classification of the entire traffic is a very complex process because of the increase in computational time.
We tried to set up metadata with the packet attributes; it contains the important information of the payloads.
It is converted into decimal format to be given to the network.

Data Preprocessing
The complete ransomware payload is collected with Tcpdump and extracted. Tcpdump collects the
packet headers and the data of each packet's link-level header. From that, we organize a table to collect the
information regarding the different web applications. It consists of ransomware families like CryptoWall,
WannaCry and Bad Rabbit. The total number of packets obtained from these applications is 45678,
of which CryptoWall accounts for 21345, WannaCry for 19654 and Bad Rabbit for 4679.
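The preprocessing described in this section and in the Experimentation section (packet bytes converted to decimal values and fed to the network at a fixed input size), as an added example that is not the paper's code. The input size 350 is taken from the Ransomware row of Table 1; the family names match the text, while the payload byte strings are constructed placeholders, not captured ransomware traffic.

```python
"""Packet payload to fixed-length decimal input vectors (added example, not
the paper's code).

Raw packet bytes (as captured with tcpdump) become a sequence of decimal
values 0..255, truncated or zero-padded to the CNN input size (350 for the
ransomware task in Table 1) and scaled to [0, 1]; each vector is labelled
with its family index. The payloads below are constructed byte strings.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

INPUT_SIZE = 350                              # Table 1, Ransomware row
FAMILIES = ["CryptoWall", "WannaCry", "BadRabbit"]


def payload_to_vector(payload: bytes, size: int = INPUT_SIZE) -> List[int]:
    """Decimal byte values, truncated or zero-padded to exactly `size` entries."""
    vec = list(payload[:size])            # indexing bytes gives ints 0..255
    vec.extend([0] * (size - len(vec)))   # pad short payloads with zeros
    return vec


def scale(vec: Sequence[int]) -> List[float]:
    """Map 0..255 to 0.0..1.0 so every input feature has the same range."""
    return [v / 255.0 for v in vec]


def build_dataset(samples: Sequence[Tuple[bytes, str]],
                  families: Sequence[str] = FAMILIES,
                  size: int = INPUT_SIZE) -> Tuple[List[List[float]], List[int]]:
    """Return (X, y): scaled vectors and integer labels; unknown families are rejected."""
    index = {name: i for i, name in enumerate(families)}
    X: List[List[float]] = []
    y: List[int] = []
    for payload, family in samples:
        if family not in index:
            raise ValueError(f"unknown family label: {family}")
        X.append(scale(payload_to_vector(payload, size)))
        y.append(index[family])
    return X, y


def family_counts(samples: Sequence[Tuple[bytes, str]]) -> Dict[str, int]:
    """Packets per family, the per-family table the text builds."""
    return dict(Counter(family for _, family in samples))


# Constructed samples: a short HTTP request, an over-long payload that gets
# truncated, a short binary record, and a second HTTP request. The family
# labels are assigned arbitrarily for the illustration.
SAMPLES = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n", "CryptoWall"),
    (bytes(range(256)) + b"\x00" * 200, "WannaCry"),
    (b"\x16\x03\x01\x00\x05\x01\x00\x00\x01", "BadRabbit"),
    (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n", "CryptoWall"),
]

if __name__ == "__main__":
    X, y = build_dataset(SAMPLES)
    print(family_counts(SAMPLES))
    print(len(X), len(X[0]), y)
```

Truncation and zero-padding to a fixed length is what lets packets of very different sizes share one input layer; the cost is that anything past byte 350 is invisible to the model, so the input size should be chosen from the payload lengths actually observed.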

RESULTS AND DISCUSSIONS

The system traffic is collected and logged using agents such as Packetbeat, Metricbeat and Heartbeat.
The logged traffic is then indexed using Logstash to form a defined format.
Finally, the formatted data with multiple attributes is given as input to the proposed system running
the hybrid neural model. Each layer in the hybrid model has its own weighting mechanism, where the
weights are added based on the obtained results. Further, the model incorporates a backpropagation
mechanism to re-learn and update the weights in order to minimize the false positives. Figure 3 to
Figure 7 show the results of the traffic classification.
From Figure 3 it is clear that the abnormal traffic generated at the test host is
comparatively high. Red denotes the normal traffic, whereas blue shows the abnormal
traffic generated at the system.
Figure 4 shows the total number of processes executing on the test host. From Figure 4, it
is clear that the count of processes executed on the system is high, and the total count reaches nearly 100.
From Figure 5 it can be seen that the traffic generated by the malware uses various
domains, which were reported in nearly 1L (one lakh, 100,000) records. Further, the HTTP exfiltration accounts for nearly
0.5L (50,000) records.
Figure 6 shows the total number of sites visited frequently from the test host.
Figure 7 shows the health metrics of the test host. From the figure, it can be seen that the total
number of incoming bytes (MB) is higher, which shows that the traffic is hitting the test host.
Further, the system memory and CPU utilization are also at their maximum.

Table 1. Architecture of the CNN used for classification in each specific task

Process       Input vector size   Filters in conv. layer 1   Filters in conv. layer 2   Filters in conv. layer 3   Filters in conv. layer 4   Fully connected neurons   Output layer
Protocols     1024                256                        128                        64                         32                         8                         3
Application   2048                256                        128                        64                         32                         8                         3
Jobs          7831                256                        128                        64                         32                         8                         3
Ransomware    350                 128                        64                         32                         16                         8                         2

Figure 2. Combined CNN with RNN sample network

CONCLUSION

In this paper, a novel traffic analysis model which predicts abnormal ransomware traffic is proposed.
The existing mitigation techniques against ransomware fail to detect the abnormal traffic
which infiltrates through ransomware. The proposed model detects ransomware traffic
with the help of deep learning methods, a Convolution Neural Network combined with a Recurrent
Neural Network. The proposed model was tested with Kibana and achieved 96.5% accuracy in the
prediction of ransomware traffic. The existing works in the literature use machine learning
techniques to detect ransomware traffic, but here deep learning is used to speed up
the classification and neural network process and to increase the accuracy of the proposed model. In
future, the model is to be extended to mitigate ransomware traffic over the network.


Figure 3. Network traffic (normal vs abnormal traffic)


Figure 4. Process count

Figure 5. Dashboard – traffic analysis

Figure 6. Sites visited


Figure 7. Health metric of the test host


REFERENCES

Cabaj, K., & Mazurczyk, W. (2016). Using software-defined networking for ransomware mitigation: The case of CryptoWall. IEEE Network, 30(6), 14–20.
Caporusso, N., Chea, S., & Abukhaled, R. (2018, July). A game-theoretical model of ransomware. Proceedings of the International Conference on Applied Human Factors and Ergonomics (pp. 69–78). Cham: Springer.
Chin, T., Xiong, K., Hu, C., & Li, Y. (2018, August). A machine learning framework for studying domain generation algorithm (DGA)-based malware. Proceedings of the International Conference on Security and Privacy in Communication Systems (pp. 433–448). Cham: Springer.
Ezhilchelvan, P. D., & Mitrani, I. (2015). Evaluating the probability of malicious co-residency in public clouds. IEEE Transactions on Cloud Computing, 5(3), 420–427.
Ghafir, I., Prenosil, V., Hammoudeh, M., Baker, T., Jabbar, S., Khalid, S., & Jaf, S. (2018). BotDet: A system for real time botnet command and control traffic detection. IEEE Access, 6.
Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., & Khayami, R. (2017). Know abnormal, find evil: Frequent pattern mining for ransomware threat hunting and intelligence. IEEE Transactions on Emerging Topics in Computing.
Hsu, C. H., Huang, C. Y., & Chen, K. T. (2010). Fast-flux bot detection in real time. In S. Jha, R. Sommer, & C. Kreibich (Eds.), Recent Advances in Intrusion Detection (RAID 2010). Berlin: Springer. doi:10.1007/978-3-642-15512-3_24
Javaheri, D., Hosseinzadeh, M., & Rahmani, A. M. (2018). Detection and elimination of spyware and ransomware by intercepting kernel-level system routines. IEEE Access, 6.
Kanwal, M., & Thakur, S. (2017, May). An app based on static analysis for Android ransomware. Proceedings of the 2017 International Conference on Computing, Communication and Automation (ICCCA) (pp. 813–818). IEEE.
Lopez-Martin, M., Carro, B., Sanchez-Esguevillas, A., & Lloret, J. (2017). Network traffic classifier with convolutional and recurrent neural networks for Internet of Things. IEEE Access, 5.
Min, D., Park, D., Ahn, J., Walker, R., Lee, J., Park, S., & Kim, Y. (2018). Amoeba: An autonomous backup and recovery SSD for ransomware attack defense. IEEE Computer Architecture Letters, 17(2), 245–248.
Rahul, R. K., Anjali, T., Menon, V. K., & Soman, K. P. (2017, September). Deep learning for network flow analysis and malware classification. Proceedings of the International Symposium on Security in Computing and Communication (pp. 226–235). Springer Singapore.
Sajeev, G. P., & Nair, L. M. (2016, September). LASER: A novel hybrid peer to peer network traffic classification technique. Proceedings of the 2016 International Conference on Advances in Computing, Communications and Informatics (ICACCI) (pp. 1364–1370). IEEE. doi:10.1109/ICACCI.2016.7732238
Stevanovic, M., & Pedersen, J. M. (2015). An analysis of network traffic classification for botnet detection. Proceedings of the 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) (pp. 1–8). Academic Press. doi:10.1109/CyberSA.2015.7361120
Vinayakumar, R., Soman, K. P., Velan, K. S., & Ganorkar, S. (2017, September). Evaluating shallow and deep networks for ransomware detection and classification. Proceedings of the 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI) (pp. 259–265). IEEE.
Yalew, S. D., Maguire, G. Q., Haridi, S., & Correia, M. (2017, October). Hail to the thief: Protecting data from mobile ransomware with RansomSafeDroid. Proceedings of the 2017 IEEE 16th International Symposium on Network Computing and Applications (NCA) (pp. 1–8). IEEE.


Arivudainambi D. is currently a Professor in the Department of Mathematics, Anna University, Chennai, Tamil Nadu.
He completed his post-doctoral work at the University of Toronto in 2004. He received his Ph.D. degree from Anna University
in 2002, and his research interests include computer networks, queuing theory, stochastic processes and their
applications, operations research, cloud computing, wireless sensor networks, evolutionary algorithms, and ad hoc
networks.

Varunkumar K.A. is currently pursuing his Ph.D. in Anna University, Chennai. His research interest includes network
security, malware analysis, cloud security, software defined network security, and image processing.

Vinoth Kumar is currently working in Veltech R&D institute of Science and Technology, Chennai. His research
interest includes artificial intelligence, cyber security, and network security.

P. Visu is currently working as an associate professor in Velammal College of Engineering. His research interests
include wireless security, image processing, and wireless sensor networks.
