
Detection of Ransomware Attacks Using Federated Learning Based On CNN Model.

This research paper presents a method for detecting ransomware attacks using a Convolutional Neural Network (CNN) model within a federated learning framework. The approach involves converting binary data into image format for analysis, achieving high accuracy while ensuring data privacy by keeping sensitive information local to data owners. The study highlights advantages such as robustness to data decentralization and automatic feature learning, while also noting limitations like dataset size and unequal data distribution.

Uploaded by

balbusarkabhai

This research paper focuses on detecting ransomware attacks using a Convolutional Neural Network (CNN) model based on federated learning.


Here's a summary of the paper, including the requested sections:
Abstract
Ransomware continues to be a major threat to computing, requiring immediate action
to prevent its impact. This paper proposes a ransomware attack modeling technique that targets
the disrupted operation of digital substations and examines a ransomware detection method
using artificial intelligence (AI). The approach involves transforming binary data into image data,
which is then fed into a CNN model using federated learning. Experimental results indicate that
this method achieves a high accuracy rate in detecting ransomware.
Implementation
The implementation involves several key steps:
●​ Data Collection and Preparation: Approximately 30,000 PE ransomware binaries from
virusshare.com (2010-2017) and recent samples from the Darknet were collected.
Negative examples (benign binaries) were sourced from C:\Windows\System32 (around
600) and the Windows Application Store (around 2400). The final dataset consists of 3000
positive (malicious) and 3000 negative (benign) examples to balance the classes.
●​ Transforming Binaries into Images: Software binaries are converted into image format,
specifically grey images with a size of 300 × 300 pixels. This process is illustrated in
Figure 4 of the paper. Ransomware binaries often exhibit recognizable patterns in their
image representation due to obfuscation methods and consistent behaviors (e.g., file
encryption).
●​ CNN Model Architecture: A CNN model is developed for binary classification (normal or
ransomware). The CNN has three hidden layers, including one convolution layer, one
Dropout layer, and two fully connected layers. The final output layer is a two-class
classification layer with a Sigmoid activation function. The model incorporates ReLU
activation functions in the convolution layers to prevent overfitting. The fully connected
layer uses a sigmoid activation function for the final prediction.
●​ Federated Learning Setup: The federated learning task simulates training data on
different servers to address data privacy and decentralization concerns. The model is
trained on each server using its local data, and then the model weights are aggregated to
update a global model. This ensures data privacy as the raw data never leaves the
owner's premises.
●​ Training Parameters: The dataset is split into 80% for training, 10% for validation, and
10% for testing. For the CNN model training, the mini-batch size is 64, the learning rate is
0.006, and the epoch count is 10. For federated learning, the hyperparameters include 3
clients, 30 NUM_ROUNDS, 30 NUM_EPOCHS, and a BATCH_SIZE of 64.
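The two data-handling steps of this pipeline, the byte-to-image transform and the aggregation of client weights, shown as an added Python example that is not code from the paper or from this summary. The pad-or-bucket-average resizing rule, the sample-count-weighted averaging (FedAvg-style), the flat weight vector and all function names are assumptions; the inputs are constructed.

```python
# Added example: byte-to-image transform and federated weight averaging.
# Assumptions (not from the paper): the resize rule and the FedAvg-style weighting.
SIDE = 300  # the summary gives 300 x 300 grey pixels


def binary_to_image(data: bytes, side: int = SIDE) -> list[list[int]]:
    """Map raw bytes to a side x side greyscale grid (one byte value = one pixel).

    Short inputs are zero-padded; long inputs are averaged in equal buckets
    so the whole file, not only its header, contributes to the picture.
    """
    n = side * side
    if len(data) <= n:
        flat = list(data) + [0] * (n - len(data))
    else:
        flat = []
        for i in range(n):
            lo = i * len(data) // n
            hi = max(lo + 1, (i + 1) * len(data) // n)
            chunk = data[lo:hi]
            flat.append(sum(chunk) // len(chunk))
    return [flat[r * side:(r + 1) * side] for r in range(side)]


def padding_fraction(data: bytes, side: int = SIDE) -> float:
    """Share of pixels that are padding; high values flag the small-binary bias."""
    return max(0, side * side - len(data)) / (side * side)


def fed_avg(client_weights: list[list[float]], client_sizes: list[int]) -> list[float]:
    """Combine per-client weight vectors into a global one, weighted by sample count."""
    if len(client_weights) != len(client_sizes) or not client_weights:
        raise ValueError("need one sample count per client")
    total = sum(client_sizes)
    dim = len(client_weights[0])
    if total <= 0 or any(len(w) != dim for w in client_weights):
        raise ValueError("no samples or mismatched weight shapes")
    return [
        sum(w[j] * s for w, s in zip(client_weights, client_sizes)) / total
        for j in range(dim)
    ]


if __name__ == "__main__":
    sample = b"MZ" + bytes(range(256)) * 4  # constructed stand-in, not a real PE file
    img = binary_to_image(sample)
    print(len(img), len(img[0]), img[0][:4], round(padding_fraction(sample), 3))
    # Three clients as in the summary's setup; weights and sizes are constructed.
    print(fed_avg([[0.0, 1.0], [1.0, 1.0], [2.0, 4.0]], [100, 100, 200]))
```

Weighting by sample count only matters when clients hold unequal amounts of data; with equal shares it reduces to a plain mean of the client weights.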
Algorithm Used
The core algorithm used is a Convolutional Neural Network (CNN) for image
classification. This is combined with Federated Learning, a distributed machine learning
approach, to enable collaborative model training without centralizing sensitive data.
Technology Used
The paper primarily discusses the use of:
●​ Artificial Intelligence (AI) and Machine Learning (ML) techniques.
●​ Convolutional Neural Networks (CNN) as a deep learning model.
●​ Federated Learning as a collaborative and privacy-preserving training paradigm.
Advantages
●​ High Accuracy: The proposed technique using CNN and federated learning
demonstrates a high accuracy rate in detecting ransomware.
●​ Privacy-Preserving: Federated learning ensures that training data remains local to the
data owners (e.g., individual computers or servers) and is never exposed or shared with a
central server, addressing privacy concerns.
●​ Robustness to Data Decentralization: The federated learning approach allows for
training a global model using distributed data across different devices or organizations,
which is crucial for real-world scenarios where data is decentralized.
●​ Automatic Feature Learning: CNN models can automatically learn relevant features
from the image-transformed binary data, which is an advantage over methods requiring
manual feature engineering.
●​ Handles Data Variability: CNNs are robust to data variability, making them suitable for
detecting diverse ransomware samples.
Drawbacks
●​ Dataset Size Limitation: The current dataset size is relatively small, which might lead to
an overemphasis on the robustness of the federated learning algorithm. Future work will
address this by considering a larger dataset.
●​ Unequal Data Distribution: The current experimental dataset is mostly equally
distributed among clients, which may not reflect real-world scenarios where data is
unequally distributed. This will be considered in future work.
●​ Limited Class Complexity: The experiment simplifies data into two distinct labels
(normal and abnormal). Real-world data can be far more complex with numerous classes,
which will be a focus for future research.
●​ Bias Risk with Small/Zipped Binaries: There's a high risk of learning biases because
ransomware binaries are often small and compressed with tools like UPX to evade
signature-based detection. Careful dataset creation is necessary to mitigate this.