Smartphone use and popularity have grown over the past few years, making smartphones the primary communication tool.
Attackers target mobile phones to steal sensitive data and information from them, using a variety of malware
attacks aimed at systems, networks, devices, and applications.
Ransomware is one of the newest and greatest dangers to cybersecurity.
The CICAndMal2017 dataset, which consists of benign samples and various types of Android malware samples, is used
to apply and compare six ML methods.
Introduction
- The Android operating system currently holds 85% of the smart device market worldwide, and this share continues to
grow.
- The recent growth and spread of smartphones under the conditions of COVID-19 made the Android operating system
the main target of attackers.
- The Android system is open and does not restrict users from loading and downloading applications; it leaves the
safety of the device in the hands of the user by letting him decide whether or not to install an application. Smartphones
therefore become more vulnerable to cyber-attacks, and attackers take advantage of the Android platform to inject
malicious code using ransomware. Ransomware is a type of malware that infects the victim's device with malicious code
and blocks access to data, meaning that the screen is locked (Locker ransomware) or the data is encrypted (Crypto
ransomware).
The victim is then prevented from using the device and a ransom is demanded to unlock it. Personal data, including
files, photos, etc., is transferred to the command and control server, from which the attacker executes commands to
control the device remotely; a threatening message is then displayed on the screen demanding payment of the ransom in
Bitcoin.
Machine learning is one of the methods used to analyze network traffic. It is considered one of the effective solutions
and plays a vital role in detecting the malicious traffic patterns of ransomware.
Statement of the Problem
Analyzing and detecting the constantly emerging Android malware is a major problem: learning techniques are
of little use for detecting samples for which no training data is available.
Important features must be selected and new information processed in advance. Moreover, machine learning
techniques rely on antivirus software vendors to explicitly label samples.
Research Aim
The aim of this study is to evaluate the detection of ransomware attacks in the Android
system, based on the behavior history of applications, using ML-based classification
approaches.
Research Objective
Malware
Malware is short for malicious software. As its name implies, malware is
designed to damage computers, and it specifically targets internet-based
programs.
Malware can take many different forms and can be broadly classified
into many classes; here we explain the ransomware attack.
Ransomware
Ransomware is a type of malware that infects computers and then
prevents the user from accessing the operating system
or encrypts all data stored on the computer, and asks
the user for a "ransom", often the payment of a specified
amount of money.
Ransomware Enablers:
Several factors have contributed to the recent
surge in ransomware assaults: financial revenue, the
availability of cryptographic techniques, untraceable
payment methods, and open development kits.
Type of Ransomware
Ransomware is classified based on several aspects, including its
severity, method of extortion, people targeted, and systems affected:
● Scareware
Scareware is a bogus notification that threatens the victim by making
false claims.
● Detrimental Ransomware
In contrast to scareware, detrimental ransomware is a serious danger:
● Locker-Ransomware
Locker-Ransomware takes control of one or more services on the
victim's system.
● Crypto-Ransomware
Crypto-Ransomware encrypts the victim's files using cryptography.
Crypto-ransomware is further divided as follows:
● Ransomware using Symmetric Cryptography (SCR):
Symmetric Crypto-Ransomware (SCR), as the name suggests, is a form
of crypto-ransomware that uses a single secret key for both encryption
and decryption.
● Asymmetric Crypto-Ransomware (ACR):
ACR utilizes a pair of keys: the
public key for encryption and the private key for decryption.
● Hybrid Key Crypto-Ransomware (HCR):
Crypto-ransomware developers combine symmetric and asymmetric
encryption to create a hybrid kind known as the hybrid key.
Ransomware lifecycle
Static and Dynamic Analysis
Static Analysis:
Static analysis is a passive approach that examines the payload of a sample without running
its code, in order to extract structural elements from the source code.
Dynamic Analysis:
Dynamic analysis is the process of analyzing malicious code while it is
being executed.
Related Work
The first data-mining-based system for automatic detection and analysis of ransomware was based
on dynamic API calls. Static feature analysis was then used to classify ransomware: the authors first
converted opcode sequences from ransomware samples into N-gram sequences. A 2019 study
provides a thorough analysis of crypto-ransomware network traffic and proposes an advanced
ransomware detection method. In 2020, Sangal et al. used ML methods for new Android
malware detection, applying many techniques (RF, KNN, SVM, and NB). In 2021, a
detection system called Peeler was proposed, which uses system-behavior-based detection (e.g. a malicious
command detector and an I/O pattern matcher).
Chapter 3
► Monitoring the network traffic that enters and leaves the network, intra-network traffic and
device activity provides significant and beneficial information for detecting malicious
behavior. The dataset used in this research was obtained from the Canadian Institute
for Cybersecurity.
► This research concentrates on network traffic features for detecting ransomware
applications. 650000 ransomware and benign data samples were extracted with network
flow features that consist of six identifying columns for each flow (Flow ID, Source IP, Destination
IP, Source Port, Destination Port, and Protocol) and 79 network traffic features.
Dataset based on network flow traffic
The network traffic has been captured in pcap files during three states:
► 1. Installation: the first state of data capturing, which occurs immediately after installing the malware (1-3 min).
► 2. Before restart: the second state of data capturing, which occurs 15 min before rebooting the phones.
► 3. After restart: the last state of data capturing, which occurs 15 min after rebooting the phones.
Ransomware Dataset
► In this research, 259110 ransomware samples were used with 85 features which were
collected from 10 popular ransomware families. Table I lists the behavior and
characteristics of ransomware and the number of samples utilized for each one of the
families.
Benign Dataset
► The benign applications used in this research were published in 2015, 2016 and 2017 on the
Google Play market.
► There are more than six thousand of these applications, collected based on the
popularity of the applications in each class available in the market.
► 400000 benign samples with 85 network traffic features were extracted and utilized in
this research. These features can be classified into categories such as Flow-ID, Packet-based,
Byte-based, Flow-based, and Time-based.
Data Analysis and Cleaning
► This network-traffic-flow dataset is rich in quantity because it has 85 features and
10 kinds of ransomware. It also contains static features such as permissions and
intents, and API calls as dynamic features.
► It is necessary to clean the dataset of any form of errors or faults that may be
found in the selected dataset (CICAndMal2017) in order to get more accurate and reliable
results.
Implementation processes for detecting Ransomware
► Implementation Phase
► Feature Selection
► Classification
► Evaluation
► Results
The dataset utilized in this study was divided into 80% for training the algorithms and
the rest for testing, using train_test_split from the sklearn library. Shuffling and
cross-validation with 10 folds were then used to divide the dataset.
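The split and cross-validation steps described above, as an added pure-Python example that is not the study's own code: it reproduces what sklearn's train_test_split (80/20, shuffled) and a 10-fold KFold do over a constructed toy set of flows, using a throw-away nearest-centroid model in place of the study's classifiers. Function names, the toy feature values and the seed values are assumptions of this example.

```python
import random

# Constructed toy flows for illustration (not rows from CICAndMal2017): two numeric
# features per flow, label 1 = ransomware, 0 = benign. Benign rows come first so an
# unshuffled split would put only ransomware in the test set.
def make_toy_flows(n_benign=40, n_ransom=10, seed=7):
    rng = random.Random(seed)
    benign = [([rng.uniform(0, 100), rng.uniform(0, 5)], 0) for _ in range(n_benign)]
    ransom = [([rng.uniform(200, 300), rng.uniform(5, 10)], 1) for _ in range(n_ransom)]
    return benign + ransom

def train_test_split(rows, test_size=0.2, seed=42, shuffle=True):
    """Hold out test_size of the rows (80/20 in the study). As in sklearn, the
    test part is the tail of the (optionally shuffled) index order."""
    idx = list(range(len(rows)))
    if shuffle:
        random.Random(seed).shuffle(idx)
    n_test = int(round(len(rows) * test_size))
    train_idx, test_idx = idx[:len(rows) - n_test], idx[len(rows) - n_test:]
    return [rows[i] for i in train_idx], [rows[i] for i in test_idx]

def k_fold_indices(n, k=10, seed=42):
    """Return k (train_idx, val_idx) pairs over a shuffled index: every row is
    validated exactly once and never appears in its own training part."""
    idx = list(range(n))
    random.Random(seed).shuffle(idx)
    sizes = [n // k + (1 if i < n % k else 0) for i in range(k)]
    folds, start = [], 0
    for size in sizes:
        val = idx[start:start + size]
        train = idx[:start] + idx[start + size:]
        folds.append((train, val))
        start += size
    return folds

def fit_nearest_centroid(rows):
    """Toy model standing in for a real classifier: one mean vector per class."""
    centroids = {}
    for label in {lbl for _, lbl in rows}:
        vecs = [x for x, lbl in rows if lbl == label]
        centroids[label] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return centroids

def predict_nearest_centroid(centroids, x):
    """Label of the closest centroid (squared Euclidean distance)."""
    return min(centroids, key=lambda c: sum((a - b) ** 2 for a, b in zip(x, centroids[c])))

def cross_validate(rows, fit, predict, k=10, seed=42):
    """Mean validation accuracy over k shuffled folds."""
    accs = []
    for train_idx, val_idx in k_fold_indices(len(rows), k, seed):
        model = fit([rows[i] for i in train_idx])
        hits = sum(predict(model, rows[i][0]) == rows[i][1] for i in val_idx)
        accs.append(hits / len(val_idx))
    return sum(accs) / len(accs)

if __name__ == "__main__":
    flows = make_toy_flows()
    train, test = train_test_split(flows)
    print(len(train), "training rows,", len(test), "test rows")
    print("10-fold accuracy:", cross_validate(flows, fit_nearest_centroid, predict_nearest_centroid))
```

The shuffle matters because CICAndMal2017-style extracts are typically concatenated per family: without it, the 20% held out would be the last family in the file, and the classifier would never be tested on the benign class at all.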
Data preprocessing
The dataset is devoid of any null values. After removing the useless features and splitting the dataset,
the columns were checked for null or infinite values; the dataset was found not to contain null values for
any of the attributes in any of its fields. The dataset was nevertheless checked again after each data
transformation or processing step to ensure that no such values had been introduced.
► The technique of removing columns with low variance is utilized to improve model effectiveness. The Variance
Threshold technique provided by sklearn was utilized in this research. VarianceThreshold is a simple, basic
feature selector that deletes low-variance columns. This technique only looks at the input columns (X), not the
target column (y), and it is therefore also usable for unsupervised learning.
Table 2:The features with low variance (zero values in all columns).
► Feature scaling is the operation of transforming the features using normalization. It is a way to improve the
performance of the ML system.
► The CICAndMal2017 dataset includes features with very different values, ranges, and scales.
► These differences lead feature selection techniques to be biased towards features with larger values over features with
smaller values.
Feature Selection is the operation of locating and choosing the subset of input variables that are most
related to the target label, thereby reducing the statistical and mathematical processing required.
It is very important to use a feature selection technique to improve the quality of the dataset in order to increase the
efficiency of the classification and detection system, especially when the dataset is very large and of high dimensionality,
which may lead to a complex classification model.
Univariate Feature Selection Technique
► Statistical tests are used in univariate feature selection to choose the columns that have the strongest relationship with the
output variable. Univariate selection considers each feature on its own: it disregards the other features and compares the
feature with the target to see whether there is any relationship between them. Each feature is given a score, and all of
the scores are ultimately compared.
► The f-test (f-statistic) method was used to select the features with the top scores. The f-test is used when the input data is
numerical and the output is categorical.
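The three preprocessing steps above (variance thresholding, feature scaling, and univariate selection by f-statistic) as one added pure-Python example; this is not the study's code but a re-implementation of what sklearn's VarianceThreshold, MinMaxScaler and SelectKBest(f_classif) compute, run over a constructed four-feature flow matrix whose column names and values are made up for illustration.

```python
import math

# Constructed flow-feature matrix (rows = flows, columns = features). Values and
# column names are made up, not taken from CICAndMal2017. "bwd_urg_flags" is
# constant, the situation the page's Table 2 describes (zero in every row).
FEATURE_NAMES = ["flow_duration", "fwd_pkts", "bwd_urg_flags", "pkt_len_mean"]
X = [
    [1200.0,  4, 0,  60.0],
    [ 900.0,  3, 0,  58.0],
    [1500.0,  5, 0,  64.0],
    [ 800.0,  2, 0,  55.0],
    [9000.0, 40, 0, 540.0],
    [8500.0, 38, 0, 510.0],
    [9700.0, 45, 0, 580.0],
    [8800.0, 41, 0, 530.0],
]
y = [0, 0, 0, 0, 1, 1, 1, 1]   # 0 = benign, 1 = ransomware

def column(X, j):
    return [row[j] for row in X]

def variance(values):
    m = sum(values) / len(values)
    return sum((v - m) ** 2 for v in values) / len(values)

def variance_threshold(X, names, threshold=0.0):
    """Drop every column whose variance is <= threshold (VarianceThreshold's rule).
    Only X is inspected; the label y plays no part."""
    keep = [j for j in range(len(names)) if variance(column(X, j)) > threshold]
    return [[row[j] for j in keep] for row in X], [names[j] for j in keep]

def min_max_scale(X):
    """Rescale each column to [0, 1]; a constant column maps to 0.0."""
    cols = list(zip(*X))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0
             for j, v in enumerate(row)] for row in X]

def f_statistic(values, labels):
    """One-way ANOVA F-score of one numeric feature against a categorical label
    (what sklearn's f_classif computes): between-class / within-class variance."""
    classes = sorted(set(labels))
    grand = sum(values) / len(values)
    groups = {c: [v for v, l in zip(values, labels) if l == c] for c in classes}
    ss_between = sum(len(g) * (sum(g) / len(g) - grand) ** 2 for g in groups.values())
    ss_within = sum(sum((v - sum(g) / len(g)) ** 2 for v in g) for g in groups.values())
    df_between, df_within = len(classes) - 1, len(values) - len(classes)
    if ss_within == 0:          # perfectly separated feature
        return math.inf
    return (ss_between / df_between) / (ss_within / df_within)

def select_k_best(X, y, names, k):
    """Score every column with the F-statistic and keep the k highest (SelectKBest)."""
    scores = {names[j]: f_statistic(column(X, j), y) for j in range(len(names))}
    top = sorted(scores, key=scores.get, reverse=True)[:k]
    return top, scores

def select_features(X, y, names, k=2):
    """Full pipeline: drop constant columns, scale, then pick the top-k by F-score."""
    Xv, kept = variance_threshold(X, names)
    Xs = min_max_scale(Xv)
    top, scores = select_k_best(Xs, y, kept, k)
    return top, kept, scores

if __name__ == "__main__":
    top, kept, scores = select_features(X, y, FEATURE_NAMES, k=2)
    print("after VarianceThreshold:", kept)
    print("F-scores:", {n: round(s, 1) for n, s in scores.items()})
    print("selected:", top)
```

Two points worth checking in practice: VarianceThreshold is applied to raw values, so a column's scale decides whether it survives the threshold, and the F-score is a ratio of variances and is therefore unchanged by the min-max rescaling (the ranking is the same before and after). The scaling is what protects the distance-based k-NN and the gradient-trained LR and MLP used later from being dominated by large-valued columns such as flow duration.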
Select from model technique
The SelectFromModel technique is used with an estimator (model) that exposes a
feature importance attribute. According to the feature weights, the best features, those that
are the most crucial, are chosen.
Implementation of Machine Learning classifiers
Logistic Regression (LR)
► Statistical learning is the foundation of the LR algorithm. It is utilized for classification and regression problems.
LR is a probability-based prediction method that transforms the output using the sigmoid function and returns a
probability value. It places a decision boundary (hyperplane) between the samples to divide them.
► The decision for a new sample is made by determining which side of the hyperplane the sample is situated
on.
Decision Tree (DT)
► DT is a straightforward classification and regression technique. It is a supervised machine learning (ML) sequential
model in which the data is repeatedly split according to a given parameter through a series of tests.
► A class label is held in each leaf node, and each branch of the tree represents a test result.
► The maximum depth of the tree, which in this research is 50, is the input for the decision tree algorithm. The root of
the DT will be the most significant feature, and the other features will be distributed from the
top to the bottom of the DT based on the answers to a series of questions (decisions) and
on the resulting information gain.
Random Forest (RF)
► DTs and the bagging procedure are the foundation and constituent parts of the ensemble
method known as RF.
► Bagging requires that each DT be trained on a portion of the entire dataset. Each tree
is classified, and the
► The number of decision trees and the maximum tree depth used to train the dataset are
the inputs for the random forest technique.
k-Nearest Neighbor (k-NN)
It is a supervised machine learning technique used for regression and classification tasks. It presumes that similar
things are located near each other.
It stores the training data and performs no computation until test data arrives. When an
instance of test data is received, the prediction process is initiated: it searches the training data for the k most
similar neighbors and predicts from their labels.
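The k-NN classifier as described above, written out as an added pure-Python example (not the study's code, which used sklearn): Euclidean distance over already-scaled features, a majority vote among the k nearest training rows, and the fraction of ransomware neighbours as a score usable for ROC/AUC. The training rows and the test points are constructed values, not CICAndMal2017 data.

```python
import math
from collections import Counter

# Constructed, already min-max-scaled flow features (two per row) with labels;
# made up for illustration, not rows from CICAndMal2017. 1 = ransomware, 0 = benign.
TRAIN = [
    ([0.10, 0.05], 0), ([0.15, 0.10], 0), ([0.05, 0.12], 0), ([0.20, 0.08], 0),
    ([0.85, 0.90], 1), ([0.90, 0.80], 1), ([0.80, 0.95], 1),
]

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def k_nearest(train, x, k):
    """The k training rows closest to x, nearest first."""
    if k < 1 or k > len(train):
        raise ValueError("k must be between 1 and the number of training rows")
    return sorted(train, key=lambda row: euclidean(row[0], x))[:k]

def knn_predict(train, x, k=3):
    """Majority vote among the k nearest neighbours. With binary labels an odd k
    avoids ties; on a tie Counter keeps the label of the nearest row."""
    votes = Counter(label for _, label in k_nearest(train, x, k))
    return votes.most_common(1)[0][0]

def knn_predict_proba(train, x, k=3):
    """Fraction of the k neighbours labelled ransomware, usable as a ranking score."""
    return sum(label for _, label in k_nearest(train, x, k)) / k

if __name__ == "__main__":
    for point in ([0.12, 0.09], [0.88, 0.85], [0.55, 0.40]):
        print(point, "->", knn_predict(TRAIN, point), knn_predict_proba(TRAIN, point))
```

Because every prediction scans the whole training set, k-NN's cost grows with the 650000-flow dataset discussed on this page; this is why the features are scaled first (so no single large-valued column dominates the distance) and why the reduced feature set from the selection step matters for this classifier in particular.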
XGBoost (XGB)
Many machine learning (ML) applications have recently utilized this open-source library. It offers a high-performance
implementation of gradient boosted DTs to quickly and accurately address a variety of data science problems. To improve
the prediction, many weak DTs are trained in successive steps. A weak DT model on its own performs well only on a portion
of the training data, but when numerous weak learners are selectively combined, a much more potent learning model is
created.
Multi-Layer Perceptron (MLP)
The MLP is a type of feedforward artificial neural network (ANN) used in deep learning. For training, it applies the supervised
learning method of backpropagation. It has at least three layers of nodes (input, hidden, and output), each with its own
activation function (linear or nonlinear). Each node in a layer is linked to every node in the next layer.
Performance Evaluation Measurements and Tools
This study used seven metrics, all derived from the confusion matrix, to evaluate the ML classifiers. All these criteria have
• Precision: the ratio of data correctly classified as attack to all data classified as attack.
• Recall (Sensitivity): the ratio of data correctly classified as attack to all attack data.
• True Negative Rate (TNR): the percentage of benign occurrences that the algorithm detects correctly, i.e. correctly
predicted negative samples compared to all negative samples.
• AUC (Area Under the Curve): the area under the ROC curve. The ROC (Receiver Operating
Characteristic) curve is another common tool used with binary classifiers. It is very similar to the
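The confusion-matrix metrics listed above, together with AUC, as an added pure-Python example (not the study's code, which used sklearn's metrics): precision, recall, F1, TNR, FPR and accuracy from true/predicted labels, and AUC computed directly as the probability that a ransomware flow is scored above a benign one, which is the ROC-area definition. The label vectors and scores are constructed for illustration.

```python
def confusion_matrix(y_true, y_pred, positive=1):
    """Counts of (tp, fp, fn, tn) with `positive` (ransomware) as the attack class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p == positive)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p == positive)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p != positive)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p != positive)
    return tp, fp, fn, tn

def metrics(y_true, y_pred):
    """The confusion-matrix based measures; undefined ratios (empty denominator) are 0."""
    tp, fp, fn, tn = confusion_matrix(y_true, y_pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    tnr = tn / (tn + fp) if tn + fp else 0.0          # benign flows correctly passed
    fpr = fp / (fp + tn) if fp + tn else 0.0          # benign flows wrongly blocked
    accuracy = (tp + tn) / len(y_true)
    return {"accuracy": accuracy, "precision": precision, "recall": recall,
            "f1": f1, "tnr": tnr, "fpr": fpr}

def roc_auc(y_true, scores):
    """AUC = P(score of a random ransomware flow > score of a random benign flow),
    ties counting one half; equal to the area under the ROC curve."""
    pos = [s for t, s in zip(y_true, scores) if t == 1]
    neg = [s for t, s in zip(y_true, scores) if t == 0]
    if not pos or not neg:
        raise ValueError("AUC needs at least one sample of each class")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

# Constructed labels, predictions and classifier scores for ten flows (not real results).
Y_TRUE = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
Y_PRED = [1, 1, 1, 0, 0, 0, 0, 0, 1, 0]
SCORES = [0.9, 0.8, 0.7, 0.4, 0.1, 0.2, 0.3, 0.35, 0.6, 0.05]

if __name__ == "__main__":
    print(metrics(Y_TRUE, Y_PRED))
    print("AUC:", roc_auc(Y_TRUE, SCORES))
    # Why F1 rather than accuracy on an imbalanced set: a model that never flags
    # anything scores 98% accuracy on 2 attacks among 100 flows but F1 = 0.
    print(metrics([1] * 2 + [0] * 98, [0] * 100))
```

The last line of the `__main__` block is the imbalance case the Result section refers to: with 400000 benign versus 259110 ransomware flows the gap is smaller than in this toy, but a classifier biased toward the majority class still looks better under accuracy than under F1, while the FPR reported in the conclusion is exactly `fp / (fp + tn)` above.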
Result:
The final outcomes of the algorithms
are contrasted in this section.
F1-Measure and AUC serve as the
primary metrics for comparison.
The reason F1-Measure was chosen
over accuracy is that it provides a
better indicator of cases that were
erroneously classified.
Conclusion
This study aimed to utilize the CICAndMal2017 dataset and several machine learning algorithms,
to compare six algorithms and find the best one, in order to develop a system for detecting
various types of ransomware attacks. It is crucial to emphasize how this research differs
from other studies that only use a particular type of network traffic: the best features from the
entire feature set are the focus of this study. The best features were chosen for the proposed
model using a variety of preprocessing techniques, and the ML classifiers were then applied to
these features. The results showed that the detection accuracy was (99.80%, 99%) and the FPR
was (0.08%, 0.08%) for XGB and RF respectively. Therefore, the CICAndMal2017
dataset can be used to create the proposed system employing XGB and Random Forest.
Future Work
The CICAndMal2017 dataset has various types of ransomware attacks. So, studying all types of attacks inside the
dataset will help us to detect and determine all types of them. To classify them into any type of ransomware attack,
1- we can use multi-class classification for this purpose. Another future work is using network traffic features to
detect and classify other types of Android malware.
2- In addition, the ML models can be applied to one or more other types of features such as logs, API calls,
memory dumps, permissions, etc.
3- Designing a novel detection framework, a real system that captures network packets and tests them to determine
if they are benign or ransomware, so as to stop attack packets from entering the network, would be another future
task for our study that would make the findings of our study accurate.