Dynamic Ransomware Detection for Windows Platform Using Machine Learning Classifiers

Abstract

Ransomware attacks are also rising in this growing technological advancement world. This threat often affects the finance of individuals, organizations, and financial sectors. To effectively detect and block these ransomware threats, the dynamic analysis strategy was proposed and carried out as the approach of this research. This paper aims to detect ransomware attacks with dynamic analysis and classify the attacks using various machine learning classifiers: Random Forest, Naïve Bayes, J48, Decision Table, and Hoeffding Trees. The TON IoT Datasets from the University of New South Wales (UNSW) were used to capture ransomware attack features on Windows 7. During the experiment, a testbed was configured with numerous virtual Windows 7 machines and a single attacker host to carry out the ransomware attack. Seventy-seven classification features are selected based on the changes before and after the attack. Random Forest and J48 classifiers outperformed other classifiers with the highest accuracy results of 99.74%. The confusion matrix highlights that both Random Forest and J48 classifiers can accurately classify the ransomware attacks with the AUC value of 0.997, respectively. Our experimental result also suggests that dynamic analysis with a machine learning classifier is an effective solution to detect ransomware with an accuracy percentage exceeding 98%.