Behaviour-based detection ofransomware attacks in the Cloud usingmachine learning

Popryho, Yaroslav, Popryho, Leonid

January 2023

Background: Ransomware attacks are a significant threat to digital informa-tion, and with the increasing adoption of cloud storage services, attackers now targetcloud environments. The existing literature on ransomware detection has primarilyfocused on local environments, and there is a limited body of research on applyingthese approaches to the cloud environment. Objectives: In this thesis, we aim to develop a behavior-based ransomware de-tection system for cloud environments, specifically focusing on Google Drive, usingmachine learning techniques. We will create a dedicated Google Workspace and uti-lize the Google Cloud Platform for developing the anomaly detection classifier. Methods: We will review related work in ransomware detection and machinelearning approaches to select suitable techniques for our research. Our anomaly de-tection classifier will analyze user activities in the cloud, such as file access patternsand permission changes, to detect deviations indicative of ransomware attacks. Results: We will validate our system’s performance by conducting experimentsin our Google Workspace, emulating ransomware attacks, and comparing the classi-fier’s performance against existing techniques. Conclusions: Our thesis aims to contribute a novel, behavior-based detectionsystem for ransomware attacks in cloud environments, advancing the state-of-the-artand providing a scalable solution for various cloud storage providers.Keywords: ransomware detection, cloud environments, behavior-based detec-tion, machine learning, Google Drive.

ransomware detection

cloud environments

behavior-based detec- tion

machine learning

Google Drive

Computer Sciences

Datavetenskap (datalogi)

Ransomware Detection Using Windows API Calls and Machine Learning

Karanam, Sanjula

31 May 2023

Ransomware is an ever-growing issue that has been affecting individuals and corporations since its inception, leading to losses of the order of billions each year. This research builds upon the existing body of research pertaining to ransomware detection for Windows-based platforms through behavioral analysis using sandboxing techniques and classification using machine learning (ML), considering the various predefined function calls, known as API (Application Programming Interface) calls, made by ransomware and benign samples as classifying features. The primary aim of this research is to study the effect of the frequency of API calls made by ransomware samples spanning across a large number of ransomware families exhibiting varied behavior, and benign samples on the classification accuracy of various ML algorithms. Conducting an experiment based on this, a quantitative analysis of the ML classification algorithms was performed, for the frequency of API calls based input and binary input based on the existence of an API call, resulting in the conclusion that considering the frequency of API calls marginally improves the ransomware recall rate. The secondary research question posed by this research aims to justify the ML classification of ransomware by conducting behavioral analysis of ransomware and goodware in the context of the API calls that had a major effect on the classification of ransomware. This research was able to provide meaningful insights into the runtime behavior of ransomware and goodware, and how such behavior including API calls and their frequencies were in line with the MLbased classification of ransomware. / Master of Science / Ransomware is an ever-growing issue that has been affecting individuals and corporations since its inception, leading to losses of the order of billions each year. It infects a user machine, encrypts user files or locks the user out of their machine, or both, demanding ransom in exchange for decrypting or unlocking user data. Analyzing ransomware either statically or behaviorally is a prerequisite for building detection and countering mechanisms. Behavioral analysis of ransomware is the basis for this research, wherein ransomware is analyzed by executing it on a safe sandboxed environment such as a virtual machine to avoid infecting a real-user machine, and its runtime characteristics are extracted for analysis. Among these characteristics, the various predefined function calls, known as API (Application Programming Interface) calls, made to the system by ransomware will serve as the basis for the classification of ransomware and benign software. After analyzing ransomware samples across various families, and benign samples in a sandboxed environment, and considering API calls as features, the curated dataset was fed to a set of ML algorithms that have the capability to extract useful information from the dataset to take classification decisions without human intervention. The research will consider the importance of the frequency of API calls on the classification accuracy and also state the most important APIs for classification along with their potential use in the context of ransomware and goodware to justify ML classification. Zero-Day detection, which refers to testing the accuracy of trained ML models on unknown ransomware samples and families was also performed.

Ransomware Detection

Behavioral Analysis

Windows OS

API Calls

API Call Frequency

Machine Learning

Sandboxing

Feature Importance