Ransomware is a type of malware that encrypts files, or otherwise blocks access to them, and demands a ransom payment from the affected individual or organization. A ransomware attack proceeds through five stages: infection, installation, communication, execution, and extortion. Early detection is crucial to prevent extensive file encryption and to minimize losses.
Traditional ransomware detection relies on static analysis, which often yields high rates of both false positives and false negatives. Because it matches signatures of specific ransomware families, static analysis struggles to identify unfamiliar or novel variants. Dynamic analysis has recently become more popular, but existing approaches typically focus on a single stage of the ransomware lifecycle, for example analyzing the PE binary during the infection stage. Meanwhile, ransomware attacks are becoming more sophisticated: attackers employ zero-day exploits that target previously unseen vulnerabilities.
Anomaly detection is a powerful tool for identifying unseen attacks, including zero-day exploits. However, it must be robust and capable, since attackers can attempt to evade it by mimicking normal file-access patterns. Relying on detection at only one stage is therefore risky.
Our research leverages the features associated with each stage to detect ransomware more effectively. We propose a stage-based, adaptively weighted anomaly detection method tailored to the specific features of each stage. The objective is to find the optimal weight w and window size t for each stage. The detection result is context-aware: in addition to the verdict, it reports the stage at which the ransomware was detected.
We use multiple publicly available ransomware datasets. We experiment with Long Short-Term Memory (LSTM) and Convolutional Neural Network (CNN) based autoencoders for detection, along with Random Forest and Support Vector Machine (SVM) classifiers for threshold prediction. The evaluation is based on True Positive Rate (TPR) and False Negative Rate (FNR).
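To make the stage-based weighting concrete, the following Python sketch is an added illustration of the shape of such a detector and of the TPR/FNR evaluation described above; it is not the authors' code, and it does not implement the autoencoders or the Random Forest/SVM threshold predictors. It assumes that each stage already yields one anomaly score per time step (for example, a reconstruction error from a per-stage autoencoder), that the fused score is a weighted sum of per-stage windowed means, that the stage reported with an alert is the largest contributor, and that w and t are chosen by a simple coordinate-wise grid search with a fixed alert threshold of 1.0 and a zero false-alarm budget on benign traces. The traces, the stage names as dictionary keys, and the search strategy are assumptions made for the example, not properties of the proposed method.

```python
"""Stage-based, adaptively weighted anomaly scoring (illustrative sketch).

Assumes each stage already yields one anomaly score per time step, e.g. the
reconstruction error of an autoencoder trained on that stage's features.
"""
from itertools import product

# Assumed stage order; names double as the context reported with an alert.
STAGES = ("infection", "installation", "communication", "execution", "extortion")


def windowed_score(scores, t):
    """Mean of the most recent t scores of one stage (window size t)."""
    if not scores:
        return 0.0
    recent = scores[-t:]
    return sum(recent) / len(recent)


def combined_score(history, weights, windows):
    """Weighted sum over stages; also returns each stage's contribution."""
    contrib = {s: weights[s] * windowed_score(history[s], windows[s]) for s in STAGES}
    return sum(contrib.values()), contrib


def detect_stream(trace, weights, windows, threshold):
    """Replay a trace (list of {stage: score} per step). Return (step, stage) of
    the first alert, or None. The stage is the largest contributor, which is the
    context-aware part of the result."""
    history = {s: [] for s in STAGES}
    for step, observation in enumerate(trace):
        for s in STAGES:
            history[s].append(observation[s])
        total, contrib = combined_score(history, weights, windows)
        if total >= threshold:
            return step, max(contrib, key=contrib.get)
    return None


def evaluate(traces, labels, weights, windows, threshold):
    """TPR, FNR and FPR over labelled traces (label True = ransomware)."""
    tp = fn = fp = tn = 0
    for trace, is_ransomware in zip(traces, labels):
        alerted = detect_stream(trace, weights, windows, threshold) is not None
        if is_ransomware:
            tp, fn = tp + alerted, fn + (not alerted)
        else:
            fp, tn = fp + alerted, tn + (not alerted)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tpr": tpr, "fnr": 1.0 - tpr, "fpr": fpr}


def tune(traces, labels, grid_w, grid_t, threshold, max_fpr=0.0):
    """Assumed search strategy: coordinate-wise grid search that, stage by stage,
    picks the (w, t) maximising TPR subject to FPR <= max_fpr on benign traces."""
    weights = {s: 1.0 for s in STAGES}
    windows = {s: 1 for s in STAGES}
    for stage in STAGES:
        best = None
        for w, t in product(grid_w, grid_t):
            weights[stage], windows[stage] = w, t
            m = evaluate(traces, labels, weights, windows, threshold)
            if m["fpr"] > max_fpr:
                continue
            key = (m["tpr"], -m["fpr"])
            if best is None or key > best[0]:
                best = (key, w, t)
        weights[stage], windows[stage] = (best[1], best[2]) if best else (1.0, 1)
    return weights, windows


def make_trace(rows):
    """Rows of per-stage scores in STAGES order -> list of per-step dicts."""
    return [dict(zip(STAGES, row)) for row in rows]


# Constructed sample traces, not real telemetry. Columns follow STAGES order.
BENIGN = make_trace([(0.1, 0.1, 0.1, 0.1, 0.1), (0.1, 0.1, 0.3, 0.1, 0.1),
                     (0.1, 0.1, 0.1, 0.1, 0.1), (0.2, 0.1, 0.1, 0.1, 0.1)])
# Benign host with sustained mild infection-stage noise (e.g. an updater).
BENIGN_NOISY = make_trace([(0.35, 0.1, 0.1, 0.1, 0.1)] * 4)
# Overt ransomware: each stage lights up strongly in turn.
RANSOM = make_trace([(0.7, 0.1, 0.1, 0.1, 0.1), (0.8, 0.3, 0.1, 0.1, 0.1),
                     (0.2, 0.8, 0.2, 0.1, 0.1), (0.1, 0.3, 0.7, 0.1, 0.1),
                     (0.1, 0.1, 0.2, 0.9, 0.2), (0.1, 0.1, 0.1, 0.9, 0.9)])
# Evasive ransomware: mimics normal activity, no single step scores high.
STEALTHY = make_trace([(0.4, 0.1, 0.1, 0.1, 0.1), (0.5, 0.1, 0.1, 0.1, 0.1),
                       (0.1, 0.5, 0.1, 0.1, 0.1), (0.1, 0.5, 0.1, 0.1, 0.1),
                       (0.1, 0.1, 0.5, 0.1, 0.1), (0.1, 0.1, 0.1, 0.5, 0.1)])
TRACES = [BENIGN, BENIGN_NOISY, RANSOM, STEALTHY]
LABELS = [False, False, True, True]

if __name__ == "__main__":
    uniform, one_step = {s: 1.0 for s in STAGES}, {s: 1 for s in STAGES}
    print("untuned:", detect_stream(RANSOM, uniform, one_step, 1.0),
          detect_stream(STEALTHY, uniform, one_step, 1.0))
    w, t = tune(TRACES, LABELS, (1.0, 2.0, 3.0), (1, 2, 3), 1.0)
    print("tuned:", detect_stream(STEALTHY, w, t, 1.0), evaluate(TRACES, LABELS, w, t, 1.0))
```

With uniform weights and single-step windows, the overt trace is caught at its first step and attributed to the infection stage, while the evasive trace, which never lets one step cross the threshold, is missed (TPR 0.5). After tuning, raising the weight of the stage whose benign scores stay flat lets the fused score cross the threshold for the evasive trace without alerting on the noisy benign host, which is the point of weighting stages separately rather than relying on a single stage. Note that the noisy benign trace is what stops the search from simply inflating the infection weight: an FPR bound, not TPR alone, drives the choice of w and t.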