Ransomware Detection Based on an Improved Double-Layer Negative Selection Algorithm

  • Conference paper
Testbeds and Research Infrastructures for the Development of Networks and Communications (TridentCom 2019)

Abstract

Files encrypted by ransomware that uses public-key cryptography are almost impossible to decrypt, so early detection and prevention are all the more important. Signature matching has a low detection rate for unknown or polymorphic ransomware, and several intelligent algorithms have been proposed to address this problem. Inspired by the Artificial Immune System (AIS), an improved double-layer negative selection algorithm (DL-NSA) is proposed that reduces the number of holes in the NSA and increases the detection rate. To obtain the behavior characteristics of ransomware (e.g., file reads and writes, cryptography API calls and network connections), a Cuckoo sandbox was built to simulate the environment in which malicious code runs. After dynamic analysis, the behavior characteristics of the ransomware were encoded as antigens. The improved double-layer negative selection algorithm has two sets of immune detectors. The first-layer detector set is generated by the original negative selection algorithm using r-contiguous bits matching. The second-layer detector set consists of detectors generated directionally for the holes, using r-chunk matching with a variable matching threshold. Simulation results show that, compared with the NSA, this algorithm achieves high coverage of the non-self space and increases the detection rate of ransomware.
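The two detector layers described in the abstract can be sketched on a toy antigen space. This is an added illustration, not the authors' implementation: the 8-bit antigens, the threshold r = 4, the constructed self set and all function names are assumptions, and layer 1 enumerates every candidate instead of sampling at random so that whatever it misses is a true hole. The variable threshold is read here as "the shortest chunk of the hole, longer than r, that no self string has at that position".

```python
from itertools import product

L, R = 8, 4  # antigen length in bits, layer-1 threshold r (assumed values)
# Constructed "self" antigens; each bit stands for one benign behaviour feature.
SELF = {"00001111", "11001100", "10101010"}

def space():
    return ("".join(bits) for bits in product("01", repeat=L))

def r_contiguous(a, b, r):
    """True if a and b agree on at least r contiguous positions."""
    return any(a[i:i + r] == b[i:i + r] for i in range(L - r + 1))

def layer1_detectors(self_set, r):
    """Negative selection: discard every candidate that matches a self string."""
    return [c for c in space() if not any(r_contiguous(c, s, r) for s in self_set)]

def layer1_hit(x, detectors, r):
    return any(r_contiguous(x, d, r) for d in detectors)

def find_holes(self_set, detectors, r):
    """Non-self strings that no layer-1 detector matches."""
    return [x for x in space() if x not in self_set and not layer1_hit(x, detectors, r)]

def hole_chunk(hole, self_set, r):
    """Shortest (position, chunk) of the hole, longer than r, absent from self."""
    for size in range(r + 1, L + 1):
        for p in range(L - size + 1):
            chunk = hole[p:p + size]
            if all(s[p:p + size] != chunk for s in self_set):
                return p, chunk

def build(self_set=SELF, r=R):
    d1 = layer1_detectors(self_set, r)
    holes = find_holes(self_set, d1, r)
    d2 = {hole_chunk(h, self_set, r) for h in holes}
    return d1, holes, d2

def is_nonself(x, d1, d2, r=R):
    """Flag x if either layer matches it."""
    return layer1_hit(x, d1, r) or any(x[p:p + len(c)] == c for p, c in d2)

if __name__ == "__main__":
    d1, holes, d2 = build()
    print(len(d1), "layer-1 detectors,", len(holes), "holes,", len(d2), "chunk detectors")
```

The string `00001100` is a crossover of the first two self antigens: every 4-bit window of it appears at the same position in some self string, so no valid layer-1 detector can match it, while a longer chunk still separates it from self.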

Acknowledgments

This work was supported by the National Key R&D Program of China (2016YFB0801100), the National Natural Science Foundation of China (61602489), the Fundamental Research Funds for the Central Universities of PPSUC (2019JKF108) and the National Cryptography Development Fund (MMJJ20180108).

Author information

Corresponding author

Correspondence to Yanhui Du.

Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Lu, T., Du, Y., Wu, J., Bao, Y. (2020). Ransomware Detection Based on an Improved Double-Layer Negative Selection Algorithm. In: Gao, H., Li, K., Yang, X., Yin, Y. (eds) Testbeds and Research Infrastructures for the Development of Networks and Communications. TridentCom 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 309. Springer, Cham. https://doi.org/10.1007/978-3-030-43215-7_4

  • DOI: https://doi.org/10.1007/978-3-030-43215-7_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-43214-0

  • Online ISBN: 978-3-030-43215-7

  • eBook Packages: Computer Science (R0)
