Ransomware Detection Based on an Improved Double-Layer Negative Selection Algorithm

  • Tianliang Lu
  • Yanhui DuEmail author
  • Jing Wu
  • Yuxuan Bao
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 309)


The encrypting ransomware using public key cryptography is almost impossible to decrypt, so early detection and prevention is more important. Signature matching technology has low detection rate for unknown or polymorphic ransomware, and some intelligent algorithms have been proposed for solving this problem. Inspired by the Artificial Immune System (AIS), an improved double-layer negative selection algorithm (DL-NSA) was proposed which can reduce the number of holes in NSA and increase the detection rate. To obtain the behavior characteristics (e.g., files read or write, cryptography APIs call and network connection) of ransomware, a Cuckoo sandbox was built to simulate the malicious code running environment. After dynamic analysis, the behavior characteristics of ransomware were encoded to antigens. The improved double-layer negative selection algorithm has two sets of immune detectors. The first layer detectors set was generated by the original negative selection algorithm using r-contiguous bits matching. The second layer detectors set was directional generated holes’ detectors using r-chunk matching with variable matching threshold. Simulation result shows that comparing with NSA this algorithm can achieve high-rate space coverage for non-self, and can increase the detection rate of ransomware.


Ransomware Negative selection algorithm API call sequence Artificial Immune System Cuckoo sandbox 



This work was supported by the National Key R&D Program of China (2016YFB0801100), the National Natural Science Foundation of China (61602489), the Fundamental Research Funds for the Central Universities of PPSUC (2019JKF108) and the National Cryptography Development Fund (MMJJ20180108).


  1. 1.
    Muhammad, U.K., Jantan, A.: The age of ransomware: understanding ransomware and its countermeasures. In: Artificial Intelligence and Security Challenges in Emerging Networks, pp. 1–4. IGI Global, Pennsylvania (2019)Google Scholar
  2. 2.
    Masarah, P.C., Bernhard, H., Benoit, D.: Ransomware payments in the bitcoin ecosystem. In: Proceeding of the 17th Annual Workshop on the Economics of Information Security (WEIS), pp. 1–10. Innsbruck (2018)Google Scholar
  3. 3.
    Rehman, H., Yafi, E., Nazir, M., Mustafa, K.: Security assurance against cybercrime Ransomware. In: Vasant, P., Zelinka, I., Weber, G.-W. (eds.) ICO 2018. AISC, vol. 866, pp. 21–34. Springer, Cham (2019). Scholar
  4. 4.
    Maigida, A.M., Abdulhamid, S.M., Olalere, M., et al.: Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms. J. Reliable Intell. Environ. 5(2), 67–89 (2019)CrossRefGoogle Scholar
  5. 5.
    Hull, G., John, H., Arief, B.: Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Sci. 8(1), 1–22 (2019)CrossRefGoogle Scholar
  6. 6.
    Santos, I., Brezo, F., Ugarte-Pedrero, X., et al.: Opcode sequences as representation of executables for data-mining-based unknown malware detection. Inf. Sci. 231(9), 203–216 (2013)MathSciNetGoogle Scholar
  7. 7.
    Wang, T., Xu, N.: Malware variants detection based on opcode image recognition in small training set. In: Proceedings of the 2nd IEEE International Conference on Cloud Computing and Big Data Analysis, pp. 328–332. IEEE, Piscataway (2017)Google Scholar
  8. 8.
    Zhang, H., Xiao, X., Mercaldo, F.: Classification of ransomware families with machine learning based on n-gram of opcodes. Future Gener. Comput. Syst. 90(2019), 211–221 (2019)CrossRefGoogle Scholar
  9. 9.
    Sgandurra, D., Muñoz-González, L., Mohsen, R., et al.: Automated dynamic analysis of ransomware: benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020. Accessed 1 December 2016
  10. 10.
    Xu, Z., Ray, S., Subramanyan, P., et al.: Malware detection using machine learning based analysis of virtual memory access patterns. In: Proceedings of the 2017 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 169–174. IEEE, Piscataway (2017)Google Scholar
  11. 11.
    Scaife, N., Carter, H., Traynor, P., et al.: CryptoLock (and drop it): stopping ransomware attacks on user data. In: Proceedings of the 36th International Conference on Distributed Computing Systems, pp. 303–312. IEEE, Piscataway (2016)Google Scholar
  12. 12.
    Hampton, N., Baig, Z., Zeadally, S.: Ransomware behavioural analysis on windows platforms. J. Inf. Secur. Appl. 40(2018), 44–51 (2018)Google Scholar
  13. 13.
    Lu, T.L., Zhang, L., Wang, S.Y., et al.: Ransomware detection based on V-detector negative selection algorithm. In: Proceedings of the 2017 International Conference on Security, Pattern Analysis, and Cybernetics (SPAC), pp. 531–536. IEEE, Piscataway (2017)Google Scholar
  14. 14.
    Gao, X.Z., Chow, M.Y., Pelta, D., et al.: Theory and applications of artificial immune systems. Neural Comput. Appl. 19(8), 1101–1102 (2010)CrossRefGoogle Scholar
  15. 15.
    Dasgupta, D., Yu, S., Nino, F.: Recent advances in artificial immune systems: models and applications. Appl. Soft Comput. 11(2011), 1574–1587 (2011)CrossRefGoogle Scholar
  16. 16.
    Lu, T.L., Zhang, L., Fu, Y.X.: A novel immune-inspired shellcode detection algorithm based on hyper-ellipsoid detectors. Secur. Commun. Netw. 8(2018), 1–10 (2018)CrossRefGoogle Scholar
  17. 17.
    Tan, Y.: Artificial Immune System: Applications in Computer Security. IEEE Computer Society Press, Piscataway (2016)CrossRefGoogle Scholar
  18. 18.
    Hooks, D., Yuan, X., Roy, K., et al.: Applying artificial immune system for intrusion detection. In: Proceedings of IEEE Fourth International Conference on Big Data Computing Service and Applications (BigDataService), pp. 287–292. IEEE, Piscataway (2018)Google Scholar
  19. 19.
    Brown, J., Anwar, M., Dozier, G.: Detection of mobile malware: an artificial immunity approach. In: Proceedings of 2016 IEEE Security and Privacy Workshops (SPW), pp. 74–80. IEEE, Piscataway (2016)Google Scholar
  20. 20.
    Iqbal, M., Abid, M.M., Ahmad, M.: Catching Webspam Traffic with Artificial Immune System (AIS) classification algorithm. In: Proceedings of the 7th IEEE International Conference on Software Engineering and Service Science (ICSESS), pp. 402–405. IEEE, Piscataway (2017)Google Scholar
  21. 21.
    Forrest, S., Perelson, A.S., Allen, L., et al.: Self-nonself discrimination in a computer. In: Proceedings of 1994 IEEE Symposium on Research in Security and Privacy, pp. 202–212. IEEE, Piscataway (1994)Google Scholar
  22. 22.
    Hofmeyr, S.A.: An immunological model of distributed detection and its application to computer security. Department of Computer Sciences, University of New Mexico (1999)Google Scholar
  23. 23.
    Zhang, H., Wu, L.F., Zhang, R.S., et al.: An algorithm of r-adjustable negative selection algorithm and its simulation analysis. Chin. J. Comput. 28(10), 1614–1619 (2005)Google Scholar
  24. 24.
    Ji, Z., Dasgupta, D.: Revisiting negative selection algorithms. Evol. Comput. 5(2), 223–251 (2007)CrossRefGoogle Scholar
  25. 25.
    Stibor, T., Mohr, P., Timmis, J.: Is negative selection appropriate for anomaly detection. In: Proceedings of Genetic and Evolutionary Computation Conference (GECCO), pp. 321–328. ACM, New York (2005)Google Scholar
  26. 26.
    Liu, X.B., Cai, Z.X.: Properties assessments of holes in anomaly detection systems. J. Cent. South Univ. (Sci. Technol.) 40(4), 986–992 (2009)Google Scholar
  27. 27.
    Kirda E.: UNVEIL: a large-scale, automated approach to detecting ransomware (Keynote). In: Proceedings of IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), p. 1. IEEE, Piscataway (2017)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020

Authors and Affiliations

  1. 1.People’s Public Security University of ChinaBeijingChina

Personalised recommendations