Ransomware between proactive using detection lab and reactive using machine learning
Ransomware is a type of malware attack that encrypts a victim's data so that attackers can demand payment to restore access. As ransomware attacks increase in sophistication and frequency, the effective detection and prevention of this type of attack are crucial to mitigating its impact. Machine learning and dynamic analysis are approaches for detecting and classifying ransomware based on the behavior and characteristics of files and programs. The present study aimed to compare the effectiveness of machine learning and dynamic analysis in detecting ransomware. Accordingly, the researcher used different approaches to examine this problem. The detection lab involved creating and connecting hosts in a virtual environment and infecting them with ransomware delivered through the macros of a Microsoft Word file. By contrast, the machine learning-based ransomware detection technique used data to train models and algorithms to detect ransomware in computer networks. The results of the analysis suggest that both machine learning and dynamic analysis are effective in detecting ransomware. However, dynamic analysis is more effective because it can identify novel ransomware by emphasizing the behavior and characteristics of ransomware. Machine learning-based ransomware detection is effective, but the need for datasets to train models and algorithms limits its application in the detection of new ransomware. Therefore, the use of machine learning and dynamic analysis for ransomware detection shows excellent results, with high accuracy rates in detecting attacks, but the effectiveness of machine learning models depends on the availability, quality, and quantity of the data used for training and evaluating a system. Furthermore, the choice of parameters for ransomware detection affects the accuracy of machine learning models.
The use of a detection lab offers a more realistic and controlled approach to ransomware detection, and it offers a mechanism for receiving real-time alerts to enable cybersecurity analysts to take action quickly, reducing the impact of ransomware attacks on organizations.
1 Introduction

This chapter introduces ransomware and the detection techniques of dynamic analysis and machine learning. It also includes the research aims, scope, objectives, ethical considerations, research questions, and novelty. Lastly, it outlines the structure of the following chapters.

1.1 Introduction

Ransomware is a major challenge influencing the security of data and computer systems in modern organizations. The common use of this type of attack is to completely encrypt files and data, resulting in user inaccessibility (Liska and Gallo, 2016). After the successful installation of ransomware in a computer system, a message appears directing users on the actions they should take, often paying a ransom to regain access. The problem has necessitated the creation of techniques for discovering ransomware in computers. Some of the techniques for detecting ransomware are dynamic analysis and machine learning. Each of the techniques involves different aspects of detecting ransomware to enable system administrators to take corrective actions. Dynamic analysis focuses on monitoring systems by identifying malicious changes or abnormalities in system performance that may indicate the presence of a threat. According to Sihwail et al. (2019), dynamic analysis emphasizes the inspection of processes, registry entries, and files for anomalies. The anomalies may occur in the form of an unexpected number of processes, the introduction of unexpected values in the registry, or the introduction of new files. Unless the administrator or a person with authorization is responsible for such processes, an organization should be aware of the possible existence of ransomware in a system. Besides, dynamic analysis can be useful for detecting unusual activities in the network. For example, it can support the detection of high rates of data transfer or an unusual number of connections, which signifies the existence of ransomware.
Machine learning is another technique that has become increasingly common for detecting ransomware on computer systems. Machine learning uses models and algorithms that can be trained to identify harmful code, unusual activities, and other aspects of network or system performance that could indicate the presence of ransomware (Fernando et al., 2020). However, the effectiveness of various machine learning models and algorithms in ransomware detection depends on different factors, such as the specific application and the environment. For example, supervised learning algorithms are useful for identifying malicious activity by examining network traffic, user behavior, and system processes. By contrast, unsupervised learning algorithms are valuable for clustering data points and identifying anomalies in behavior. The capabilities of machine learning indicate its potential for enabling organizations to detect ransomware in computer systems. Although machine learning and dynamic analysis are useful techniques for ransomware detection, researchers have given minimal attention to comparing these techniques to identify the most effective method. The examination is essential to the realization of high standards of cybersecurity in businesses. As the nature of threats keeps changing, it is essential for cybersecurity experts to determine the most effective method of detecting ransomware to maintain the security of computer systems. Accordingly, this research aimed to compare the effectiveness of dynamic analysis and machine learning in the detection of ransomware. Through this analysis, it will be possible to determine the best approach to protecting computer systems against ransomware attacks. The level of accuracy of each of the techniques is a key element that researchers should examine to ensure the security of systems and data.
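As an added illustration (not code from this dissertation or its Detection Lab setup), the following Python script applies the kind of file-system anomaly rule described above, a burst of new files written by one process across several directories, to constructed Sysmon-style FileCreate events, and then scores the rule with the accuracy, recall and F1-score used in this study to compare the techniques. Process names, paths, labels and thresholds are made-up assumptions; the slow encryptor case shows how the choice of parameters changes the metrics.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in the shape of a Sysmon Event ID 11 (FileCreate) export:
# (UTC timestamp, process image, created path). Not real telemetry; the
# process names and paths are made up for this example.
EVENTS = [
    ("2024-01-01T10:00:00", "WINWORD.EXE", r"C:\Users\a\Documents\report.docx"),
    ("2024-01-01T10:00:30", "backup.exe", r"D:\backup\report.docx"),
    ("2024-01-01T10:00:31", "backup.exe", r"D:\backup\budget.xlsx"),
    ("2024-01-01T10:00:32", "backup.exe", r"D:\backup\notes.txt"),
    ("2024-01-01T10:00:33", "backup.exe", r"D:\backup\photo.jpg"),
    ("2024-01-01T10:05:00", "macro_payload.exe", r"C:\Users\a\Documents\report.docx.enc"),
    ("2024-01-01T10:05:00", "macro_payload.exe", r"C:\Users\a\Pictures\holiday.jpg.enc"),
    ("2024-01-01T10:05:01", "macro_payload.exe", r"C:\Users\a\Desktop\todo.txt.enc"),
    ("2024-01-01T10:05:01", "macro_payload.exe", r"C:\Users\a\Music\song.mp3.enc"),
    ("2024-01-01T10:05:02", "macro_payload.exe", r"C:\Users\a\Documents\README_RESTORE.txt"),
    # A slow encryptor: one file every two minutes, below the burst threshold.
    ("2024-01-01T10:10:00", "slow_enc.exe", r"C:\Users\a\Documents\q1.xlsx.enc"),
    ("2024-01-01T10:12:00", "slow_enc.exe", r"C:\Users\a\Pictures\cat.png.enc"),
    ("2024-01-01T10:14:00", "slow_enc.exe", r"C:\Users\a\Desktop\plan.txt.enc"),
]
# Constructed ground truth (1 = ransomware), used only to score the rule.
LABELS = {"WINWORD.EXE": 0, "backup.exe": 0, "macro_payload.exe": 1, "slow_enc.exe": 1}

def burst_alerts(events, window_s=60, min_files=4, min_dirs=3):
    """Processes creating >= min_files files in >= min_dirs directories within window_s."""
    per_proc = defaultdict(list)
    for ts, proc, path in events:
        per_proc[proc].append((datetime.fromisoformat(ts), path.rsplit("\\", 1)[0]))
    alerts = set()
    for proc, items in per_proc.items():
        items.sort()  # sliding window over time-ordered (timestamp, directory) pairs
        for i, (start, _) in enumerate(items):
            in_win = [d for t, d in items[i:] if t - start <= timedelta(seconds=window_s)]
            if len(in_win) >= min_files and len(set(in_win)) >= min_dirs:
                alerts.add(proc)
                break
    return alerts

def score(alerts, labels):
    """Accuracy, recall and F1-score of the rule against the labelled processes."""
    tp = sum(1 for p, y in labels.items() if y and p in alerts)
    fp = sum(1 for p, y in labels.items() if not y and p in alerts)
    fn = sum(1 for p, y in labels.items() if y and p not in alerts)
    tn = len(labels) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(labels), "recall": recall, "f1": f1}
```

With the default thresholds the backup job is not flagged (many files, one directory), the macro payload is, and the slow encryptor is missed, giving accuracy 0.75, recall 0.5 and F1 0.67; widening the window to ten minutes with a lower file count catches the slow encryptor too.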
1.2 Research Aim, Scope, and Objectives

1.2.1 Research Aim

This research aims to compare the effectiveness of machine learning versus dynamic analysis in the detection of ransomware in computer systems. By comparing the two techniques, it will be possible to guide cybersecurity experts and system administrators on the best practices for ransomware detection in computer systems.

1.2.2 Research Scope

The study will compare two techniques for ransomware detection: dynamic analysis and machine learning. Machine learning and dynamic analysis both provide the benefit of automating the ransomware detection process, but machine learning requires data for training. Dynamic analysis faces a limitation related to scaling, which is needed to enable the fast comparison of code and the timely identification of new malware. The study will collect data from a specific network to train and test the machine learning models used in this study, and it will depend on Detection Lab for the dynamic analysis technique. The goal of the Detection Lab is to create a virtual environment and use Splunk for the detection of ransomware. The accuracy of the two tools in detecting ransomware, including novel threats, will provide answers on the most effective technique for ransomware detection in computer systems.

1.2.3 Research Objectives

The comparison of the effectiveness of machine learning versus dynamic analysis in detecting ransomware in computer systems will be guided by three objectives. These objectives are as indicated below.
1. To compare the effectiveness of dynamic analysis and machine learning techniques for detecting ransomware by measuring their accuracy, recall, and F1-score.
2. To identify the benefits and limitations of dynamic analysis and machine learning for ransomware detection and offer insights into which technique is more effective in detecting ransomware under various conditions.
3. To contribute to the development of a more effective ransomware detection technique by providing recommendations for improving the performance of dynamic analysis and machine learning in detecting ransomware.

1.3 Ethical and Legal Review

This research does not involve any human or animal participants. Also, there is no intention to violate copyright laws. Furthermore, this research has used some public resources, such as the dataset, which I collected from the Kaggle website.

1.4 Research Questions

The following research questions will be answered in this research to enable the realization of the research objectives and aim.
1. How do the accuracy, recall, and F1-score of dynamic analysis and machine learning techniques compare when detecting ransomware?
2. What are the advantages and limitations of dynamic analysis and machine learning for detecting ransomware?
3. What features are most effective for detecting ransomware using dynamic analysis and machine learning techniques, and how do these features contribute to the accuracy of the detection process?

1.5 Novelty

The study is novel research because it aims to compare machine learning and dynamic analysis to determine the most effective technique for ransomware detection. Previous research examined the problem from different viewpoints. Some researchers explored this subject by using machine learning models and algorithms to detect ransomware, while others assessed dynamic analysis to detect ransomware in computer systems. However, there has been little effort to compare machine learning and dynamic analysis to understand the differences in their capabilities. Accordingly, the research is a novel study because it aims to compare the two techniques. Through the comparison, the researcher can make recommendations on the most appropriate method for detecting ransomware in computers and networks.
1.6 Structure of the Dissertation

The dissertation comprises several sections that cover various aspects of the examination of this issue. First, it provides an introduction that gives an overview of the topic, the aim of the study, the research objectives, the research questions, and the novelty of the research. It also outlines the structure of this dissertation. Second, the research will provide a literature review that examines issues from previous studies related to the subject under investigation. Third, the study provides a discussion of the techniques used in the Detection Lab and the machine learning techniques for identifying ransomware in computers and networks. Fourth, the research will present the results of the analysis, showing the effectiveness of both methods in detecting ransomware. Fifth, the research will present the discussion and evaluation of the results. Lastly, the paper will offer a conclusion that summarizes the findings and provides directions for future research.