A NOVEL MULTI-STAGED DEEP LEARNING METHOD TO DETECT RANSOMWARE

Date

2024-08-02

Publisher

University of Idaho

Abstract

Ransomware has emerged as one of the most significant cyber threats, capable of causing irreversible damage to critical data and systems. Unlike traditional malware, ransomware employs encryption to lock files, making it difficult to detect and mitigate its effects. Early detection within the narrow pre-encryption window is crucial yet challenging due to the insufficiency of attack pattern data and the polymorphic nature of ransomware. The study develops a multi-phase model for early ransomware detection, which improves accuracy and reduces false positives compared to traditional methods. The model addresses these challenges through a comprehensive ransomware detection framework that integrates data augmentation using Generative Adversarial Networks (GANs), adaptive feature selection techniques, and improved Deep Belief Networks (DBNs) for higher detection accuracy.

The methodology is structured into three main phases, each of which introduces one contribution. The first phase performs data augmentation using improved GANs to create artificial attack patterns that resemble real ransomware behavior. The contribution in this phase is the development of a Bi-Gradual Minimax GAN (BGM-GAN) for ransomware data augmentation, addressing the data insufficiency during the early phases of ransomware attacks. In the second phase, the IMIS technique processes data in batches, dynamically updating feature relevance to accommodate the evolving characteristics of ransomware. The contribution in this phase is the dynamicity of IMIS, which can adapt to the evolving nature of ransomware behavior. This technique reduces computational load and enhances the model's adaptability to new attack patterns, ensuring precise selection of relevant and non-redundant features. In the third phase, the DBN-based ransomware detection model is trained using the augmented dataset and selected features. The model's parameters, such as early stopping criteria, are then tuned to prevent overfitting and improve detection accuracy. The contribution in this phase is the Uncertainty-Aware Dynamic Early Stopping (UA-DES) technique, which optimizes the number of epochs and so helps prevent both overfitting and underfitting when training the ransomware early detection model.

The results obtained by the model show improvements in detection accuracy and false positive rates through data augmentation, feature selection, and model training, contributing to addressing evolving ransomware detection challenges. The BGM-GAN technique enhanced the ability of the model to produce synthetic ransomware patterns that mimic real attack behaviors prior to encryption. The technique improved the accuracy from 90% (achieved by related work) to 94% by generating more accurate synthetic data, boosting the model's ability to detect ransomware attacks, particularly in cases where true attack data is scarce. The IMIS approach shows better accuracy and false positive rates than related techniques. The accuracy increased to 96%, compared to 94% obtained by the related work, and the false positive rate was reduced from 15.4% to 14%, highlighting the significance of dynamic and adaptive feature selection. The UA-DES increased detection accuracy to 98.6%, up from the 95.8% obtained by related work, and decreased the false positive rate to 10%, improving upon the 11% achieved by related research. This underscores the ability of UA-DES to optimize the number of training epochs and avoid overfitting.

Keywords

Ransomware, encryption, multi-phase model, early detection, Generative Adversarial Networks, feature selection techniques, Deep Belief Networks

Copyright owned by the Saudi Digital Library (SDL) © 2025