Sheldon, Frederick
Alqahtani, Abdullah
2024-09-10
2024-09-10
2024-08
https://hdl.handle.net/20.500.14154/73041

Abstract

Ransomware attacks pose a substantial threat to individuals, businesses, and governments, causing significant damage through data encryption and ransom demands. Early detection is crucial for effective prevention and mitigation. However, current detection techniques face limitations due to the dynamic nature of ransomware behavior and the scarcity of data in the initial attack stages. This dissertation addresses these limitations by developing three efficient techniques for early ransomware detection.

The first technique, Temporal Data Correlation (TDC), leverages the temporal relationship between API calls and I/O Request Packets (IRPs) to accurately delineate the pre-encryption boundary. By constructing a vector of API-IRP pairs, TDC captures the crucial pre-encryption phase, enabling earlier and more accurate detection. Additionally, the Improved Pre-Encryption Feature Extraction (IPFE) technique extracts relevant features from the pre-encryption data, further enhancing detection capabilities. The technique shows that on average the accuracy was improved from 88.6% to 92%.

The second technique, enhanced Mutual Information Feature Selection (eMIFS), addresses the challenge of perceiving common characteristics among features in datasets with limited attack patterns. eMIFS incorporates a normalized hyperbolic function to improve redundancy coefficient estimation and adapt the MIFS technique for early ransomware detection. This approach considers the individual characteristics of features, leading to a more robust and accurate detection model. On average, the technique shows that the accuracy increased to 95%.

The third technique presents a novel approach using an enhanced Long Short-Term Memory (LSTM) model with a multi-head self-attention mechanism. This model utilizes a multi-head self-attention LSTM network to improve feature selection and focus on the most relevant aspects of the data for accurate detection. A comprehensive dataset of ransomware samples and benign applications is used for training and evaluation, demonstrating significant improvement in accuracy and efficiency compared to existing methods. On average, the improved model increased the accuracy to 96.5%.

Through experimental evaluations, these techniques have been shown to effectively detect ransomware attacks at an early stage, contributing to the advancement of cybersecurity measures. The importance of early detection in mitigating the impact of ransomware attacks on individuals, businesses, and governmental institutions is emphasized. The developed methods for 1) pre-encryption boundary delineation, 2) feature selection, and 3) enhanced LSTM modeling improve the reliability and effectiveness of early ransomware detection. These advancements have the potential to enhance computer system security, mitigate the detrimental consequences of ransomware attacks, and safeguard valuable digital assets. Further refinement and development of these techniques will continue to contribute to the advancement of cybersecurity ransomware countermeasures.

142
en-US
CYBERSECURITY
CRYPTO-RANSOMWARE
DETECTION
PREVENTION
CYBERSECURITY IN THE DEEP LEARNING ERA: A COMPREHENSIVE FRAMEWORK FOR CRYPTO-RANSOMWARE DETECTION AND PREVENTION
Thesis