DRTHIS: Deep ransomware threat hunting and intelligence system at the fog layer

Abstract

Ransomware, a malware designed to encrypt data for ransom payments, is a potential threat to fog layer nodes as such nodes typically contain considerably amount of sensitive data. The capability to efficiently hunt abnormalities relating to ransomware activities is crucial in the timely detection of ransomware. In this paper, we present our Deep Ransomware Threat Hunting and Intelligence System (DRTHIS) to distinguish ransomware from goodware and identify their families. Specifically, DRTHIS utilizes Long Short-Term Memory (LSTM) and Convolutional Neural Network (CNN), two deep learning techniques, for classification using the softmax algorithm. We then use 220 Locky, 220 Cerber and 220 TeslaCrypt ransomware samples, and 219 goodware samples, to train DRTHIS. In our evaluations, DRTHIS achieves an F-measure of 99.6% with a true positive rate of 97.2% in the classification of ransomware instances. Additionally, we demonstrate that DRTHIS is capable of detecting previously unseen ransomware samples from new ransomware families in a timely and accurate manner using ransomware from the CryptoWall, TorrentLocker and Sage families. The findings show that 99% of CryptoWall samples, 75% of TorrentLocker samples and 92% of Sage samples are correctly classified.