Abstract

Ransomware analysis is a crucial component of cybersecurity defense mechanisms. Recently, attackers have been obfuscating parts of ransomware attack code using steganography, using it to carry malicious JavaScript and even to deliver cryptominers. Steganography can be used to understand a system, to leak sensitive information, and to run a command-and-control channel without being detected by any anti-malware agent, which means a cyberattack can operate undetected and bypass every defense that is based on detection or analysis. Many approaches have been proposed, and most of them analyze the portable executable (PE) file of the malware that is injected directly into the target system. However, all of these existing systems fail to detect ransomware when it is obfuscated in this way. In this article, a stegomalware detection system is proposed to find the presence of hidden payloads in input images, to extract the hidden payloads, and to verify whether a hidden payload is part of a stego-ransomware attack. The proposed system uses three phases, hidden payload detection, hidden payload extraction, and classification, to detect stegoware. An ant colony optimization algorithm is used in the detection phase to find an optimal subset of features for detecting obfuscation. Stego-repository images are decoded to extract the items hidden steganographically inside the input. A two-stage ensemble classifier processes the extracted payloads: first, a binary classifier determines whether the extracted payload is a benign or malignant file; if it is found to be malignant, the exact percentage of malicious activity it can exert on the target host system is then calculated using a fuzzy C-means clustering algorithm. Simulation results show that the proposed system drastically reduces dimensionality and significantly improves classification accuracy.
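The three phases named in the abstract (detect a hidden payload, extract it, classify it) can be illustrated end to end on a toy LSB stego image. The following is an added example written for this page; it is not the authors' system and reproduces neither their ant colony feature selection nor their fuzzy C-means stage. It assumes sequential LSB replacement with a 32-bit length header as the hiding scheme, uses the classic pairs-of-values chi-square statistic (Westfeld and Pfitzmann) as the detector, and stands in a small constructed token list for the classifier. The cover image, payload, token list and the 0.5 threshold are all constructed for the example.

```python
"""
Added example (not from the paper): detect -> extract -> classify over a
constructed 8-bit grayscale pixel buffer. Pure Python, no image libraries.
"""
import struct

# Constructed token list for the toy classifier (an assumption, not the paper's
# learned feature set); a real system would learn features, not match strings.
SUSPICIOUS_TOKENS = (b"eval(", b"atob(", b"unescape(", b"ActiveXObject",
                     b"WScript.Shell", b"powershell")


def make_cover(width=64, height=32):
    """Constructed synthetic cover: a gradient with every pixel forced even.
    Natural images have unbalanced (2k, 2k+1) value pairs; this is the
    extreme case, which makes the chi-square effect easy to see."""
    return bytearray(((x * 3 + y * 2) % 256) & 0xFE
                     for y in range(height) for x in range(width))


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(cover, payload):
    """Sequential LSB replacement with a 32-bit big-endian length header.
    Used here only to build the sample stego image the detector is run on."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(framed)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def pov_chi_square(pixels):
    """Phase 1 statistic: normalized pairs-of-values chi-square.
    LSB replacement equalizes the histogram counts of values 2k and 2k+1,
    driving the statistic toward 0; an untouched image keeps unbalanced
    pairs and scores higher (exactly 1.0 for the all-even cover above)."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            stat += (a - b) ** 2 / (a + b)
    return stat / len(pixels)


def is_stego(pixels, threshold=0.5):
    """Threshold chosen for this constructed data, not a general calibration."""
    return pov_chi_square(pixels) < threshold


def lsb_extract(pixels):
    """Phase 2: recover the framed payload from the LSB plane."""
    bits = [v & 1 for v in pixels]

    def read_bytes(start, n):
        out = bytearray()
        for i in range(n):
            byte = 0
            for bit in bits[start + i * 8:start + i * 8 + 8]:
                byte = (byte << 1) | bit
            out.append(byte)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(bits):
        raise ValueError("declared length exceeds image")
    return read_bytes(32, length)


def classify(payload):
    """Phase 3: binary verdict plus a suspicion score in percent
    (fraction of constructed tokens present; not the paper's FCM score)."""
    hits = sum(1 for tok in SUSPICIOUS_TOKENS if tok in payload)
    score = round(100.0 * hits / len(SUSPICIOUS_TOKENS), 1)
    return ("malignant" if hits else "benign", score)


def run_pipeline(pixels):
    """Chain the three phases; extraction only runs when detection fires."""
    if not is_stego(pixels):
        return ("clean", None, None)
    verdict, score = classify(lsb_extract(pixels))
    return ("stego", verdict, score)


# Constructed sample payload: a JavaScript-looking loader string with a
# placeholder, padded so it occupies most of the 64x32 cover.
SAMPLE_PAYLOAD = (b"// constructed sample, not real malware\n"
                  b"var s = atob('PLACEHOLDER_BASE64');\n"
                  b"eval(s);\n"
                  + b"// filler to use most of the cover\n" * 4)

if __name__ == "__main__":
    cover = make_cover()
    stego = lsb_embed(cover, SAMPLE_PAYLOAD)
    print("cover :", round(pov_chi_square(cover), 3), run_pipeline(cover))
    print("stego :", round(pov_chi_square(stego), 3), run_pipeline(stego))
```

Running the module prints the chi-square value for the clean cover (1.0) and for the stego image (well below the threshold), followed by each pipeline verdict. The detector works because LSB replacement evens out each (2k, 2k+1) histogram pair; that is exactly the statistical regularity a feature-selection stage such as the paper's ant colony optimization would have to pick out of a much larger feature pool.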
