Evaluation metric for crypto-ransomware detection using machine learning


Abstract

Ransomware is a type of malware that blocks access to its victim's resources until a ransom is paid. Crypto-ransomware is a type of ransomware that blocks access to its victim's files by the use of an encryption algorithm. The encrypted file remains permanently blocked, even if the victim is able to remove the ransomware from the infected file. This has forced victims to pay the ransom demanded in exchange for a decryption key, although the decryption key provided is not guaranteed to work. To address this situation, we propose a pre-encryption detection algorithm (PEDA) for detecting crypto-ransomware prior to the occurrence of any encryption. The PEDA has two levels of detection. The first is a signature repository (SR) that identifies any matches of the signature with that of known ransomware. The second detection level uses a learning algorithm (LA) that can detect both known and unknown crypto-ransomware. The LA uses a machine learning approach to train the predictive model using data from the application program interface (API). In order to understand PEDA functionality, the LA is evaluated using conventional and unconventional metrics. Conventional metrics such as the true positive rate, accuracy, and precision can provide important performance indicators, but are not comprehensive enough to assess the LA's capability. Six new metrics are proposed to provide greater insight. Based on the results, it can be concluded that the LA achieved its objective of detecting crypto-ransomware before the encryption is viable and that its performance is robust with a high net benefit.

Citation (APA)

Kok, S. H., Azween, A., & Jhanjhi, N. Z. (2020). Evaluation metric for crypto-ransomware detection using machine learning. Journal of Information Security and Applications, 55. https://doi.org/10.1016/j.jisa.2020.102646
