RanSAP: An open dataset of ransomware storage access patterns for training machine learning models

Abstract

Ransomware, the malicious software that encrypts user files to demand a ransom payment, is one of the most common and persistent threats. Cyber-criminals create new ransomware variants to evade protections shortly after anti-virus software vendors updated their signature (e.g., static feature obtained from binaries) database. Therefore, many ransomware detection systems today begin to employ behavioral features, or dynamic features, in addition to static features. However, even though ransomware detection using dynamic features can deal with ransomware variants, it has the following limitations: (1) it requires the ransomware to be executed, (2) ransomware may behave differently in a real environment that differs from the controlled environment, and (3) a ransomware sample can become deactivated when command and control (C&C) servers are taken down; hence, they make it impossible to compare multiple detection systems proposed by researchers under identical conditions.To address the limitations, we present ransap, our new open dataset of ransomware storage access patterns. The dataset is currently available in a public repository. To our best knowledge, the dataset is one of the few open datasets consisting of dynamic features of ransomware.Our new open dataset includes storage access patterns of 7 significant ransomware samples and 5 popular benign software samples on various types and conditions of storage devices. Moreover, the dataset provides access patterns of ransomware variants, those on a different version of an operating system, and those on storage devices with a full drive encryption function enabled. We first present a hypervisor-based monitoring system of storage access patterns followed by a design and an implementation of a feature extractor and machine learning models for ransomware detection. Next, a detailed analysis and evaluation of our dataset are presented. Finally, limitations of our new dataset, comparison with other dynamic analysis methods, state-of-the-art ransomware detection, and future research direction are presented.