Critical Feature Selection for Machine Learning Approaches to Detect Ransomware

Abstract

It has been nearly three decades since the first strain of ransomware surfaced online, but still, it is one of the most destructive malwares of all time, costing millions of dollars around the globe each year. Ransomware is a type of malware that encrypts all the data on an infected device using asymmetric encryption algorithms and demands a ransom to decrypt the data. As it is nearly impossible to recover the encrypted data without having a backup, victims end up paying the ransomware or lose the data. Therefore, the best approach is to detect the ransomware at its initial stages and remove it before any damage is done. Traditional methods of signature-based detection are useless against the newer ransomware families as they exhibit polymorphic techniques and change their signatures frequently. This paper critically reviews some of the existing detection methods that use behavioural analysis using machine learning techniques. To test the efficiency and accuracy of various machine learning algorithms, logs from an infected windows machine were analysed using supervised machine learning algorithms to classify it as ransomware or non-ransomware. Secondly, the datasets were split into training and testing set to check the accuracy of the trained models and finally the most important behavioural features were determined that are most crucial in classifying differentiating a log file from a ransomware infected machine to that of an uninfected machine.