24 research outputs found

    An ensemble-based anomaly-behavioural crypto-ransomware pre-encryption detection model

    Crypto-ransomware is malware that leverages cryptography to encrypt files for extortion purposes. Even after such attacks are neutralized, the targeted files remain encrypted. This irreversible effect on the target is what distinguishes crypto-ransomware attacks from traditional malware. Thus, it is imperative to detect such attacks during the pre-encryption phase. However, existing crypto-ransomware early detection solutions are not effective due to inaccurate definition of the pre-encryption phase boundaries, insufficient data at that phase, and the misuse-based approach the solutions employ, which is not suitable for detecting new (zero-day) attacks. Consequently, those solutions suffer from low detection accuracy and high false alarm rates. Therefore, this research addressed these issues and developed an Ensemble-Based Anomaly-Behavioural Pre-encryption Detection Model (EABDM) to overcome data insufficiency and improve detection accuracy for known and novel crypto-ransomware attacks. Three phases were used in the development of EABDM. In the first phase, a Dynamic Pre-encryption Boundary Definition and Features Extraction (DPBD-FE) scheme was developed by incorporating Rocchio feedback and a vector space model to build a pre-encryption boundary vector. Then, an improved term frequency-inverse document frequency technique was used to extract features from runtime data generated during the pre-encryption phase of the crypto-ransomware attack lifecycle. In the second phase, a Maximum of Minimum-Based Enhanced Mutual Information Feature Selection (MM-EMIFS) technique was used to select an informative feature set and prevent the overfitting caused by high-dimensional data. MM-EMIFS uses the developed Redundancy Coefficient Gradual Upweighting (RCGU) technique to overcome data insufficiency during the pre-encryption phase and improve feature significance estimation. In the final phase, an improved technique called incremental bagging (iBagging) built incremental data subsets for the anomaly-based and behavioural-based detection ensembles. The enhanced semi-random subspace selection (ESRS) technique was then used to build noise-free and diverse subspaces for each of these incremental data subsets. Based on the subspaces, the base classifiers were trained for each ensemble. Both ensembles employ majority voting to combine the decisions of their base classifiers. The decision of the anomaly ensemble was then combined into the behavioural ensemble, which gave the final decision. The experimental evaluation showed that the DPBD-FE scheme reduced the ratio of crypto-ransomware samples whose pre-encryption boundaries were missed from 18% to 8% compared to existing works. Additionally, the features selected by the MM-EMIFS technique improved detection accuracy from 89% to 96% compared to existing techniques. Likewise, on average, the EABDM model increased detection accuracy from 85% to 97.88% and reduced false positive alarms from 12% to 1% in comparison to existing early detection models. These results demonstrate the ability of EABDM to improve the detection accuracy of crypto-ransomware attacks early, before encryption takes place, thereby protecting files from being held to ransom.

    The Impact of Mobile DIS and Rank-Decreased Attacks in Internet of Things Networks

    With a predicted 50 billion devices by the end of 2020, the Internet of Things has grown exponentially in the last few years. This growth has seen an increasing demand for mobility support in low power and lossy sensor networks, a type of network characterized by several limitations in terms of resources, including CPU, memory, and battery, causing manufacturers to push products out to the market faster, without the necessary security features. IoT networks rely on the Routing Protocol for Low Power and Lossy Networks (RPL), designed by the Internet Engineering Task Force (IETF), for communication. This protocol has been proven to be efficient at handling routing in such constrained networks. However, research studies revealed that RPL was inherently designed for static networks, and it handles mobile or dynamic topologies poorly, which is worsened when a mobile attacker is introduced. In this paper, two IoT routing attacks are evaluated under a mobile attacker with the aim of providing a critical evaluation of the impact the attacks have on the network in comparison to the case with a static attacker. The first attack is the Rank attack, in which the attacker announces false routing information to its neighbours, attracting them to forward their data via the attacker. The second attack is the DIS attack, in which the attacker floods the network with DIS messages, triggering nodes to reset their transmission timers and send messages more frequently. The comparisons were conducted in terms of average power consumption and packet delivery ratio (PDR). Based on the results collected from the simulations, it was established that when an attacking node is mobile, there is an average increase of 36.6 in power consumption and a decrease of 14 in packet delivery ratio when compared to a static attacking node.

    A Fuzzy-Based Context-Aware Misbehavior Detecting Scheme for Detecting Rogue Nodes in Vehicular Ad Hoc Network

    A vehicular ad hoc network (VANET) is an emerging technology that improves road safety, traffic efficiency, and passenger comfort. VANET applications rely on co-operativeness among vehicles, which periodically share their context information, such as position, speed, and acceleration, among others, at a high rate due to high vehicle mobility. However, rogue nodes, which exploit the co-operativeness feature and share false messages, can disrupt the fundamental operations of any potential application and cause the loss of people’s lives and property. Unfortunately, most current solutions cannot effectively detect rogue nodes due to the continuous context change and their failure to consider dynamic data uncertainty during identification. Although a few context-aware solutions have been proposed for VANET, most of them are data-centric: a vehicle is considered malicious if it shares false or inaccurate messages. Such a rule is fuzzy and not consistently accurate due to the dynamic uncertainty of the vehicular context, which leads to a poor detection rate. To this end, this study proposed a fuzzy-based context-aware detection model to improve the overall detection performance. A fuzzy inference system is constructed to evaluate vehicles based on the information they generate. The output of the fuzzy inference system is used to build a dynamic context reference. Vehicles are classified as either honest or rogue nodes based on the deviation of their evaluation scores, calculated using the fuzzy inference system, from the context reference. Extensive experiments were carried out to evaluate the proposed model. Results show that the proposed model outperforms the state-of-the-art models. It achieves a 7.88% improvement in overall performance, while a 16.46% improvement is attained for detection rate compared to the state-of-the-art model. The proposed model can be used to evict rogue nodes, and thus improve the safety and traffic efficiency of crewed or uncrewed vehicles designed for different environments: land, naval, or air.

    Zero-Day Aware Decision Fusion-Based Model for Crypto-Ransomware Early Detection

    Crypto-ransomware employs cryptography to lock users' personal files and demands a ransom to release them. By utilizing several technological utilities such as cyber-currency and cloud-based development platforms, crypto-ransomware has gained high popularity among adversaries. Motivated by the monetary revenue, crypto-ransomware developers continuously produce many variants of such malicious programs to evade detection. Consequently, the rate of novel crypto-ransomware attacks is continuously increasing. As such, it is imperative for detection solutions to be able to discover these novel attacks, also called zero-day attacks. While anomaly detection-based solutions are able to deal with this problem, they suffer from a high rate of false alarms. Thus, this paper puts forward a detection model that combines anomaly-based with behavioral-based detection approaches. In this model, two types of detection estimators were built. The first type is an ensemble of behavioral-based classifiers, whereas the second type is an anomaly-based estimator. The decisions of both types of estimators were combined using a fusion technique. The proposed model is able to detect novel attacks while maintaining a low false alarm rate. By applying the proposed model, the detection rate was increased from 96% to 99% and the false positive rate was as low as 2.4%.

    An Adaptive Early Stopping Technique for DenseNet169-Based Knee Osteoarthritis Detection Model

    Knee osteoarthritis (OA) detection is an important area of research in health informatics that aims to improve the accuracy of diagnosing this debilitating condition. In this paper, we investigate the ability of DenseNet169, a deep convolutional neural network architecture, to detect knee osteoarthritis from X-ray images. We focus on the DenseNet169 architecture and propose an adaptive early stopping technique that utilizes gradual cross-entropy loss estimation. The proposed approach allows for the efficient selection of the optimal number of training epochs, thus preventing overfitting. To achieve the goal of this study, an adaptive early stopping mechanism that observes the validation accuracy as a threshold was designed. Then, the gradual cross-entropy (GCE) loss estimation technique was developed and integrated into the epoch training mechanism. Both adaptive early stopping and GCE were incorporated into DenseNet169 for the OA detection model. The performance of the model was measured using several metrics, including accuracy, precision, and recall. The obtained results were compared with those of existing works. The comparison shows that the proposed model outperformed the existing solutions in terms of accuracy, precision, recall, and loss performance, which indicates that adaptive early stopping coupled with GCE improved the ability of DenseNet169 to accurately detect knee OA.

    Ransomware detection using the dynamic analysis and machine learning: A survey and research directions

    Ransomware is a notorious type of malware that has gained recognition because of its lethal and irrevocable effects on its victims. The irreparable loss caused by ransomware requires the timely detection of these attacks. Several studies, including surveys and reviews, have been conducted on the evolution, taxonomy, trends, threats, and countermeasures of ransomware. Some of these studies were specifically dedicated to IoT and Android platforms. However, no study in the available literature addresses the significance of dynamic analysis for ransomware detection across all targeted platforms. This study also provides information about the datasets, and their sources, that were utilized in ransomware detection studies on the various platforms. This study is also distinct in surveying ransomware detection studies that utilize machine learning, deep learning, and a blend of both techniques while capitalizing on the advantages of dynamic analysis for ransomware detection. The presented work considers ransomware detection studies conducted from 2019 to 2021. This study provides an ample list of future directions that will pave the way for future research.

    Malware detection issues, challenges, and future directions: A survey

    The evolution of recent malicious software, together with the rising use of digital services, has increased the probability of data corruption, information theft, and other cybercrimes caused by malware attacks. Therefore, malicious software must be detected before it impacts a large number of computers. Recently, many malware detection solutions have been proposed by researchers. However, many challenges prevent these solutions from effectively detecting several types of malware, especially zero-day attacks, due to obfuscation and evasion techniques, as well as the diversity of malicious behavior caused by the rapid rate at which new malware and malware variants are produced every day. Several review papers have explored the issues and challenges of malware detection from various viewpoints. However, there is a lack of a deep review article that associates each analysis and detection approach with the data type. Such an association is imperative for the research community, as it helps to determine the suitable mitigation approach. In addition, current survey articles stop at a generic detection approach taxonomy. Moreover, some review papers presented the feature extraction methods as static, dynamic, and hybrid based on the utilized analysis approach and neglected the feature representation methods taxonomy, which is considered essential in developing a malware detection model. This survey bridges the gap by providing a comprehensive state-of-the-art review of malware detection model research. It introduces a feature representation taxonomy in addition to a deeper taxonomy of malware analysis and detection approaches, and links each approach with the most commonly used data types. The feature extraction methods are introduced according to the techniques used rather than the analysis approach. The survey ends with a discussion of the challenges and future research directions.

    Deep Kalman neuro fuzzy-based adaptive broadcasting scheme for Vehicular Ad Hoc Network: A context-aware approach

    Vehicular Ad Hoc Networks (VANETs) are among the main enablers for future Intelligent Transportation Systems (ITSs), as they facilitate information sharing, which improves road safety and traffic efficiency and provides passenger comfort. Due to the dynamic nature of VANETs, vehicles need to exchange Cooperative Awareness Messages (CAMs) more frequently to maintain network agility and preserve application performance. However, in many situations, broadcasting at a high rate congests the communication channel, rendering the VANET unreliable. Existing broadcasting schemes designed for VANETs use partial context variables to control the broadcasting rate. Additionally, CAM uncertainty, which is context-dependent, has been neglected, and a predefined fixed certainty threshold has been used instead, which is not suitable for a highly dynamic context. Consequently, vehicles disseminate a high rate of unnecessary CAMs, which degrades VANET performance. A good broadcasting scheme should accurately determine which CAMs are broadcast and when. To this end, this study proposes a Context-Aware Adaptive Cooperative Awareness Messages Broadcasting Scheme (CA-ABS) using a combination of an Adaptive Kalman Filter, Autoregression, Sequential Deep Learning, and a Fuzzy Inference System. Four context variables are used to represent the vehicular context, namely individual driving behaviors, CAM uncertainty, vehicle density, and traffic flow. The Kalman Filter and Autoregression are used to estimate and predict the CAMs, respectively. The deep learning model is constructed to estimate CAM uncertainty, an important context variable that has been neglected in previous research. The Fuzzy Inference System takes the context variables as input and determines an accurate broadcasting threshold and broadcasting interval. Extensive simulations have been conducted to evaluate the proposed scheme. Results show that the proposed scheme improves the CAM delivery ratio and decreases the CAM prediction errors.

    An adaptive protection of flooding attacks model for complex network environments

    Currently, online organizational resources and assets are potential targets of several types of attack, the most common being flooding attacks. We consider the Distributed Denial of Service (DDoS) attack to be the most dangerous type of flooding attack that could target those resources. A DDoS attack consumes available network resources such as bandwidth, processing power, and memory, thereby limiting or withholding accessibility to users. A Flash Crowd (FC) is quite similar to a DDoS attack: many legitimate users concurrently access a particular service, and their number results in a denial of service. Researchers have proposed many different models to eliminate the risk of DDoS attacks, but only a few efforts have been made to differentiate them from FC flooding, as FC flooding also causes a denial of service and usually misleads the detection of DDoS attacks. In this paper, an adaptive agent-based model, known as the Adaptive Protection of Flooding Attacks (APFA) model, is proposed to protect the Network Application Layer (NAL) against DDoS flooding attacks and FC flooding traffic. The APFA model, with the aid of an adaptive analyst agent, distinguishes between DDoS and FC abnormal traffic. It then separates the DDoS botnet from Demons and Zombies to apply a suitable attack handling methodology. The agent relies on three parameters, normal traffic intensity, traffic attack behavior, and an IP address history log, to decide on the operation of two traffic filters. We test and evaluate the APFA model via a simulation system using CIDDS as a standard dataset. The model successfully adapts to changes in the simulated attack scenarios and determines 303,024 request conditions for the tested 135,583 IP addresses. It achieves an accuracy of 0.9964, a precision of 0.9962, and a sensitivity of 0.9996, and outperforms three tested similar models. In addition, the APFA model contributes to identifying and handling the actual trigger of a DDoS attack and differentiates it from FC flooding, which is rarely implemented in one model.