

Journal of Information Science and Engineering, Vol. 40 No. 6, pp. 1161-1172


Detecting and Classifying Ransomware Using Network Packet Analysis and Machine Learning


TAI-HUNG LAI1, WEN-TSUNG TSAI1, SHAO-RU LIN2,
TE-MIN LIU3 AND CHAO-LUNG CHOU4,+
1Department of Computer Science and Information Engineering
Chung Cheng Institute of Technology
National Defense University
Taoyuan, 335 Taiwan

2National Chung-Shan Institute of Science and Technology
Taoyuan, 325 Taiwan

3Network Traffic Packets Analysis Association
Taipei, 106 Taiwan

4Department of Information Engineering and Computer Science
Feng Chia University
Taichung, 407 Taiwan
E-mail: {sudolai; wentsung.tsai; oceankeep; dmliu99999; chaolung.chou+}@gmail.com


This study examines the abnormal behaviors that ransomware attacks exhibit in network environments. We propose two features, the number of network packets that reference ransomware-associated files and the number of access-denied responses for shared files, to detect whether computers within the same local area network are under attack by ransomware. Classifiers are then trained on these two features with several machine learning algorithms, including decision trees, sequential minimal optimization, and simple logistic regression, to distinguish between different types of ransomware. The experiments use three well-known ransomware families: WannaCry, Conti, and Maze. Over 600 experimental runs, the average classification accuracy exceeds 99.25%, demonstrating the effectiveness of the proposed method for detecting and classifying ransomware.
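To make the two features concrete, the following added example (not code from the paper or its authors) computes them per source host over a set of already-parsed SMB2 request/response pairs and applies a simple threshold rule in place of the trained classifier. The record layout, the indicator list of ransomware-associated file names, the thresholds and the sample traffic are all assumptions made for this illustration; the paper itself does not publish its feature-extraction code.

```python
"""Added example: per-host feature extraction over parsed SMB2 traffic.

Assumed inputs: one record per SMB2 request with the NT status of its
matching response. Real deployments would fill these from a packet
parser (e.g. a pcap dissector); here the records are constructed inline.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# NT status returned by a file server when a share or file is not writable.
STATUS_ACCESS_DENIED = 0xC0000022

# Assumed indicator list: file names / extensions associated with each family.
# This is illustrative only; a production list would be tuned and much longer.
RANSOM_INDICATORS = {
    "WannaCry": (".wncry", "@please_read_me@.txt"),
    "Conti": (".conti", "readme.txt"),
    "Maze": ("decrypt-files.txt",),
}


@dataclass
class Smb2Record:
    src: str       # client IP that issued the request
    cmd: str       # SMB2 command name, e.g. "CREATE", "WRITE", "READ"
    path: str      # share-relative path named in the request
    status: int    # NT status carried in the matching response


def family_of(path: str) -> Optional[str]:
    """Return the family whose indicator the path matches, or None."""
    lowered = path.lower()
    for family, markers in RANSOM_INDICATORS.items():
        if any(lowered.endswith(m) for m in markers):
            return family
    return None


def extract_features(records: List[Smb2Record]) -> Dict[str, dict]:
    """Per source host: packets naming a ransomware-associated file,
    access-denied responses, and a tally of which family's indicators hit."""
    feats: Dict[str, dict] = {}
    for rec in records:
        f = feats.setdefault(
            rec.src, {"ransom_file_pkts": 0, "access_denied": 0, "families": Counter()}
        )
        family = family_of(rec.path)
        if family is not None:
            f["ransom_file_pkts"] += 1
            f["families"][family] += 1
        if rec.status == STATUS_ACCESS_DENIED:
            f["access_denied"] += 1
    return feats


def classify(feats: Dict[str, dict], min_ransom_pkts: int = 5,
             min_denied: int = 3) -> Dict[str, Optional[str]]:
    """Threshold rule standing in for the trained model (assumed values).
    A host is flagged when either feature crosses its threshold; the
    dominant indicator family is reported, or "unknown" if none matched."""
    verdicts: Dict[str, Optional[str]] = {}
    for host, f in feats.items():
        suspicious = (f["ransom_file_pkts"] >= min_ransom_pkts
                      or f["access_denied"] >= min_denied)
        if not suspicious:
            verdicts[host] = None
        elif f["families"]:
            verdicts[host] = f["families"].most_common(1)[0][0]
        else:
            verdicts[host] = "unknown"
    return verdicts


# Constructed sample traffic: one host mass-renaming files on a share and
# being refused on a second share, one host doing ordinary work.
SAMPLE_RECORDS: List[Smb2Record] = (
    [Smb2Record("10.0.0.5", "CREATE", f"\\finance\\report{i}.xlsx.wncry", 0)
     for i in range(6)]
    + [Smb2Record("10.0.0.5", "CREATE", "\\finance\\@Please_Read_Me@.txt", 0)]
    + [Smb2Record("10.0.0.5", "CREATE", "\\hr\\payroll.docx", STATUS_ACCESS_DENIED)
       for _ in range(4)]
    + [Smb2Record("10.0.0.7", "READ", "\\finance\\budget.xlsx", 0),
       Smb2Record("10.0.0.7", "CREATE", "\\hr\\readme.txt", 0)]
)

if __name__ == "__main__":
    features = extract_features(SAMPLE_RECORDS)
    for host, verdict in classify(features).items():
        print(host, features[host]["ransom_file_pkts"],
              features[host]["access_denied"], verdict)
```

Note that a generic indicator such as `readme.txt` fires on benign traffic too (host 10.0.0.7 above scores one hit), which is why the feature is a count over a window rather than a single match; the paper's contribution is feeding such counts, together with the access-denied count, to a classifier rather than relying on any one file name.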


Keywords: abnormal behaviors, ransomware, packet analysis, machine learning, WannaCry

  Retrieve PDF document (JISE_202406_01.pdf)