Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection

TL;DR

This paper introduces NetConverse, a machine learning approach that analyzes Windows ransomware network traffic to achieve high detection accuracy, addressing evasion tactics and improving cybersecurity defenses.

Contribution

The paper presents a novel machine learning method, NetConverse, utilizing conversation-based network features for effective ransomware detection on Windows systems.

Findings

Achieved 97.1% true positive detection rate

Utilized conversation-based network traffic features

Demonstrated robustness against evasion techniques

Abstract

Ransomware has become a significant global threat with the ransomware-as-a-service model enabling easy availability and deployment, and the potential for high revenues creating a viable criminal business model. Individuals, private companies or public service providers e.g. healthcare or utilities companies can all become victims of ransomware attacks and consequently suffer severe disruption and financial loss. Although machine learning algorithms are already being used to detect ransomware, variants are being developed to specifically evade detection when using dynamic machine learning techniques. In this paper, we introduce NetConverse, a machine learning analysis of Windows ransomware network traffic to achieve a high, consistent detection rate. Using a dataset created from conversation-based network traffic features we achieved a true positive detection rate of 97.1% using the Decision Tree (J48) classifier.