Crypto-ransomware detection using machine learning models in file-sharing network scenario with encrypted traffic
Eduardo Berrueta, Daniel Morato, Eduardo Magaña, Mikel Izal

TL;DR
This paper presents a machine learning-based tool for detecting ransomware in file-sharing networks, capable of identifying infections in both encrypted and unencrypted traffic with high accuracy.
Contribution
It introduces a novel detection method analyzing file-sharing traffic patterns using machine learning, effective against multiple ransomware strains, including unseen variants.
Findings
Detects all tested ransomware binaries, including unseen strains
Works with both encrypted and clear text protocols
Maintains low false positive rate
Abstract
Ransomware has been considered a significant threat to most enterprises for the past few years. In scenarios where users can access all files on a shared server, one infected host can lock access to all shared files. We propose a tool to detect ransomware infection based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and, using machine learning techniques, searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. The proposal is designed to work for clear-text and for encrypted file-sharing protocols. We compare three machine learning models and choose the best for validation. We train and test the detection model using more than 70 ransomware binaries from 26 different strains and more than 2500 hours of non-infected traffic from real users. The results reveal that…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Cybercrime and Law Enforcement Studies
