Please use this identifier to cite or link to this item: http://repository.aaup.edu/jspui/handle/123456789/2061
Full metadata record
| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Abu Helo, Hamdi Yasser Ayoub$AAUP$Palestinian | - |
| dc.date.accessioned | 2024-08-22T10:10:44Z | - |
| dc.date.available | 2024-08-22T10:10:44Z | - |
| dc.date.issued | 2024-03 | - |
| dc.identifier.uri | http://repository.aaup.edu/jspui/handle/123456789/2061 | - |
| dc.description | Master \ Cyber Security | en_US |
| dc.description.abstract | Computer malware has been growing at a rapid pace in recent years, with ransomware emerging as a particularly powerful threat. Numerous victims, including companies, hospitals, and individuals, have suffered large financial losses as a result of the fast spread of ransomware. Due to the fact that they frequently rely on infection detection, traditional ransomware detection techniques have often proven ineffective. Using network behavior analysis to preventatively identify ransomware incidents provides a more effective solution to this problem. However, weaknesses identified in the literature review include limited sample sizes, reliance on few protocols, excessive feature usage leading to higher execution times, and experiments conducted in outdated environments. Addressing these gaps, this research offers a robust framework for ransomware detection and analysis, contributing significantly to the cybersecurity domain. This thesis uses a dataset of 145 ransomware samples from four different families to give an extensive analysis of network behavior with a particular focus on ransomware. A dedicated, isolated testbed was built to support this study. Traffic recording and information extraction from the compromised host device in the testbed are part of the study. The investigation employs three machine learning algorithms - Random Forest (RF), k-Nearest Neighbors (KNN), and Gradient Boosting - to analyze the recorded data. This thesis presents a rigorous investigation into four ransomware families, achieving exceptional accuracy in binary and multiclass detection with notable execution time efficiency. The study also explores a diverse range of communication protocols used by ransomware, such as HTTP and TCP, with a focus on the use of the SYN, ACK, and RST flags. | en_US |
| dc.publisher | AAUP | en_US |
| dc.subject | Ransomwares, Ransomware Attacks Classification, Ransomware Stages, Machine Learning, Machine Learning Algorithms | en_US |
| dc.title | Detection and Prediction of Ransomware Based on Network Behavior Using Machine Learning (Master's Thesis) | en_US |
| dc.title.alternative | Detection and Prediction of Ransomware Based on Network Behavior Using Machine Learning | en_US |
| dc.type | Thesis | en_US |
Appears in Collections: Master Theses and Ph.D. Dissertations

Files in This Item:
| File | Description | Size | Format |
| --- | --- | --- | --- |
| حمدي ابو حلو.pdf | Master \ Cyber Security | 2.82 MB | Adobe PDF |


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
