Reducing false negatives in ransomware detection: A critical evaluation of machine learning algorithms

Bold, Robert; Al-Khateeb, Haider; Ersotelos, Nikolaos

Authors

Robert Bold; Haider Al-Khateeb; Nikolaos Ersotelos

Contributors

Robert Bold (Researcher)
Nikolaos Ersotelos (Supervisor)
Haider Al-Khateeb (Supervisor)

Abstract

Technological achievement and cybercriminal methodology are two parallel, growing paths: protocols such as Tor and I2P, designed to offer confidentiality and anonymity, are being used to run ransomware operations under a Ransomware as a Service (RaaS) model. RaaS enables criminals with limited technical ability to launch ransomware attacks. Several recent high-profile cases, such as the Colonial Pipeline and JBS Foods attacks, forced companies to pay enormous ransoms, indicating how difficult it is for organisations to recover from these attacks by traditional means such as restoring from backups. Hence the value of intelligent early ransomware detection and eradication. This study offers a critical review of the literature on how state-of-the-art machine learning (ML) models can be used to detect ransomware. The review uncovered a tendency of previous works to report precision while overlooking the other values in the confusion matrix, such as false negatives. Therefore, we also contribute a critical evaluation of ML models, using a dataset of 730 malware and 735 benign samples, of their suitability to mitigate ransomware at different stages of a detection system architecture and what that means in terms of cost. For example, the results show that an Artificial Neural Network (ANN) model is the most suitable, as it achieves the highest precision of 98.65%, a Youden's index of 0.94 and a net benefit of 76.27%; however, the Random Forest model (lower precision of 92.73%) offered the benefit of the lowest false-negative rate (0.00%). The risk of a false negative in this type of system is comparable to the unpredictable but typically large cost of a ransomware infection, whereas the cost of the resources needed to filter false positives is more predictable.
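The abstract's central point is that precision alone hides the metric that matters most in a ransomware detector, the false-negative rate, and that model choice should weigh the asymmetric costs of a missed infection against analyst time spent on false positives. The following is an added example, not code from the paper, that computes the confusion-matrix metrics named above (precision, false-negative rate, Youden's index, net benefit) for two hypothetical models and then picks the cheaper model under an explicit cost assumption. The two confusion matrices, the test-split size and the per-error costs are all constructed for illustration and do not reproduce the paper's results; the net benefit formula used is the decision-curve-analysis definition (TP minus FP weighted by the threshold odds, divided by N), which may differ from the one the paper applied.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConfusionMatrix:
    """Binary detector outcomes; positive class = ransomware."""

    tp: int  # ransomware correctly flagged
    fp: int  # benign wrongly flagged (analyst triage cost)
    fn: int  # ransomware missed (infection cost)
    tn: int  # benign correctly passed

    @property
    def total(self) -> int:
        return self.tp + self.fp + self.fn + self.tn

    @staticmethod
    def _ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    def precision(self) -> float:
        return self._ratio(self.tp, self.tp + self.fp)

    def recall(self) -> float:  # sensitivity / true-positive rate
        return self._ratio(self.tp, self.tp + self.fn)

    def specificity(self) -> float:  # true-negative rate
        return self._ratio(self.tn, self.tn + self.fp)

    def false_negative_rate(self) -> float:
        return self._ratio(self.fn, self.tp + self.fn)

    def false_positive_rate(self) -> float:
        return self._ratio(self.fp, self.fp + self.tn)

    def youden_j(self) -> float:
        # Youden's index: sensitivity + specificity - 1 (1.0 = perfect, 0.0 = useless)
        return self.recall() + self.specificity() - 1.0

    def net_benefit(self, threshold_probability: float = 0.5) -> float:
        # Decision-curve-analysis net benefit (assumed definition, see lead-in).
        odds = threshold_probability / (1.0 - threshold_probability)
        return (self.tp - self.fp * odds) / self.total


def expected_cost(cm: ConfusionMatrix, cost_fn: float, cost_fp: float) -> float:
    """Total cost of the detector's errors on this test set."""
    return cm.fn * cost_fn + cm.fp * cost_fp


def choose_model(models: dict[str, ConfusionMatrix], cost_fn: float, cost_fp: float) -> str:
    """Name of the model with the lowest expected error cost."""
    return min(models, key=lambda name: expected_cost(models[name], cost_fn, cost_fp))


def break_even_cost_ratio(a: ConfusionMatrix, b: ConfusionMatrix) -> Optional[float]:
    """cost_fn / cost_fp at which models a and b cost the same.

    Above this ratio the model with fewer false negatives is cheaper;
    None if both miss the same number of samples (no crossover).
    """
    if a.fn == b.fn:
        return None
    return (b.fp - a.fp) / (a.fn - b.fn)


# Constructed hold-out split: 146 ransomware and 147 benign samples (hypothetical).
MODELS = {
    "high_precision": ConfusionMatrix(tp=144, fp=2, fn=2, tn=145),
    "zero_false_negative": ConfusionMatrix(tp=146, fp=12, fn=0, tn=135),
}


if __name__ == "__main__":
    for name, cm in MODELS.items():
        print(f"{name:22s} precision={cm.precision():.4f} FNR={cm.false_negative_rate():.4f} "
              f"J={cm.youden_j():.4f} net_benefit={cm.net_benefit():.4f}")
    # Hypothetical costs: one missed infection vs. one analyst triage of a false alert.
    print("cheapest:", choose_model(MODELS, cost_fn=100_000, cost_fp=500))
    print("break-even cost_fn/cost_fp:",
          break_even_cost_ratio(MODELS["high_precision"], MODELS["zero_false_negative"]))
```

Ranked by precision or Youden's index the high-precision model wins, but once a missed infection is assumed to cost more than the break-even multiple of a false alert the lower-precision, zero-false-negative model is the cheaper choice; the ratio is the number a practitioner should argue about, not the precision figure.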

Journal Article Type: Article
Acceptance Date: Dec 10, 2022
Online Publication Date: Dec 16, 2022
Publication Date: Dec 16, 2022
Deposit Date: Mar 13, 2023
Publicly Available Date: Mar 13, 2023
Journal: Applied Sciences
Electronic ISSN: 2076-3417
Publisher: MDPI
Peer Reviewed: Yes
Volume: 12
Issue: 24
Article Number: 12941
Series Title: Special Issue "AI-Enabled Cyber Defence in IoT Deployments: Challenges and Opportunities"
DOI: https://doi.org/10.3390/app122412941
Keywords: Article, artificial intelligence, incident response, cyber kill chain, destructive malware
Public URL: https://uwe-repository.worktribe.com/output/10296999
Publisher URL: https://www.mdpi.com/2076-3417/12/24/12941
Related Public URLs: https://www.mdpi.com/journal/applsci/special_issues/4C3O8HN0OT