MFMCNS: a multi-feature and multi-classifier network-based system for ransomworm detection

Ransomware is a type of advanced malware that can encrypt a user's files or lock a computer system until a ransom has been paid. Ransomworm is a type of malware that combines the payload of ransomware with the propagation feature of a computer worm. Most host-based detection methods require the host to be infected and the payload to be executed first to be able to identify anomalies and detect the malware. By the time of infection, it might too late as some of the system's assets would have been already encrypted or exfiltrated by the malware. On the contrary, the network-based methods can be one of the crucial means in detecting ransomworm activities when it attempts to spread to infect other networks before executing the payload. Therefore, a thorough analysis of ransomworm network traffic can be one of the essential means for early detection. This paper presents a comprehensive behavioral analysis of ransomworm network traffic, taking WannaCry, which launched a worldwide cyberattack, and NotPetya as a case study. Two sets of related features were extracted based on two independent flow levels: session-based and time-based. On top of each set, an independent classifier was built. Moreover, to improve the reliability, a multi-feature and multi-classifier network-based system, MFMCNS, has been proposed. MFMCNS employs these classifiers working in parallel on different flow levels, then it adopts a fusion rule to combine the classifiers' decisions. The experimental results prove that MFMCNS is reliable and has high detection accuracy.