
Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection

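Computer science, Ransomware, Subspace topology, Encryption, Malware, Data mining, Random forest, Key (lock), Selection (genetic algorithm), Machine learning, Artificial intelligence, Computer security
Authors
Bander Ali Saleh Al‐rimy, Mohd Aizaini Maarof, Syed Zainudeen Mohd Shaid
Source
Journal: Future Generation Computer Systems [Elsevier]
Volume/issue: 101: 476-491 Cited by: 71
Identifier
DOI: 10.1016/j.future.2019.06.005
Abstract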

The irreversible effect is what characterizes crypto-ransomware and distinguishes it from traditional malware. That is, even after neutralizing the attack, the targeted files remain encrypted and cannot be accessed without the decryption key. Thus, it is imperative to detect such a threat early, i.e. in the initial phases before the encryption takes place. However, the lack of sufficient information in the initial phases of the attack is the main challenge to early detection, leading to low detection accuracy and a high rate of false alarms. This is because existing solutions have been designed on the assumption that complete information about the behavior of such attacks is available at detection time. This assumption does not hold for early detection, which takes place while the attack is underway and the data are not fully available. To address such limitations, this paper proposes two novel techniques, incremental bagging (iBagging) and enhanced semi-random subspace selection (ESRS), and incorporates them into an ensemble-based detection model. The proposed iBagging was first used to build incremental subsets in a way that reflects the progression of crypto-ransomware behavior during its different attack phases. ESRS was then used to build optimal, noise-free and diverse feature subspaces, on which a pool of classifiers was trained. Finally, a grid search was employed to select the best combination of base classifiers. Majority voting was utilized for the final decision. The proposed techniques and model were evaluated experimentally and compared with the existing crypto-ransomware early detection solutions. The results demonstrate that the proposed techniques and model overcame the data limitation in the early phases of the attacks and achieved higher detection accuracy than existing solutions.
