Ransomware attack Detection on the Internet of Things
using Machine Learning Algorithm
Abstract. Nowadays, the number of Internet of Things (IoT) devices is increasing
exponentially, and they are used across the globe. IoT, which integrates various
devices into networks to provide advanced and intelligent services, has to protect user
privacy and defend against cyber-attacks. Attackers exploit vulnerable end sensors and
devices supporting IoT data transmission to gain unauthorized system privileges and
access to information and connected resources.
This paper investigates how malware attacks, especially ransomware attacks, exploit
IoT devices. Moreover, we review in depth different machine learning solutions that
provide IoT security, specifically against ransomware attacks. We focus on how
machine learning solutions detect malicious incidents, such as a ransomware attack on
IoT-connected networks. The authors perform all the experiments in this study using a
benchmark dataset from a GitHub repository. For the performance comparison we used
Random Forest (RF) and Decision Tree (DT). Finally, we propose a machine learning
detection model with excellent performance and accuracy.
Keywords: Malware, Ransomware, Random Forest, Cyber-attacks, IoT
Security, Machine learning
1. Introduction
Gartner defines IoT as the supported network of devices embedded with technology to
communicate and interact with the environment, and they exist either internally or
externally. IoT data transmission is supported by the connected device asset's ability to
capture, and process collected data to the organizational cloud data center. Behavioral
analysis and predictive analysis can be enabled to support business intelligence and
real-time digital business processes.
1.1 Related work
1.1.1 Information Security in IoT Technology
The adoption of IoT technology by organizations around the globe to effect sustainable
digital business operations is complex. Huge data sets are transmitted as workload from
connected data centers to end device sensors to relay information to end-users in real-
time [1]. This support requires complex infrastructure and device configuration to
achieve and sustain. IoT device connectivity for organizations around the globe is
projected to be 35.82 billion and is expected to rise to 75 billion by 2025, with
Google Home dominating the largest market share at 48% [2]. Huge datasets
transmitted by these connected networks are expected to rise with the rise of IoT device
connectivity time. Workloads transmitted by the technology are done over internet
connections and are vulnerable to information security attack vectors present on the
internet. Distributed processing allows for real-time device communication and
information processing between connected device nodes in IoT devices. Application
interfaces, database support, and network topology support are among the vectors that
leave IoT devices vulnerable to cybersecurity attacks over internet connections [3].
Integrated applications such as payment platforms on IoT-connected devices are also
affected by information security attacks and challenges posed by hackers. In 2016,
cybercriminals targeted vulnerabilities present in IoT devices such as wearables and
flooded their topology support network with distributed denial of service attacks
disrupting service transmission and denial of domain name system requests [4]. It
caused service disruption from social platforms such as Twitter and payment platforms
such as PayPal connected to the targeted IoT device support networks. These attacks
targeting IoT networks are expected to evolve with technological advancements over
time, and cybersecurity experts are expected to patch discovered vulnerabilities on IoT-
connected systems to ensure attack channels do not expose the technology to
information threats.
1.1.2 Role of Artificial intelligence in Information Security
The Internet of Things interconnects many heterogeneous device sensor nodes to relay
information captured, process, and store big data for decision making without human
intervention [5]. Artificial intelligence analyzes security threats to relayed information
to data centers transmitted by IoT connected devices in cloud networks in real-time
while the transmission occurs. Gartner identifies that more than 25% of information
security attacks in organizational cloud networks are attributed to vulnerabilities
present in IoT device connections. The same report identifies that less than 10% of the
allocated information security budget is set aside to counter issues related to IoT
workload security transmission [6]. It is a growing concern since the prevalence of
information attacks grows with technology advancements and reduces the sustainability
measures to protect information from cyber security threats [2]. Vulnerabilities present
within IoT-connected devices expose the cloud systems to cyber security threats
existing in many forms over the Internet. Organizations that deploy their systems over
internet connection are affected by social engineering attacks, insider attacks,
ransomware, virus attacks, malware attacks, phishing, Business Email
Compromise (BEC), distributed denial of service, cross-site scripting attacks, and
others. Small IoT devices and terminals are resource constrained and consume little
power, e.g., in edge computing [7]. Cyber attackers running attack scripts against these
IoT devices may easily gain privileges, since they have more capable devices from which
to mount the attack. Organizations deploy IoT devices in their business
operations to achieve efficiency and sustainable business practices. Ransomware
attacks and other cyber-attacks negatively affect IoT-supported businesses; thus,
artificial intelligence is implemented to support IoT-connected device networks to
counter information security attacks [8]. It is achieved through system automation to
decide what to do in the event of a ransomware attack and automated vulnerability
analysis on the target IoT system.
1.1.3 Machine Learning Application to Effect Information Security
The interconnection between embedded IoT device systems supports a networked
communication channel to relay organizational process information from sensors and
actuators to the end data centers [6]. These connected devices work under low
computation, storage, and communication bandwidth to process data and thus need to
be connected to external systems to audit their operations as required by organizational
processes. Machine learning techniques are incorporated over IoT supported networks
to leverage deep learning intelligence and allow organizations to gain insights to cope
with operational channels such as information security [2]. Machine learning
techniques allow organizations to gauge security requirements and review attack
vectors to ensure information is relayed securely in IoT networks. As technology advances,
IoT grows to help organizations gain an economic advantage in their business
operations and achieve huge social and commercial impact from improved service
delivery and better customer relations [9]. Information security gaps and privacy issues
from IoT technology devices arise from vulnerabilities present in their systems. Cyber
attackers use cross-site request forgery attacks to mount ransomware and other
attacks on target network systems. Machine learning allows real-time user
authentication to grant users access to IoT-connected resources and relay information
from them. It allows IoT-connected systems to deprive unauthorized users of access to
connected networks, cloning or copying secret IDs to create attack profiles, and side
channeling software attacks on connected networks [10]. Machine learning techniques
on connected systems enhance Cyber-attack detection and anomaly network traffic
detection in IoT networks. Feature extraction through convolutional neural networks
allows accurate ransomware incident detection and mitigation by familiarizing machine
learning techniques to a pool of locally correlated and convolutional data warehouses
with ransomware attack lists. The machine learning technique allows kernel training
from a mixed input and output matrix that evolves automatically from recorded
ransomware attack lists.
1.2 Research problem
The global mobile data traffic forecast index suggests that device-to-device
communication systems will rise to 27.1 billion by 2021. These connected devices run
under untrusted internet connections, where they are exposed to malicious attacks. IoT
system developers focus on improved device power management rather than hardware
security, whose improvement is slow. It affects the ability of IoT-connected device
networks to relay captured information from end nodes to data centers and end-users
securely without compromising information integrity by unauthorized user access.
Machine learning algorithms are compared to traditional computing and previous
technologies to counter information security attacks on targeted IoT devices. It is
complex to detect anomaly traffic and topology attacks on target IoT device networks
without the intervention of machine learning techniques compared to previous
technologies. Cyber-attacks on IoT networks in organizations account for more than
25% of the total cyber-attacks on an organization's network globally, while less than 10%
of total annual spending is dedicated to dealing with these kinds of attacks making their
prevalence high. Ransomware and other attacks on targeted systems affect the
reputation of any target organization to maintain user information privilege and privacy
and hence affect their general economic performance. Academic research should be
implemented on ransomware attack incident detection to bring to light the accuracy of
the convolutional neural network to perform deep learning on IoT intercepted traffic
and detect a potential ransomware attack. Traditional incident detection systems could
not reach the accuracy and precision of ransomware detection that machine learning
achieves on target systems, since machine learning incorporates techniques that support
real-time ransomware attack detection and mitigation. Artificial intelligence supports automated feature extraction
from an input-output-based data warehouse matrix that allows newly detected and
invented ransomware attack scripts to update ransomware lists affecting IoT connected
networks and the best method to counter and mitigate the attack. It allows organizations
whose operations are supported by IoT networks to update their ransomware attack list
and keep their systems ahead of the newly listed ransomware attack methods.
1.3 Research Objectives
To raise academic awareness on the need for machine learning techniques integration
to IoT connected device networks to improve information security on connected
devices to counter ransomware attacks. To show the contrast between previous
technologies and machine learning to counter anomaly traffic, detect ransomware, and
other attacks. To implement a method to counter ransomware and other attacks on
targeted IoT systems and maintain confidentiality, integrity, and privilege for relayed
information to the connected data center and end-user devices. To implement a
convolutional neural network system that predicts the accuracy of machine learning
techniques to counter real-time attacks from a matrix list with ransomware attack
definitions database.
2. Literature Review
2.1 Ransomware attacks on IoT connected device networks
Ransomware is a remotely controlled software script written to override a target system
and disable access to data and system privileges in return for a ransom fee to disable
the script. A targeted IoT system network locks out systems users from access until a
demanded ransom is paid [11]. The complexity of ransomware attacks has evolved with
technological advancements, making it harder to crack, and Cybercrime Magazine
reports that damages could accumulate to 20 billion dollars by 2021, with financial
industries being the most affected.
Ransomware attack software developers work to maximize their financial gain in
ransom fees paid while maintaining anonymity in their identities. The introduction of
financial payments using cryptocurrency makes it harder to identify these attackers
[12]. Ransomware is categorized according to the way it is implemented and its impact
on target networks. Locker ransomware completely locks out systems users from their
target device, preventing them from using it, while crypto ransomware infects specific
files with payloads in a target device, preventing users from accessing them.
Ransomware attackers install malware to gain access and system privileges on targeted
IoT networks. It compromises the target systems and sabotages them exposing the
contained resources to unauthorized access [13]. With IoT devices being resource-
constrained, they are easily overwhelmed by ransomware attacks and intrusions, which
may be socially engineered and sent to unknowing users, e.g., staff with system access,
through e-mails carrying malicious attachments to launch a ransomware attack.
Ransomware attacks are not only launched from external attacks but also aided through
insider threats by rogue employees who cooperate with attackers to target and run
ransomware attacks on organizations' IoT systems. Ransomware attackers exploit
vulnerabilities present in target IoT systems through browser-supported downloads and
other network-accessible downloads, which allow malicious binary installation to
prompt ransomware attacks on victim networks.
Once a ransomware attack is posed to a target IoT network system, the malicious
payload is executed in the backend database system, where it hides its identity using a
dropper file while it executes. The attack payload can also be installed in the reboot
registry key if the system users choose to prompt a system reboot to make it persistent.
Once the malicious payload is installed, it executes itself to control and command the
host IoT network server and encrypts the data on all connected drives and storage media
on the target host server. The encryption process may take some time to complete as
many IoT-supported networks transmit huge volumes of data [14]. Asymmetric
encryption is commonly used to encrypt the host data in the target network as it gives
the attacker the element of authenticity control of the public and private keys involved
to encrypt and decrypt the data.
Ransomware attackers maintain a consistent and secure communication channel
between an infected device system and the command-and-control server through secure
transmission protocols such as HTTPS over the internet [15]. It keeps all
communications between the two parties encrypted, and only the end-user can decrypt
them. Eventually, this makes it difficult to track the ransomware developers.
Fig. 1. Ransomware exploit process.
Hybrid encryption allows the ransomware developer to trigger a payload that encrypts
files in the target device with an asymmetric public key from the remote command-and-
control server alongside a symmetric key [4]. It encrypts larger files on the target
device network faster than asymmetric encryption alone. With hybrid encryption, the
communication by the ransomware author between the remote command-and-control
server and the target infected device network system is secured through onion routing
by Tor. Tor browsers support anonymous communication and disable system
functions such as Windows updates and operating system error reporting tools.
Once the target system's files are encrypted, backup files are destroyed to ensure that
the system does not recover from the attack without paying the ransom fee. A ransom
message note is displayed on the victim system to inform them that the system has been
hacked and files locked, with payment instructions to follow to recover the system [16].
Attackers highly recommend digital payments since the transaction is traceless,
verifiable, and fast, and with the current technology, it is easy to liquidate them back to
cash. Once payment is made, the ransomware author initiates the process of releasing
the private key to decrypt the files and victim device systems.
2.2 Machine learning techniques to counter ransomware attacks
Ransomware attacks are becoming prevalent to target IoT device networks that are
resource constrained. Ransomware is becoming more sophisticated with technological
advancements, thus making them difficult to detect. Machine learning techniques
support real-time incident detection for ransomware on target systems.
Machine learning algorithms use feature engineering, selection, and representation
techniques, compared to previous and traditional machine learning techniques that are
limited to classification and feature engineering [10]. Traditional machine learning
techniques range from linear regression tools to support vector machines and K-
nearest neighbour algorithms for shallow learning. Relevant features extracted from
datasets are applied to machine learning algorithms to counter ransomware attacks.
Malware detection with machine learning is reliable since malware detection is
automated without converting the software to binary code. Ransomware is detected in
a target system without converting it to machine code as it limits the chance to infect
the machine learning system through obfuscation and other anti-analysis methods while
analyzing the traffic [13]. It also reduces the overall complexity of the detection
process. There are several machine learning techniques useful in ransomware detection.
Machine learning uses deep neural networks to develop algorithms that are applied to
solve multiclassification problems that can distinguish different aspects such as
authentic traffic and malware. Detected malware is classified based on an image
derived from computer vision. From this vision, malware is analyzed from the set
properties that ransomware types have similar properties and patterns that can be
recognized by algorithms represented as binary files [9]. There are techniques
developed to compare and visualize detected and mapped malware executable to target
systems. A detected malware is transformed to an 8-bit unsigned integer and organized
in a specific array that the machine learning technique can understand.
Ransomware incident detection systems are incorporated with machine learning
techniques to completely automate cyber defense systems in network and security
operation centers. Machine learning techniques stop ransomware attacks on target
systems and protect IoT systems backup from ransomware targets [15].
Intrusion detection based on traditional machine learning discovers malicious activities
within target networks in the organization. Modern machine learning techniques
advocate anomaly detection, threat detection, threat classification, botnet detection, and
domain-general algorithms within the monitored network.
Machine learning techniques reduce the attack surface of ransomware and other cyber-
attacks on target systems. Network servers and storage media supporting IoT device
backup transmission are exposed to ransomware and other attacks [5]. Machine
learning techniques improve system Cohesity that reduces enterprise data footprints by
consolidating backup and disaster recovery components on a single integrated platform.
Software as a service from machine learning architectures has a user interface and
security dashboard that enables a team to automate monitoring, quickly recognize
change, and act fast on the data and applications, regardless of whether they reside on-
premises or are remotely hosted across cloud connections.
Machine learning techniques detect ransomware attacks from recognized attack
patterns from automatic scans and audits by analyzing the frequency of files accessed,
number of files being modified, files added or deleted by a specific user or an
application, and more [12]. These capabilities help ensure a ransomware attack is
detected in real-time as it occurs.
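The file-activity signals listed above (frequency of files accessed, number of files modified, added or deleted by a user or application) can be turned into a simple rate detector. The Python block below is an added example, not code from the paper: it scores a constructed activity log per (user, process) with a sliding time window and raises an alert when the number of MODIFY/DELETE events inside any window reaches a threshold. The log format `<iso-time> <user> <process> <action> <path>`, the 60-second window, the threshold of 20 events and the sample events are all assumptions made for illustration.

```python
"""Sliding-window file-activity scoring over a constructed activity log.
Added example (not the paper's code); log format, window and threshold are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(seconds=60)    # assumed observation window
THRESHOLD = 20                    # assumed MODIFY+DELETE events per window that trigger an alert
NOISY_ACTIONS = {"MODIFY", "DELETE"}


def constructed_log() -> List[str]:
    """Build sample lines: a slow backup job that opens 6 files over 2.5 minutes,
    then a burst that rewrites 30 documents and deletes the originals within 30 s."""
    t0 = datetime(2021, 3, 1, 10, 0, 0)
    lines = []
    for i in range(6):
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} backup backupd OPEN /srv/data/doc{i}.docx")
    for i in range(30):
        ts = (t0 + timedelta(seconds=120 + i)).isoformat()
        lines.append(f"{ts} alice proc_x MODIFY /home/alice/docs/file{i}.docx.locked")
        lines.append(f"{ts} alice proc_x DELETE /home/alice/docs/file{i}.docx")
    return lines


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one log line into (timestamp, user, process, action, path)."""
    ts, user, proc, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, proc, action, path


def activity_summary(lines: List[str]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Per (user, process): how many times each action occurred over the whole log."""
    summary: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for _, user, proc, action, _path in map(parse_line, lines):
        summary[(user, proc)][action] += 1
    return {key: dict(counts) for key, counts in summary.items()}


def detect_bursts(lines: List[str], window: timedelta = WINDOW, threshold: int = THRESHOLD) -> List[Dict]:
    """Two-pointer sliding window over each (user, process) stream of MODIFY/DELETE
    events; report the densest window for every stream that reaches the threshold."""
    streams: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, user, proc, action, _path in map(parse_line, lines):
        if action in NOISY_ACTIONS:
            streams[(user, proc)].append(ts)
    alerts = []
    for (user, proc), times in streams.items():
        times.sort()
        start, peak, peak_at = 0, 0, None
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # drop events that fell out of the window
                start += 1
            if end - start + 1 > peak:
                peak, peak_at = end - start + 1, times[start]
        if peak >= threshold:
            alerts.append({"user": user, "process": proc, "events": peak, "window_start": peak_at})
    return alerts


if __name__ == "__main__":
    log = constructed_log()
    print(activity_summary(log))
    print(detect_bursts(log))
```

The detector keys on the pair (user, process) rather than on the user alone, so a noisy but legitimate backup daemon and a burst from an unfamiliar process under the same account are scored separately; in production the threshold would be tuned per host from a baseline of normal activity.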
Machine learning functions support Cohesity search to provide and restore session
points in time to recover and restore virtual machines and system files [11]. It is a
disaster recovery plan that requires a robust, modern solution to instantly recover virtual
machines, unlike other solutions that can take longer, increasing efficiency in threat
detection.
Machine learning techniques assist ransomware victim systems to rapidly recover
without the need to cooperate with the attacker and pay ransom to decrypt locked files.
Cohesity mitigates the cyber security risk by ensuring detected vulnerabilities are not
reintroduced into the device system environment [13]. It includes finding a malicious file
across all workloads and taking necessary action to contain it before it compromises
the IoT device network.
2.3 Proposed Random Forest (RF) Implementation Model to counter
Ransomware Attacks
Random forest is an applicable model for binary, categorical, and numerical features.
It improves on bagging because it decorrelates the trees by introducing splitting on a
random subset of features [17]. This means that at each split of a tree, the model
considers only a small subset of features rather than all of the model's features. From
the given dataset of n available features, a subset of m features (m = √n) is selected at
random. RF requires very little pre-processing, and the data does not need to be
rescaled or transformed. The model works well with high-dimensional data since it
works with subsets of the features.
As used here, a random forest is a collection of bagged decision tree models, each of
which splits on a random subset of features at every split. Splitting the data into
smaller groups based on the data features yields a decision tree. In Figure 4 we see how
the data is split until each group is small enough to contain data points under only one
label.
Reducing the number of features, or creating new features in a dataset from the existing
ones, is known as feature extraction. The new, reduced set of features should then be
able to summarize most of the information contained in the original set of features.
Fig. 2. Feature extraction by the RF architectures
3. METHODOLOGY
3.1. Data Model
A data model was implemented to derive the accuracy of ransomware incidents
detected from recorded IoT device malware and other threats. The dataset containing
threats was provided as a CSV file. Exploratory data analysis was done on the data set
to build an RF model and its confusion matrix, from which false positives, true
negatives, false negatives, and true positives are derived to compute the accuracy of the
machine learning model in detecting ransomware incident threats on connected IoT
systems.
3.2. Data Source and Tools
Data is extracted from the proc virtual file system. The data.csv file contains the process
samples from an Ubuntu Desktop environment. The data has the following features:
RUSER (real user id, textual or decimal representation), PPID (parent process id),
UID (user id number), PID (process id), PGRP (process group id), %CPU (CPU
utilization of the process in ##.# format), %MEM (memory usage of the process), VSZ
(total virtual memory size in bytes), TIME (total accumulated CPU utilization time for
the process), SIZE (memory size in kilobytes), and legitimate (labeled as 1 if the
process is legit, labeled as 0 if the process is malware) [12]. To implement the machine
learning model, Jupyter Notebook and Google Colab have been used. Moreover, we
use the necessary Python libraries.
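To make the feature layout above concrete, here is an added Python example (not the paper's code) that parses ps(1)-style process samples into the ten feature columns of data.csv and attaches the legitimate label. The page only says the data comes from the proc virtual file system; the assumption that the samples look like the output of `ps -eo ruser,ppid,uid,pid,pgrp,%cpu,%mem,vsz,time,size`, the three sample processes, and the set of PIDs labelled as malware are all constructed for this example.

```python
"""Parse ps(1)-style process samples into the feature columns of data.csv.
Added example, not the paper's code; sample output and labels are constructed."""
import csv
import io
from typing import Dict, List, Set

# Constructed sample in the layout of `ps -eo ruser,ppid,uid,pid,pgrp,%cpu,%mem,vsz,time,size`
# (an assumption; the page only states the data came from /proc).
SAMPLE_PS_OUTPUT = """\
RUSER     PPID   UID     PID   PGRP %CPU %MEM    VSZ     TIME   SIZE
root         0     0       1      1  0.0  0.1 169432 00:00:03   5032
alice     1234  1000    2048   2048  0.3  1.2 812304 00:01:15  40216
alice     2048  1000    2051   2048 97.5  4.8 512000 01:02:30 388120
"""

COLUMNS = ["RUSER", "PPID", "UID", "PID", "PGRP", "%CPU", "%MEM", "VSZ", "TIME", "SIZE"]
INT_COLUMNS = {"PPID", "UID", "PID", "PGRP", "VSZ", "SIZE"}
FLOAT_COLUMNS = {"%CPU", "%MEM"}


def time_to_seconds(value: str) -> int:
    """Convert a ps TIME field ([[dd-]hh:]mm:ss) into whole seconds."""
    days = 0
    if "-" in value:
        day_part, value = value.split("-", 1)
        days = int(day_part)
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 2:
        hours, minutes, seconds = 0, parts[0], parts[1]
    elif len(parts) == 3:
        hours, minutes, seconds = parts
    else:
        raise ValueError(f"unrecognised TIME field: {value!r}")
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_ps_output(text: str) -> List[Dict[str, object]]:
    """Turn whitespace-separated ps output into typed records, one per process."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    if header != COLUMNS:
        raise ValueError(f"unexpected column layout: {header}")
    records: List[Dict[str, object]] = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(COLUMNS):       # truncated or wrapped output
            raise ValueError(f"malformed row: {line!r}")
        row: Dict[str, object] = dict(zip(COLUMNS, fields))
        for col in INT_COLUMNS:
            row[col] = int(str(row[col]))
        for col in FLOAT_COLUMNS:
            row[col] = float(str(row[col]))
        row["TIME"] = time_to_seconds(str(row["TIME"]))
        records.append(row)
    return records


def label_records(records: List[Dict[str, object]], malware_pids: Set[int]) -> List[Dict[str, object]]:
    """Add the `legitimate` column: 1 for a legit process, 0 for malware.
    `malware_pids` stands in for ground truth and is constructed for this example."""
    labelled = []
    for rec in records:
        out = dict(rec)
        out["legitimate"] = 0 if rec["PID"] in malware_pids else 1
        labelled.append(out)
    return labelled


def to_csv(records: List[Dict[str, object]]) -> str:
    """Serialise labelled records in the column order of data.csv."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS + ["legitimate"])
    for rec in records:
        writer.writerow([rec[c] for c in COLUMNS] + [rec["legitimate"]])
    return buf.getvalue()


if __name__ == "__main__":
    rows = label_records(parse_ps_output(SAMPLE_PS_OUTPUT), malware_pids={2051})
    print(to_csv(rows))
```

The strict header and column-count checks matter on real hosts: ps truncates wide fields and wraps long lines, and a silently mis-aligned row would put a process id into the %CPU column and poison the training set.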
3.3. Data Normalization
The loaded dataset needs to be normalized before exploratory analysis can be conducted
on it to derive insights for the analyst. The imported Python libraries organize the
dataset in a format that can be explored by the machine learning model.
3.4. Data Preprocessing
The loaded data set is preprocessed and grouped by name and other attributes. The
recorded threat incidents are grouped by name and number of instances recorded.
3.5. Feature Extraction
The dataset is grouped according to a label called legitimate. From the
classified data, legitimate data denoted by 1 are 41323 in the count and malicious data
denoted as 0 are 96724 in the count. The derived vectors legitimate and malicious form
the basis of the feature extraction model on the data set.
3.6. Data Labelling
The dataset is split into the input variables for the feature extraction (X) and the label
(y). The resulting sets are then split into training and test subsets.
3.7. Random Forest
This research uses Random forests machine learning algorithms to get a good predictive
performance, low overfitting, and easy interpretability.
3.8. Performance Analysis
To evaluate and validate the performance of the proposed ransomware detection
classifier, i.e., the Decision Tree model, we used different parameters such as
accuracy, sensitivity, selectivity, and specificity derived from the Decision Tree
model; false positive and false negative rates are derived too.
Confusion matrix: a method used to evaluate the model's performance. In the matrix,
classes are scored based on the instances of correct classification for a given class [1].
Recall (Sensitivity)
The ratio of positive samples correctly identified by the classifier to the actual
label or ground truth [18]. A perfect recall or sensitivity score equals 1.0 and
implies no false negatives, i.e., an FNR equal to 0.
$$\text{Recall} = \frac{TP}{TP + FN}$$ [18]
Precision
The ratio of correctly predicted positive observations to the total predicted positive
observations [18]. A perfect precision score equals 1.0 and implies no false positives,
i.e., an FPR equal to 0.
$$\text{Precision} = \frac{TP}{TP + FP}$$ [18]
F1 score:
This score is a combination of the aforementioned metrics recall and precision and
is used to compare classifiers or models [18].
$$F1 = 2 \cdot \frac{\text{Precision} \cdot \text{Recall}}{\text{Precision} + \text{Recall}}$$ [18]
Accuracy: Accuracy is the number of correct predictions out of the total examples
[18].
$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$$ [18]
Where TP = True Positive, FP = False Positive, FN = False Negative, TN = True
Negative.
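The following Python block is an added example, not the paper's code and not its dataset: it ties Section 2.3 to the pipeline of Sections 3.1 to 3.8 by building a random forest from bootstrap-sampled decision trees that consider only m = √n features at each split, training it on a constructed process-sample set with the numeric columns named in Section 3.2, splitting 80:20, and scoring the held-out rows with a confusion matrix and the four metrics defined above. The class distributions in make_dataset, the tree depth and the number of trees are assumptions chosen for illustration; malware (label 0) is treated as the positive class, since that is the event the detector must catch.

```python
"""Random forest with bootstrap bagging and a random subset of m = sqrt(n) features
at each split, trained on a constructed process-sample set and scored with a
confusion matrix plus the recall / precision / F1 / accuracy formulas above.
Added example: not the paper's code; the data generator is an assumption."""
import math
import random
from collections import Counter
from typing import Dict, Sequence


def make_dataset(n_rows, seed=7):
    """Constructed rows [%CPU, %MEM, VSZ, TIME, SIZE]; label 1 = legitimate, 0 = malware.
    Ranges overlap so that no single feature separates the classes perfectly."""
    rng, X, y = random.Random(seed), [], []
    for _ in range(n_rows):
        legit = rng.random() < 0.3  # roughly the 30/70 class balance in Section 3.5
        lo = [0, 0, 1e4, 0, 1e3] if legit else [10, 1, 2e5, 100, 2e4]
        hi = [30, 3, 5e5, 600, 5e4] if legit else [100, 10, 2e6, 5000, 5e5]
        X.append([rng.uniform(a, b) for a, b in zip(lo, hi)])
        y.append(1 if legit else 0)
    return X, y


def gini(labels: Sequence[int]) -> float:
    n = len(labels)
    return 0.0 if n == 0 else 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(X, y, feature_subset):
    """Greedy Gini search restricted to feature_subset (the random-subspace step)."""
    best = (None, None, float("inf"))
    for f in feature_subset:
        values = sorted({row[f] for row in X})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y[i] for i in range(len(X)) if X[i][f] <= thr]
            right = [y[i] for i in range(len(X)) if X[i][f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(X)
            if score < best[2]:
                best = (f, thr, score)
    return best


def build_tree(X, y, m, depth, max_depth, rng) -> Dict:
    majority = Counter(y).most_common(1)[0][0]
    if depth >= max_depth or gini(y) == 0.0 or len(y) < 4:
        return {"leaf": majority}
    f, thr, _ = best_split(X, y, rng.sample(range(len(X[0])), m))  # only m of the n features
    if f is None:
        return {"leaf": majority}
    left = [i for i in range(len(X)) if X[i][f] <= thr]
    right = [i for i in range(len(X)) if X[i][f] > thr]
    return {"f": f, "thr": thr,
            "left": build_tree([X[i] for i in left], [y[i] for i in left], m, depth + 1, max_depth, rng),
            "right": build_tree([X[i] for i in right], [y[i] for i in right], m, depth + 1, max_depth, rng)}


def predict_tree(node: Dict, row) -> int:
    while "leaf" not in node:
        node = node["left"] if row[node["f"]] <= node["thr"] else node["right"]
    return node["leaf"]


class RandomForest:
    def __init__(self, n_trees=7, max_depth=3, seed=1):
        self.n_trees, self.max_depth, self.rng, self.trees = n_trees, max_depth, random.Random(seed), []

    def fit(self, X, y):
        m = max(1, int(math.sqrt(len(X[0]))))  # m = sqrt(n), as in Section 2.3
        for _ in range(self.n_trees):
            idx = [self.rng.randrange(len(X)) for _ in range(len(X))]  # bootstrap sample
            self.trees.append(build_tree([X[i] for i in idx], [y[i] for i in idx], m, 0, self.max_depth, self.rng))
        return self

    def predict(self, row) -> int:  # majority vote across the trees
        return Counter(predict_tree(t, row) for t in self.trees).most_common(1)[0][0]


def confusion_matrix(y_true, y_pred, positive=0) -> Dict[str, int]:
    """Positive class defaults to 0 (malware), the event the detector must catch."""
    cm = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for t, p in zip(y_true, y_pred):
        cm[("T" if t == p else "F") + ("P" if p == positive else "N")] += 1
    return cm


def metrics(cm: Dict[str, int]) -> Dict[str, float]:
    """Recall, precision, F1 and accuracy as defined in Section 3.8."""
    tp, fp, fn, tn = cm["TP"], cm["FP"], cm["FN"], cm["TN"]
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"recall": recall, "precision": precision, "f1": f1,
            "accuracy": (tp + tn) / (tp + fp + fn + tn)}


def run_experiment(n_rows=150, test_fraction=0.2, seed=3):
    """80:20 split (Section 4), fit the forest, score the held-out 20%."""
    X, y = make_dataset(n_rows)
    idx = list(range(n_rows))
    random.Random(seed).shuffle(idx)
    cut = int(n_rows * (1 - test_fraction))
    tr, te = idx[:cut], idx[cut:]
    forest = RandomForest().fit([X[i] for i in tr], [y[i] for i in tr])
    cm = confusion_matrix([y[i] for i in te], [forest.predict(X[i]) for i in te])
    return cm, metrics(cm)
```

Because the classes are imbalanced (about 70% malware), accuracy alone can look good for a classifier that simply predicts "malware" for everything; recall and precision on the malware class, reported together, are the numbers that show whether the forest actually separates the two populations.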
4. RESULT & ANALYSIS
Data classification: the dataset is grouped by the legitimate label as described in
Section 3.5 (41323 legitimate, 96724 malicious).
Data Labelling and Feature Extraction
The dataset is split into input features (X) and the label (y), and then into training and
test sets. Our train:test ratio was 80:20. Thus, 110,437 samples are used for training
and the remaining 27,610 samples form the test set. The accuracy of the machine
learning system in detecting ransomware-related incidents and differentiating them
from other attacks relies on feature extraction supported by CNN models. The accuracy
rate of the model ranges from 0 to 1.
Ransomware detection on a target system is crucial before the threat occurs, and it is
hard to detect and counter once executed on a target system. This raises the need to
detect it early before the threat occurs. An automated machine learning system
integrated on an IoT-supported cloud network allows real-time ransomware detection
while system users go about their operation while at their organizations.
From the dataset used in the machine learning model, the machine learning system has
an accuracy of 0.995074, which is 99% accurate in detecting ransomware attacks. This
means a score predictor is derived from the RF accuracy model derived from the
feature extraction. A score of 0.995291, equivalent to 99%, is derived for the machine
learning model to predict ransomware incidents.
Performance Analysis
Once the model can derive accuracy in ransomware incident prediction from other
related attacks, a confusion matrix is derived from the dataset used in the study
to derive false positives, false negatives, true positives, and true negatives. From the
total listed 138,047 recorded incidents, 96658 records are reported to contain
ransomware, which would pose a threat to systems, and the machine learning model
recognizes them as malicious. 41261 other files are detected as legitimate files. The
following figure shows a confusion matrix for binary classes with labels and
percentages.
Fig. 3. Visualized confusion matrix
The system negates the classified true negatives, false positives, and false negatives
from the detected incident files. The machine learning model reports the detected true
positive file as potential malicious ransomware, and the following figure visualizes it
in a decision tree to system users for further consideration.
Fig. 4. Visualized decision tree
5. CONCLUSION & RECOMMENDATION
This research proves the need to integrate data science and information security to
achieve the best cybersecurity practices to secure IoT systems' organizational data. The
machine learning system is limited to reporting detected ransomware incidents only to
the system user and does not automatically counter the ransomware attacks. This lays
down the foundation of further academic research and industrial innovation to improve
the technology to automatically stop and counter detected ransomware attacks
effectively.
References
[1] W. & S. Zhang, "IoT security: Ongoing challenges and research opportunities," IEEE
7th International Conference on Service-Oriented Computing and Applications, 2014.
[2] D. & T. Bughin, "Artificial intelligence: The next digital frontier," 2017.
[3] M. Irshad, "A systematic review of information security frameworks on the Internet of
Things (IoT)," International Conference on High-Performance Computing and
Communications; IEEE 2nd International Conference on Data Science and Systems,
2016.
[4] P. & Lee, "The effects of consumers' information security behavior and information
privacy concerns on usage of IoT technology," in Proceedings of the XX International
Conference on Human Computer Interaction, 2019.
[5] L. W. & W. Ding, "Security information transmission algorithms for IoT based on
cloud computing," Computer Communications, 2020.
[6] M. J. & J. Dhingra, "Role of artificial intelligence in enterprise information security:
A review," 4th International Conference on Parallel, Distributed and Grid Computing
(PDGC), 2016.
[7] T. & B, "The role of artificial intelligence and cyber security for social media," in
2020 IEEE International Parallel and Distributed Processing Symposium Workshops
(IPDPSW), 2020.
[8] P. & B. S. Dhamija, "Role of artificial intelligence in operations environment: a review
and bibliometric analysis," The TQM Journal, 2020.
[9] S. & M, "A survey of machine learning algorithms and their application in information
security," in Guide to Vulnerability Analysis for Computer Networks and Systems, 2018.
[10] P. T. A. & F. Zambrano, "Technical mapping of the grooming anatomy using machine
learning paradigms: an information security approach," 2019.
[11] D. & C. Azmoodeh, "Detecting crypto-ransomware in IoT networks based on energy
consumption footprint," Journal of Ambient Intelligence and Humanized Computing,
2018.
[12] I. A. E. u. R. & A.-g. Yaqoob, "The rise of ransomware and emerging security
challenges in the Internet of Things," Computer Networks, 2017.
[13] A. & S. Zahra, "IoT based ransomware growth rate evaluation and detection using
command and control blacklisting," in 23rd International Conference on Automation and
Computing (ICAC), 2017.
[14] A. P. S. & H. C. Dash, "Ransomware auto-detection in IoT devices using machine
learning," International Journal of Engineering Science, 2018.
[15] J. V. D. D. & S. Su, "Lightweight classification of IoT malware based on image
recognition," in IEEE 42nd Annual Computer Software and Applications Conference
(COMPSAC), 2018.
[16] B. D. Y. S. & H. J. Wang, "Towards a hybrid IoT honeypot for capturing and analyzing
malware," in IEEE International Conference on Communications (ICC), 2020.
[17] A. A. & M. McDole, "Analyzing RF based behavioral malware detection techniques on
cloud IaaS," in International Conference on Cloud Computing, 2020.
[18] A. Géron, Hands-on Machine Learning with Scikit-Learn, Keras & TensorFlow:
Concepts, Tools, and Techniques to Build Intelligent Systems, Sebastopol: O'Reilly
Media, Inc., 2019, p. 92.