Ransomware attacks against the Industrial Internet of Things (IIoT) have catastrophic consequences not only to the targeted infrastructure, but also to the services provided to the public. By
encrypting the operational data, the ransomware attacks can disrupt normal operations, which
represents a serious problem for industrial systems. Ransomware employs several avoidance techniques, such as packing, obfuscation, noise insertion, irrelevant and redundant system call injection,
to deceive the security measures and make both static and dynamic analysis more difficult.
In this paper, a Weighted minimum Redundancy Maximum Relevance (WmRmR) technique was proposed
for better feature significance estimation in the data captured during the early stages of ransomware
attacks. The technique combines an enhanced mRMR (EmRmR) with the Term Frequency-Inverse
Document Frequency (TF-IDF) so that it can filter out the runtime noisy behavior based on the weights
calculated by the TF-IDF.
The proposed technique has the capability to assess whether a feature in
the relevant set is important or not. It has low-dimensional complexity and a smaller number of
evaluations compared to the original mRmR method. The TF-IDF was used to evaluate the weights
of the features generated by the EmRmR algorithm. Then, an inclusive entropy-based refinement
method was used to decrease the size of the extracted data by identifying the system calls with
strong behavioral indications. After extensive experimentation, the proposed technique has shown
to be effective for ransomware early detection with low complexity and few false-positive rates. To
evaluate the proposed technique, we compared it with the existing behavioral detection methods. Proceed here to read the article.