
A Weighted Minimum Redundancy Maximum Relevance Technique for Ransomware Early Detection in Industrial IoT

Ransomware attacks against Industrial Internet of Things (IIoT) have catastrophic consequences not only to the targeted infrastructure, but also the services provided to the public. By encrypting the operational data, the ransomware attacks can disrupt the normal operations, which represents a serio...

Bibliographic Details
Published in: Sustainability 2022-02, Vol.14 (3), p.1231
Main Authors: Ahmed, Yahye Abukar, Huda, Shamsul, Al-rimy, Bander Ali Saleh, Alharbi, Nouf, Saeed, Faisal, Ghaleb, Fuad A., Ali, Ismail Mohamed
Format: Article
Language: English
container_end_page
container_issue 3
container_start_page 1231
container_title Sustainability
container_volume 14
creator Ahmed, Yahye Abukar
Huda, Shamsul
Al-rimy, Bander Ali Saleh
Alharbi, Nouf
Saeed, Faisal
Ghaleb, Fuad A.
Ali, Ismail Mohamed
description Ransomware attacks against Industrial Internet of Things (IIoT) have catastrophic consequences not only to the targeted infrastructure, but also the services provided to the public. By encrypting the operational data, the ransomware attacks can disrupt the normal operations, which represents a serious problem for industrial systems. Ransomware employs several avoidance techniques, such as packing, obfuscation, noise insertion, irrelevant and redundant system call injection, to deceive the security measures and make both static and dynamic analysis more difficult. In this paper, a Weighted minimum Redundancy maximum Relevance (WmRmR) technique was proposed for better feature significance estimation in the data captured during the early stages of ransomware attacks. The technique combines an enhanced mRMR (EmRmR) with the Term Frequency-Inverse Document Frequency (TF-IDF) so that it can filter out the runtime noisy behavior based on the weights calculated by the TF-IDF. The proposed technique has the capability to assess whether a feature in the relevant set is important or not. It has low-dimensional complexity and a smaller number of evaluations compared to the original mRmR method. The TF-IDF was used to evaluate the weights of the features generated by the EmRmR algorithm. Then, an inclusive entropy-based refinement method was used to decrease the size of the extracted data by identifying the system calls with strong behavioral indication. After extensive experimentation, the proposed technique has shown to be effective for ransomware early detection with low-complexity and few false-positive rates. To evaluate the proposed technique, we compared it with existing behavioral detection methods.
doi_str_mv 10.3390/su14031231
format article
publisher Basel: MDPI AG
date 2022-02-01
rights 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
toplevel peer_reviewed
oa free_for_read
orcidid https://orcid.org/0000-0002-2822-1708
https://orcid.org/0000-0002-1468-0655
https://orcid.org/0000-0003-3048-5961
https://orcid.org/0000-0002-1006-605X
fulltext fulltext
identifier ISSN: 2071-1050
ispartof Sustainability, 2022-02, Vol.14 (3), p.1231
issn 2071-1050
2071-1050
language eng
recordid cdi_proquest_journals_2627843342
source Publicly Available Content Database (Proquest) (PQ_SDU_P3)
subjects Algorithms
Computer viruses
Decision trees
Evaluation
Experimentation
Feature selection
Industrial applications
Internet of Things
Machine learning
Malware
Methods
Neural networks
Ransomware
Security
Support vector machines
Sustainability
Writers
title A Weighted Minimum Redundancy Maximum Relevance Technique for Ransomware Early Detection in Industrial IoT