Education and Innovation in Embedded Systems Design

USI Università della Svizzera italiana, USI Faculty of Informatics, Advanced Learning and Research Institute
Title: Extinguishing Ransomware - A Hybrid Approach to Android Ransomware Detection
Publication Type: Book Chapter
Year of Publication: 2018
Authors: Ferrante, A., M. Malek, F. Martinelli, F. Mercaldo, and J. Milosevic
Editor: Imine, A., J. M. Fernandez, J-Y. Marion, L. Logrippo, and J. Garcia-Alfaro
Book Title: Foundations and Practice of Security
Publisher: Springer International Publishing
ISBN Number: 978-3-319-75650-9

Mobile ransomware is on the rise and effective defense from it is of utmost importance to guarantee security of mobile users' data. Current solutions provided by antimalware vendors are signature-based and thus ineffective in removing ransomware and restoring the infected devices and files. Also, current state-of-the-art literature offers very few solutions to effectively detecting and blocking mobile ransomware. Starting from these considerations, we propose a hybrid method able to effectively counter ransomware. The proposed method first examines applications to be used on a device prior to their installation (static approach) and then observes their behavior at runtime and identifies if the system is under attack (dynamic approach). To detect ransomware, the static detection method uses the frequency of opcodes while the dynamic detection method considers CPU usage, memory usage, network usage and system call statistics. We evaluate the performance of our hybrid detection method on a dataset that contains both ransomware and legitimate applications. Additionally, we evaluate the performance of the static and dynamic stand-alone methods for comparison. Our results show that although both static and dynamic detection methods perform well in detecting ransomware, their combination in the form of a hybrid method performs best, being able to detect ransomware with 100% precision and having a false positive rate of less than 4%.