An Empirical Comparison of Supervised Algorithms for Ransomware Identification on Network Traffic

Android mobile systems are currently the main target of malware attacks. In this sense, machine learning is a suitable approach to analyze network traffic, and it generally achieves good results in the identification and detection of malware. However, an underlying problem is creating a dataset with network characteristics that accurately reflect the malwareś behavior. Characterizing adequately the dataset is a relevant process to identify malware with high precision when using traditional machine learning algorithms. This paper compares empirically three supervised machine learning algorithms, in order to identify ransomware traffic based on Android mobile network traffic features. We consider 9 features related to time properties of flows and bidirectional packets in 10 families of ransomware and different benign application Android network traffic. Empirical results show that Random Forest (RF) achieved a 96% accuracy in classifying ransomware, higher than Decision Tree (DT) and K-Nearest Neighbor (KNN) approaches. We conclude that the selected features allow us to identify ransomware traffic and differentiate it from the traffic of benign applications.