Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Ransomware has become a significant global threat, with the ransomware-as-a-service model enabling easy availability and deployment, and the potential for high revenues creating a viable criminal business model. Individuals, private companies, or public service providers (e.g. healthcare or utility companies) can all become victims of ransomware attacks and consequently suffer severe disruption and financial loss. Although machine learning algorithms are already being used to detect ransomware, variants are being developed specifically to evade detection by dynamic machine learning techniques. In this paper, we introduce NetConverse, a machine learning analysis of Windows ransomware network traffic that achieves a high, consistent detection rate. Using a dataset created from conversation-based network traffic features, we achieved a true positive detection rate of 97.1% with the Decision Tree (J48) classifier.


💡 Research Summary

The paper “Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection” introduces a novel detection framework called NetConverse that focuses on identifying Windows‑based ransomware by analyzing its network traffic rather than relying on static file signatures or dynamic host‑based behaviors. The authors motivate their work by highlighting the rapid growth of ransomware‑as‑a‑service (RaaS) and the consequent surge in ransomware incidents worldwide. Traditional detection methods, especially those based on static analysis or dynamic sandboxing, are increasingly evaded by sophisticated ransomware families that employ obfuscation, anti‑analysis tricks, and rapid code mutation. By shifting the detection surface to the network layer, the authors aim to capture the communication patterns that ransomware must exhibit when contacting command‑and‑control (C2) servers, payment portals, or distribution sites.

Data Collection and Pre‑processing
The authors built a balanced dataset comprising 210 malicious samples drawn from nine well‑known ransomware families (Cerber, Cryptowall, Cryptolocker, CTB‑Locker, Locky, Padcrypt, Paycrypt, Teslacrypt, Torrentlocker) and 264 benign Windows applications (goodware). All samples were sourced from VirusTotal Intelligence, ensuring that each malicious sample had an associated PCAP capture of its network activity, while benign samples were selected based on zero AV detections. The raw PCAP files were processed with TShark (the command‑line version of Wireshark) using the “conversation” export feature, which aggregates traffic into bidirectional flows defined by the 5‑tuple (protocol, source IP, source port, destination IP, destination port). Thirteen basic statistical features were initially extracted: protocol, source/destination IPs, source/destination ports, total packets, total bytes, packets and bytes in each direction, relative start time, and duration.

Cleaning steps removed conversations with source IP 0.0.0.0, DNS traffic (port 53), and the aggregate and timing fields (total packets, total bytes, relative start time, and duration), which were judged redundant or noisy for the classification task. IP addresses were converted to decimal integers so that the classifiers could treat them as numeric values. After cleaning, nine features remained: protocol, source IP, source port, destination IP, destination port, packets A→B, bytes A→B, packets B→A, bytes B→A; together with the class label (ransomware or goodware) these form the ten attributes of the resulting dataset. The final dataset contained 75,618 training instances (≈61 % of the data) and 48,526 test instances (≈39 %). The data were saved in ARFF format for use with the WEKA machine‑learning suite.
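The following is an added illustration of the pre-processing stage described above, not code from the paper. It assumes a constructed conversation export whose columns follow the thirteen fields the summary lists (real Wireshark/TShark conversation exports use their own header layout), applies the cleaning rules (drop source 0.0.0.0, drop port-53 conversations, keep the nine features, convert addresses to integers) and serialises the result as ARFF, which makes the "nine features plus class = ten attributes" accounting visible in the output:

```python
"""Flow pre-processing in the spirit of the NetConverse pipeline.

Added illustration, not the paper's code. The column layout, the sample rows
and the label column are constructed to match the thirteen exported fields
listed in the summary; a real TShark/Wireshark conversation export has its own
header names and would need its columns mapped onto RAW_FIELDS first.
"""
import csv
import io
import ipaddress

# Thirteen per-conversation fields in the order the summary lists them (constructed layout).
RAW_FIELDS = [
    "protocol", "src_ip", "src_port", "dst_ip", "dst_port",
    "packets", "bytes", "packets_ab", "bytes_ab", "packets_ba", "bytes_ba",
    "rel_start", "duration",
]

# Nine fields kept after cleaning: aggregate totals and timing fields are dropped.
KEPT_FIELDS = [
    "protocol", "src_ip", "src_port", "dst_ip", "dst_port",
    "packets_ab", "bytes_ab", "packets_ba", "bytes_ba",
]

# Constructed sample export: one conversation per line, the thirteen fields followed
# by the class label the analyst attaches per sample (ransomware / goodware).
SAMPLE_EXPORT = """\
TCP,10.0.0.5,49152,203.0.113.7,80,12,5400,7,1200,5,4200,0.000,3.2,ransomware
UDP,10.0.0.5,53421,10.0.0.1,53,2,180,1,60,1,120,0.010,0.1,ransomware
TCP,0.0.0.0,68,255.255.255.255,67,1,342,1,342,0,0,0.000,0.0,ransomware
TCP,10.0.0.9,49200,198.51.100.20,443,40,61000,18,3000,22,58000,1.500,12.0,goodware
UDP,10.0.0.9,50000,10.0.0.1,53,2,160,1,50,1,110,1.400,0.1,goodware
TCP,10.0.0.9,49201,198.51.100.21,80,8,2600,4,900,4,1700,2.000,1.1,goodware
"""


def ip_to_int(addr):
    """Dotted-quad address -> integer, as the paper did to make the address fields
    numeric. Caveat: this turns an identity into an ordinal, so a tree can split on
    address ranges and effectively memorise the C2 endpoints seen in the captures."""
    return int(ipaddress.ip_address(addr))


def clean_conversations(export_text):
    """Apply the cleaning rules and return (rows, labels) with the nine kept features.

    Drops conversations whose source is 0.0.0.0 and any DNS conversation (port 53
    on either side), discards the total/timing fields, and converts IPs and counts
    to integers.
    """
    rows, labels = [], []
    for rec in csv.reader(io.StringIO(export_text)):
        if not rec:
            continue
        raw = dict(zip(RAW_FIELDS, rec[:len(RAW_FIELDS)]))
        label = rec[len(RAW_FIELDS)]
        if raw["src_ip"] == "0.0.0.0":
            continue
        if raw["src_port"] == "53" or raw["dst_port"] == "53":
            continue
        row = {k: raw[k] for k in KEPT_FIELDS}
        row["src_ip"] = ip_to_int(row["src_ip"])
        row["dst_ip"] = ip_to_int(row["dst_ip"])
        for k in ("src_port", "dst_port", "packets_ab", "bytes_ab", "packets_ba", "bytes_ba"):
            row[k] = int(row[k])
        rows.append(row)
        labels.append(label)
    return rows, labels


def to_arff(rows, labels, relation="netconverse"):
    """Serialise cleaned rows as an ARFF document for WEKA.

    Protocol and the class are nominal attributes; the other eight are numeric.
    Nine feature attributes plus the class give the ten attributes WEKA sees.
    """
    protocols = sorted({r["protocol"] for r in rows})
    classes = sorted(set(labels))
    lines = [f"@relation {relation}", ""]
    for k in KEPT_FIELDS:
        if k == "protocol":
            lines.append(f"@attribute protocol {{{','.join(protocols)}}}")
        else:
            lines.append(f"@attribute {k} numeric")
    lines.append(f"@attribute class {{{','.join(classes)}}}")
    lines += ["", "@data"]
    for r, lab in zip(rows, labels):
        lines.append(",".join(str(r[k]) for k in KEPT_FIELDS) + f",{lab}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cleaned_rows, cleaned_labels = clean_conversations(SAMPLE_EXPORT)
    print(to_arff(cleaned_rows, cleaned_labels))
```

Running the script prints an ARFF file with three surviving conversations (the DHCP-style 0.0.0.0 row and both DNS rows are removed) and exactly ten `@attribute` lines. The `ip_to_int` comment is the point to keep in mind when reading the results: once addresses are ordinal numbers, a decision tree can separate the classes by address range alone, which is why the limitations section below treats the IP features as brittle.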

Machine‑Learning Experiments
Six classifiers were evaluated: Bayes Network, Multilayer Perceptron (MLP), J48 (C4.5 decision tree), IBK (k‑Nearest Neighbours), Random Forest, and Logistic Model Tree (LMT). All classifiers were run with their default WEKA parameters. Two experimental phases were conducted: (1) 10‑fold cross‑validation using all ten attributes (the nine features plus the class label), and (2) 10‑fold cross‑validation after removing the two packet‑count attributes (Packets A→B and Packets B→A). After each cross‑validation run, the model was also evaluated on the held‑out test set to obtain performance numbers on data not used for training.

Performance metrics reported were True Positive Rate (TPR), False Positive Rate (FPR), Precision, Recall, and F‑measure. The J48 decision tree consistently achieved the highest scores: TPR 97.10 %, FPR 1.60 %, Precision 97.30 %, Recall 97.10 %, and F‑measure 97.10 %. Feature reduction (from 10 to 8 attributes) did not change J48’s results, indicating that the packet‑count features carried little information beyond what the byte counts already provided. LMT was a close second with a TPR of 96.80 % and an FPR of 3.90 %. Random Forest, k‑NN, MLP, and Bayes Network all fell in the 95–96 % TPR range, with higher false‑positive rates (3–6 %). Training time varied dramatically: MLP required ~48 seconds on the full feature set, while J48 trained in under a second; after feature reduction, J48’s training time dropped to 0.18 seconds, which is what makes it attractive for real‑time deployment.
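As an added example (not from the paper), the block below computes the five reported metrics from a constructed set of flow labels and predictions, and then goes one step beyond the summary: it shows how a fixed TPR/FPR pair translates into precision at a different malicious-flow prevalence, which is the check to run before reading a 1.6 % flow-level FPR as deployable on an enterprise link. The label lists and the prevalence values are constructed; the reported J48 figures are taken from the text and treated as positive-class rates.

```python
"""Reported metrics (TPR, FPR, precision, recall, F-measure) and a base-rate check.

Added illustration, not code from the paper. Y_TRUE / Y_PRED are constructed
label lists; the 0.971 / 0.016 / 0.973 figures are the J48 numbers reported in
the summary, interpreted as rates for the positive (ransomware) class.
"""


def confusion(y_true, y_pred, positive="ransomware"):
    """Return (tp, fp, tn, fn) treating `positive` as the class of interest."""
    tp = fp = tn = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if pred == positive:
            if truth == positive:
                tp += 1
            else:
                fp += 1
        else:
            if truth == positive:
                fn += 1
            else:
                tn += 1
    return tp, fp, tn, fn


def metrics(y_true, y_pred, positive="ransomware"):
    """The five metrics the paper reports, computed for the positive class."""
    tp, fp, tn, fn = confusion(y_true, y_pred, positive)
    tpr = tp / (tp + fn) if tp + fn else 0.0          # recall / detection rate
    fpr = fp / (fp + tn) if fp + tn else 0.0          # benign flows flagged
    precision = tp / (tp + fp) if tp + fp else 0.0
    f_measure = (2 * precision * tpr / (precision + tpr)) if precision + tpr else 0.0
    return {"tpr": tpr, "fpr": fpr, "precision": precision,
            "recall": tpr, "f_measure": f_measure}


def precision_at_prevalence(tpr, fpr, prevalence):
    """Precision the same classifier shows when a fraction `prevalence` of the
    evaluated flows is malicious: true-positive mass is tpr*prevalence,
    false-positive mass is fpr*(1-prevalence)."""
    tp_mass = tpr * prevalence
    fp_mass = fpr * (1.0 - prevalence)
    return tp_mass / (tp_mass + fp_mass)


def implied_prevalence(tpr, fpr, precision):
    """Invert precision_at_prevalence: the malicious fraction of the evaluation
    set that makes a reported (tpr, fpr, precision) triple consistent."""
    return precision * fpr / (tpr * (1.0 - precision) + precision * fpr)


# Constructed evaluation set: 100 malicious and 100 benign flows,
# 3 missed detections and 2 false alarms.
Y_TRUE = ["ransomware"] * 100 + ["goodware"] * 100
Y_PRED = (["ransomware"] * 97 + ["goodware"] * 3
          + ["ransomware"] * 2 + ["goodware"] * 98)


if __name__ == "__main__":
    result = metrics(Y_TRUE, Y_PRED)
    print({k: round(v, 4) for k, v in result.items()})
    # Malicious fraction at which TPR 97.1 %, FPR 1.6 % and precision 97.3 % fit together.
    print(round(implied_prevalence(0.971, 0.016, 0.973), 3))
    # Precision the same TPR/FPR pair would give if only 1 % of flows were malicious.
    print(round(precision_at_prevalence(0.971, 0.016, 0.01), 3))
```

The two derived numbers are the practitioner's caveat: the reported triple is only self-consistent if roughly 37 % of the evaluated conversations were ransomware, and at a 1 % malicious-flow rate the same TPR/FPR pair yields precision near 38 %, i.e. about three benign flows flagged for every two real detections. That is a property of any flow-level detector, not a flaw specific to this paper, but it is why FPR rather than TPR decides whether a model like this can run inline.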

Discussion of Results and Contributions
The authors claim three primary contributions: (a) a comprehensive evaluation of network traffic from nine ransomware families versus benign Windows traffic, (b) a comparative study of six machine‑learning classifiers grouped by algorithmic family, and (c) the extraction and selection of a compact set of nine network‑level features that enable high‑accuracy detection. The reported 97.1 % detection rate with a low 1.6 % false‑positive rate positions NetConverse favorably against prior work that focused on dynamic host‑based features (e.g., EldeRan, UNVEIL) which reported TPRs around 96 % but often with higher computational overhead. The authors also note that their approach can be integrated into existing intrusion‑detection systems (IDS) as a lightweight, flow‑based module.

Limitations and Future Work
While the results are promising, several limitations are acknowledged. The dataset size is modest (210 malicious samples), and each ransomware family is represented by roughly the same number of samples, which may not reflect real‑world prevalence or the diversity of newer variants. The reliance on IP addresses as numeric features could be brittle against the use of proxies, VPNs, or fast‑flux techniques that mask true C2 endpoints. The experimental environment used virtual machines with limited network complexity; thus, performance on high‑throughput, encrypted, or mixed‑protocol enterprise traffic remains untested. Moreover, the feature set does not include higher‑level protocol metadata (e.g., TLS Server Name Indication, HTTP Host headers) that could improve resilience against traffic‑padding or port‑hopping evasion tactics.

Future research directions suggested include expanding the dataset with more recent ransomware families and larger sample counts, incorporating temporal and sequence‑based flow features (inter‑arrival times, burstiness), adding encrypted‑traffic‑friendly attributes (TLS fingerprinting, certificate analysis), and exploring online learning or concept‑drift detection to maintain effectiveness as ransomware tactics evolve. The authors also propose investigating privacy‑preserving feature engineering (e.g., hashing IPs) to comply with data‑protection regulations while retaining detection power.

Conclusion
NetConverse demonstrates that a modest set of network‑flow features, when fed to a well‑chosen decision‑tree classifier, can achieve ransomware detection performance comparable to more heavyweight dynamic analysis systems, with the added benefit of low computational cost and suitability for real‑time deployment in network monitoring infrastructures. The study contributes a reproducible methodology, a publicly described dataset, and a clear benchmark against multiple classifiers, laying groundwork for future enhancements that could make network‑based ransomware detection a standard component of enterprise cyber‑defense arsenals.

