Published September 17, 2018 | Version 1.0
Dataset Restricted

Dataset of "Extinguishing Ransomware - A Hybrid Approach to Android Ransomware Detection"

  • 1. ALaRI, Faculty of Informatics, Università della Svizzera italiana
  • 2. Institute for Informatics and Telematics, National Research Council of Italy (CNR)
  • 3. Institute of Telecommunications, TU Wien

Description

Protection against ransomware is particularly relevant in systems running the Android operating system, due to its huge user base and, therefore, its potential for monetization by attackers. In "Extinguishing Ransomware - A Hybrid Approach to Android Ransomware Detection" (see references for details), we describe a hybrid (static + dynamic) malware detection method that has extremely good accuracy (100% detection rate, with false positives below 4%).

 

We release a dataset related to the dynamic detection part of the aforementioned method, containing execution traces of Android ransomware applications, in order to facilitate further research as well as the adoption of dynamic detection in practice. The dataset contains execution traces from 666 ransomware applications taken from the Heldroid project [https://github.com/necst/heldroid] (the app repository is unavailable at the moment).

Execution records were obtained by running the applications, one at a time, on the Android emulator. For each application, a maximum of 20,000 stimuli were applied with a maximum execution time of 15 minutes. For most of the applications, all the stimuli could be applied in this timeframe. In some of the traces neither of the two limits is reached due to emulator hiccups. The collected features relate to memory and CPU usage, network interaction and system calls, and they are monitored with a period of two seconds.

The Android emulator of the Android Software Development Kit for Android 4.0 (release 20140702) was used. To guarantee that the system was always in a clean state when a new sample was started, thus avoiding possible interference (e.g., changed settings, running processes, and modifications of the operating system files) from previously run samples, the Android operating system was re-initialized before running each application.

The application execution process was automated by means of a shell script that made use of Android Debug Bridge (adb) and that was run on a Linux PC. The Monkey application exerciser was used in the script as the generator of the aforementioned stimuli. The Monkey is a command-line tool that can be run on any emulator instance or on a device; it sends a pseudo-random stream of user events (stimuli) into the system, which acts as a stress test on the application software.
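The collection loop described above, sketched as an added example; it is not the authors' script, which is not part of this record. The AVD name, the command-line arguments and the `/proc` files sampled are assumptions, and system-call tracing is left out.

```shell
#!/usr/bin/env bash
# Added illustration of the per-sample collection loop; not the authors' script.
AVD="${AVD:-ransom-avd}"   # assumed AVD name (Android 4.0 system image)
MAX_EVENTS=20000           # stimuli cap stated in the description
MAX_SECONDS=900            # 15-minute cap stated in the description
PERIOD=2                   # monitoring period in seconds
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands instead of running them

run()    { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
run_bg() { if [ "$DRY_RUN" = 1 ]; then printf '%s &\n' "$*"; else "$@" & fi; }

max_rows() { echo $(( MAX_SECONDS / PERIOD )); }  # upper bound on samples per trace

sample_once() {  # one tick: memory, CPU and network counters (assumed sources)
  run adb shell cat /proc/meminfo /proc/stat /proc/net/dev
}

monitor() {  # $1 = raw output file; ticks every PERIOD seconds until killed
  while :; do sample_once >>"$1"; sleep "$PERIOD"; done
}

wait_boot() {  # block until the freshly wiped emulator has finished booting
  run adb wait-for-device
  [ "$DRY_RUN" = 1 ] && return 0
  until [ "$(adb shell getprop sys.boot_completed | tr -d '\r')" = 1 ]; do
    sleep "$PERIOD"
  done
}

run_sample() {  # $1 = APK path, $2 = package name, $3 = raw output file
  local apk="$1" pkg="$2" out="$3" mon=""
  # -wipe-data resets user data, so no state survives from the previous sample.
  run_bg emulator -avd "$AVD" -wipe-data -no-window
  wait_boot
  run adb install "$apk"
  run_bg monitor "$out"; mon=$!
  # Monkey ends at whichever limit comes first: event count or wall-clock time.
  run timeout "$MAX_SECONDS" adb shell monkey -p "$pkg" "$MAX_EVENTS"
  [ "$DRY_RUN" = 1 ] || kill "$mon"
  run adb emu kill   # discard the emulator instance before the next sample
}

# Stand-alone use: ./collect.sh sample.apk com.example.pkg trace.raw
if [ "$#" -eq 3 ]; then run_sample "$@"; fi
```

With the stated limits a trace holds at most 450 samples, so per-app files with far fewer rows correspond to runs that ended early.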

In this dataset, we provide both per-app CSV files and unified files, in which the CSV files of the single applications have been concatenated. The CSV files contain the features extracted from the raw execution records. The provided files are listed below:

  • ransom-per_app-csv.zip - features obtained by executing ransomware applications, one CSV per application

  • ransom-unified-csv.zip - features obtained by executing ransomware applications, only one CSV file

Files

Restricted

The record is publicly accessible, but files are restricted to users with access.

Request access

If you would like to request access to these files, please fill out the form below.

You need to satisfy these conditions in order for this request to be accepted:

The dataset can only be used for research purposes.


Additional details

References

  • Ferrante, A., M. Malek, F. Martinelli, F. Mercaldo, and J. Milosevic, "Extinguishing Ransomware - A Hybrid Approach to Android Ransomware Detection", Foundations and Practice of Security, vol. 10723, Cham, Springer International Publishing, pp. 242-258, 02/2018.