Android Crypto Ransomware System Call Dataset
- Submitted by: Christopher Chew
- Last updated: Wed, 01/31/2024 - 00:45
- DOI: 10.21227/95y1-5h19
Abstract
This dataset aims to provide researchers with the essential information to aid in the development and improvement surrounding system call pattern detection for crypto ransomware on Android.
Our dataset provides two sets of extracted and formatted system call logs. The first set consists of system call logs collected from 213 crypto ransomware samples and the second set consists of logs from 502 benign Android applications.
The ransomware samples were acquired from Koodous and collected over a short period of 3 months (April 2020 to June 2020). For our benign dataset, the samples were acquired from APKPURE and collected over the same period as the ransomware samples.
Set 1: Android Crypto Ransomware
The malicious dataset contains system call logs from 213 Android crypto ransomware, which have been categorised into six families. The six families are listed below followed by the number of samples in the respective family.
- Six Android families:
- Filecoder - 5
- WannaLocker - 51
- WipeLocker - 70
- BlackRoseLucy - 17
- Pletor - 6
- SimpleLocker - 64
Set 2: Benign Dataset
The benign data contains system call logs from 502 benign Android applications from various categories. Two of these logs come from cache-cleaning applications, which were included because their file-handling behaviour closely resembles that of ransomware.
Dataset Folder Structure & Usage
- Raw extracted system call logs - This folder contains the raw system call logs extracted with Strace on an Android emulator running API level 24 with 1536MB RAM.
  - Strace log format: <PID> <Timestamp: HH:MM:SS> <System call>
- Formatted system call logs
  - Formatted log format: <PID>;<timestamp>;<system call>;<arguments>
  - Each sample contains three different files:
    - Layer_1_syscall_output_<file_hash/file_name>.apk.log - Unnecessary system calls, such as clock_gettime() and mprotect(), filtered out and the remaining calls grouped by PID
    - sep_chars_syscall_output_<file_hash/file_name>.apk.log - System calls formatted using separation characters
    - sep_char_abs_syscall_output_<file_hash/file_name>.apk.log - System calls formatted and abstracted
- Detected patterns of formatted system call logs
  - This folder contains three files, one per severity level (General, Suspicious, and Malicious); each file lists the patterns detected at that level. The section below describes the 12 patterns we created to detect ransomware.
Behavioural Patterns
Below are the 12 patterns used to detect crypto ransomware, categorised into their respective severity levels. The 12 behavioural patterns were derived from a pilot test that observed the system call-level behaviours exhibited by a selected set of Android crypto ransomware and benign applications. Please refer to the associated paper for a more in-depth description of the evaluation.
Severity Level: Malicious
- Rename & Unlink User - Renaming and unlinking a file within the user's main directories
- Unlinking User Files - Unlinking a file within the user's main directories
- Unknown File Ext Created - Creation of a file within the user's main directories with an unknown file extension
- Read User File - Reading a file within the user's main directories
- Write File Unknown Extension - Writing to a file with an unknown file extension
Severity Level: Suspicious
- IPv4 Connections - Connecting to an external address given in dotted-quad notation
- Directory Search - Searching through any directories
- URL to Obfuscated Filename - Writing a URL address to an obfuscated file name
- Socket Create and Connect - Creation of a socket and making external network connections
Severity Level: General
- File Write - Writing to any file from any location
- File Read - Reading any file from any location
- Generic File Unlink - File unlinks not within the user directory
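As an added illustration (not part of the dataset or its paper), the following Python parses lines in the formatted layout <PID>;<timestamp>;<system call>;<arguments> and counts hits for a subset of the patterns above. The sample lines are constructed, and the shape of the <arguments> field, the user-directory prefixes and the known-extension list are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the dataset's formatted layout <PID>;<timestamp>;<system call>;<arguments>.
# The <arguments> shape and the user-directory prefixes are assumptions of this example.
SAMPLE_LOG = """\
1234;10:01:03;openat;"/sdcard/DCIM/photo1.jpg.enc",O_WRONLY|O_CREAT
1234;10:01:04;unlink;"/sdcard/DCIM/photo1.jpg"
1234;10:01:05;rename;"/sdcard/Download/notes.txt","/sdcard/Download/notes.txt.lock"
1234;10:01:05;unlink;"/sdcard/Download/notes.txt.lock"
1234;10:01:06;unlink;"/data/data/com.example/cache/tmp"
1234;10:01:07;getdents64;5,32768
1234;10:01:08;connect;6,{AF_INET,198.51.100.7,443}
"""

USER_DIRS = ("/sdcard/", "/storage/emulated/0/")   # assumed "user's main directories"
KNOWN_EXTS = {"jpg", "png", "mp4", "mp3", "pdf", "txt", "doc", "docx"}  # assumed allow-list
QUOTED_PATH = re.compile(r'"([^"]*)"')
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_line(line):
    """Split one formatted line into its four ';'-separated fields plus quoted paths."""
    pid, ts, call, args = line.split(";", 3)
    return {"pid": int(pid), "ts": ts, "call": call, "args": args,
            "paths": QUOTED_PATH.findall(args)}

def unknown_ext(path):
    name = path.rsplit("/", 1)[-1]
    return "." not in name or name.rsplit(".", 1)[-1].lower() not in KNOWN_EXTS

def detect(log_text):
    """Count hits for a subset of the 12 patterns; keys are 'Severity:Pattern'."""
    hits, renamed = Counter(), set()
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        call, paths = ev["call"], ev["paths"]
        user_paths = [p for p in paths if p.startswith(USER_DIRS)]
        if call == "rename" and user_paths:
            renamed.update(user_paths)      # remembered for Rename & Unlink User
        elif call == "unlink" and user_paths:
            key = "Rename & Unlink User" if paths[0] in renamed else "Unlinking User Files"
            hits["Malicious:" + key] += 1
        elif call == "unlink":
            hits["General:Generic File Unlink"] += 1
        elif call == "openat" and "O_CREAT" in ev["args"] and user_paths \
                and unknown_ext(user_paths[0]):
            hits["Malicious:Unknown File Ext Created"] += 1
        elif call in ("getdents", "getdents64"):
            hits["Suspicious:Directory Search"] += 1
        elif call == "connect" and IPV4.search(ev["args"]):
            hits["Suspicious:IPv4 Connections"] += 1
    return hits
```

Running detect(SAMPLE_LOG) on the constructed lines yields one hit for each of the six patterns the code covers; the read/write patterns would additionally need file-descriptor tracking, which this example omits.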
Comments
want it for my research