Early prediction of ransomware API calls behaviour based on GRU-TCN in healthcare IoT

Abstract

The healthcare industry is collecting considerable patient and medical data by using Internet of Things (IoT) devices. Consequently, ransomware attacks to encrypt healthcare systems or leak such data have increased recently. Many studies are aiming to predict ransomware behaviours early to protect the healthcare IoT environment from such attacks. However, previous studies analysed ransomware behaviours for long periods of time, and systems would already get infected and encrypted meanwhile. To avoid this problem, this study proposes an early prediction scheme of ransomware behaviour (EPS-Ran) to reduce the likelihood of systems being infected during behavioural analysis. EPS-Ran analyses behaviours for 30 s to extract the opcode and API calls sequence. The extracted behaviour features are entered into a hybrid deep learning model that combines the bidirectional gated recurrent unit (Bi-GRU) model and the temporal convolutional network (TCN) model to predict a future 90 s API calls sequence. The MAE, MSE, and RMSE of the prediction performance of EPS-Ran were measured to be 0.3438, 0.5648, and 0.6342, respectively. EPS-Ran predicted ransomware behaviours early with a low error rate even when the analysis time was reduced from 120 s to 30 s.

KEYWORDS:

• Healthcare internet of things (IoT)
• ransomware
• behaviour analysis
• early prediction
• deep learning

1. Introduction

The Internet of Things (IoT) has recently been applied in the healthcare sector for patient monitoring and medical equipment and healthcare supply chain management by collecting considerable patient, medical, and other data to provide improved healthcare services (Tariq et al., 2022; Manikandan et al., 2022; Hussain et al., 2021; Alshammari et al., 2020).

However, with the expanding use of IoT devices, the number of ransomware attacks has increased sharply, making it necessary to secure patient and medical data that is vulnerable to leakage and manipulation (He et al., 2021; Oz et al., 2022). Furthermore, the introduction of ransomware as a service (RaaS) has lowered the barriers to entry for ransomware attacks, and new and diverse ransomware is being created rapidly. Ransomware, in addition to damaging the target IoT devices by encrypting files and leaking critical data, causes secondary damage by also damaging PCs and mobile devices (Ryan et al., 2022; McIntosh et al., 2021; Poudyal & Dasgupta, 2021; Connolly & Borrion, 2022). In the healthcare sector, ransomware attacks can cause financial damage and, in the worst case, threaten the lives of patients (Wazid et al., 2023; Tariq et al., 2022).

In this light, many studies have been conducted to detect ransomware in advance by analysing them to protect the healthcare sector from attacks (Said, 2022; McIntosh et al., 2021; Alqahtani & Sheldon, 2022). Ransomware analysis techniques include static analysis, dynamic analysis, and hybrid analysis. Static analysis extracts and analyses assembly code; this takes a short time but is less effective when applied to obfuscated ransomware (Ibrahim et al., 2022; Balram et al., 2019). By contrast, dynamic analysis executes a file to monitor behaviour in real time; however, it requires a longer time compared to that of static analysis (Kara & Aydos, 2021; Sharmeen et al., 2020). Hybrid analysis uses both static and dynamic analyses in a complementary manner to overcome the drawbacks of each technique (Ding et al., 2021; Jeon et al., 2022). However, it still requires as much time as does dynamic analysis, and therefore, the system may get infected during the analysis.

In this light, the present study proposes the early prediction scheme of ransomware behaviour (EPS-Ran) to predict long-term behaviours by analysing behaviour features for only a short time. EPS-Ran first extracts the operation code (opcode) sequence through static analysis and then performs dynamic analysis for 30 s to extract the application programming interface (API) calls sequence. The extracted opcode and API calls sequence are entered in the bidirectional gated recurrent unit (Bi-GRU) model and extracted as short-term features. Finally, EPS-Ran combines two short-term features into one and then enters it into the temporal convolutional network (TCN) model to predict the future API calls sequence.

These EPS-Ran provides a solution that can strengthen the security of the healthcare IoT environment by predicting the long-term behaviour of ransomware based on short-term behavioural features using a deep learning model. This allows healthcare organisations to take proactive measures to protect their systems and minimise potential damage caused by ransomware attacks.

The main contributions of EPS-Ran proposed in this study are as follows.

• EPS-Ran is proposed as a model to predict the behaviour of ransomware that threatens the healthcare environment.

• EPS-Ran uses opcodes and API calls as a feature to analyse the structure of an executable file and detect specific behaviours of ransomware.

• EPS-Ran learns various behaviours of ransomware by utilising the Bi-GRU model that considers bidirectional behavioural information and the TCN model optimised for processing long time-series data.

• EPS-Ran predicts long-term behaviour relatively accurately through short-term behaviour analysis compared to other SOTA models.

• By analysing the PE file for a short period of time, EPS-Ran prevents the healthcare IoT environment from being encrypted by ransomware.

The rest of this paper is organised as follows. Section 2 analyses previous studies on ransomware behaviour classification and prediction. Section 3 describes the overall scheme of the proposed EPS-Ran model. Section 4 describes the implementation of EPS-Ran. Section 5 presents the prediction performance results of EPS-Ran. Finally, Section 6 presents the conclusions of this study and discusses future studies.

2. Related works

Various studies are being conducted to protect healthcare IoT systems from ransomware attacks. This section analyses studies on artificial intelligence (AI)-based ransomware classification and prediction, and provides an in-depth analysis of deep learning models specialised in time-series forecasting (TFS).

2.1. Ransomware classification

To effectively prevent intelligent ransomware attacks, studies are being conducted to classify ransomware. The following are some representative studies on ransomware classification.

Rhode et al. (2018) proposed a ransomware early-stage classification technique that utilised early analytical data to detect ransomware behaviours in advance. First, dynamic analysis of portable executable (PE) files was performed to extract machine activity metrics such as CPU usage, packets, and processes for up to 20 s. Subsequently, the proposed technique was used to train a recurrent neural network (RNN) model on the metrics to classify ransomware before the system was infected.

Al-rimy et al. (2019) proposed an ensemble-based early detection model that used two machine learning models to detect crypto-ransomware in the early stages of system encryption. The proposed model first divided API calls into subsets using incremental bagging. They also used the enhanced semi-random subspace selection technique to screen the most important features. Finally, they trained various machine-learning-based classifiers on the features to classify ransomware. The proposed model addressed the lack of initial feature information through machine learning and detected ransomware with high accuracy.

Abbasi et al. (2022) proposed an automated feature selection technique that utilised the particle swarm optimisation technique to improve the ransomware classification performance. The proposed technique used the mutual information ranking-based feature selection technique to screen the features of the top rank and then selected the optimal feature number using the wrapper technique. By using the proposed technique, machine-based classifiers such as regularised logistic regression (RLR), random forest (RF), decision tree (DT), support vector machine (SVM), and k-nearest neighbourhood (KNN) were used to classify ransomware families with high accuracy.

However, the system becomes infected due to the long analysis time required to extract ransomware features.

2.2. Ransomware behaviour prediction

To detect and prevent ransomware at an early stage, various studies are being conducted to predict the behaviour of ransomware. The studies on predicting ransomware behaviour is as follows.

Molina et al. (2022) proposed a technique for predicting the order of evasion API calls to detect ransomware that avoids behaviour analysis in a virtual environment. First, they converted the initial API calls sequence into a categorical vector, and then, they used Bernoulli’s naive Bayes (BNB), kNN, artificial neural network (ANN), and long short-term memory (LSTM) models to predict the paranoid activities that occurred before the system was encrypted.

Amer and Zelinka (2020) proposed a Markov-chain-based predictive model to detect malware that generates an unnecessary API calls sequence to avoid analysis. The proposed model first used the Word2Vec model to extract the contextual relationship features between API calls sequences. It reduced the dimension of the embedding vector by using the K-means algorithm. Finally, it predicted the malignancy of the API calls sequence by using a Markov chain and prevented the execution of malicious payloads early.

Gogineni et al. (2022) proposed Foreseer to forecast system events and thereby detect malware early. Foreseer converted the system’s event log into a N-dimensional feature vector by using a temporal-feature-based event embedding technique. An attention-based LSTM model was trained with the generated vector to predict future system event series with high accuracy.

However, achieving high accuracy in predicting the long-term behaviour of ransomware requires long-term analysis data, posing a challenge to preventing system infections. Therefore, to improve this problem, study is needed to predict long-term behaviour accurately using short-term analysis data.

2.3 Prediction model based on deep learning

The accurate analysis and prediction of ransomware features consisting of complex patterns require a deep learning model specialised for TFS. The followings are some deep learning models that have recently been studied for accurate TSF.

Zhou et al. (2021) proposed Informer, a transformer-based deep learning model, for accurately predicting long sequences. Informer utilised a multi-encoder-decoder structure that combines self-attention and convolutional attention mechanisms to extract temporal and spatial dependencies, and analyse time-series data. However, accurate training of Informer requires a large amount of data and high computational complexity.

Zeng et al. (2022) proposed DLinear, a deep learning model composed of linear networks, to address several problems with transformer-based models. DLinear decomposed time-series data into trends and remainder to consider temporal features, and then analysed them through a linear network. Compared to existing transformer-based prediction models, DLinear reduced the amount of computation and improved prediction accuracy.

Liu et al. (2021) proposed a sample convolution and interaction network (SCINet) with a hierarchical structure to accurately predict time-series data. To repeatedly extract and analyse temporal features, SCINet reconstructed sub-sequences by downsampling the input sequence and performed interaction learning through different 1D-convolutional modules. SCINet predicted time-series data composed of various lengths more accurately than existing deep learning models specialised for TSF, such as Longformer and Informer.

The proposed EPS-Ran technique trains a deep learning model on the opcode and API calls sequence extracted from hybrid analysis to predict the future API calls sequence. Table 1 shows a comparison of EPS-Ran with previous AI-based ransomware classification and prediction techniques in terms of the behaviour analysis technique used, features that represent the ransomware behaviour, and AI techniques used to classify and predict the ransomware.

Table 1. Comparison of EPS-Ran with previous ransomware classification and prediction techniques.

Related works	Analysis technique	Feature	AI technique
Rhode et al. (2018)	Dynamic analysis	CPU usage, packets, bytes, memory, swap, process	GRU
Al-rimy et al. (2019)	Dynamic analysis	API calls	AdaBoost, KNN, SVM, LR, RF, DT, Perceptron
Abbasi et al. (2022)	Hybrid analysis	API calls, registry, file operation, strings	RLR, RF, DT, SVM, KNN
Molina et al. (2022)	Dynamic analysis	API calls	BNB, KNN, ANN, LSTM
Amer and Zelinka (2020)	Dynamic analysis	API calls	Markov chain model
Gogineni et al. (2022)	Dynamic analysis	Raw system events	LSTM
EPS-Ran	Hybrid analysis	Opcode, API calls	Bi-GRU, TCN

3. EPS-Ran scheme

To solve the problem of conventional prediction models that require long periods of time to analyse ransomware behaviour, this study proposes EPS-Ran that predicts a 90 s long-term API calls behaviour by analysing ransomware behaviours within 30 s. Figure 1 shows its overall scheme.

Figure 1. Early prediction scheme of ransomware behaviour (EPS-Ran).

EPS-Ran involves four main stages: hybrid analysis for extracting behaviour information from the PE file, data vectorisation for converting the data format from a string to a sparse vector, short-term feature extraction for extracting major patterns from the extracted opcode and API calls sequence, and long-term API calls prediction for predicting the API calls behaviour from the analysed behaviours.

3.1. Hybrid analysis

The hybrid analysis stage extracts behaviour information by simultaneously performing static and dynamic analyses of PE files. EPS-Ran uses static analysis to extract the opcode sequence, a command that the CPU processor must perform, from the file structure. Furthermore, it uses dynamic analysis to extract an API calls sequence used to access a variety of resources by running a PE file in a virtual environment.

3.2. Data vectorization

In the data vectorisation stage, EPS-Ran converts the opcode and API calls sequence from a string format into a sparse vector format. First, EPS-Ran uses the FastText technique to generate a fixed-size embedding vector for each character in the opcode and API calls. This technique divides strings into subwords to generate a vector; thus, it also generates an embedding vector for out-of-vocabulary (OoV) words (Bojanowski et al., 2017).

3.3. Short-term feature extraction

In the short-term feature extraction stage, the primary pattern is extracted from the opcode and API calls sequence vector by dividing it into static/dynamic short-term feature extraction blocks to predict the future behaviour. Toward this end, EPS-Ran first uses a distilling technique such as that given by Equation 1(1) $x_{l+1}^t=\text{MaxPool}\left(\text{ELU}\left(\text{Convolution }1\text{d}\left(x_l^t\right)\right)\right)$(1) to reduce the dimension of the opcode and API calls sequences vector. Here, $x_l^t$ denotes the t^th embedding vector of the l^th layer, and $x_{l+1}^t$ denotes the output embedding vector with reduced dimensions. This distilling technique was used to reduce the dimensionality of prob-sparse self-attention blocks, but in this study, it was applied to reduce the dimensionality of high dimensional opcodes and API calls sequences, it improves the gradient vanishing and gradient exploding problems with RNN-based deep learning models (Zhou et al., 2021). (1) $x_{l+1}^t=\text{MaxPool}\left(\text{ELU}\left(\text{Convolution }1\text{d}\left(x_l^t\right)\right)\right)$(1) In addition, EPS-Ran extracts many behaviour features through the Bi-GRU model by considering the sequence of behaviour vectors in both directions to improve the long-term dependency (Jeong et al., 2023). For the cells in Bi-GRU, sequential features are considered through the reset gate and update gate. Equation 2(2) $\{\begin{array}{ll}\overrightarrow{h_t}=\text{GR}{\text{U}}_{\text{forward}}\left(v_t,\overrightarrow{h_{t-1}}\right)& \\ \overleftarrow{h_t}=\text{GR}{\text{U}}_{\text{backward}}\left(v_t,\overleftarrow{h_{t+1}}\right)\end{array}$(2) shows the process by which the Bi-GRU model calculates the forward GRU output vector $\overrightarrow{h_t}$ and backward GRU output vector $\overleftarrow{h_t}$ from the t^th embedding vector $v_t$ and the previous state vectors $\overrightarrow{h_{t-1}}$ and $\overleftarrow{h_{t+1}}$. (2) $\{\begin{array}{ll}\overrightarrow{h_t}=\text{GR}{\text{U}}_{\text{forward}}\left(v_t,\overrightarrow{h_{t-1}}\right)& \\ \overleftarrow{h_t}=\text{GR}{\text{U}}_{\text{backward}}\left(v_t,\overleftarrow{h_{t+1}}\right)\end{array}$(2) Through these two types of short-term feature extraction blocks, EPS-Ran generates static and dynamic feature tensors, which have a major pattern in the opcode and API calls sequence, respectively. Figure 2 shows the overall structure of the short-term feature extraction block that consists of the distilling technique and Bi-GRU model. In this case, the short-term feature extraction blocks for opcode and API calls data have same structure.

Figure 2. Structure of static short-term feature extraction block.

3.4. Long-term API calls prediction

The long-term API calls prediction stage combines the static and dynamic short-term feature tensors into a single tensor and then enters the TCN model to predict the long-term API calls sequence. This TCN model utilises the dilated causal convolution technique and the temporal block consisting of residual blocks to extract a sequential feature of a certain length (Lea et al., 2017; Bai et al., 2018). EPS-Ran thus keeps the size of the embedding vector dimension constant while increasing the output channel to the length of the API calls sequence. Figure 3 shows the structure of a TCN model that predicts an API calls embedding vector of 90 s from two short-term feature tensors.

Figure 3. Overall structure of TCN model in long-term API calls prediction stage.

EPS-Ran prevents cumulative errors because it predicts the long-term API calls only by one forward propagation, unlike the conventional prediction model that performs step-by-step inference of the encoder-decoder structure (Bai et al., 2018).

4. EPS-Ran implementation

To protect the vast volume of medical data collected in healthcare IoT environments, this study implemented EPS-Ran on a computer with an Intel Core i9-10800 K processor and GeForce RTX 3090 graphics card that ran the Ubuntu server 18.04 operating system. EPS-Ran built the virtual environment consisting of a guest operating system in the Ubuntu 20.04 and a nested guest operating system in Windows 7 to prevent the infection of the analytical environment when performing dynamic analysis. To prevent the analysis environment from being infected when performing dynamic analysis, EPS-Ran built a virtual environment consisting of a guest operating system in the Ubuntu 20.04 environment and a nested guest operating system in the Windows 7 environment.

To predict the behaviour of ransomware running in the healthcare application in the Windows environment, we collected 5,850 ransomware samples from VirusShare. At this time, we selected only PE file format ransomware samples among various ransomware samples provided by VirusShare. In addition, we also collected 5,850 benign samples to accurately analyse the behaviour of ransomware. To build EPS-Ran and evaluate its performance, we divided the collected 11,700 PE files into 9,360 training sets, 1,170 validation sets, and 1,170 test sets.

4.1. Hybrid analysis

To perform static analysis for PE files in the hybrid analysis stage, EPS-Ran used a Python-based pydasm disassembler to extract the opcode sequence from the “.text” section of the file structure. Moreover, EPS-Ran built a cuckoo sandbox environment to perform dynamic analysis of the PE file for 120 s.

Here, the sequence length for each feature was reduced by removing continuously duplicated opcode and API calls to improve the predictive accuracy of EPS-Ran (Kakisim et al., 2022; Angelo et al., 2021).

4.2. Data vectorization

In the data vectorisation stage, the extracted API calls sequence was divided into a 30 s input sequence and a 90 s ground truth sequence to train EPS-Ran. API calls sequence extracted from each section had different lengths for each PE file.

Most deep-learning-based prediction models show lower prediction performance when the input sequence length increases (Baek et al., 2021). Thus, this study fixed the maximum length for the input sequence of the opcode, input sequence of the API calls, and output sequence to 110, 674, and 473, respectively, which corresponded to 60% of the total dataset. In addition, we built a FastText model based on the hyper parameters listed in Table 2 to convert the opcode and API calls into vectors.

Table 2. Hyper parameters used to build FastText model.

Parameters	Value
Embedding dimension	256
Training algorithm	Continuous Bag of Words (CBOW)
Activation function	Hierarchical softmax
Sliding window size	5
Negative sampling	5
N-gram minimum	3
N-gram maximum	6

These data vectorisation stage ensures that EPS-Ran does not generate different embedding vectors for each epoch due to the backward propagation of the learning process.

4.3. Short-term feature extraction

In the short-term feature extraction stage, EPS-Ran used 1D-convolution, an exponential linear unit (ELU) activation function, and max pooling to configure the distilling layer. Here, the kernel size of 1D-convolution was set to 3, stride size to 1, kernel size of max pooling to 3, and stride size to 2.

Table 3 shows the process of reducing the dimension of the embedding vector when the opcode and API calls sequence pass the distilling layer. Here, the static short-term feature extraction block has two distilling layers because the opcode sequence length is shorter than the API calls sequence length. The dynamic short-term feature extraction block contained four distilling layers.

Table 3. Vector dimensions of opcode and API calls sequence according to distilling layer.

Layers		Opcode sequence dimension	API calls sequence dimension
Distilling #1	Conv 1D	110	674
	Max Pooling	108	672
Distilling #2	Conv 1D	53	335
	Max Pooling	51	333
Distilling #3	Conv 1D	-	166
	Max Pooling	-	164
Distilling #4	Conv 1D	-	81
	Max Pooling	-	79
Distilling Output		25	39

Furthermore, EPS-Ran extracted sequential features from the opcode and API calls sequence vector in both directions by adding three Bi-GRU layers and two fully connected layers to each short-term feature extraction block. At this time, the hidden vector dimension of the cell in Bi-GRU was finally set to 128 through the validation process. Also, a fully connected layer adjusted the 128-dimensional Bi-GRU output layer to the same dimension as the 256-dimensional embedding vector.

4.4. Long-term API calls prediction

Finally, in the long-term API calls prediction stage, EPS-Ran combined the feature tensors extracted from each short-term extraction block and then trained the TCN model consisting of four temporal blocks to predict long-term API calls. Each temporal block consisted of 1D convolution, rectified linear unit (ReLU) activation function, and dropout, which were performed two times each. Here, the kernel size of 1D convolution was set to 3, stride size to 1, and dropout probability to 0.2. The structure of the TCN model with the highest prediction performance was selected as shown in Table 4 through the verification process of EPS-Ran.

Table 4. Overall structure of TCN model.

Layers	Dilation	Input shape	Output shape
Temporal block #1	1	[32, 64, 256]	[32, 256, 256]
Temporal block #2	2	[32, 256, 256]	[32, 512, 256]
Temporal block #3	4	[32, 512, 256]	[32, 1024, 256]
Temporal block #4	8	[32, 1024, 256]	[32, 473, 256]

To keep the 1D convolution output dimension of the temporal block constant at 256, EPS-Ran performed a dilated causal convolution with padding. Also, EPS-Ran configured the output channel of the temporal block to be 256, 512, 1024, and 473 for each layer so that the output channel of TCN is the same as the API calls sequence length.

5. Performance evaluation

We used the mean absolute error (MAE), mean squared error (MSE), and root mean square error (RMSE) to assess the performance of EPS-Ran for the early detection of ransomware that threatens the healthcare IoT environment. These evaluation metrics are respectively calculated using Equations 3, 4, and 5, where $Y_i$ denotes the actual API calls vector and $\widehat{Y_i}$, the API calls vector predicted by EPS-Ran. (3) $\begin{array}{rl}\text{MAE}& =\frac{1}{n}\sum _{i=1}^n\left(|Y_i-\widehat{Y_i}|\right)\end{array}$(3) (4) $\begin{array}{rl}\text{MSE}& =\frac{1}{n}\sum _{i=1}^n(Y_i-\widehat{Y_i}{)}^2\end{array}$(4) (5) $\begin{array}{rl}\text{RMSE}& =\sqrt{\frac{1}{n}\sum _{i=1}^n(Y_i-\widehat{Y_i}{)}^2}\end{array}$(5)

Table 5 shows the prediction performance of EPS-Ran according to the analysis time of the PE file. At this time, we considered different intervals of the input range and output range in three cases. The input range refers to the time spent on the analysis, and the output range refers to the predicted time. Case 1 predicts an output range of 90 s from an input range of 30 s, case 2 predicts an output range of 60 s from an input range of 60 s, and case 3 predicts an output range of 30 s from an input range of 90 s. Because less time was spent on static analysis, this study only considered the dynamic analysis time for extracting API calls.

Table 5. Prediction performance of EPS-Ran according to input and output ranges.

	Train			Validation			Test
Case	MAE	MSE	RMSE	MAE	MSE	RMSE	MAE	MSE	RMSE
Case 1.	0.3518	0.5620	0.7442	0.3601	0.5695	0.6453	0.3438	0.5648	0.6342
Case 2.	0.3419	0.5579	0.7411	0.3465	0.5582	0.6390	0.3501	0.5849	0.6406
Case 3.	0.3324	0.5385	0.7264	0.3162	0.4952	0.6198	0.3164	0.5036	0.6208

When a 90 s API calls sequence was predicted from behaviour features analysed for 30 s, the prediction errors were generally smaller than when EPS-Ran’s performance was based on a 60 s analysis. However, the prediction performance was lower than that when the data was analysed for over 90 s. With an input range of 90 s, we predicted the short-term behaviour accurately because we analysed many behaviours over a long period of time; however, there was a high risk of getting infected with ransomware. By contrast, even with an input range of 30 s, EPS-Ran used behaviours analysed over a short period of time to predict the long-term behaviour relatively accurately.

Table 6 shows a comparison of the prediction performance of state-of-the-art (SOTA) long-term prediction models, namely, Informer (Zhou et al., 2021), DLinear (Zeng et al., 2022), SCINet (Liu et al., 2021), and EPS-Ran. Unlike EPS-RAN, existing SOTA models do not have hybrid structures that combine the opcode sequence and API calls sequence. Therefore, for this comparison, we built EPS–Ran + that uses only the API calls sequence. Additionally, we performed training for 100 epochs with the hyper parameters of all models set identically to Adam optimiser, learning rate of 0.001, dropout probability of 0.2, and batch size of 32.

Table 6. Comparison of prediction performance of SOTA models with EPS-$Ran$ and EPS-Ran.

	Train			Validation			Test
Model	MAE	MSE	RMSE	MAE	MSE	RMSE	MAE	MSE	RMSE
Informer	0.3890	0.6273	0.7875	0.3776	0.6023	0.6684	0.3762	0.6140	0.6647
DLinear	0.3968	0.6547	0.8042	0.3947	0.6540	0.7016	0.3971	0.6781	0.7032
SCINet	0.3775	0.6100	0.7765	0.3644	0.5887	0.6629	0.3614	0.5974	0.6576
EPS-$Ran$	0.3536	0.5669	0.7470	0.3433	0.5572	0.6400	0.3407	0.5665	0.6356
EPS-Ran	0.3518	0.5620	0.7442	0.3601	0.5695	0.6453	0.3438	0.5648	0.6342

Compared with the other models, EPS-$Ran$ generally predicted the API calls sequence accurately for 90 s from an API calls sequence of 30 s. The predicted error of EPS-Ran was slightly larger or similar to that of EPS-$Ran$ because it used different types of behaviour features.

Figure 4 shows the MSE produced during each epoch when training and validation was performed for the five types of models.

Figure 4. MSE calculated from each model through (a) training and (b) validation.

According to the training results of each model, the larger the epoch in general, the smaller was the prediction error. In addition, when the epoch was 100, EPS-Ran had the lowest MSE (0.5314) among all models. For validation, the MSE of EPS-Ran was slightly higher than or similar to that of EPS-$Ran$. Unlike other models, DLinear’s validation MSE increased steadily from the 2 epoch. The measured prediction error was high because DLinear failed to extract the trend and remainder from the API calls sequence with the time stamp not fixed.

These EPS-Ran demonstrated high performance even though it predicted a long-term API call sequence using only two types of behaviours analysed for 30 s, and outperformed other deep learning models.

6. Conclusions

To prevent the damage caused by ransomware in healthcare IoT environments, this study proposed EPS-Ran that uses deep learning models for the early prediction of ransomware behaviours. EPS-Ran extracted the opcode and API calls sequence monitored for a short period of less than 30 s and then successively used Bi-GRU and TCN models to predict the 90 s API calls sequence. When the performance of EPS-Ran was evaluated, the MAE, MSE, and RMSE outperformed other state-of-the-art prediction models as they had small error rates of 0.3438, 0.5648, and 0.6342, respectively.

EPS-Ran complements the problem that existing prediction models have difficulty predicting ransomware behaviour through short-term behavioural features. Also, it analyses and predicts ransomware behaviour before the system is encrypted, it can be used in real system environments rather than in isolated analytical environments. By applying EPS-Ran to the healthcare environment, healthcare organisations can strengthen their security measures against ransomware, protecting sensitive patient data and preventing potentially life-threatening situations.

However, the proposed EPS-Ran accurately predicts long-term API call behaviour with a small error based on short-term analysed behaviour, but does not detect whether the corresponding behaviour is ransomware or benign. Accordingly, in the future, we plan to conduct additional study to classify ransomware and benign with high accuracy based on the predicted API call sequence. In addition, we will improve the prediction performance of EPS-Ran by adding techniques to remove unnecessary behaviour information.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This research was supported by the National Research Foundation of Korea(NRF) funded by the Ministry of Science and ICT. (2022K1A3A1A61015020).