Deep learning LSTM based ransomware detection

There is growing interest in academia and industry in employing dynamic analysis to automate malware analysis. In dynamic analysis, the Application Programming Interface (API) calls made by an executable are a promising source for identifying the behavior of an application. The list of API calls made by a process can be treated as a word sequence. This work aims to detect ransomware behavior by employing Long Short-Term Memory (LSTM) networks for binary classification (ransomware versus benign) of API call sequences. We present an automated approach to extract API calls from the log of a modified sandbox environment and detect ransomware behavior. The proposed approach is expected to improve the automated analysis of large volumes of malware samples.
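The following Python sketch is an added illustration of the pipeline the abstract describes, not code from the paper: per-process API call sequences are extracted from a sandbox log, mapped to a fixed-length integer "word sequence", and fed to a single-layer LSTM with a sigmoid output. The log lines, the JSON record format, the API names and the model weights are all constructed assumptions (the paper's modified sandbox and its log format are not described here), and the LSTM is untrained with seeded random weights, so its score only shows how a tokenized call sequence is consumed by the network, not a working detector.

```python
"""Sandbox API-call log -> per-process token sequences -> LSTM score (illustration only)."""
import json
import math
import random

# Constructed sample log (not from any real sandbox). One JSON record per API
# call with the calling process id; the record layout is an assumption.
SAMPLE_LOG = """\
{"pid": 1204, "api": "CryptAcquireContextW"}
{"pid": 1204, "api": "FindFirstFileExW"}
{"pid": 1204, "api": "NtReadFile"}
{"pid": 1204, "api": "CryptEncrypt"}
{"pid": 1204, "api": "NtWriteFile"}
{"pid": 1204, "api": "DeleteFileW"}
{"pid": 1204, "api": "FindNextFileW"}
{"pid": 1204, "api": "NtReadFile"}
{"pid": 1204, "api": "CryptEncrypt"}
{"pid": 1204, "api": "NtWriteFile"}
{"pid": 1204, "api": "DeleteFileW"}
{"pid": 3310, "api": "LoadLibraryW"}
{"pid": 3310, "api": "RegOpenKeyExW"}
{"pid": 3310, "api": "GetSystemMetrics"}
"""

PAD, UNK = "<pad>", "<unk>"
MAX_LEN = 8  # fixed sequence length fed to the network (assumed value)


def extract_sequences(log_text):
    """Group API names by process id, preserving call order (the 'word sequence')."""
    seqs = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            seqs.setdefault(rec["pid"], []).append(rec["api"])
    return seqs


def build_vocab(sequences):
    """Assign an integer to every API name; 0 is padding, 1 is unseen-at-training."""
    vocab = {PAD: 0, UNK: 1}
    for seq in sequences:
        for api in seq:
            vocab.setdefault(api, len(vocab))
    return vocab


def encode(seq, vocab, max_len=MAX_LEN):
    """Integer-encode a call sequence, then truncate or right-pad to max_len."""
    ids = [vocab.get(api, vocab[UNK]) for api in seq[:max_len]]
    return ids + [vocab[PAD]] * (max_len - len(ids))


class TinyLSTM:
    """Embedding + one LSTM layer + sigmoid head, in pure Python.

    Weights are seeded random and never trained: the score illustrates the
    forward computation over an API token sequence, nothing more.
    """

    def __init__(self, vocab_size, embed_dim=4, hidden_dim=4, seed=0):
        rng = random.Random(seed)
        r = lambda: rng.uniform(-0.5, 0.5)
        self.hidden_dim = hidden_dim
        self.embed = [[r() for _ in range(embed_dim)] for _ in range(vocab_size)]
        n = embed_dim + hidden_dim  # gates see [embedded token, previous hidden state]
        self.W = {g: [[r() for _ in range(n)] for _ in range(hidden_dim)] for g in "ifgo"}
        self.b = {g: [r() for _ in range(hidden_dim)] for g in "ifgo"}
        self.w_out = [r() for _ in range(hidden_dim)]
        self.b_out = r()

    @staticmethod
    def _sig(x):
        return 1.0 / (1.0 + math.exp(-x))

    def _gate(self, g, x):
        return [sum(w * v for w, v in zip(row, x)) + b
                for row, b in zip(self.W[g], self.b[g])]

    def score(self, ids):
        """Probability-like score in (0, 1) for one encoded sequence."""
        h = [0.0] * self.hidden_dim
        c = [0.0] * self.hidden_dim
        for tok in ids:
            if tok == 0:  # padding carries no information; skip it
                continue
            x = self.embed[tok] + h
            i = [self._sig(v) for v in self._gate("i", x)]   # input gate
            f = [self._sig(v) for v in self._gate("f", x)]   # forget gate
            g = [math.tanh(v) for v in self._gate("g", x)]   # candidate cell state
            o = [self._sig(v) for v in self._gate("o", x)]   # output gate
            c = [fv * cv + iv * gv for fv, cv, iv, gv in zip(f, c, i, g)]
            h = [ov * math.tanh(cv) for ov, cv in zip(o, c)]
        logit = sum(w * v for w, v in zip(self.w_out, h)) + self.b_out
        return self._sig(logit)


if __name__ == "__main__":
    seqs = extract_sequences(SAMPLE_LOG)
    vocab = build_vocab(seqs.values())
    model = TinyLSTM(len(vocab))
    for pid, seq in seqs.items():
        print(pid, encode(seq, vocab), round(model.score(encode(seq, vocab)), 4))
```

In practice the vocabulary is built from the training set only, so API names first seen at inference fall back to the `<unk>` token rather than growing the embedding table; truncation to a fixed length also means that, for a ransomware sample, the window must be long enough to cover the file enumeration, encryption and deletion calls that make the sequence distinctive.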
