Ransomware Analysis using Feature Engineering and Deep Neural Networks

Detecting and analysing potential malware, specifically malware used for ransom, is a challenging task. Recently, intruders have been using advanced cryptographic techniques to take hold of digital assets and then demand a ransom. It is believed that files generally contain attributes, states, and patterns that a machine learning technique can recognize. This work therefore focuses on the detection of ransomware through feature engineering, which helps in analysing the vital attributes and behaviours of the malware. The main contribution of this work is the identification of important and distinctive characteristics of ransomware that can help in detecting it. Finally, based on the selected features, both conventional machine learning techniques and transfer-learning-based deep convolutional neural networks were used to detect ransomware. To perform feature engineering and analysis, two separate datasets (static and dynamic) were generated. The static dataset has 3646 samples (1700 ransomware and 1946 goodware), while the dynamic dataset comprises 3444 samples (1455 ransomware and 1989 goodware). Through various experiments, it is observed that registry changes, API calls, and DLLs are the most important features for ransomware detection. Additionally, important sequences were found with the help of the N-gram technique. It is also observed that, in the case of the registry delete operation, when a malicious file deletes registry keys it follows a specific and repeated sequence, whereas a benign file follows no specific sequence or repetition. Similarly, an interesting observation made through this study is that there is no registry-delete sequence common to malicious and benign files, and this discernible fact can readily be exploited for ransomware detection. The relevant Python code and dataset are available on GitHub.
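The following is an added example, not code from the paper or its GitHub repository, showing how the N-gram treatment of registry-delete sequences described above can be turned into concrete detection features. The sandbox traces, key paths, and the function names (`ngrams`, `repeated_ngram_ratio`, `class_exclusive_ngrams`, `shared_ngrams`, `build_vocab`, `feature_vector`) are all constructed for illustration; the "repeated sequence" score and the class-exclusive N-gram set correspond to the two observations the abstract reports (malicious samples repeat a fixed delete sequence; no delete sequence is shared between the classes).

```python
from collections import Counter

# Constructed sandbox traces (not real samples): for each sample, the ordered list
# of registry keys it deleted during dynamic analysis. Key paths are placeholders.
TRACES = {
    "ransomware": [
        ["HKCU\\Run\\A", "HKLM\\Svc\\B", "HKCU\\Shell\\C",
         "HKCU\\Run\\A", "HKLM\\Svc\\B", "HKCU\\Shell\\C",
         "HKCU\\Run\\A", "HKLM\\Svc\\B", "HKCU\\Shell\\C"],
        ["HKCU\\Run\\A", "HKLM\\Svc\\B", "HKCU\\Shell\\C",
         "HKCU\\Run\\A", "HKLM\\Svc\\B", "HKCU\\Shell\\C"],
    ],
    "goodware": [
        ["HKCU\\Soft\\X", "HKCU\\Soft\\Y"],
        ["HKLM\\Inst\\Z", "HKCU\\Soft\\Q", "HKCU\\Soft\\R"],
    ],
}


def ngrams(seq, n):
    """Overlapping n-grams of a sequence, as tuples, in order of occurrence."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def repeated_ngram_ratio(seq, n=2):
    """Fraction of n-gram occurrences that belong to an n-gram seen more than once.

    A sample that cycles through the same delete sequence scores close to 1.0;
    a sample whose deletes never repeat scores 0.0.
    """
    grams = ngrams(seq, n)
    if not grams:
        return 0.0
    counts = Counter(grams)
    repeated = sum(c for c in counts.values() if c > 1)
    return repeated / len(grams)


def _ngrams_per_class(traces_by_label, n):
    per_class = {}
    for label, traces in traces_by_label.items():
        grams = set()
        for trace in traces:
            grams.update(ngrams(trace, n))
        per_class[label] = grams
    return per_class


def class_exclusive_ngrams(traces_by_label, n=2):
    """For each label, the n-grams that occur in that class and in no other class."""
    per_class = _ngrams_per_class(traces_by_label, n)
    exclusive = {}
    for label, grams in per_class.items():
        others = set()
        for other_label, other_grams in per_class.items():
            if other_label != label:
                others |= other_grams
        exclusive[label] = grams - others
    return exclusive


def shared_ngrams(traces_by_label, n=2):
    """N-grams present in every class; empty when the classes are disjoint."""
    per_class = _ngrams_per_class(traces_by_label, n)
    sets = list(per_class.values())
    if not sets:
        return set()
    return set.intersection(*sets)


def build_vocab(traces_by_label, n=2):
    """Sorted list of all n-grams across classes; the feature columns for a classifier."""
    per_class = _ngrams_per_class(traces_by_label, n)
    return sorted(set().union(*per_class.values()))


def feature_vector(seq, vocab, n=2):
    """Binary presence vector over vocab, plus the repetition score as a final column."""
    present = set(ngrams(seq, n))
    return [1 if gram in present else 0 for gram in vocab] + [repeated_ngram_ratio(seq, n)]


if __name__ == "__main__":
    vocab = build_vocab(TRACES)
    for label, traces in TRACES.items():
        for trace in traces:
            print(label, feature_vector(trace, vocab))
    print("shared:", shared_ngrams(TRACES))
```

On the constructed traces the two ransomware samples score 1.0 and 0.8 for repetition while both goodware samples score 0.0, and the bigram sets of the two classes are disjoint, so the exclusive-N-gram columns alone separate them. On a real dataset the vocabulary should be built from training data only, and the repetition ratio is a single scalar feature that can be appended to the static features before training the classifiers the paper describes.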
