论文信息 - Ransomware detection by mining API call usage

Ransomware detection by mining API call usage

In the recent past one of the harmful forms of malware seen is the Ransomware. The year 2016 has seen a huge rise in ransomware attacks. According to the study by Tripwire, Ransomware has done the most amount of damage to organizations in 2017, followed by DDoS, Malicious Insiders, Phishing, and Known/Unknown Vulnerabilities. In this work, Application Programming Interface (API) calls are extracted from the executables and the most discriminating API calls are used to train a classifier to detect unknown ransomware. We have tested our method on various classifiers like Decision trees, KNN, Random forest. Class imbalance due to the difference in the number of samples available in two classes - Ransomware and benign is also considered. It is seen that Random forest with smote for class imbalance has given a detection rate of over 98%. A large number of ransomware samples have been analyzed and the discriminating API calls have been identified.

Shina Sheen | Ashwitha Yadav | Shina Sheen | Ashwitha Yadav

[1] Antonella Santone,et al. Ransomware Steals Your Phone. Formal Methods Rescue It , 2016, FORTE.

[2] Sung-Ryul Kim,et al. Automatic Ransomware Detection and Analysis Based on Dynamic API Calls Flow Graph , 2017, RACS.

[3] Patrick Traynor,et al. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data , 2016, 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS).

[4] Md. Rafiqul Islam,et al. Differentiating malware from cleanware using behavioural analysis , 2010, 2010 5th International Conference on Malicious and Unwanted Software.

[5] Leyla Bilge,et al. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks , 2015, DIMVA.

[6] Edward Raff,et al. Malware Classification and Class Imbalance via Stochastic Hashed LZJD , 2017, AISec@CCS.

[7] Engin Kirda,et al. UNVEIL: A large-scale, automated approach to detecting ransomware (keynote) , 2016, SANER.

[8] Nitesh V. Chawla,et al. SMOTE: Synthetic Minority Over-sampling Technique , 2002, J. Artif. Intell. Res..