Ransomware is a special type of malware that can lock victims’ screen and/or encrypt their files to obtain ransoms, resulting in great damage to users. Mapping ransomware into families is useful for identifying the variants of a known ransomware sample and for reducing analysts’ workload. However, ransomware that can fingerprint the environment can evade the precious work of dynamic analysis. To the best of our knowledge, to overcome this shortcoming, we are the first to propose an approach based on static analysis to classifying ransomware. First, opcode sequences from ransomware samples are transformed into N-gram sequences. Then, Term frequency-Inverse document frequency (TF-IDF) is calculated for each N-gram to select feature N-grams so that these N-grams exhibit better discrimination between families. Finally, we treat the vectors composed of the TF values of the feature N-grams as the feature vectors and subsequently feed them to five machine-learning methods to perform ransomware classification. Six evaluation criteria are employed to validate the model. Thorough experiments performed using real datasets demonstrate that our approach can achieve the best Accuracy of 91.43%. Furthermore, the average F1-measure of the “wannacry” ransomware family is up to 99%, and the Accuracy of binary classification is up to 99.3%. The proposed method can detect and classify ransomware that can fingerprint the environment. In addition, we discover that different feature dimensions are required for achieving similar classifier performance with feature N-grams of diverse lengths. © 2018 Elsevier B.V.

Arun Kumar S

Department of Information Security

School of Computer Science and Engineering

Vellore Campus

Zhang H

Xiao X

Mercaldo F

Ni S

Martinelli F

Vellore Institute of Technology (VIT) is a private university located in&nbsp;Tamil Nadu, India. Founded in 1984, as Vellore Engineering College, the institution offers 20 undergraduate, 34 postgraduate, four integrated and four research programs. It has campuses in Vellore, Amravati, Bhopal and Chennai.

VIT is one of the top ranked private universities in India according to NIRF, THE and QS Rankings.&nbsp;Govt. of India has recognized&nbsp;VIT, Vellore as an&nbsp;Institution of Eminence. This has allowed VIT to take independent quality initiatives and move up in world ranking.

&nbsp;

&nbsp;

VIT University

Future Generation Computer Systems

Ransomware is a special kind of malware, which leads to irreversible data losses and incurs enormous economic costs. It is an urgent task to detect ransomware nowadays. Further, in order to achieve appropriate defenses and reduce analysts’ workloads, ransomware must be not only detected, but also classified into families. Some ransomware, e.g., fingerprinting ransomware, can fingerprint the run-time environment and evade dynamic analysis. To detect this type of ransomware and speed up the processing in comparison to dynamic analyses, we propose a static analysis framework based on N-gram opcodes with deep learning. Since opcode sequences obtained from executable files have rich context and semantic information, we view the opcode sequence from a natural language sentences perspective. However, the lengths of the N-gram opcode sequences are widely different, ranging from hundreds to millions. Among them, the extremely long sequences are far beyond the ability of most of the deep neural network based sequence classifier, such as RNN. To address this problem and enhance the scalability of our framework, we partition the N-gram sequence into many patches and feed each patch into a self-attention based convolution neural network named SA-CNN. Subsequently, the outputs of SA-CNNs are concatenated and put into a bi-directional self-attention network to get the ransomware classification result. Compared with CNN and RNN, the self-attention mechanism exhibits the brilliant ability to capture complementary information of the distance-aware dependencies with high computational efficiency. To the best of our knowledge, we are the first to exploit self-attention mechanism on opcode sequences for ransomware classification. With the partition strategy and the power of the self-attention network, the framework captures rich context and semantic information from the extremely long sequence. The comprehensive experiments on a real-world dataset show that the proposed framework outperforms the state-of-the-art methods in many evaluations. © 2019 Elsevier B.V.

Ransomware classification using patch-based CNN and self-attention network on embedded N-grams of opcodes

Python® Machine Learning

Getting Started with Scikit-learn for Machine Learning

A deep Recurrent Neural Network based approach for Internet of Things malware threat hunting

Journal of Ambient Intelligence and Humanized Computing

Detecting crypto-ransomware in IoT networks based on energy consumption footprint

Computers in Biology and Medicine

Survey on deep learning for radiotherapy

Computers & Security

Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions

Classification of ransomware families with machine learning based on N-gram of opcodes

Journal	Data powered by TypesetFuture Generation Computer Systems
Publisher	Data powered by TypesetElsevier BV
ISSN	0167-739X
Open Access	0