Computer Science, 2023, Vol. 50, Issue (3): 391-398. doi: 10.11896/jsjkx.220200182

• Information Security •

Ransomware Early Detection Method Based on Deep Learning

LIU Wenjing, GUO Chun, SHEN Guowei, XIE Bo, LYU Xiaodan   

  1. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
  • Received: 2022-02-28 Revised: 2022-06-20 Online: 2023-03-15 Published: 2023-03-15
  • About author: LIU Wenjing, born in 1996, postgraduate, is a member of China Computer Federation. Her main research interests include network and information security.
    GUO Chun, born in 1986, Ph.D, associate professor, is a member of China Computer Federation. His main research interests include malware analysis, data mining and intrusion detection.
  • Supported by:
    National Natural Science Foundation of China (62162009), Science and Technology Foundation of Guizhou Province, China ([2020]1Y268) and Guizhou Provincial Science and Technology Project ([2018]3001).

Abstract: In recent years, ransomware has become increasingly prevalent, causing serious economic losses. Because files encrypted by ransomware are difficult to recover, detecting ransomware promptly and accurately is an active research topic. To improve the timeliness and accuracy of ransomware detection, this paper analyzes the behavior of ransomware families and benign software in the early stage of execution and proposes a ransomware early detection method based on deep learning (REDMDL). REDMDL takes as input an application programming interface (API) sequence of a certain length collected during the initial stage of a program's execution, vectorizes the collected API sequence by combining word vectors and position vectors, and then constructs a convolutional neural network-long short-term memory (CNN-LSTM) model for early detection of ransomware. Experimental results show that REDMDL can accurately determine whether software is ransomware or benign within seconds after it starts running.

Key words: Ransomware, Early detection, CNN, LSTM, API

CLC Number: 

  • TP309
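
The input representation the abstract describes (a fixed-length prefix of the API call sequence, vectorized by combining word vectors and position vectors) can be illustrated as follows. This is an added example, not code from the paper: the window length, the vector dimension, the sinusoidal position vectors, element-wise addition as the way of combining, the seeded random word vectors and the sample traces are all assumptions.

```python
import math
import random

PAD = "<pad>"  # assumed padding token for traces shorter than the window
UNK = "<unk>"  # assumed token for API names absent from the vocabulary

def build_vocab(traces):
    """Map every API name seen in the training traces to an integer id."""
    vocab = {PAD: 0, UNK: 1}
    for trace in traces:
        for api in trace:
            vocab.setdefault(api, len(vocab))
    return vocab

def encode_prefix(trace, vocab, seq_len):
    """Keep only the first seq_len API calls (the early-stage window), then pad."""
    ids = [vocab.get(api, vocab[UNK]) for api in trace[:seq_len]]
    return ids + [vocab[PAD]] * (seq_len - len(ids))

def word_vectors(vocab_size, dim, seed=0):
    """Stand-in word vectors: seeded random values; a real model would learn these."""
    rng = random.Random(seed)
    table = [[rng.uniform(-0.5, 0.5) for _ in range(dim)] for _ in range(vocab_size)]
    table[0] = [0.0] * dim  # padding carries no word information
    return table

def position_vector(pos, dim):
    """Sinusoidal position vector (assumed; the abstract does not specify the form)."""
    return [math.sin(pos / 10000 ** (i / dim)) if i % 2 == 0
            else math.cos(pos / 10000 ** ((i - 1) / dim)) for i in range(dim)]

def vectorize(trace, vocab, table, seq_len, dim):
    """Return a seq_len x dim matrix: word vector + position vector per API call."""
    ids = encode_prefix(trace, vocab, seq_len)
    return [[w + p for w, p in zip(table[t], position_vector(pos, dim))]
            for pos, t in enumerate(ids)]

# Constructed sample traces (API names serve only as illustrative tokens).
TRAIN = [
    ["NtCreateFile", "NtReadFile", "CryptEncrypt", "NtWriteFile", "NtClose"],
    ["NtCreateFile", "NtReadFile", "NtClose", "RegOpenKeyExW", "NtClose"],
]
VOCAB = build_vocab(TRAIN)
TABLE = word_vectors(len(VOCAB), dim=8)
```

Because the position vector differs at every index, the same API call (here `NtClose` at positions 2 and 4 of the second trace) yields two different input rows, which is what lets a downstream sequence model distinguish call order within the early window.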