Application of Sequential Analysis on Runtime Behavior for Ransomware Classification
Main Article Content
Abstract
The unprecedented development and massive proliferation of Internet technology, computing /storage capability and emerging business model, like cloud and IoT, brings not only incredible changes to human lifestyle but also numerous, complex and continuing cyber security threats, one noticeable example among them is malware. Static analysis has been popular and widely used in many anti-virus engine. However, static analysis can be avoided using techniques such as packing, polymorphism, and metamorphism. In this paper, I propose a novel method focuses on the feature extraction, which exploits the inherent encryption behaviour of ransomwares. Specifically, runtime malicious sequential analysis is adopted to establish the desired feature set, which further facilitate the identification of the inherent encryption function. With the proposed method, an accuracy level of 96% was achieved
Article Details
Issue
Section

This work is licensed under a Creative Commons Attribution 4.0 International License.
Deprecated: json_decode(): Passing null to parameter #1 ($json) of type string is deprecated in /home/u273879158/domains/mesopotamian.press/public_html/journals/plugins/generic/citations/CitationsPlugin.php on line 68
How to Cite
References
[1] O. A. Aminat, M. O. Adaobi, C. A. Chukwuka, et al., "Design and Implementation of a Malware Detection System On Smartphones," International Journal of Information, Business and Management, vol. 14, no. 1, pp. 171–181, 2022.
[2] M. Saqib, P. Fournier-Viger, M. Zohaib, G. Chen, and Y. Wu, "MalSPM: Metamorphic malware behavior analysis and classification using sequential pattern mining," Computers & Security, vol. 118, p. 102741, 2022.
[3] N. Milošević, "History of malware," arXiv preprint arXiv:1302.5392, 2013.
[4] Ö. Aslan, M. Ozkan-Okay, and D. Gupta, "Intelligent behavior-based malware detection system on cloud computing environment," IEEE Access, vol. 9, pp. 83252–83271, 2021.
[5] K. Cabaj, M. Gregorczyk, and W. Mazurczyk, "Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics," Computers & Electrical Engineering, vol. 66, pp. 353–368, 2018.
[6] S. Mohurle and M. Patil, "A brief study of wannacry threat: Ransomware attack 2017," International Journal of Advanced Research in Computer Science, vol. 8, no. 5, 2017.
[7] S. Mujeye, "Ransomware: To Pay or Not to Pay? The results of what IT professionals recommend," in Proceedings, pp. 76–81, 2022.
[8] C. Moore, "Detecting ransomware with honeypot techniques," in Proceedings, pp. 77–81, IEEE, 2016.
[9] S. P. Choudhary and M. D. Vidyarthi, "A simple method for detection of metamorphic malware using dynamic analysis and text mining," Procedia Computer Science, vol. 54, pp. 265–270, 2015.
[10] G. Kakisim, S. Gulmez, and I. Sogukpinar, "Sequential opcode embedding-based malware detection method," Computers & Electrical Engineering, vol. 98, p. 107703, 2022.
[11] A. S. Al-rimy, M. A. Maarof, and S. Z. M. Shaid, "Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions," Computers & Security, vol. 74, pp. 144–166, 2018.
[12] R. Kaur and M. Singh, "A Survey on Zero-Day Polymorphic Worm Detection Techniques," IEEE communications surveys and tutorials, vol. 16, no. 3, pp. 1520–1549, 2014.
[13] U. Urooj, B. A. S. Al-rimy, A. Zainal, F. A. Ghaleb, and M. A. Rassam, "Ransomware detection using dynamic analysis and machine learning: A survey and research directions," Applied Sciences, vol. 12, no. 1, p. 172, 2021.
[14] Y. Ding, X. Xia, S. Chen, and Y. Li, "A malware detection method based on family behavior graph," Computers & Security, vol. 73, pp. 73–86, 2018.
[15] J. Hwang, J. Kim, S. Lee, and K. Kim, "Two-stage ransomware detection using dynamic analysis and machine learning techniques," Wireless Personal Communications, vol. 112, pp. 2597–2609, 2020.
[16] M. Jain and P. Bajaj, "Techniques in detection and analyzing malware executables: A review," International Journal of Computer Science and Mobile Computing, vol. 3, no. 5, pp. 930–935, 2014.
[17] C. Kruegel, "Full system emulation: Achieving successful automated dynamic analysis of evasive malware," in Proceedings, pp. 1–7, 2014.
[18] R. Tian, R. Islam, L. Batten, and S. Versteeg, "Differentiating malware from cleanware using behavioural analysis," in Proceedings, pp. 23–30, IEEE, 2010.
[19] Y. Ki, E. Kim, and H. K. Kim, "A novel approach to detect malware based on API call sequence analysis," International Journal of Distributed Sensor Networks, vol. 11, no. 6, p. 659101, 2015.
[20] S. A. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion detection using sequences of system calls," Journal of computer security, vol. 6, no. 3, pp. 151–180, 1998.
[21] Y. Ye, D. Wang, T. Li, D. Ye, and Q. Jiang, "An intelligent PE-malware detection system based on association mining," Journal in computer virology, vol. 4, no. 4, pp. 323–334, 2008.
[22] M. A. Ammar, "LOB and CPM integrated method for scheduling repetitive projects," Journal of construction engineering and management, vol. 139, no. 1, pp. 44–50, 2012.
[23] M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario, "Automated classification and analysis of internet malware," in Proceedings, pp. 178–197, Springer, 2007.
[24] A. Mohaisen, O. Alrawi, and M. Mohaisen, "Amal: High-fidelity, behavior-based automated malware analysis and classification," Computers & Security, vol. 52, pp. 251–266, 2015.
[25] A. Fattori, A. Lanzi, D. Balzarotti, and E. Kirda, "Hypervisor-based malware protection with accessminer," Computers & Security, vol. 52, pp. 33–50, 2015.
[26] A. Pektaş and T. Acarman, "Malware classification based on API calls and behaviour analysis," IET Information Security, vol. 12, no. 2, pp. 107–117, 2017.
[27] J. Wainer, "Comparison of 14 different families of classification algorithms on 115 binary datasets," arXiv preprint arXiv:1606.00930, 2016.
[28] G. Cusack, O. Michel, and E. Keller, "Machine Learning-Based Detection of Ransomware Using SDN," in Proceedings, pp. 1–6, 2018.
[29] R. Shire, S. Shiaeles, K. Bendiab, B. Ghita, and N. Kolokotronis, “Malware squid: A novel IoT malware traffic analysis framework using convolutional neural network and binary visualisation,” in Proc. Int. Conf. Next Generation Wired/Wireless Networking, Cham, Switzerland: Springer International Publishing, pp. 65–76, 2019.
[30] P. Peng, L. Yang, L. Song, and G. Wang, “Opening the blackbox of VirusTotal: Analyzing online phishing scan engines,” in Proc. Internet Meas. Conf. (IMC), pp. 478–485, 2019.
[31] Virusshare.com, "Virusshare.com," 2016.
[32] M.-L. Zhang and Z.-H. Zhou, "A Review on Multi-Label Learning Algorithms," IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 8, pp. 1819–1837, 2014.
[33] L. Prokhorenkova, G. Gusev, A. Vorobev, A. V. Dorogush, and A. Gulin, "CatBoost: unbiased boosting with categorical features," Advances in neural information processing systems, vol. 31, 2018.
[34] M.-L. Zhang and Z.-H. Zhou, "ML-KNN: A lazy learning approach to multi-label learning," Pattern recognition, vol. 40, no. 7, pp. 2038–2048, 2007.
[35] R. Kohavi, "Scaling up the accuracy of Naive-Bayes classifiers: a decision-tree hybrid," in Proceedings, pp. 202–207, 1996.
[36] A. Guryanov, "Histogram-based algorithm for building gradient boosting ensembles of piecewise linear decision trees," in Proceedings of the X Conference, Springer, 2019, pp. 39–50.
[37] P. Geurts, D. Ernst, and L. Wehenkel, "Extremely randomized trees," Machine Learning, vol. 63, no. 1, pp. 3–42, 2006.
[38] A. Liaw and M. Wiener, "Classification and regression by randomForest," R News, vol. 2, no. 3, pp. 18–22, 2002.
[39] T. Chen and C. Guestrin, "Xgboost: A scalable tree boosting system," in Proceedings of the X Conference, 2016, pp. 785–794.
[40] J. H. Friedman, "Greedy function approximation: A gradient boosting machine," Annals of Statistics, vol. 29, no. 5, pp. 1189–1232, 2001.
[41] A. Kharraz, S. Arshad, C. Mulliner, W. K. Robertson, and E. Kirda, "UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware," in Proceedings of the X Conference, 2016, pp. 757–772.
[42] S. Maniath, A. Aravind, P. Prabaharan, V. G. Sujadevi, A. U. P. Sankar, and S. Jan, "Deep learning LSTM based ransomware detection," in Proceedings of the Y Conference, 2017.
[43] A. K. Jain and B. B. Gupta, "A machine learning based approach for phishing detection using hyperlinks information," Journal of Ambient Intelligence and Humanized Computing, pp. 1–14, 2018.
[44] D. Octaviano and M. Iqbal, Cuckoo Malware Analysis. Packt Publishing Ltd, 2013.