
Research On Classification Of Ransomware Families Based On Behavior Features

Posted on: 2022-06-28
Degree: Master
Type: Thesis
Country: China
Candidate: T Yue
GTID: 2518306482965689
Subject: Cyberspace security law enforcement technology

Abstract/Summary:
In recent years, ransomware attacks have occurred frequently; the technologies used have become more diverse and the attack methods more professional. Most new samples are variants of known families, genuinely new families appear less often, and the targets have shifted to enterprises. Together these mean that ransomware will remain a serious threat to cyber security, and how to detect and identify ransomware has become a current hot topic. When a ransomware sample emerges, quickly determining its family allows it to be analysed, and where possible decrypted, in a targeted way with reference to earlier members of that family, which can effectively reduce the spread and harm of the ransomware. Although machine learning and other algorithms have been applied to ransomware detection, some mainstream anti-virus vendors still need to improve their identification of ransomware and its families. Within ransomware research there are relatively few studies on the classification of ransomware families, and most of them rely on static features.

Therefore, for the classification of ransomware families, and based on an in-depth analysis and summary of the file encryption, network, registry and process behaviour mechanisms during the dynamic execution of ransomware, this thesis builds a Cuckoo Sandbox-based ransomware dynamic behaviour analysis platform to batch-process the collected ransomware samples and obtain per-sample behaviour analysis reports. It then summarises the behaviour features of each family and the behaviour differences between families, and extracts behaviour features for the ransomware family classification model. On this basis, two family classification methods are proposed:

The first method uses the API function category sequence extracted during the dynamic run of the ransomware to characterise its behaviour, and deletes the repeated subsequences in the sequence. A multiple sequence alignment algorithm is then applied, with different consensus settings on the training sets, combined with a local alignment algorithm and a fingerprint determination algorithm, to extract candidate fingerprint sequences from samples of the same ransomware family. The best candidate is used as the family fingerprint sequence to construct a family fingerprint sequence library. For an unknown sample, the similarity between the sample sequence and each family fingerprint sequence in the library is calculated with a local alignment algorithm to determine the sample's family.

The second method extracts behaviourally significant features from five dimensions of the ransomware, namely file encryption features, network features, registry features, process features and other features, to construct the ransomware behaviour feature engineering. Within the Random Forest framework, the out-of-bag error method is used to select the optimal feature subset, and the model parameters are tuned to optimise the family classification model. Experimental verification gives an F1-score of 97.3%, an AUC of 0.998 and an mlogloss of 0.188 on the test sets. Finally, the proposed method is compared with several common machine learning algorithms and some anti-virus detection platforms to verify its effectiveness.

This thesis targets crypto-ransomware on the Windows platform. The dataset comprises a total of 1096 samples across 13 family categories. Experimental verification shows that both methods above achieve high accuracy in classifying ransomware families, which demonstrates that the methods proposed in this thesis have a certain value for the classification of ransomware families.
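The first method above, as an added illustration that is not the thesis's own code: a sandbox API trace is mapped to a category sequence, consecutive repeats are collapsed (a simplification of the repeated-subsequence removal described in the abstract), and a Smith-Waterman local alignment score against each family fingerprint decides the family. The API-to-category mapping, the fingerprint library and the sample trace are all constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed mapping of Windows API names to coarse behaviour categories (assumption).
API_CATEGORY: Dict[str, str] = {
    "FindFirstFileW": "ENUM", "FindNextFileW": "ENUM",
    "CryptGenKey": "CRYPT", "CryptEncrypt": "CRYPT",
    "CreateFileW": "FILE", "WriteFile": "FILE", "MoveFileW": "FILE",
    "RegSetValueExW": "REG", "InternetOpenA": "NET", "HttpSendRequestA": "NET",
    "CreateProcessW": "PROC",
}

# Constructed family fingerprint library (category sequences), assumed for illustration.
FINGERPRINTS: Dict[str, List[str]] = {
    "FamilyA": ["ENUM", "CRYPT", "FILE", "REG", "PROC"],
    "FamilyB": ["NET", "CRYPT", "ENUM", "FILE", "NET"],
}

def category_sequence(api_calls: List[str]) -> List[str]:
    """Map an API trace to its category sequence, collapsing consecutive repeats
    (a simplification of the thesis's repeated-subsequence removal)."""
    seq: List[str] = []
    for name in api_calls:
        cat = API_CATEGORY.get(name, "OTHER")
        if not seq or seq[-1] != cat:
            seq.append(cat)
    return seq

def local_alignment_score(a: List[str], b: List[str], match=2, mismatch=-1, gap=-1) -> int:
    """Smith-Waterman local alignment score between two category sequences."""
    prev = [0] * (len(b) + 1)
    best = 0
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            diag = prev[j - 1] + (match if x == y else mismatch)
            cur.append(max(0, diag, prev[j] + gap, cur[j - 1] + gap))
            best = max(best, cur[-1])
        prev = cur
    return best

def classify(api_calls: List[str]) -> Tuple[str, float]:
    """Return the best-matching family and its score normalised by the maximum
    attainable score for that fingerprint (1.0 means the whole fingerprint aligned)."""
    seq = category_sequence(api_calls)
    scored = {fam: local_alignment_score(seq, fp) / (2 * len(fp)) for fam, fp in FINGERPRINTS.items()}
    fam = max(scored, key=scored.get)
    return fam, scored[fam]

# Constructed sample trace: enumerate files, encrypt, overwrite, persist via registry, spawn a process.
SAMPLE_TRACE = ["FindFirstFileW", "FindNextFileW", "FindNextFileW", "CryptGenKey", "CryptEncrypt",
                "CreateFileW", "WriteFile", "MoveFileW", "RegSetValueExW", "CreateProcessW"]
```

A real deployment would derive the fingerprint per family from many aligned training traces and would threshold the normalised score before assigning a family, so that samples from an unseen family are not forced into the nearest known one.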
Keywords/Search Tags: Ransomware, classification of ransomware families, sequence alignment, feature engineering, machine learning