
Research On Ransomware Detection Method Based On Machine Learning

Posted on: 2022-06-05
Degree: Master
Type: Thesis
Country: China
Candidate: C Q Chen
GTID: 2518306527970499
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, with the rapid development of Internet technology and the digital economy, cyber attacks against high-value assets have gradually increased. Ransomware, as the main actor in such attacks, has become a major threat to current cyberspace security. Ransomware is a special kind of malware that can cause irreversible data loss or a blockade of system resources on the victim system, and cause huge economic losses to the victim. At present, researchers have proposed a variety of ransomware detection methods, but network-based ransomware detection methods cover a relatively narrow range of detection objects, and static host-based detection methods perform poorly on ransomware and its variants. The host detection method takes a long time to detect, which cannot meet the need for timely detection of ransomware. Working within a machine learning ransomware detection framework, this thesis extracts static and dynamic features, from the static and dynamic perspectives respectively, to construct a ransomware detection model.

First, in order to reduce feature engineering and improve the detection effect for ransomware, a ransomware detection method based on image features is proposed. The method visualizes the ransomware byte sequence as an RGB image, establishes a detection model, SEVGG, based on the Squeeze and Excitation block and Visual Geometry Group 16, and feeds the visualized RGB image into SEVGG for model training and detection.

Secondly, in order to further improve the detection effect on unknown ransomware samples and meet the timeliness requirements of dynamic ransomware detection, the running process of different ransomware families is analyzed and, from the perspective of timely detection, the concept of “Critical Time Periods for ransomware detection (CTP)” is proposed. On this basis, a Ransomware Early Detection Method based on API Sequence (REDMS) is proposed. The method takes the API sequence executed by the software within the CTP as the analysis object, processes the collected API sequence with the n-gram model and the Term Frequency-Inverse Document Frequency algorithm to generate feature vectors, and then uses machine learning algorithms to establish a detection model for early detection of ransomware.

Finally, the methods were verified in a purpose-built experimental environment. The experimental results show that the ransomware detection method based on image features can detect ransomware and its family with high accuracy; REDMS can detect known and unknown ransomware samples in a short period of time with high accuracy, and it also has a certain detection effect on multiple types of malware.
Keywords/Search Tags: Ransomware, Feature Extraction, Critical Detection Time, Early Detection, Machine Learning
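
An added sketch of the REDMS feature step described in the abstract (not code from the thesis): API calls that fall inside the CTP window are turned into n-grams and weighted with TF-IDF. The window length, n = 2, the smoothed IDF formula and the API traces are assumptions constructed for illustration.

```python
import math
from collections import Counter

CTP_SECONDS = 5.0  # assumed window length; the abstract gives no value
N = 2              # assumed n-gram order

# Constructed traces: (seconds since process start, API name).
TRACES = {
    "sample_a": [(0.1, "CreateFileW"), (0.4, "ReadFile"), (0.9, "CryptEncrypt"),
                 (1.2, "WriteFile"), (1.5, "CreateFileW"), (1.8, "ReadFile"),
                 (2.2, "CryptEncrypt"), (2.6, "WriteFile"), (9.0, "DeleteFileW")],
    "sample_b": [(0.2, "CreateFileW"), (0.5, "ReadFile"), (0.8, "CloseHandle"),
                 (1.1, "RegOpenKeyExW"), (1.4, "RegQueryValueExW"),
                 (7.5, "WriteFile")],
}

def ctp_calls(trace, ctp=CTP_SECONDS):
    """API names observed inside the window; later calls are ignored."""
    return [api for ts, api in trace if ts <= ctp]

def ngrams(calls, n=N):
    """Sliding n-grams over the call sequence (empty if it is too short)."""
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]

def tfidf_vectors(traces, ctp=CTP_SECONDS, n=N):
    """Return (vocabulary, {sample: TF-IDF vector}) for the windowed traces."""
    docs = {name: Counter(ngrams(ctp_calls(tr, ctp), n))
            for name, tr in traces.items()}
    vocab = sorted({g for counts in docs.values() for g in counts})
    # Document frequency: number of samples in which each n-gram occurs.
    df = Counter(g for counts in docs.values() for g in counts)
    vectors = {}
    for name, counts in docs.items():
        total = sum(counts.values()) or 1  # avoid division by zero
        vectors[name] = [
            (counts[g] / total) * (math.log((1 + len(docs)) / (1 + df[g])) + 1)
            for g in vocab
        ]
    return vocab, vectors

if __name__ == "__main__":
    vocab, vectors = tfidf_vectors(TRACES)
    for name, vec in vectors.items():
        top = max(range(len(vocab)), key=vec.__getitem__)
        print(name, vocab[top], round(vec[top], 4))
```

The resulting vectors are what a classifier would be trained on; the abstract does not name the algorithm used.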