With the development of the Internet, more and more computers are interconnected through the network. On the one hand, these computers have brought great convenience to people; on the other hand, people also face threats from various malware and viruses. Among them, a series of high-tech and destructive ransomware, represented by WannaCry, has drawn the attention of people around the world. Ransomware hijacks users' assets or resources and extorts money from victims, which has caused serious damage to society and cyberspace security. At the same time, hackers are becoming more and more prudent, and ransomware samples present family characteristics. Traditional ransomware detection and classification methods are becoming more and more fragile, and ransomware detection and classification face new challenges. By combining behavior-based dynamic analysis technology and image visualization analysis technology, this paper proposes the following two ransomware detection and classification methods: (1) In the research on ransomware detection, we introduce the API critical sequence to address the shortcoming of the traditional method, which uses a redundant API sequence. The proposed method takes advantage of the obvious dynamic behavior characteristics of ransomware. To address the deficiency of traditional dynamic detection, which extracts a large number of redundant API calls in the API sequence, we remove the API sequences of the non-payload processes and focus on the API critical sequence. By combining the process sequence with the API critical sequence, a new feature sequence is used in ransomware detection. The N-gram algorithm and the TF-IDF algorithm are used to extract and select features to detect ransomware. The test results showed that the recall for ransomware was 100% and the overall F1-score was 98.7%, and the running time was greatly decreased. (2) In the research on ransomware classification, to solve the problems of feature extraction and of relying on a single feature, a ransomware combination classification method based on image visualization is proposed. Ransomware samples are converted into gray images, the GIST feature is extracted, and it is combined with the local texture feature and the neural network feature. In addition, a classification model based on different classifiers is constructed, and the classifier results are combined by the soft voting method. In the classification of ransomware, the effect of the combination classifier is close to or better than that of the best-scoring classifier. Compared with classifiers using only a single feature, combination classifiers show better stability.
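The feature pipeline of method (1), as an added example that is not the paper's code: API calls from non-payload processes are dropped, the remaining sequence is cut into N-grams, and TF-IDF weights are used to select features. The traces, the PID-based payload filter, the function names and the ln(N/df) weighting are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sandbox traces (not from the paper): (pid, API name) events per sample.
TRACES = {
    "ransom_1": [(4, "NtQuerySystemInformation"), (8, "FindFirstFileW"), (8, "CreateFileW"),
                 (8, "ReadFile"), (8, "CryptEncrypt"), (8, "WriteFile"), (8, "MoveFileW")],
    "ransom_2": [(8, "FindFirstFileW"), (4, "NtQuerySystemInformation"), (8, "CreateFileW"),
                 (8, "ReadFile"), (8, "CryptEncrypt"), (8, "WriteFile"), (8, "DeleteFileW")],
    "benign_1": [(4, "NtQuerySystemInformation"), (8, "CreateFileW"), (8, "ReadFile"),
                 (8, "CloseHandle"), (8, "RegOpenKeyExW")],
    "benign_2": [(8, "CreateFileW"), (8, "ReadFile"), (8, "WriteFile"), (8, "CloseHandle")],
}
PAYLOAD_PIDS = {8}  # assumption: the sandbox has already identified the payload process


def critical_sequence(events, payload_pids):
    """Drop API calls made by non-payload processes, keeping call order."""
    return [api for pid, api in events if pid in payload_pids]


def ngrams(seq, n):
    """Sliding window of n consecutive API names, joined into one token."""
    return [" ".join(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def tfidf(traces, payload_pids, n=2):
    """Return {sample: {ngram: tf * idf}} with idf = ln(N / df)."""
    docs = {s: Counter(ngrams(critical_sequence(ev, payload_pids), n))
            for s, ev in traces.items()}
    df = Counter(g for counts in docs.values() for g in counts)
    total_docs = len(docs)
    return {s: {g: (c / sum(counts.values())) * math.log(total_docs / df[g])
                for g, c in counts.items()}
            for s, counts in docs.items()}


def select_features(weights, k):
    """Keep the k n-grams with the highest weight seen in any sample."""
    best = Counter()
    for vec in weights.values():
        for g, w in vec.items():
            best[g] = max(best[g], w)
    return [g for g, _ in sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


def vectorize(weights, features):
    """Fixed-length feature vector per sample, ready for any classifier."""
    return {s: [round(vec.get(g, 0.0), 4) for g in features] for s, vec in weights.items()}
```

An N-gram that occurs in every sample, such as `CreateFileW ReadFile` here, gets weight 0 and falls to the bottom of the selection, which is how TF-IDF discards calls that do not discriminate.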