| With the development of the Internet, information technology has penetrated every industry and field of society. At the same time, incidents in which ransomware is used to commit crimes have become more and more frequent. In recent years in particular, the evolution of ransomware has shown increasingly organized, family-based and large-scale characteristics: starting from a single ransomware family, a large number of unknown variants can be derived in a short period of time and used in targeted attacks against schools, enterprises, governments, hospitals and basic industries to extort huge ransoms. How to effectively detect and identify large numbers of unknown ransomware samples, and how to prevent ransomware, are therefore of great significance. Although the number of ransomware variants is large, most of them have evolved from existing virus families. It is therefore possible to build a ransomware feature fingerprint library, extract the feature fingerprints of unknown ransomware samples, and compare them against the fingerprints of the different ransomware families in the library for homology analysis and identification. In this paper, we take currently popular ransomware families as the research object and identify ransomware by building a ransomware feature homology analysis model. Compared with other ransomware analysis models or systems, this model extends the dimensionality of ransomware feature extraction from two different perspectives: static feature identification and dynamic behavior analysis. First, PE files are taken as the main research object; a total of 668 samples from 10 different ransomware families are selected, and batch processing of the basic information of the PE files is implemented by writing the relevant programs. Second, we analyze representative static feature attribute values and dynamic feature functions with the relevant reverse-engineering tools, analyze the dynamic behavior of the ransomware's API calls, and generate the corresponding base sequences; based on these base sequence pairs, we determine whether different ransomware samples are homologous to each other. Then, different weights are assigned to the different ransomware features according to their importance, and experimental analysis of ransomware homology is conducted. Finally, prevention of unknown ransomware is studied and the related experiments are conducted from the perspectives of PE files, the registry, system files and API calls; the results show that homology analysis using API feature fingerprints can effectively detect unknown ransomware, which has certain practical value. |
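The weighted homology comparison the abstract describes, as an added illustration that is not the paper's own code: a constructed fingerprint library with two families, API-call bigrams standing in for the "base sequence pairs", Jaccard similarity for both the dynamic (API sequence) and the static (import table) view, and an assumed 0.7/0.3 weighting with an assumed threshold of 0.5 below which a sample is reported as unknown.

```python
from typing import Dict, List, Set, Tuple

# Constructed fingerprint library (sample values, not the paper's 668-sample dataset).
# Each family fingerprint holds a static view (API names from the PE import table)
# and a dynamic view (an ordered API call sequence observed at run time).
FINGERPRINT_LIBRARY: Dict[str, Dict] = {
    "FamilyA": {
        "imports": {"CryptEncrypt", "CryptGenKey", "FindFirstFileW", "DeleteFileW"},
        "api_seq": ["CryptAcquireContextW", "CryptGenKey", "FindFirstFileW", "CreateFileW",
                    "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW"],
    },
    "FamilyB": {
        "imports": {"RegSetValueExW", "MoveFileExW", "ShellExecuteW", "CreateFileW"},
        "api_seq": ["RegOpenKeyExW", "RegSetValueExW", "CreateFileW", "ReadFile",
                    "WriteFile", "MoveFileExW", "ShellExecuteW"],
    },
}

# Assumed weights: the dynamic API sequence is treated as the more important feature.
WEIGHTS = {"api_seq": 0.7, "imports": 0.3}
HOMOLOGY_THRESHOLD = 0.5  # assumed cut-off; below it the sample is reported as unknown


def jaccard(a: Set, b: Set) -> float:
    """Jaccard similarity of two sets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def api_ngrams(seq: List[str], n: int = 2) -> Set[Tuple[str, ...]]:
    """Order-preserving n-grams of an API call sequence (here: the base sequence pairs)."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def homology_score(sample: Dict, family: Dict) -> float:
    """Weighted combination of dynamic (API n-gram) and static (import set) similarity."""
    api_sim = jaccard(api_ngrams(sample["api_seq"]), api_ngrams(family["api_seq"]))
    static_sim = jaccard(sample["imports"], family["imports"])
    return WEIGHTS["api_seq"] * api_sim + WEIGHTS["imports"] * static_sim


def identify_family(sample: Dict, library: Dict[str, Dict] = FINGERPRINT_LIBRARY) -> Tuple[str, float]:
    """Best-matching family and its score, or ('unknown', score) when below the threshold."""
    best_name, best_score = max(((name, homology_score(sample, fp)) for name, fp in library.items()),
                                key=lambda item: item[1])
    if best_score < HOMOLOGY_THRESHOLD:
        return "unknown", best_score
    return best_name, best_score
```

A variant that keeps FamilyA's encryption call order but swaps the final delete for a move still scores 0.705 against FamilyA, while a plain file-copy trace stays below the threshold and is reported as unknown.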