Ransomware classification using patch-based CNN and self-attention network on embedded N-grams of opcodes

Zhang, Bin; Xiao, Wentao; Xiao, Xi; Sangaiah, Arun Kumar; Zhang, Weizhe; Zhang, Jiajia

doi:10.1016/j.future.2019.09.025

Cited by 96 publications

(63 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Authors of [35], [36] have analyzed and discussed static, dynamic, hybrid and machine learning-based methods, pros, and cons of using them and the limitations of current research works. Bin Zhang et.al [9] proposes a convolution neural network (CNN) based approaches to detect ransomware using static analysis. Hanqi Zhang et.al [10] proposes N-gram model using opcode sequence to detect ransomware using a static analysis approach to map ransomware into families.…”

Section: Literature Reviewmentioning

confidence: 99%

“…Static analysis approach analyzes [9], [10] the structure of ransomware from the source code and binary string, identifies execution paths and constructing the control flow graph (CFG), application program interface (API) calls and opcode sequences to extract significant feature space that can represent the ransomware families. In [9], [10], Bin Zhang, Wentao Xiao et.al used static analysis technique based on opcode sequence, N-gram opcode sequence and deep learning to detect ransomware. Static analysis [9], [10] has limitations that it requires an expensive manual process to build signatures of malware for supervised detection engine.…”

Section: Introductionmentioning

confidence: 99%

“…In [9], [10], Bin Zhang, Wentao Xiao et.al used static analysis technique based on opcode sequence, N-gram opcode sequence and deep learning to detect ransomware. Static analysis [9], [10] has limitations that it requires an expensive manual process to build signatures of malware for supervised detection engine. In addition to this, malware authors always generate new variants by using packing and code obfuscation techniques which makes it very difficult to prepare the signatures of new variants manually as soon as they are released and thereby leaving a gap for the high possibility of new infections.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Avoiding Future Digital Extortion Through Robust Protection Against Ransomware Threats Using Deep Learning Based Adaptive Approaches

et al. 2020

View full text Add to dashboard Cite

Digital extortion has become a major cyber risk for many organizations; small-medium enterprises (SME) to large enterprises business and individual entrepreneurs. Ransomware is a kind of malware that is the main threat to digital extortion and has caused many organizations to lose huge revenue by paying much bigger ransom demands to the cybercriminals in recent years. The explosive growth of ransomware is due to the existing large infection vector such as social engineering, email attachment, zip file download, browsing malicious site, infected search engine which are boosted dramatically by easily available cryptographic tools, Ransomware As a Service (RaaS), increased cloud storage and off-the-self ransomware toolkits. The large infection vector and available toolkits not only grew ransomware extremely, but also made them more obfuscated, encrypted and varying patterns in the new variants. This, in turn, caused the conventional supervised analysis and detection engine to fail to detect the new variants of ransomware. This paper addresses the limitations of conventional supervised detection engine and proposes semi-supervised framework to compute the inherent latent sources of the varying patterns in the new variants in an unsupervised way using deep learning approaches. The proposed framework extracts the inherent characteristics in the varying patterns from the unlabelled ransomware obtained from the wild which is scalable to accommodate upcoming malicious executables. Then the unsupervised learned model is combined with supervised classification, thus constructing an adaptive detection model. The proposed framework has been verified using real ransomware data with a dynamic analysis testbed. Our extensive experimental results and discussion demonstrate that the proposed adaptive framework can successfully identify different variants of ransomware and achieve higher performance than existing supervised approaches.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Avoiding Future Digital Extortion Through Robust Protection Against Ransomware Threats Using Deep Learning Based Adaptive Approaches

et al. 2020

View full text Add to dashboard Cite

show abstract

“…During recent times, the use of Attention based mechanisms have started to come to the forefront. Significant work has gone into using different kinds of Attention networks for byte level information as well as converted image malware datasets [22]. In this paper, we explore the use of Residual Attention and compare it with the existing techniques of Texture analysis and CNN based architecture.…”

Section: Related Workmentioning

confidence: 99%

Robust Malware Detection using Residual Attention Network

Ganesan¹,

Ravi²,

Krichen³

et al. 2020

Preprint

View full text Add to dashboard Cite

In this paper, we explore the use of an attention based mechanism known as Residual Attention for malware detection and compare this with existing CNN based methods and conventional Machine Learning algorithms with the help of GIST features. The proposed method outperformed traditional malware detection methods which use Machine Learning and CNN based Deep Learning algorithms, by demonstrating an accuracy of 99.25%.

show abstract

“…值得注意的是, 有些恶意样本可能被加固, 因此其真实 DEX 文件被隐藏, apktool 无法正常进行反编译, 此类加固样本不在我们的数据集范围中. 针对该类型样本现如今有一些专门进行脱壳分析的研究工作, 典型的有 PackerGrind [49] , DexHunter [50] , DroidUnpack [ (3) 为了解决上述两个问题, 我们首先基于字符串编辑距离 [52] 在字节码特征中, 最为常见的是将 k-gram 技术 [77] 应用到操作码序列上, 通过步长为 k 的滑动窗口将操作码序列划分为以 k 个操作码为单位组成的特征, 从而提高特征的鲁棒性 [78,79] . 但是该类方法随着 k 值的增大, 其特征个数呈指数型增长.…”

Section: 恶意软件数据集unclassified