LSTM-Based Ransomware Detection Using API Call Information

Abstract

In this paper, we propose a ransomware detection method based on API IDs and call intervals. In the proposed method, to detect ransomware, when each API call occurs, we input both the API ID and the call interval from the previous call into an LSTM (Long Short Term Memory). By inputting the API IDs and call intervals into LSTM, we can learn the characteristics of the time series change of API calls in the ransomware. Through the experiments using an original dataset, we demonstrated that the accuracy of our proposed method was high and the characteristic learning of the call interval was useful for detecting ransomware.