{"title":"利用可移植可执行文件导入检测勒索软件","authors":"Tanatswa Ruramai Dendere, Avinash Singh","doi":"10.34190/iccws.19.1.2031","DOIUrl":null,"url":null,"abstract":"In recent years, there has been a substantial surge in ransomware attacks, wreaking havoc on both organizations and individuals. These attacks, driven by the lure of profits, particularly with the widespread use of cryptocurrencies, have prompted attackers to continuously develop innovative evasion techniques and obfuscation tactics to avoid detection. Ransomware, employing seemingly benign functions such as encryption and file-locking, poses a formidable challenge for detection as it evolves beyond traditional signature-based methods. Consequently, there is a growing need to identify previously unexplored and unstudied ransomware strains, necessitating the deployment of artificial intelligence (AI) to discern the unique characteristics and objectives of ransomware. The adoption of AI hinges on the prior selection of distinguishing features. Given that ransomware's intent fundamentally differs from that of benign files, there are variations in the structure of Portable Executables (PE) files. This study posits that the imports used by PE files can serve as a discriminating factor between ransomware and benign files. This research explored using machine learning models to detect ransomware by analysing and deriving insights from the PE Imports structure. To achieve this, the study trains seven machine learning classifiers, namely Random Forest, Logistic Regression, Naïve Bayes, Support Vector Machine, K-Nearest Neighbors, Gradient Boost, and Decision Tree. These models are trained on a dataset of carefully selected features derived from PE imports. The classifiers are benchmarked and ranked based on several evaluation metrics, including latency, accuracy, and confidence levels. For a model to be effective in ransomware detection, it should offer near real-time and highly confident accuracy. In other words, it should exhibit low latency, high accuracy, and strong AUC rates. Among the models, Logistic Regression emerges as the top performer, identifying ransomware programs with an impressive 98.5% accuracy and a confidence level of 98.6% within a mere 0.998-millisecond latency. This study conclusively affirms the efficacy of employing PE imports for ransomware detection.","PeriodicalId":429427,"journal":{"name":"International Conference on Cyber Warfare and Security","volume":" 22","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-03-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Ransomware Detection Using Portable Executable Imports\",\"authors\":\"Tanatswa Ruramai Dendere, Avinash Singh\",\"doi\":\"10.34190/iccws.19.1.2031\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In recent years, there has been a substantial surge in ransomware attacks, wreaking havoc on both organizations and individuals. These attacks, driven by the lure of profits, particularly with the widespread use of cryptocurrencies, have prompted attackers to continuously develop innovative evasion techniques and obfuscation tactics to avoid detection. Ransomware, employing seemingly benign functions such as encryption and file-locking, poses a formidable challenge for detection as it evolves beyond traditional signature-based methods. Consequently, there is a growing need to identify previously unexplored and unstudied ransomware strains, necessitating the deployment of artificial intelligence (AI) to discern the unique characteristics and objectives of ransomware. The adoption of AI hinges on the prior selection of distinguishing features. Given that ransomware's intent fundamentally differs from that of benign files, there are variations in the structure of Portable Executables (PE) files. This study posits that the imports used by PE files can serve as a discriminating factor between ransomware and benign files. This research explored using machine learning models to detect ransomware by analysing and deriving insights from the PE Imports structure. To achieve this, the study trains seven machine learning classifiers, namely Random Forest, Logistic Regression, Naïve Bayes, Support Vector Machine, K-Nearest Neighbors, Gradient Boost, and Decision Tree. These models are trained on a dataset of carefully selected features derived from PE imports. The classifiers are benchmarked and ranked based on several evaluation metrics, including latency, accuracy, and confidence levels. For a model to be effective in ransomware detection, it should offer near real-time and highly confident accuracy. In other words, it should exhibit low latency, high accuracy, and strong AUC rates. Among the models, Logistic Regression emerges as the top performer, identifying ransomware programs with an impressive 98.5% accuracy and a confidence level of 98.6% within a mere 0.998-millisecond latency. This study conclusively affirms the efficacy of employing PE imports for ransomware detection.\",\"PeriodicalId\":429427,\"journal\":{\"name\":\"International Conference on Cyber Warfare and Security\",\"volume\":\" 22\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-03-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Conference on Cyber Warfare and Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.34190/iccws.19.1.2031\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Conference on Cyber Warfare and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.34190/iccws.19.1.2031","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
摘要
近年来,勒索软件攻击激增,给组织和个人造成了严重破坏。在利益的诱惑下,特别是随着加密货币的广泛使用,这些攻击促使攻击者不断开发创新的规避技术和混淆策略,以避免被发现。勒索软件采用加密和文件锁定等看似无害的功能,但由于其发展超越了传统的基于签名的方法,因此给检测带来了巨大的挑战。因此,越来越需要识别以前未探索和未研究过的勒索软件菌株,这就需要部署人工智能(AI)来识别勒索软件的独特特征和目标。人工智能的采用取决于事先对识别特征的选择。鉴于勒索软件的意图与良性文件根本不同,因此可移植可执行文件(PE)的结构也存在差异。本研究认为,PE 文件使用的导入方式可以作为区分勒索软件和良性文件的因素。本研究通过分析 PE 导入结构并从中获得启示,探索使用机器学习模型来检测勒索软件。为此,该研究训练了七种机器学习分类器,即随机森林、逻辑回归、奈夫贝叶斯、支持向量机、K-近邻、梯度提升和决策树。这些模型是在从 PE 进口中精心挑选的特征数据集上进行训练的。这些分类器根据多项评估指标(包括延迟、准确性和置信度)进行基准测试和排名。一个模型要想在勒索软件检测中发挥有效作用,就必须提供近乎实时和高置信度的准确性。换句话说,它应该表现出低延迟、高准确性和高 AUC 率。在这些模型中,逻辑回归模型表现最出色,它能在仅 0.998 毫秒的延迟时间内识别出 98.5% 的准确率和 98.6% 的置信度,令人印象深刻。这项研究最终证实了利用 PE 导入检测勒索软件的有效性。
Ransomware Detection Using Portable Executable Imports
In recent years, there has been a substantial surge in ransomware attacks, wreaking havoc on both organizations and individuals. These attacks, driven by the lure of profits, particularly with the widespread use of cryptocurrencies, have prompted attackers to continuously develop innovative evasion techniques and obfuscation tactics to avoid detection. Ransomware, employing seemingly benign functions such as encryption and file-locking, poses a formidable challenge for detection as it evolves beyond traditional signature-based methods. Consequently, there is a growing need to identify previously unexplored and unstudied ransomware strains, necessitating the deployment of artificial intelligence (AI) to discern the unique characteristics and objectives of ransomware. The adoption of AI hinges on the prior selection of distinguishing features. Given that ransomware's intent fundamentally differs from that of benign files, there are variations in the structure of Portable Executables (PE) files. This study posits that the imports used by PE files can serve as a discriminating factor between ransomware and benign files. This research explored using machine learning models to detect ransomware by analysing and deriving insights from the PE Imports structure. To achieve this, the study trains seven machine learning classifiers, namely Random Forest, Logistic Regression, Naïve Bayes, Support Vector Machine, K-Nearest Neighbors, Gradient Boost, and Decision Tree. These models are trained on a dataset of carefully selected features derived from PE imports. The classifiers are benchmarked and ranked based on several evaluation metrics, including latency, accuracy, and confidence levels. For a model to be effective in ransomware detection, it should offer near real-time and highly confident accuracy. In other words, it should exhibit low latency, high accuracy, and strong AUC rates. Among the models, Logistic Regression emerges as the top performer, identifying ransomware programs with an impressive 98.5% accuracy and a confidence level of 98.6% within a mere 0.998-millisecond latency. This study conclusively affirms the efficacy of employing PE imports for ransomware detection.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
