Netinfo Security ›› 2020, Vol. 20 ›› Issue (2): 57-57. doi: 10.3969/j.issn.1671-1122.2020.02.008

• Technical Research •

Dynamic Detection of Ransomware Based on Stacking Model Fusion

LÜ Zongping1, ZHAO Chundi1,2, GU Zhaojun1, ZHOU Jingxian1

  1. Information Security Evaluation Center, Civil Aviation University of China, Tianjin 300300, China
  2. College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
  • Received: 2019-09-09 Online: 2020-02-10 Published: 2020-05-11

Abstract:

Because ransomware is polymorphic and changes form, detection based on the analysis of dynamic behavior features is widely used, but this approach suffers from reliance on a single detection feature and from over-fitting of the machine learning algorithm. This paper proposes XRLStacking, a new ransomware detection algorithm based on the Stacking model fusion method. First, all of the original dynamic features of the ransomware are extracted and redundancy is removed, so that only three kinds of features are retained for each call of a sample: API name, thread number and sequence number. Then, the features that have little effect on classification are optimized with a fusion of the N-gram and TF-IDF algorithms, to ensure that each sample API has some features. Finally, classification based on the Stacking model fusion algorithm, combined with multiple features, is used to identify ransomware. Experiments on a large amount of real data generated with Cuckoo Sandbox show that the proposed algorithm has high recognition accuracy. Compared with XGBoost and random forest, the algorithm can also avoid over-fitting to some extent.

Key words: ransomware, dynamic detection, XRLStacking algorithm, API, sequence relationship
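
The feature step described in the abstract, as an added illustration that is not code from the paper: per-call records of API name, thread number and sequence number are ordered within each thread, turned into API-name N-grams, and weighted with TF-IDF. The sample traces, the bigram size and the smoothed IDF formula (ln(N/df) + 1) are assumptions; the abstract does not specify them.

```python
import math
from collections import Counter, defaultdict

# Constructed sample traces: each call is (api_name, thread_id, sequence_no),
# the three fields the abstract says are retained per call.
TRACES = {
    "sample_a": [("CryptEncrypt", 1, 3), ("NtCreateFile", 1, 1), ("NtReadFile", 1, 2),
                 ("NtWriteFile", 1, 4), ("RegOpenKeyExW", 2, 1), ("RegQueryValueExW", 2, 2)],
    "sample_b": [("NtCreateFile", 7, 1), ("NtReadFile", 7, 2), ("NtClose", 7, 3),
                 ("RegOpenKeyExW", 8, 1), ("RegQueryValueExW", 8, 2)],
}

def api_ngrams(calls, n=2):
    """Group calls by thread, order by sequence number, emit API-name n-grams."""
    by_thread = defaultdict(list)
    for api, tid, seq in calls:
        by_thread[tid].append((seq, api))
    grams = []
    for tid in sorted(by_thread):
        names = [api for _, api in sorted(by_thread[tid])]
        # n-grams never span two threads, so interleaved calls do not mix
        grams += [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]
    return grams

def tfidf(traces, n=2):
    """Return {sample: {ngram: weight}} with tf = count/total, idf = ln(N/df) + 1."""
    counts = {s: Counter(api_ngrams(c, n)) for s, c in traces.items()}
    df = Counter(g for c in counts.values() for g in c)  # document frequency
    total_docs = len(counts)
    out = {}
    for s, c in counts.items():
        total = sum(c.values())
        out[s] = {g: (k / total) * (math.log(total_docs / df[g]) + 1)
                  for g, k in c.items()}
    return out

if __name__ == "__main__":
    for sample, weights in tfidf(TRACES).items():
        for gram, w in sorted(weights.items(), key=lambda kv: -kv[1]):
            print(sample, "->".join(gram), round(w, 4))
```

N-grams that occur in every trace receive the lowest weight, while sequences seen in only one trace are weighted higher; the resulting vectors are what a downstream classifier would consume.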
