A Ransomware Classification Method Based on Visualization

doi:10.3969/j.issn.1671-1122.2020.04.004

Abstract

Abstract:

Ransomware is a special kind of malware that causes irreversible data loss or system resource blockage of the victim system, causing huge economic losses to the victim system. Classifying ransomware can effectively reduce the work of security analysts. Methods based on dynamic analysis and static analysis require complex feature engineering and are not suitable for large-scale ransomware classification. To achieve fast and large-scale ransomware classification, a method of visualization proposed to classify ransomware. Firstly, the binary files of ransomware and normal software are converted into grayscale images, then the image features are extracted from the VGG16 neural network using transfer learning, and finally, the SVM machine learning classification model is used for classification. The experimental results show that the classification accuracy is 96.7%.

Key words: visualization, ransomware classification, machine learning, transfer learning

CLC Number:

TP309

GUO Chun, CHEN Changqing, SHEN Guowei, JIANG Chaohui. A Ransomware Classification Method Based on Visualization[J]. Netinfo Security, 2020, 20(4): 31-39.

Figures/Tables 12

References 20

[1]	BRIDGES L.The Changing Face of Malware[J]. Network Security, 2008, 2008(1): 17-20.
[2]	PATHAK P B, NANDED Y M.A Dangerous Trend of Cybercrime: Ransomware Growing Challenge[J]. International Journal of Advanced Research in Computer Engineering & Technology(IJARCET), 2016, 5(2): 371-373.
[3]	BHARDWAJ A, AVASTHI V, SASTRY H, et al.Ransomware Digital Extortion: A Rising New Age Threat[J]. Indian Journal of Science and Technology, 2016, 9(14): 1-5.
[4]	AL-RIMY B A S, MAAROF M A, SHAID S Z M. Ransomware Threat Success Factors, Taxonomy, and Countermeasures: A Survey and Research Directions[J]. Computers & Security, 2018, 74(5): 144-166.
[5]	SYMANTEC. 2017 Internet Security Threat Report[EB/OL]. , 2019-10-15.
[6]	SYMANTEC.2019 Internet Security Threat Report[EB/OL]. , 2019-10-15.
[7]	ZHANG Hanqi, XI Xiao, FRANCESCO M, et al.Classification of Ransomware Families with Machine Learning Based on N-gram of Opcodes[J]. Future Generation Computer Systems, 2019, 90(1): 211-221.
[8]	SIMONYAN K, ZISSERMAN A. Very Deep Convolutional Networks for Large-Scale Image Recognition[EB/OL]. , 2019-10-15.
[9]	HSU C W, LIN C. J . A Comparison of Methods for Multiclass Support Vector Machines[J]. IEEE Transactions on Neural Networks, 2002, 13(2): 415-425.
[10]	CONTI G, DEAN E, SINDA M, et al.Visual Reverse Engineering of Binary and Data Files[C]//DBLP.International Workshop on Visualization for Computer Security, September 15, 2008, Cambridge, MA, USA. Heidelberg: Springer, 2008: 1-17.
[11]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification[EB/OL]. , 2019-10-15.
[12]	KANCHERLA K, MUKKAMALA S. Image Visualization Based Malware Detection[EB/OL]. , 2019-10-15.
[13]	CHEN Zheng, FANG Yong, LIU Liang, et al.Detection Method of Ransomware Based on Dynamic Symbol Execution[J]. Computer Engineering, 2018, 44(6): 104-110.
	陈政,方勇,刘亮,等.基于动态符号执行的勒索软件检测方法[J].计算机工程,2018,44(6):104-110.
[14]	ADE K.Detection and Analysis Cerber Ransomware Based on Network Forensics Behavior[J]. International Journal of Network Security, 2018, 20(5): 836-843.
[15]	KHARRAZ A, KIRDA E. Redemption: Real-Time Protection Against Ransomware at End-Hosts[EB/OL]. , 2019-10-15.
[16]	MORATO D.Ransomware Early Detection by the Analysis of File Sharing Traffic[J]. Journal of Network and Computer Applications, 2018, 124(15): 14-32.
[17]	KOLODENKER E, KOCH W, STRINGHINI G, et al. PayBreak: Defense Against Cryptographic Ransomware[EB/OL]. , 2019-10-15.
[18]	CONTINELLA A, GUAGNELLI A, ZINGARO G, et al.ShieldFS: A Self-Healing Ransomware-Aware Filesystem[C]//ICPS.Proceedings of the 32nd Annual Conference on Computer Security Applications, December 5, 2016, Los Angeles, California, USA. New York: ACM Press, 2016: 336-347.
[19]	DATA W P. Cryptostopper[EB/OL]. , 2019-10-15.
[20]	VINAYAKUMAR R, SOMAN K. P, VELAN K. Evaluating Shallow and Deep Networks for Ransomware Detection and Classification[EB/OL]. , 2019-10-15.

目标	作者	分析方法	主要技术	缺点
检测	陈政^[13]	动态	模块监控	样本较少
	KHARRAZ^[15]	动态	行为分析	部署困难
	MORATO^[16]	动态	SMB 流量分析	部署实现困难,针对性较弱
	KOLODENKER^[17]	动态	加密原语分析	实现困难
	CONTINELLA^[18]	动态	内存分析	只针对AES 算法
	DATA^[19]	动态	诱饵文件	消耗大量内存,且损失无法估计
	KURNIAWAN^[14]	静态	流量分析	只针对cerber家族
分类	VINAYAKUMA^R[20]	动态	API序列	对具有指纹验证或反虚拟机机制的勒索软件没有效果
分类	Zhang^[7]	静态	操作码,n-gram,TF-IDF	不适合大规模分类

勒索软件家族	数目/个
Benign	200
BTCWare	132
Cerber	174
Cryptowall	178
CryptXXX	141
Crysis	162
CTBLocky	109
Gandcrab	126
Jaff	122
locky	196
Mamba	110
MRCR	142
Petrwrap	114
Petya	130
Teslacrypt	154
VirLock	113
Wannacry	184
Total	2486

运行阶段	时间/s
灰度图转化	568.6
特征提取	1196.4
训练和测试	93.6
总时间	1858.6

分类器	Accuracy	Precision	Recall	F1_measure
SVM	0.9670	0.9734	0.9651	0.9682
GNB	0.9589	0.9528	0.9512	0.9519
DT	0.9452	0.9482	0.9215	0.9346

训练和测试时间	SVM	GNB	DT
总时间	93.681	424.068	70.298
平均时间	9.3681	42.4068	7.0298