Skip to main content
Springer Nature Link
Log in

API Based Discrimination of Ransomware and Benign Cryptographic Programs

  • Conference paper
  • First Online:
Neural Information Processing (ICONIP 2020)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 12533))

Included in the following conference series:

Abstract

Ransomware is a widespread class of malware that encrypts files in a victim’s computer and extorts victims into paying a fee to regain access to their data. Previous research has proposed methods for ransomware detection using machine learning techniques. However, this research has not examined the precision of ransomware detection. While existing techniques show an overall high accuracy in detecting novel ransomware samples, previous research does not investigate the discrimination of novel ransomware from benign cryptographic programs. This is a critical, practical limitation of current research; machine learning based techniques would be limited in their practical benefit if they generated too many false positives (at best) or deleted/quarantined critical data (at worst). We examine the ability of machine learning techniques based on Application Programming Interface (API) profile features to discriminate novel ransomware from benign-cryptographic programs. This research provides a ransomware detection technique that provides improved detection accuracy and precision compared to other API profile based ransomware detection techniques while using significantly simpler features than previous dynamic ransomware detection research.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science, vol. 9148, pp. 3–24. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_1

    Chapter  Google Scholar 

  2. Morse, A.: Investigation: Wannacry Cyber Attack and the NHS. National Audit Office, London 31, 2017 (2017)

    Google Scholar 

  3. Layton, R., Watters, P.A.: A methodology for estimating the tangible cost of data breaches. J. Inf. Secur. Appl. 19(6), 321–330 (2014)

    Google Scholar 

  4. Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020 (2016)

  5. Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: A 0-day aware crypto-ransomware early behavioral detection framework. In: Saeed, F., Gazem, N., Patnaik, S., Saed Balaid, A., Mohammed, F. (eds.) Recent Trends in Information and Communication Technology. IRICT 2017. Lecture Notes on Data Engineering and Communications Technologies, vol. 5, pp. 758–766. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59427-9_78

    Chapter  Google Scholar 

  6. Hampton, N., Baig, Z., Zeadally, S.: Ransomware behavioural analysis on windows platforms. J. Inf. Secur. Appl. 40, 44–51 (2018)

    Google Scholar 

  7. Takeuchi, Y., Sakai, K., Fukumoto, S.: Detecting ransomware using support vector machines. In: Proceedings of the 47th International Conference on Parallel Processing Companion, p. 1. ACM (2018)

    Google Scholar 

  8. Harikrishnan, N., Soman, K.: Detecting ransomware using gurls. In: 2018 Second International Conference on Advances in Electronics, Computers and Communications (ICAECC), pp. 1–6. IEEE (2018)

    Google Scholar 

  9. Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: 2005 IEEE Symposium on Security and Privacy (S&P’05), pp. 32–46. IEEE (2005)

    Google Scholar 

  10. Black, P., Gondal, I., Layton, R.: A survey of similarities in banking malware behaviours. Comput. Secur. 77, 756–772 (2018)

    Article  Google Scholar 

  11. Hasan, M.M., Rahman, M.M.: RansHunt: a support vector machines based ransomware analysis framework with integrated feature set. In: 2017 20th International Conference of Computer and Information Technology (ICCIT), pp. 1–7. IEEE (2017)

    Google Scholar 

  12. Russinovich, M.E., Solomon, D.A., Ionescu, A.: Windows internals. Pearson Education (2012)

    Google Scholar 

  13. Qiao, Y., Yang, Y., He, J., Tang, C., Liu, Z.: CBM: free, automatic malware analysis framework using api call sequences. In: Sun, F., Li, T., Li, H. (eds.) Knowledge Engineering and Management. Advances in Intelligent Systems and Computing, vol. 214, pp. 225–236. Springer, Berlin, Heidelberg (2014). https://doi.org/10.1007/978-3-642-37832-4_21

    Chapter  Google Scholar 

  14. Islam, R., Tian, R., Batten, L.M., Versteeg, S.: Classification of malware based on integrated static and dynamic features. J. Netw. Comput. Appl. 36(2), 646–656 (2013)

    Article  Google Scholar 

  15. Kolter, J.Z., Maloof, M.A.: Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res. 7, 2721–2744 (2006)

    MathSciNet  MATH  Google Scholar 

  16. Shafiq, mz., Tabish, S.M., Mirza, F., Farooq, M.: PE-miner: mining structural information to detect malicious executables in realtime. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) Recent Advances in Intrusion Detection. RAID 2009. Lecture Notes in Computer Science, vol. 5758, pp. 121–141. Springer, Berlin, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04342-0_7

    Chapter  Google Scholar 

  17. Apatedns:control your responses. https://www.fireeye.com/services/freeware/apatedns.html

  18. Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley, New York (2012)

    MATH  Google Scholar 

  19. Weka 3 data mining with open source machine learning software in java. https://www.cs.waikato.ac.nz/ml/weka/

  20. Feature selection using random forest. https://towardsdatascience.com/feature-selection-using-random-forest-26d7b747597f

  21. Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2011)

    Article  Google Scholar 

  22. Plohmann, D., Clauss, M., Enders, S., Padilla, E.: Malpedia: a collaborative effort to inventorize the malware landscape. J. Cybercrime Digit. Invest. 3(1) (2018). https://journal.cecyf.fr/ojs/index.php/cybin/article/view/17

  23. Cuckoo foundation: Cuckoo sandbox - automated malware analysis. https://cuckoosandbox.org/

Download references

Acknowledgement

This research was funded in part through the Internet Commerce Security Laboratory (ICSL), a joint venture between Westpac, IBM, and Federation University Australia. Paul Black is supported by an Australian Government Research Training Program (RTP) Fee-Offset Scholarship through Federation University Australia. This research was partially supported by funding from the Oceania Cyber Security Centre (OCSC).

Author information

Authors and Affiliations

  1. Internet Commerce Security Lab, Federation University, Ballarat, Australia

    Paul Black, Ammar Sohail, Iqbal Gondal, Joarder Kamruzzaman & Peter Vamplew

  2. Cybersecurity and Networking Group, Latrobe University, Melbourne, Australia

    Paul Watters

Authors
  1. Paul Black
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ammar Sohail
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Iqbal Gondal
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Joarder Kamruzzaman
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Peter Vamplew
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Paul Watters
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Paul Black .

Editor information

Editors and Affiliations

  1. Department of AI, Ping An Life, Shenzhen, China

    Haiqin Yang

  2. Faculty of Information Technology, King Mongkut’s Institute of Technology Ladkrabang, Bangkok, Thailand

    Kitsuchart Pasupa

  3. City University of Hong Kong, Kowloon, China

    Andrew Chi-Sing Leung

  4. Department of Computer Science and Engineering, Hong Kong University of Science and Technology, Hong Kong, Hong Kong

    James T. Kwok

  5. School of Information Technology, King Mongkut’s University of Technology Thonburi, Bangkok, Thailand

    Jonathan H. Chan

  6. The Chinese University of Hong Kong, New Territories, Hong Kong

    Irwin King

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Black, P., Sohail, A., Gondal, I., Kamruzzaman, J., Vamplew, P., Watters, P. (2020). API Based Discrimination of Ransomware and Benign Cryptographic Programs. In: Yang, H., Pasupa, K., Leung, A.CS., Kwok, J.T., Chan, J.H., King, I. (eds) Neural Information Processing. ICONIP 2020. Lecture Notes in Computer Science(), vol 12533. Springer, Cham. https://doi.org/10.1007/978-3-030-63833-7_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-63833-7_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63832-0

  • Online ISBN: 978-3-030-63833-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation