
Offline Based Ransomware Detection and Analysis Method using Dynamic API Calls Flow Graph

Development of an Offline-Based Ransomware Detection and Analysis Technique Using a Dynamic API Call Flow Graph

  • Kang, Ho-Seok (Institute of Ubiquitous Information Technology and Application (UBITA), Konkuk University)
  • Kim, Sung-Ryul (Department of Software, Konkuk University)
  • Received : 2018.02.14
  • Accepted : 2018.02.27
  • Published : 2018.02.28

Abstract

Ransomware detection has become a hot topic in computer security for protecting digital content. Unfortunately, current signature-based and static detection models are often easily evaded by compression and encryption. To overcome the shortcomings of these detection approaches, we have proposed a dynamic ransomware detection system using data mining techniques such as the RF, SVM, SL and NB algorithms. We monitor the actual behavior of software to generate API call flow graphs. Thereafter, data normalization and feature selection are applied to select informative features. We improved this analysis process. Finally, the data mining algorithms are used to build the detection model that judges whether the software is benign software or ransomware. We conducted our experiment using more suitable real ransomware samples, and its results show that our proposed system can be more effective in improving the performance of ransomware detection.

Recently, ransomware detection has become an important issue in the field of computer security for protecting digital content. Unfortunately, however, current signature-based or static detection models can be evaded using techniques such as compression and encryption. To overcome this, this paper proposes a dynamic ransomware detection system that uses data mining techniques such as the RF, SVM, SL and NB algorithms. This technique actually runs the software, extracts its behavior to build an API call flow graph, and uses the graph's features for analysis. Data normalization and feature selection are then performed. We further improved this analysis process. Finally, data mining algorithms are applied to determine whether the software is ransomware. To measure the performance of the proposed algorithm, we collected additional, more suitable sample ransomware data for the experiment, and showed that detection performance improved.
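The pipeline both abstracts describe (run the sample, record its API calls, build a call flow graph, normalize, select informative features, classify with a data mining algorithm) as one small end-to-end program. This is an added example, not the paper's code: the traces are constructed for the demo (the Win32 API names are real, the sequences are synthetic), and the edge-count features, min-max normalization, the Pearson correlation threshold of 0.5 and the Bernoulli naive Bayes classifier are choices made here rather than details taken from the paper.

```python
"""Added example: API-call trace -> call flow graph -> normalized edge features
-> correlation-based feature selection -> naive Bayes ransomware/benign model.
All traces are constructed for this demo; none are real captures."""
import math
from collections import Counter

# Constructed training traces: (label, ordered list of observed API calls).
TRACES = [
    ("ransom", ["FindFirstFileW", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW",
                "FindNextFileW", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW"]),
    ("ransom", ["CryptAcquireContextW", "FindFirstFileW", "ReadFile", "CryptEncrypt",
                "WriteFile", "DeleteFileW", "FindNextFileW", "ReadFile", "CryptEncrypt",
                "WriteFile", "DeleteFileW", "FindNextFileW"]),
    ("ransom", ["FindFirstFileW", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW",
                "FindNextFileW", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW",
                "FindNextFileW", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW"]),
    ("benign", ["CreateFileW", "ReadFile", "ReadFile", "CloseHandle",
                "CreateFileW", "WriteFile", "CloseHandle"]),
    ("benign", ["RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey",
                "CreateFileW", "ReadFile", "CloseHandle"]),
    ("benign", ["CreateFileW", "ReadFile", "CloseHandle", "GetTickCount", "Sleep",
                "CreateFileW", "ReadFile", "CloseHandle"]),
]


def flow_graph(calls):
    """API call flow graph: directed edge (call_i -> call_i+1) with transition counts."""
    return Counter(zip(calls, calls[1:]))


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either column is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


class FlowGraphClassifier:
    """Edge counts -> min-max normalization -> correlation-based feature
    selection -> Bernoulli naive Bayes (assumed here as the NB variant)."""

    def __init__(self, corr_threshold=0.5):
        self.corr_threshold = corr_threshold

    def _vector(self, graph):
        # Edge counts scaled with the per-edge min/max learned from training data.
        return [(graph.get(e, 0) - lo) / (hi - lo) if hi > lo else 0.0
                for e, lo, hi in zip(self.edges, self.lo, self.hi)]

    def fit(self, samples):
        graphs = [flow_graph(calls) for _, calls in samples]
        labels = [label for label, _ in samples]
        self.edges = sorted({e for g in graphs for e in g})
        raw = [[g.get(e, 0) for e in self.edges] for g in graphs]
        self.lo = [min(col) for col in zip(*raw)]
        self.hi = [max(col) for col in zip(*raw)]
        vectors = [self._vector(g) for g in graphs]
        # Feature selection: keep edges whose normalized count correlates with the label.
        y = [1.0 if label == "ransom" else 0.0 for label in labels]
        self.selected = [j for j, col in enumerate(zip(*vectors))
                         if abs(pearson(col, y)) >= self.corr_threshold]
        # Bernoulli NB with Laplace smoothing on edge presence (normalized value > 0).
        self.classes = sorted(set(labels))
        self.log_prior = {c: math.log(labels.count(c) / len(labels)) for c in self.classes}
        self.p_present = {}
        for c in self.classes:
            rows = [v for v, label in zip(vectors, labels) if label == c]
            self.p_present[c] = [(sum(1 for v in rows if v[j] > 0) + 1) / (len(rows) + 2)
                                 for j in self.selected]
        return self

    def selected_edges(self):
        return [self.edges[j] for j in self.selected]

    def predict(self, calls):
        """Class with the highest log posterior for an unseen trace."""
        v = self._vector(flow_graph(calls))
        scores = {}
        for c in self.classes:
            s = self.log_prior[c]
            for p, j in zip(self.p_present[c], self.selected):
                s += math.log(p if v[j] > 0 else 1 - p)
            scores[c] = s
        return max(scores, key=scores.get)


if __name__ == "__main__":
    model = FlowGraphClassifier().fit(TRACES)
    print("selected edges:", model.selected_edges())
    print(model.predict(["FindFirstFileW", "ReadFile", "CryptEncrypt", "WriteFile",
                         "DeleteFileW", "FindNextFileW", "ReadFile", "CryptEncrypt", "WriteFile"]))
```

Running the file prints the edges that survive feature selection and a prediction for a held-out trace. With a threshold of 0.5, transitions seen in a single sample fall below it and are dropped, while the recurring enumerate/read/encrypt/write/delete transitions and the ordinary open/read/close transitions are both kept; retaining the negatively correlated benign edges is what lets the model say "benign" on its own evidence rather than only "not ransomware-like".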

