Analysis of Crypto-Ransomware Using ML-Based Multi-Level Profiling

Abstract

Crypto-ransomware is the most prevalent form of modern malware, has affected various industries, demanding a significant amount of ransom. Mainly, small businesses, healthcare, education, and government sectors have been under continuous attacks by these adversaries. Various static and dynamic analysis techniques exist, but these methods become less efficient as the malware writers continuously trick the defenders. Numerous research of ransomware with AI techniques often lack the behavioral analysis and its correlation mapping. In this work, we developed an AI-powered hybrid approach overcoming the recent challenges to detect ransomware. Specifically, we proposed a deep inspection approach for multi-level profiling of crypto-ransomware, which captures the distinct features at Dynamic link library, function call, and assembly levels. We showed how the code segments correlate at these levels for studied samples. Our hybrid multi-level analysis approach includes advanced static and dynamic methods and a novel strategy of analyzing behavioral chains with AI techniques. Moreover, association rule mining, natural language processing techniques, and machine learning classifiers are integrated for building ransomware validation and detection model. We experimented with crypto-ransomware samples (collected from VirusTotal). One of the machine learning algorithms achieved the highest accuracy of 99.72% and a false positive rate of 0.003 with two class datasets. The result exhibited that multi-level profiling can better detect ransomware samples with higher accuracy. The multi-level feature sequence can be extracted from most of the applications running in the different operating systems; therefore, we believe that our method can detect ransomware for devices on multiple platforms. We designed a prototype, AIRaD (AI-based Ransomware Detection) tool, which will allow researchers and the defenders to visualize the analysis with proper interpretation.

Publication Title

IEEE Access

Link to Full Text

Share

COinS