Abstract

The number and complexity of ransomware attacks have been increasing day by day, threatening more individuals and organizations, both financially and reputationally, by denying users access to their files or devices and then demanding payment to restore access. Traditional anti-ransomware systems help detect known ransomware threats, but they are ineffective at identifying zero-day ransomware. Therefore, many researchers turn to dynamic analysis, which observes the behavior and actions of an executable during execution to decide whether it is malware. During dynamic analysis, many behavior-based features emerge, such as Application Programming Interface (API) call sequences, loaded dynamic-link libraries (DLLs), enumerated directories, mutexes (mutual exclusion objects), and registry key operations; each of these can be treated as a different view of the same executable. In this paper, we analyze the effect of such dynamic-analysis features, obtained from the different views, on ransomware detection using a Convolutional Neural Network (CNN) and a Long Short-Term Memory (LSTM) network. To provide detailed comparison results, we use three different ransomware datasets, one malware dataset, and benign samples. The results show that the true positive rate (TPR) reaches 100% on the ransomware and malware datasets when API call sequences are used as input to the deep learning models, but the false positive rate (FPR) is significantly high. When DLLs, enumerated directories, and the other views are used instead, the models achieve higher overall accuracy for ransomware detection but a relatively lower TPR.
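The following is an added example, not code from the paper: it shows how the per-view features named above are turned into model inputs (an integer-encoded, padded API call sequence for a CNN/LSTM embedding layer, and multi-hot vectors for the order-insensitive views) and how TPR and FPR are computed for a detector. The sandbox report layout, the sample names and the two stand-in scoring rules are assumptions made for illustration; the rules only exercise the metric code and are not the paper's trained models.

```python
"""Added example (not the paper's code): build the per-view dynamic-analysis
inputs described in the abstract from constructed sandbox reports and score a
detector by TPR/FPR. Report layout, sample names and scoring rules are assumptions."""
from typing import Callable, Dict, List, Tuple

# Constructed reports in a loose Cuckoo-like shape; none of these are real samples.
REPORTS: List[dict] = [
    {"name": "ransom_a.exe", "label": 1,
     "api_calls": ["CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile",
                   "DeleteFileW", "CreateFileW", "ReadFile", "CryptEncrypt"],
     "dlls": ["kernel32.dll", "advapi32.dll", "crypt32.dll"],
     "dirs": ["C:\\Users\\u\\Documents", "C:\\Users\\u\\Pictures"],
     "mutexes": ["Global\\lockme"],
     "regkeys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]},
    {"name": "ransom_b.exe", "label": 1,
     "api_calls": ["FindFirstFileW", "FindNextFileW", "CreateFileW",
                   "CryptEncrypt", "WriteFile", "MoveFileW"],
     "dlls": ["kernel32.dll", "advapi32.dll"],
     "dirs": ["C:\\Users\\u\\Desktop"],
     "mutexes": [],
     "regkeys": [r"HKCU\Software\Classes\.locked"]},
    {"name": "backup_tool.exe", "label": 0,   # benign, but encrypts its archives
     "api_calls": ["CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile"],
     "dlls": ["kernel32.dll", "advapi32.dll"],
     "dirs": ["C:\\Users\\u\\Documents"],
     "mutexes": ["Local\\backup"],
     "regkeys": []},
    {"name": "notepad_like.exe", "label": 0,
     "api_calls": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"],
     "dlls": ["kernel32.dll", "user32.dll", "gdi32.dll"],
     "dirs": ["C:\\Users\\u\\Documents"],
     "mutexes": [],
     "regkeys": [r"HKCU\Software\Notepad"]},
]

VIEWS = ("api_calls", "dlls", "dirs", "mutexes", "regkeys")
PAD = 0  # index reserved for padding in sequence inputs


def build_vocab(reports: List[dict], view: str) -> Dict[str, int]:
    """Map every distinct token seen in `view` to an integer >= 1 (0 is padding)."""
    tokens = sorted({t for r in reports for t in r[view]})
    return {t: i + 1 for i, t in enumerate(tokens)}


def encode_sequence(report: dict, vocab: Dict[str, int], max_len: int) -> List[int]:
    """API-call view: ordered integer sequence, truncated or padded to max_len,
    suitable as embedding-layer input for a CNN or LSTM. Unknown calls map to PAD."""
    seq = [vocab.get(c, PAD) for c in report["api_calls"]][:max_len]
    return seq + [PAD] * (max_len - len(seq))


def encode_multihot(report: dict, vocab: Dict[str, int], view: str) -> List[int]:
    """Order-insensitive views (DLLs, directories, mutexes, registry keys):
    one 0/1 slot per vocabulary entry."""
    vec = [0] * len(vocab)
    for t in report[view]:
        if t in vocab:
            vec[vocab[t] - 1] = 1
    return vec


def tpr_fpr(y_true: List[int], y_pred: List[int]) -> Tuple[float, float]:
    """True positive rate and false positive rate; the positive class is 1."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def api_view_rule(report: dict) -> int:
    """Stand-in for a model on the API-sequence view (assumption, not the paper's
    model): flag any sample whose trace contains CryptEncrypt."""
    return int("CryptEncrypt" in report["api_calls"])


def registry_view_rule(report: dict) -> int:
    """Stand-in for a model on the registry-key view: flag Run-key persistence."""
    return int(any(k.endswith("\\Run") for k in report["regkeys"]))


def evaluate(rule: Callable[[dict], int]) -> Tuple[float, float]:
    """Apply a scoring rule to every report and return (TPR, FPR)."""
    y_true = [r["label"] for r in REPORTS]
    y_pred = [rule(r) for r in REPORTS]
    return tpr_fpr(y_true, y_pred)


if __name__ == "__main__":
    api_vocab = build_vocab(REPORTS, "api_calls")
    print("api sequence:", encode_sequence(REPORTS[0], api_vocab, max_len=10))
    for view in VIEWS[1:]:
        print(view, encode_multihot(REPORTS[0], build_vocab(REPORTS, view), view))
    print("api view     TPR/FPR:", evaluate(api_view_rule))
    print("registry view TPR/FPR:", evaluate(registry_view_rule))
```

On the constructed set the API-sequence rule catches both ransomware samples but also flags the benign backup tool that encrypts its own archives, while the registry-key rule raises no false alarm but misses the ransomware sample that does not install Run-key persistence; this is the same TPR/FPR trade-off between views that the abstract reports, reproduced here only as a toy.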
