Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-Ransomware
This work addresses the problem of crypto-ransomware detection for cybersecurity, but it is incremental as it applies an existing SVM method to a specific domain with new data.
The research tackled crypto-ransomware detection by using static analysis of opcode density histograms from Portable Executable files, achieving 100% precision in distinguishing ransomware from goodware and 96.5% precision across five ransomware families, with feature reduction methods maintaining high precision while reducing features by up to 97.7%.
Ransomware is a significant global threat, with easy deployment due to the prevalent ransomware-as-a-service model. Machine learning algorithms incorporating the use of opcode characteristics and Support Vector Machine have been demonstrated to be a successful method for general malware detection. This research focuses on crypto-ransomware and uses static analysis of malicious and benign Portable Executable files to extract 443 opcodes across all samples, representing them as density histograms within the dataset. Using the SMO classifier and PUK kernel in the WEKA machine learning toolset it demonstrates that this methodology can achieve 100% precision when differentiating between ransomware and goodware, and 96.5% when differentiating between 5 cryptoransomware families and goodware. Moreover, 8 different attribute selection methods are evaluated to achieve significant feature reduction. Using the CorrelationAttributeEval method close to 100% precision can be maintained with a feature reduction of 59.5%. The CFSSubset filter achieves the highest feature reduction of 97.7% however with a slightly lower precision at 94.2%.