Ransomware Detection Using Byte Frequency Distribution
摘要
We propose binary classification of files into Ransomware and Benign using Byte Frequency Distributions (BFD). We have created a dataset by taking 20 ransomware executables and 20 benign files. We compute the BFD of their raw binaries. We calculate the Cosine similarities of the BFD of the target file with the BFD’s of all the other base files in the dataset by treating the distributions as 256 dimensional vectors. We propose that whichever file in the dataset has the maximum cosine similarity is the most similar to the target file. If it is ransomware, we deem the target file to be ransomware. Similarly for benign. We have 97.96% similarity score taking a ransomware target file as an example. The results for the other files have also been comparable. We have converted the BFD to a 1D array and then trained a SVM model. We achieved a f1 score of 0.87. Lastly, we have converted the BFD to a 2D greyscale image and trained a Convolutional Neural Network. We achieved a f1 score of 0.97. The aim of this paper is to introduce these 3 methods of detecting ransomware and compare between them. The files in the dataset are retrieved from very reputable sources. All files in the dataset are labeled as either Ransomware or Benign. This method can be used for zero-day attacks and is immune to code obfuscation. This method does not require any previous information about the file type. It is an early stage detection system i.e. it does not require the ransomware software to start encrypting the files before it can detect it. ...