Ransomware attacks have increased dramatically in recent years, with a 600% increase in ransomware families identified. This paper presents an analysis and comparative study of three machine learning algorithms, Random Forest, Gradient Boosting, and Gaussian Naive Bayes (NB) for detecting ransomware from portable executable (PE) files. These algorithms were chosen for their ability to handle high-dimensional data, capture complex patterns, and provide a balance of robustness, accuracy, and interpretability for ransomware detection from PE files. A dataset of ransomware and benign software samples was used to train and evaluate the models, with performance measured including precision, recall, F1-score, and Receiver Operating Characteristic (ROC) curves. Results indicate that Random Forest consistently achieves the best performance, recording the highest precision and recall scores with an average F1-score of 0.97. Gradient Boosting also demonstrated strong detection capability, with an average F1-score of 0.95, making it a viable alternative. In contrast, Gaussian Naïve Bayes, although achieving moderate precision, exhibited very poor recall for ransomware, which limits its effectiveness in practical scenarios. Further analysis of feature importance revealed that the middle sections of executable files provide the most useful indicators for distinguishing ransomware from benign files. Overall, the findings confirm Random Forest as the most effective algorithm for ransomware detection via static analysis.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Detecting Ransomware via Static Analysis Using Machine Learning Algorithms

  • Oliver Phillis,
  • Hamza Mutaher,
  • Yussuf Ahmed,
  • Fuad A. Ghaleb

摘要

Ransomware attacks have increased dramatically in recent years, with a 600% increase in ransomware families identified. This paper presents an analysis and comparative study of three machine learning algorithms, Random Forest, Gradient Boosting, and Gaussian Naive Bayes (NB) for detecting ransomware from portable executable (PE) files. These algorithms were chosen for their ability to handle high-dimensional data, capture complex patterns, and provide a balance of robustness, accuracy, and interpretability for ransomware detection from PE files. A dataset of ransomware and benign software samples was used to train and evaluate the models, with performance measured including precision, recall, F1-score, and Receiver Operating Characteristic (ROC) curves. Results indicate that Random Forest consistently achieves the best performance, recording the highest precision and recall scores with an average F1-score of 0.97. Gradient Boosting also demonstrated strong detection capability, with an average F1-score of 0.95, making it a viable alternative. In contrast, Gaussian Naïve Bayes, although achieving moderate precision, exhibited very poor recall for ransomware, which limits its effectiveness in practical scenarios. Further analysis of feature importance revealed that the middle sections of executable files provide the most useful indicators for distinguishing ransomware from benign files. Overall, the findings confirm Random Forest as the most effective algorithm for ransomware detection via static analysis.