Ransomware attacks are becoming increasingly complex and sophisticated, posing significant challenges to traditional detection methods. This study focuses on Windows Portable Executable (PE) files and leverages dynamic analysis with Cuckoo Sandbox to generate execution reports, identifying critical features for ransomware detection through API call sequences. To address the rapidly evolving ransomware landscape, we propose a deep learning-based detection model that employs two numerical representation methods for processing API calls: direct conversion and a novel quadruple-based semantic representation, which effectively captures deeper relationships between API calls. Our approach integrates embedding and convolutional techniques to extract semantic relationships and structural patterns from API call sequences, enhancing the model’s ability to recognize ransomware behaviors with high precision. Additionally, the Transformer model is employed to analyze sequence dependencies, further improving detection accuracy. The proposed model demonstrates remarkable performance, achieving an accuracy of 99.94%, precision of 99.92%, recall of 100%, and an F1 score of 99.96%, highlighting its reliability and effectiveness. Furthermore, we developed a web-based platform using TypeScript, React, and Python Flask, enabling seamless file uploads and comprehensive security analysis. Our research findings are available on Github ( https://github.com/stwater20/RANsomCheck ).

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

RANsomCheck: A CNN-Transformer Model for Malware Detection Based on API Call Sequences

  • Sheng-Shan Chen,
  • Yi-Xuan Wu,
  • Ying-Xuan Ho,
  • Pang-Po Cheng,
  • Chin-Yu Sun

摘要

Ransomware attacks are becoming increasingly complex and sophisticated, posing significant challenges to traditional detection methods. This study focuses on Windows Portable Executable (PE) files and leverages dynamic analysis with Cuckoo Sandbox to generate execution reports, identifying critical features for ransomware detection through API call sequences. To address the rapidly evolving ransomware landscape, we propose a deep learning-based detection model that employs two numerical representation methods for processing API calls: direct conversion and a novel quadruple-based semantic representation, which effectively captures deeper relationships between API calls. Our approach integrates embedding and convolutional techniques to extract semantic relationships and structural patterns from API call sequences, enhancing the model’s ability to recognize ransomware behaviors with high precision. Additionally, the Transformer model is employed to analyze sequence dependencies, further improving detection accuracy. The proposed model demonstrates remarkable performance, achieving an accuracy of 99.94%, precision of 99.92%, recall of 100%, and an F1 score of 99.96%, highlighting its reliability and effectiveness. Furthermore, we developed a web-based platform using TypeScript, React, and Python Flask, enabling seamless file uploads and comprehensive security analysis. Our research findings are available on Github ( https://github.com/stwater20/RANsomCheck ).