Version 1: Received: 14 November 2023 / Approved: 14 November 2023 / Online: 16 November 2023 (02:13:52 CET)
How to cite:
Kang, Q.; Gu, Y. Enhancing Ransomware Detection: A Windows API Min Max Relevance Refinement Approach. Preprints 2023, 2023111004. https://doi.org/10.20944/preprints202311.1004.v1
APA Style
Kang, Q., & Gu, Y. (2023). Enhancing Ransomware Detection: A Windows API Min Max Relevance Refinement Approach. Preprints. https://doi.org/10.20944/preprints202311.1004.v1
Chicago/Turabian Style
Kang, Q. and Yuanyuan Gu. 2023. "Enhancing Ransomware Detection: A Windows API Min Max Relevance Refinement Approach." Preprints. https://doi.org/10.20944/preprints202311.1004.v1
Abstract
Ransomware constitutes a distinctive category of pernicious software that sequesters a user's digital assets by encryption, holding them hostage until a sum is extorted from the victim. These incursions have escalated to become among the most prevalent and significant threats confronting both individuals and corporate entities. In combatting this virulent program, dynamic analysis has been established as the favored detection modality. Such analyses typically hinge on Windows API calls, the conduits through which programs requisition services from the operating system. Yet, the superfluous and unrelated Windows API calls interjected by adversaries into the execution stream of suspect binaries precipitate an excessively noisy behavioral sequence, which impairs the performance of counter-ransomware mechanisms. The research outlined herein introduces a novel non-signature-based detection paradigm that harnesses efficacious Windows API call sequences through supervised machine learning strategies. An innovative Enhanced Min Max (EmRmR) filter technique is proposed, aiming to purge noisy features and isolate the most indicative feature subset that encapsulates the ransomware's true behavior. The EmRmR method, diverging from the traditional Min Max approach, circumvents the superfluous calculations that are a hallmark of the conventional algorithms, thereby necessitating a reduced number of evaluations. Additionally, a refinement procedure has been integrated to contract the program's call trace volume by discarding those Windows API calls lacking a robust correlation with ransomware's pivotal behavior. Subsequent to rigorous experimental analyses and juxtaposition with extant behavior-based detection methodologies, the proposed strategy has demonstrated its efficacy in differentiating ransomware behavior, delivering high detection precision alongside a diminution in false-positive occurrences.
Computer Science and Mathematics, Artificial Intelligence and Machine Learning
Copyright:
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.