Ransomware Early Detection Method Based on Short API Sequence

CHEN Chang-qing; GUO Chun; CUI Yun-he; SHEN Guo-wei; JIANG Chao-hui

doi:10.12263/DZXB.20200623

您当前的位置：

首页 >

文章列表页 >

Ransomware Early Detection Method Based on Short API Sequence

更新时间：2025-12-08

- Ransomware Early Detection Method Based on Short API Sequence
- Acta Electronica Sinica Vol. 49, Issue 3, Pages: 586-595(2021)
- 作者机构：
  
  贵州省公共大数据重点实验室, 贵州大学计算机科学与技术学院,贵州,贵阳,550025
- 作者简介：
- 基金信息：
  
  National Natural Science Foundation of China (No.61802081);Science and Technology Fund of Guizhou Province (黔科合基础[2017]1051, 黔科合重大专项字[2018]3001);Open Project of Guizhou Provincial Key Laboratory of Public Big Data (No.2017BDKFJJ025)
- DOI：10.12263/DZXB.20200623
  CLC： TP309
- Published Online：25 March 2021，
  
  Published：2021
- 稿件说明：
移动端阅览
CHEN Chang-qing, GUO Chun, CUI Yun-he, et al. Ransomware Early Detection Method Based on Short API Sequence[J]. Acta Electronica Sinica, 2021, 49(3): 586-595.
DOI：

CHEN Chang-qing, GUO Chun, CUI Yun-he, et al. Ransomware Early Detection Method Based on Short API Sequence[J]. Acta Electronica Sinica, 2021, 49(3): 586-595. DOI： 10.12263/DZXB.20200623.

摘要

传统的勒索软件动态检测方法需要收集较长时间的软件行为，难以满足勒索软件及时检测的需求.本文从勒索软件及时检测的角度出发，提出了"勒索软件检测关键时间段（Critical Time Periods for Ransomware Detection，CTP）"的概念，并基于CTP的要求提出了一种基于应用程序编程接口（Application Programming Interface，API）短序列的勒索软件早期检测方法（Ransomware Early Detection Method based on short API Sequence，REDMS）.REDMS以软件在CTP内执行时所调用的API短序列为分析对象，通过

-gram模型和词频-逆文档频率算法对采集到的API短序列进行计算以生成特征向量，然后运用机器学习算法建立检测模型对勒索软件进行早期检测.实验结果显示，REDMS在API采集时段为前7s且使用随机森林算法时，分别能以98.2%、96.7%的准确率检测出已知和未知的勒索软件样本.

Abstract

Traditional ransomware dynamic detection methods need to collect software behaviors for a long time

which is difficult to meet the need for timely detection of ransomware. From the perspective of the timely detection of ransomware

this article proposes a concept named "Critical Time Periods for Ransomware Detection (CTP)"

and proposes an early ransomware detection method based on short application programming interface (API) sequence (REDMS) to fit the requirement of CTP. REDMS takes the short API sequences that are obtained by software running during the CTP as the analysis o

bject

and calculates these short API sequences through the

-gram model and the term frequency-inverse document frequency algorithm to generate the feature vectors

and then uses a machine-learning algorithm to build a detection model for detecting ransomware. The experimental results show that when the first 7 seconds of API collection period and random forest algorithm are used

REDMS achieves 98.2% and 96.7% accuracy respectively for detecting the known and unknown ransomware samples.

关键词

Keywords

references

Views

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Ransomware Early Detection Method Based on API Latent Semantics

A Detection Method for Android Repackaged Malware Based on Sensitive Component Function Call Graph

Research on High-Efficiency Integrated Circuit DFT Technology Based on Machine Learning

DRHA-UIE: An Underwater Image Enhancement Method Based on Dual Residual Hybrid Attention Block

Cryptomining Malware Early Detection Method in Behavioral Diversity Period

Related Author

LUO Bin

GUO Chun

SHEN Guo-wei

CUI Yun-he

CHEN Yi

PING Yuan

DU Rui-ying

CHEN Jing

Related Institution

State Key Laboratory of Public Big Data，College of Computer Science and Technology， Guizhou University

School of Information Engineering， Xuchang University

School of Computer and Information Engineering, Henan Normal University

School of Cyber Science and Engineering, Wuhan University

Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University

⁰