1. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550025, Guizhou, China
2. School of Information Engineering, Xuchang University, Xuchang 461000, Henan, China
LUO Bin, male, born 1999 in Bijie, Guizhou. Master's student, College of Computer Science and Technology, Guizhou University. Research interests: computer networks and information security. E-mail: gzu_bin@163.com
GUO Chun, male, born 1986 in Guiyang, Guizhou. Ph.D., professor, College of Computer Science and Technology, Guizhou University. Research interests: malicious code detection and intrusion detection. E-mail: gc_gzedu@163.com
Received: 2023-11-06
Revised: 2024-03-13
Published in print: 2024-04-25
LUO Bin, GUO Chun, SHEN Guo-wei, et al. Ransomware Early Detection Method Based on API Latent Semantics[J]. Acta Electronica Sinica, 2024, 52(04): 1288-1295. DOI:10.12263/DZXB.20231039
Cryptographic ransomware extorts a ransom by encrypting user files. Existing early detection methods that trigger on the first encryption-related application programming interface (API) call cannot detect ransomware before it begins encrypting. Because different ransomware families begin their encryption behavior at different moments after launch, existing early detection methods that rely on a fixed time threshold can accurately detect only a small fraction of ransomware before encryption starts. To further improve the timeliness of ransomware detection, this article analyzes the dynamic-link library (DLL) and API call behavior of several ransomware samples during their early run phase and, on that basis, proposes the initial phase of operation (IPO): the period from the start of software execution to the first call of an encryption-related DLL. It then presents a detection method that takes the API sequence generated by the software within the IPO as its detection object, the ransomware early detection method based on API latent semantics (REDMALS). REDMALS captures the API sequence within the IPO, applies the term frequency-inverse document frequency (TF-IDF) algorithm to turn the captured sequence into a feature vector and latent semantic analysis (LSA) to extract its latent semantic structure, and then uses a machine learning algorithm to build the detection model. Experimental results show that REDMALS with the random forest algorithm achieves 97.7% and 96.0% accuracy on the constructed variant test set and unknown test set, respectively, and that 83% and 76% of the ransomware samples in the two test sets, respectively, are detected before they perform any encryption behavior.
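As an added illustration (not code from the paper), the two steps of the abstract's pipeline that fit in a few lines: cutting a constructed API trace at the IPO boundary, i.e. at the first load of an encryption-related DLL, and turning the resulting IPO API sequence into a TF-IDF vector; the LSA step (truncated SVD) and the random-forest classifier are left out. The set of DLLs treated as encryption-related and the trace format are assumptions, not taken from the paper.

```python
import math
from collections import Counter

# Assumption: which Windows DLLs count as "encryption-related". The abstract
# does not name them; these are the CNG/CryptoAPI libraries a defender would
# reasonably watch for. advapi32.dll is left out because almost every process
# loads it, which would make the IPO trivially short.
CRYPTO_DLLS = {"bcrypt.dll", "ncrypt.dll", "crypt32.dll", "cryptsp.dll", "rsaenh.dll"}

# Constructed traces: (api_name, first_argument) pairs in call order.
RANSOM_TRACE = [
    ("LdrLoadDll", "kernel32.dll"),
    ("NtQuerySystemInformation", ""),
    ("GetVolumeInformationW", "C:\\"),
    ("FindFirstFileW", "C:\\Users\\a\\*"),
    ("NtDeleteFile", "C:\\Users\\a\\backup.bak"),
    ("LdrLoadDll", "C:\\Windows\\System32\\bcrypt.dll"),   # IPO ends here
    ("BCryptGenRandom", ""),
    ("NtWriteFile", "C:\\Users\\a\\doc.txt"),
]
BENIGN_TRACE = [
    ("LdrLoadDll", "kernel32.dll"),
    ("NtCreateFile", "C:\\Users\\a\\notes.txt"),
    ("NtReadFile", "C:\\Users\\a\\notes.txt"),
    ("NtWriteFile", "C:\\Users\\a\\notes.txt"),
    ("NtClose", ""),
]

def ipo_sequence(trace):
    """API names from process start up to (not including) the first load of an
    encryption-related DLL. A trace that never loads one is returned whole,
    so benign software still yields a usable IPO sample."""
    seq = []
    for api, arg in trace:
        if api == "LdrLoadDll" and arg.lower().rsplit("\\", 1)[-1] in CRYPTO_DLLS:
            break
        seq.append(api)
    return seq

def tfidf_vectors(sequences):
    """One TF-IDF vector per IPO sequence; API names are the terms, each
    sample's sequence is the document. Uses a smoothed idf so a term seen in
    every sample still keeps a non-zero weight. Returns (vocabulary, vectors)."""
    vocab = sorted({api for s in sequences for api in s})
    n = len(sequences)
    df = Counter(api for s in sequences for api in set(s))
    idf = {api: math.log((1 + n) / (1 + df[api])) + 1 for api in vocab}
    vectors = []
    for s in sequences:
        tf, total = Counter(s), (len(s) or 1)
        vectors.append([tf[api] / total * idf[api] for api in vocab])
    return vocab, vectors
```

Feeding the vectors into a truncated SVD (the LSA step) and then a random forest would complete the REDMALS pipeline the abstract describes.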