Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection

File Description SizeFormat 
1609.03020v1.pdfAccepted version345.4 kBAdobe PDFView/Open
Title: Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection
Authors: Sgandurra, D
Muñoz-González, L
Mohsen, R
Lupu, EC
Item Type: Working Paper
Abstract: Recent statistics show that in 2015 more than 140 millions new malware samples have been found. Among these, a large portion is due to ransomware, the class of malware whose specific goal is to render the victim's system unusable, in particular by encrypting important files, and then ask the user to pay a ransom to revert the damage. Several ransomware include sophisticated packing techniques, and are hence difficult to statically analyse. We present EldeRan, a machine learning approach for dynamically analysing and classifying ransomware. EldeRan monitors a set of actions performed by applications in their first phases of installation checking for characteristics signs of ransomware. Our tests over a dataset of 582 ransomware belonging to 11 families, and with 942 goodware applications, show that EldeRan achieves an area under the ROC curve of 0.995. Furthermore, EldeRan works without requiring that an entire ransomware family is available beforehand. These results suggest that dynamic analysis can support ransomware detection, since ransomware samples exhibit a set of characteristic features at run-time that are common across families, and that helps the early detection of new variants. We also outline some limitations of dynamic analysis for ransomware and propose possible solutions.
Issue Date: 31-Dec-2016
Copyright Statement: © 2016 The Author(s)
Keywords: cs.CR
Appears in Collections:Faculty of Engineering

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.

Creative Commons