Ransomware detection based on opcode behaviour using k-nearest neighbours algorithm

Ransomware is a malware that represents a serious threat to a user's information privacy. By investigating how ransomware works, we may be able to recognise its atomic behaviour. In return, we will be able to detect the ransomware at an earlier stage with better accuracy. In this paper, we prop...

Full description

Bibliographic Details
Main Authors: Stiawan, Deris (Author), Daely, Somame Morianus (Author), Heryanto, Ahmad (Author), Nurul Afifah, Nurul Afifah (Author), Idris, Mohd. Yazid (Author), Budiarto, Rahmat (Author)
Format: Article
Language:English
Published: Kauno Technologijos Universitetas, 2021-09-24.
Subjects:
Online Access:Get fulltext
Description
Summary:Ransomware is a malware that represents a serious threat to a user's information privacy. By investigating how ransomware works, we may be able to recognise its atomic behaviour. In return, we will be able to detect the ransomware at an earlier stage with better accuracy. In this paper, we propose Control Flow Graph (CFG) as an extracting opcode behaviour technique, combined with 4-gram (sequence of 4 "words") to extract opcode sequence to be incorporated into Trojan Ransomware detection method using K-Nearest Neighbors (K-NN) algorithm. The opcode CFG 4-gram can fully represent the detailed behavioural characteristics of Trojan Ran-somware. The proposed ransomware detection method considers the closest distance to a previously identified ransomware pattern. Experimental results show that the proposed technique using K-NN, obtains the best accuracy of 98.86% for 1-gram opcode and using 1-NN classifier.