Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-Ransomware
James Baldwin, Ali Dehghantanha

TL;DR
This paper presents a static analysis approach using opcode density histograms and Support Vector Machine classification to detect crypto-ransomware with high accuracy and significant feature reduction.
Contribution
It introduces a novel static analysis method leveraging opcode density histograms and evaluates feature selection techniques for effective ransomware detection.
Findings
Achieves 100% precision in differentiating ransomware from benign software.
Attains 96.5% accuracy in classifying five ransomware families.
Demonstrates effective feature reduction with minimal loss of accuracy.
Abstract
Ransomware is a significant global threat, with easy deployment due to the prevalent ransomware-as-a-service model. Machine learning algorithms incorporating the use of opcode characteristics and Support Vector Machine have been demonstrated to be a successful method for general malware detection. This research focuses on crypto-ransomware and uses static analysis of malicious and benign Portable Executable files to extract 443 opcodes across all samples, representing them as density histograms within the dataset. Using the SMO classifier and PUK kernel in the WEKA machine learning toolset, the paper demonstrates that this methodology can achieve 100% precision when differentiating between ransomware and goodware, and 96.5% when differentiating between 5 crypto-ransomware families and goodware. Moreover, 8 different attribute selection methods are evaluated to achieve significant feature…
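The feature-engineering step the abstract describes (opcode sequences from static analysis of PE files, turned into density histograms over a corpus-wide opcode vocabulary, then reduced by attribute selection) is shown below as an added example. This is not the paper's code: the paper uses WEKA's SMO classifier with a PUK kernel, which is not reproduced here. The opcode sequences are constructed toy data standing in for disassembler output, and the ranking heuristic (absolute difference of mean density between the two classes) is an assumed simple stand-in for the eight attribute selection methods the paper evaluates.

```python
from collections import Counter

# Constructed opcode sequences, as one might obtain by disassembling the code
# section of a PE file. These are toy inputs, not samples from the paper.
# Label 0 = goodware, 1 = crypto-ransomware.
SAMPLES = {
    "goodware_a": (["push", "mov", "call", "ret", "mov", "mov", "add", "jmp"], 0),
    "goodware_b": (["push", "mov", "mov", "call", "ret", "sub", "cmp", "jne"], 0),
    "ransom_a":   (["xor", "rol", "xor", "mov", "loop", "xor", "shl", "call"], 1),
    "ransom_b":   (["xor", "ror", "xor", "xor", "mov", "loop", "shr", "cmp"], 1),
}


def build_vocabulary(samples):
    """Union of every opcode seen across the corpus, sorted for a stable column order.
    The paper's equivalent is the 443 opcodes extracted across all of its samples."""
    vocab = set()
    for seq, _label in samples.values():
        vocab.update(seq)
    return sorted(vocab)


def opcode_density(seq, vocab):
    """Density histogram: the fraction of a sample's instructions that are each opcode.
    Densities sum to 1 over the vocabulary, so binaries of very different sizes
    produce comparable feature vectors (raw counts would not)."""
    total = len(seq)
    if total == 0:  # empty or undisassemblable section: all-zero vector
        return [0.0] * len(vocab)
    counts = Counter(seq)
    return [counts.get(op, 0) / total for op in vocab]


def feature_matrix(samples, vocab):
    """One density row per sample plus the parallel label list (SVM-ready input)."""
    rows, labels = [], []
    for name in sorted(samples):
        seq, label = samples[name]
        rows.append(opcode_density(seq, vocab))
        labels.append(label)
    return rows, labels


def rank_features(rows, labels, vocab):
    """Rank opcodes by |mean density in ransomware - mean density in goodware|.
    Assumed heuristic, not one of the paper's attribute selection methods."""
    pos = [r for r, lab in zip(rows, labels) if lab == 1]
    neg = [r for r, lab in zip(rows, labels) if lab == 0]
    scores = []
    for j, op in enumerate(vocab):
        mean_pos = sum(r[j] for r in pos) / len(pos) if pos else 0.0
        mean_neg = sum(r[j] for r in neg) / len(neg) if neg else 0.0
        scores.append((abs(mean_pos - mean_neg), op))
    scores.sort(reverse=True)
    return [op for _score, op in scores]


def select_top(rows, vocab, ranked, k):
    """Feature reduction: keep only the k highest-ranked opcode columns."""
    keep = [vocab.index(op) for op in ranked[:k]]
    return [[r[j] for j in keep] for r in rows], [vocab[j] for j in keep]


if __name__ == "__main__":
    vocab = build_vocabulary(SAMPLES)
    X, y = feature_matrix(SAMPLES, vocab)
    ranked = rank_features(X, y, vocab)
    X_reduced, columns = select_top(X, vocab, ranked, 3)
    print("vocabulary size:", len(vocab))
    print("top opcodes:", columns)
    for name, row in zip(sorted(SAMPLES), X_reduced):
        print(name, [round(v, 3) for v in row])
```

On the toy corpus the xor opcode dominates the ranking because its density separates the two classes cleanly; with real binaries the density vectors would be the feature matrix handed to the SVM, and the reduced column set is what lets accuracy be retained while most of the 443 attributes are dropped.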
