Zero Day Ransomware Detection with Pulse: Function Classification with Transformer Models and Assembly Language
Matthew Gaber, Mohiuddin Ahmed, Helge Janicke

TL;DR
Pulse leverages Transformer models trained on Assembly instructions captured by Peekaboo to detect zero-day ransomware with high accuracy, focusing on behavioral context rather than known signatures.
Contribution
This paper introduces Pulse, a novel framework combining Transformer models and Assembly language analysis for proactive zero-day ransomware detection.
Findings
Pulse accurately detects new ransomware samples
Transformer models effectively analyze Assembly instruction patterns
Behavioral context enables detection of novel malware
Abstract
Finding automated AI techniques to proactively defend against malware has become increasingly critical. The ability of an AI model to correctly classify novel malware is dependent on the quality of the features it is trained with, and the authenticity of the features is dependent on the analysis tool. Peekaboo, a Dynamic Binary Instrumentation tool, defeats evasive malware to capture its genuine behavior. The ransomware Assembly instructions captured by Peekaboo follow Zipf's law, a principle also observed in natural languages, indicating Transformer models are particularly well suited to binary classification. We propose Pulse, a novel framework for zero day ransomware detection with Transformer models and Assembly language. Pulse, trained with the Peekaboo ransomware and benign software data, uniquely identifies truly new samples with high accuracy. Pulse eliminates any familiar…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
