RansPred: A Novel Method for Detecting Ransomware Using Alignment Techniques
摘要
Ransomware is one of the most common types of malware that uses cryptology to attack victims’ computers. The victims then have to pay a ransom to recover encrypted resources. Ransomware is currently one of the most serious threats to individuals and organizations. Therefore, it is essential to detect them before they cause serious problems. Since obfuscation tactics are often used in polymorphic and metamorphic ransomware, it is difficult to detect them before they infect the system. Therefore, one should look for a ransomware detection solution that is resistant to obfuscation techniques. The executable file header includes the fields that define the program structure and can potentially be used to detect ransomware before its execution. Extracting this section of executable files does not require preprocessing or special resources. In addition, changing the structure of the program incorporates changes to the header fields as well. The aims of ransomware and benign programs differ, resulting in discrepancies in parts of their headers. In this paper, we propose a new technique called RansPred to accurately detect ransomware utilizing executable file header bytes. RansPred is designed to determine the desired sample label using the alignment score of the important sections of the header and the weighted vote technique. Our results show that RansPred can detect ransomware with 95.0% accuracy, approximately 2% better than the previous studies found in the literature. Rans-pred as a standalone tool and its source code are publicly available at: https://github.com/FarnoushManavi/RansPred.git.