Early Detection and Defense Countermeasure Inference of Ransomware based on API Sequence

Bibliographic Details
Published in: International journal of advanced computer science & applications, Vol. 14, no. 10
Main Authors: Zhang, Shuqin; Du, Tianhui; Shi, Peiyu; Su, Xinyu; Han, Yunfei
Format: Journal Article
Language: English
Published: West Yorkshire: Science and Information (SAI) Organization Limited, 2023
ISSN: 2158-107X, 2156-5570
DOI: 10.14569/IJACSA.2023.0141067

Summary: Currently, ransomware attacks have become an important threat in the field of network security. The detection and defense of ransomware have become particularly important. However, due to the insufficient data and behavior patterns collected dynamically to detect variants and unknown ransomware, there is also a lack of specialized defense strategies for ransomware. In response to this situation, this article proposes a ransomware early detection and defense system (REDDS) based on application programming interface (API) sequences. REDDS first dynamically collects API sequences from the pre-encryption stage of the ransomware, and calculates the API sequences as feature vectors using the n-gram model and TF-IDF algorithm. Due to the limitations of dynamic data collection, API sequences were enhanced using Wasserstein GAN with Gradient Penalty (WGAN-GP), and then machine learning classification algorithms were used to train the enhanced data to detect ransomware. By mapping the malicious API of ransomware to public security knowledge bases such as Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), a Ransomware Defense Countermeasures Ontology (RDCO) is proposed. Based on the ontology model, a set of inference rules is designed to automatically infer the defense countermeasures of ransomware. The experimental results show that WGAN-GP can more effectively enhance API sequence data than other GAN models. After data augmentation, the accuracy of machine learning detection models has significantly improved, with a maximum of 99.32%. Based on malicious APIs in ransomware, defense countermeasures can be inferred to help security managers respond to ransomware attacks and deploy appropriate security solutions.