Ransomware Early Detection Method Based on API Latent Semantics

Cryptographic ransomware extorts a ransom by encrypting user files. Existing early detection methods based on the first encryption-related application programming interface (API) cannot detect ransomware before it executes encryption behavior. Because the point at which different ransomware families begin executing their encryption behavior varies, existing early detection methods based on fixed time thresholds can only accurately detect a small fraction of ransom⁃ ware before it executes encryption behavior. To further improve the timeliness of ransomware detection, this article propos⁃ es a concept that characterizes the time period from the start of software operation to the first call of encryption-related dy⁃ namic-link libraries (DLLs), namely the initial phase of operation (IPO). Based on the analysis of DLL and API call behavior in the early operational phase of several ransomwares, this article presents a method based on the API sequences generated by the software within the IPO as the detection object, namely the ransomware early detection method based on API latent seman⁃ tics (REDMALS). REDMALS captures the API sequences within the IPO, uses the term frequency-inverse document frequen⁃ cy algorithm and the latent semantic analysis algorithm to generate feature vectors on the captured API sequences and to ex⁃ tract potential semantic structures, respectively, and then uses a machine learning algorithm to construct a detection model for ransomware detection. The experimental results show that REDMALS using the random forest algorithm achieves 97.7% and 96.0% accuracy on the constructed variant test set and unknown test set, respectively, and 83% and 76% of the ransom⁃ ware samples in both test sets, respectively, can be detected before they perform any encryption behavior. © 2024 Chinese Institute of Electronics. All rights reserved.