Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-Ransomware

Chapter in: Cyber Threat Intelligence (Advances in Information Security, vol. 70)

Abstract

Ransomware is a significant global threat, made easy to deploy by the prevalent ransomware-as-a-service model. Machine learning approaches that combine opcode features with a Support Vector Machine (SVM) have been shown to be effective for general malware detection. This research focuses on crypto-ransomware. It uses static analysis of malicious and benign Portable Executable (PE) files to extract 443 distinct opcodes across all samples and represents each sample as an opcode density histogram. Using the SMO classifier with a PUK kernel in the WEKA machine learning toolset, it shows that this methodology achieves 100% precision when differentiating between ransomware and goodware, and 96.5% when differentiating between five crypto-ransomware families and goodware. Eight attribute selection methods are then evaluated for feature reduction. With the CorrelationAttributeEval method, close to 100% precision is maintained with a feature reduction of 59.5%; the CFSSubset filter achieves the highest feature reduction, 97.7%, at a slightly lower precision of 94.2%.

Using a ranking method applied across the attribute selection evaluators, the opcodes with the highest predictive importance are identified as FDIVP, AND, SETLE, XCHG, SETNBE, SETNLE, JB, FILD, JLE, POP, CALL, FSUB, FMUL, MUL, SETBE, FISTP, FSUBRP, INC, FIDIV, FSTSW and JA. The MOV and PUSH opcodes, although present in the dataset at far higher density, do not have high predictive importance, whereas some rarer opcodes such as SETBE and FIDIV do.
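The feature-engineering and attribute-selection steps described above, as an added example that is not the chapter's own code: the authors counted opcodes with an IDA Pro plugin and trained the SMO/PUK SVM in WEKA, and neither of those is reproduced here. The block turns each sample's opcode stream into a density histogram over a vocabulary shared by the whole dataset, ranks the attributes by absolute Pearson correlation with the class label (the statistic behind WEKA's CorrelationAttributeEval for a two-class target), and keeps only the top share of attributes. The opcode streams, sample names and helper names (make_stream, density_histogram, rank_attributes, reduce_features) are constructed for illustration; the SVM training step is left out.

```python
"""Opcode density histograms and correlation-based attribute ranking.

Added example, not the chapter's own code. The chapter counted opcodes with
an IDA Pro plugin and trained an SMO/PUK SVM in WEKA; this file reproduces
the two steps that are instructive to see in plain Python:

  1. turning one sample's opcode stream into a density histogram over a
     vocabulary shared by the whole dataset, and
  2. ranking attributes by |Pearson correlation| with the class label, the
     statistic WEKA's CorrelationAttributeEval uses for a two-class nominal
     target, then keeping only the top fraction of attributes.

All opcode streams below are constructed toy data, not real disassembly.
"""
from collections import Counter
import math


def make_stream(counts):
    """Expand {mnemonic: count} into a flat mnemonic list. Stands in for a
    disassembly listing; constructed data, not a real binary."""
    stream = []
    for op, n in counts.items():
        stream.extend([op] * n)
    return stream


# Constructed samples. MOV/PUSH dominate every file (as in the real dataset),
# FDIVP/SETLE appear only in the ransomware samples, NOP only in goodware.
SAMPLES = {
    "ransom_a": make_stream({"mov": 40, "push": 30, "call": 10, "fdivp": 10, "setle": 10}),
    "ransom_b": make_stream({"mov": 42, "push": 28, "call": 10, "fdivp": 12, "setle": 8}),
    "ransom_c": make_stream({"mov": 38, "push": 32, "call": 10, "fdivp": 8, "setle": 12}),
    "good_a": make_stream({"mov": 42, "push": 28, "call": 10, "nop": 20}),
    "good_b": make_stream({"mov": 38, "push": 32, "call": 10, "nop": 20}),
    "good_c": make_stream({"mov": 40, "push": 30, "call": 10, "nop": 20}),
}
LABELS = {"ransom_a": 1, "ransom_b": 1, "ransom_c": 1,
          "good_a": 0, "good_b": 0, "good_c": 0}  # 1 = ransomware, 0 = goodware


def opcode_vocabulary(samples):
    """Union of mnemonics across all samples, sorted so column order is stable."""
    vocab = set()
    for stream in samples.values():
        vocab.update(stream)
    return sorted(vocab)


def density_histogram(stream, vocab):
    """Fraction of the sample's instructions accounted for by each vocabulary
    opcode. Densities rather than raw counts keep a 2 MB and a 20 KB binary
    comparable; the row sums to 1.0 when every mnemonic is in vocab."""
    counts = Counter(stream)
    total = len(stream)
    if total == 0:
        raise ValueError("empty instruction stream")
    return [counts[op] / total for op in vocab]


def build_dataset(samples, labels, vocab):
    """Feature matrix X (one density row per sample) and label vector y."""
    names = list(samples)
    X = [density_histogram(samples[n], vocab) for n in names]
    y = [labels[n] for n in names]
    return X, y


def pearson(xs, ys):
    """Pearson correlation; 0.0 for a constant column (no predictive value)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0.0 or sy == 0.0:
        return 0.0
    return cov / (sx * sy)


def rank_attributes(X, y, vocab):
    """[(|r|, opcode)] sorted best first: the CorrelationAttributeEval idea."""
    scored = []
    for j, op in enumerate(vocab):
        column = [row[j] for row in X]
        scored.append((abs(pearson(column, y)), op))
    return sorted(scored, reverse=True)


def reduce_features(ranked, reduction):
    """Keep the top (1 - reduction) share of attributes, at least one.
    reduction=0.595 would mirror the 59.5% reduction the chapter reports for
    its CorrelationAttributeEval run (on 443 opcodes, not this toy set)."""
    keep = max(1, round(len(ranked) * (1.0 - reduction)))
    return [op for _, op in ranked[:keep]]


if __name__ == "__main__":
    vocab = opcode_vocabulary(SAMPLES)
    X, y = build_dataset(SAMPLES, LABELS, vocab)
    ranked = rank_attributes(X, y, vocab)
    for score, op in ranked:
        print(f"{op:6s} |r| = {score:.3f}")
    print("kept after 50% reduction:", reduce_features(ranked, 0.5))
```

Run as a script it prints the ranking: mov and push, the densest columns, score near zero while the rarer fdivp and setle columns carry the signal, which is the abstract's observation in miniature. On real samples the vocabulary must be fixed from the training set, and a mnemonic seen only in a test file must be dropped or folded into an "other" column, otherwise the histograms of training and test files are not comparable.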

Acknowledgements

The authors would like to thank VirusTotal for providing access to their Intelligence platform to assist with the dataset creation, and Ransomware Tracker for being an invaluable resource for current ransomware threat detection.

Author information

Corresponding author

Correspondence to Ali Dehghantanha.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this chapter

Cite this chapter

Baldwin, J., Dehghantanha, A. (2018). Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-Ransomware. In: Dehghantanha, A., Conti, M., Dargahi, T. (eds) Cyber Threat Intelligence. Advances in Information Security, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-319-73951-9_6

  • DOI: https://doi.org/10.1007/978-3-319-73951-9_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-73950-2

  • Online ISBN: 978-3-319-73951-9

  • eBook Packages: Computer Science (R0)
