A novel approach for ransomware detection based on PE header using graph embedding

2022; Springer Science+Business Media; Volume: 18; Issue: 4; Language: English

10.1007/s11416-021-00414-x

ISSN

2263-8733

Authors

Farnoush Manavi, Ali Hamzeh

Topic(s)

Software Testing and Debugging Techniques

Abstract

The development of cryptocurrency has led to an increase in a type of malware called ransomware. Ransomware is a family of malware that uses malicious techniques to prevent users from accessing their systems or data. Ransomware threatens all industries, from health and hospitals to banks, training centers, and manufacturers of goods. Therefore, early ransomware detection is critical. Most researchers try to identify ransomware by examining the behavior of the software at runtime. Therefore, these approaches are costly and require resources to run every piece of software. In this paper, ransomware detection is conducted without running the software and without any special pre-processing, only using the headers of the executable file. In the proposed approach, a graph is created using the headers of executable files (specifically portable executable files) and then the graph is mapped into an eigenspace using the "Power Iteration" method. This mapping converts an executable file to a feature vector, which is eventually used to train a Random Forest classifier. Acceptable computational complexity in large datasets compared to previous methods and high detection rates are the main advantages of the proposed method.
