Leveraging support vector machine for opcode density based detection of crypto-ransomware


Abstract

Ransomware is a significant global threat, and the prevalent ransomware-as-a-service model makes it easy to deploy. Machine learning approaches that combine opcode characteristics with a Support Vector Machine have been demonstrated to be a successful method for general malware detection. This research focuses on crypto-ransomware: static analysis of malicious and benign Portable Executable files is used to extract 443 opcodes across all samples, which are represented as density histograms within the dataset. Using the SMO classifier with the PUK kernel in the WEKA machine learning toolset, the study demonstrates that this methodology can achieve 100% precision when differentiating between ransomware and goodware, and 96.5% when differentiating between five crypto-ransomware families and goodware. Moreover, eight different attribute selection methods are evaluated to achieve significant feature reduction. Using the CorrelationAttributeEval method, close to 100% precision can be maintained with a feature reduction of 59.5%. The CFSSubset filter achieves the highest feature reduction of 97.7%, though with slightly lower precision at 94.2%. Using a ranking method applied across the attribute selection evaluators, the opcodes with the highest predictive importance have been identified as FDIVP, AND, SETLE, XCHG, SETNBE, SETNLE, JB, FILD, JLE, POP, CALL, FSUB, FMUL, MUL, SETBE, FISTP, FSUBRP, INC, FIDIV, FSTSW, JA. The MOV and PUSH opcodes, although represented in the dataset with significantly higher density, do not actually have high predictive importance, whereas some rarer opcodes such as SETBE and FIDIV do.
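As an added illustration of the feature pipeline the abstract describes (not code from the paper or from WEKA), the block below turns a mnemonic stream into an opcode density histogram over a fixed vocabulary and then ranks opcodes by absolute Pearson correlation with the class label, which is the idea behind a CorrelationAttributeEval-style ranking. The mnemonic streams, labels and the 15-opcode vocabulary are constructed stand-ins for disassembler output and for the paper's 443 opcodes.

```python
"""Opcode density histograms plus a correlation-based attribute ranking.
Added example, not the paper's code; sample data below is constructed."""
import re
from collections import Counter
from math import sqrt

# Constructed mnemonic streams standing in for static disassembly output.
# Label 1 = ransomware-like sample, 0 = benign-like sample (illustrative).
SAMPLES = [
    ("mov push call xchg fdivp setbe and mov pop ret fild xchg", 1),
    ("push mov fdivp setbe call xchg and fistp jb mov pop", 1),
    ("mov push call pop ret mov add cmp jle add cmp", 0),
    ("push mov call pop ret jle cmp mov add add", 0),
]
# Fixed opcode vocabulary; a short stand-in for the paper's 443 opcodes.
VOCAB = ["mov", "push", "pop", "call", "ret", "add", "and", "cmp",
         "jb", "jle", "xchg", "fdivp", "fild", "fistp", "setbe"]
TOKEN = re.compile(r"[a-z]+")

def opcode_density(listing):
    """Density histogram: count of each vocab opcode / total vocab opcodes seen."""
    counts = Counter(TOKEN.findall(listing.lower()))
    total = sum(counts[op] for op in VOCAB) or 1  # avoid division by zero
    return [counts[op] / total for op in VOCAB]

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def rank_opcodes(samples):
    """Rank vocab opcodes by |correlation| between density and class label,
    the way a CorrelationAttributeEval-style evaluator scores attributes."""
    feats = [opcode_density(text) for text, _ in samples]
    labels = [float(lbl) for _, lbl in samples]
    scores = {op: abs(pearson([f[i] for f in feats], labels))
              for i, op in enumerate(VOCAB)}
    return sorted(scores.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for op, score in rank_opcodes(SAMPLES)[:5]:
        print(f"{op:7s} {score:.3f}")
```

On this toy data the frequent MOV opcode ranks below rarer ones such as FDIVP, matching the abstract's observation that high density does not imply high predictive importance.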

Citation (APA)

Baldwin, J., & Dehghantanha, A. (2018). Leveraging support vector machine for opcode density based detection of crypto-ransomware. In Advances in Information Security (Vol. 70, pp. 107–136). Springer New York LLC. https://doi.org/10.1007/978-3-319-73951-9_6
