A Study on the Cerber-Type Ransomware Detection Model Using Opcode and API Frequency and Correlation Coefficient

  • G. H. Lee (Department of Software Convergence, Hongik University)
  • M. C. Hwang (Department of Software Convergence, Hongik University)
  • D. Y. Hyun (Department of Software Convergence, Hongik University)
  • Y. I. Ku (Department of Software Convergence, Hongik University)
  • D. Y. Yoo (Department of Software Convergence, Hongik University)
  • Received : 2022.07.29
  • Accepted : 2022.08.16
  • Published : 2022.10.31

Abstract

Since the COVID-19 pandemic, the ransomware pandemic has intensified alongside the expansion of remote work. Anti-virus vendors are trying to respond, but conventional file-signature-based static analysis can be neutralized by the diversification of packing, by obfuscation, and by the appearance of variants or entirely new ransomware families. Many ransomware detection studies are under way, and at present the two main approaches are signature-based static analysis and behavior-based dynamic analysis. Rather than feeding a single kind of analysis into the detection model, this paper extracts the frequencies of the opcodes in the ".text" section and of the Native APIs the sample actually invokes, and analyzes the associations among the selected features using the K-means clustering algorithm, cosine similarity, and the Pearson correlation coefficient. Experiments that classify Cerber-type ransomware against worms, a different malware type, verified that the selected features are specialized for detecting this particular ransomware family (Cerber). Combining the features that survived this verification, applying them to machine learning, and performing hyperparameter optimization yielded detection performance of up to 93.3% accuracy.
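The feature pipeline the abstract sketches, as an added worked example that is not the authors' code: opcode and Native API tokens are turned into relative-frequency vectors, each feature's frequency is correlated with the class label using the Pearson coefficient to pick the discriminative features, and cosine similarity against per-class mean profiles separates the Cerber-type class from the worm class. The disassembly listings, API traces, feature names and the value of k are constructed assumptions for illustration; the paper's real features come from disassembled .text sections and traced Native API calls, its K-means clustering step is not reproduced here, and its final classifier is a tuned machine-learning model rather than this nearest-profile rule.

```python
"""Opcode/API frequency features with Pearson-correlation feature selection.

Added illustration only: SAMPLES is constructed toy data, not real Cerber or
worm binaries, and every feature name below is an assumption.
"""
import math
from collections import Counter

# Constructed toy corpus: (label, .text opcode mnemonics, Native APIs invoked).
# label 1 = Cerber-type ransomware, label 0 = worm.
SAMPLES = [
    (1, ["push", "mov", "xor", "xor", "loop", "call", "mov", "xor", "loop", "ret"],
        ["NtCreateFile", "NtWriteFile", "NtQueryDirectoryFile", "NtSetInformationFile", "NtWriteFile"]),
    (1, ["mov", "xor", "loop", "xor", "call", "xor", "loop", "mov", "ret", "push"],
        ["NtQueryDirectoryFile", "NtCreateFile", "NtWriteFile", "NtWriteFile", "NtSetInformationFile"]),
    (1, ["xor", "mov", "loop", "push", "xor", "call", "loop", "xor", "ret", "mov"],
        ["NtCreateFile", "NtWriteFile", "NtSetInformationFile", "NtQueryDirectoryFile", "NtCreateFile"]),
    (0, ["push", "mov", "cmp", "jne", "call", "mov", "cmp", "jne", "call", "ret"],
        ["NtOpenProcess", "NtDeviceIoControlFile", "NtQuerySystemInformation", "NtCreateFile", "NtDeviceIoControlFile"]),
    (0, ["mov", "cmp", "jne", "call", "push", "cmp", "jne", "mov", "call", "ret"],
        ["NtDeviceIoControlFile", "NtOpenProcess", "NtCreateFile", "NtQuerySystemInformation", "NtDeviceIoControlFile"]),
    (0, ["cmp", "jne", "mov", "call", "push", "cmp", "call", "jne", "mov", "ret"],
        ["NtQuerySystemInformation", "NtDeviceIoControlFile", "NtOpenProcess", "NtDeviceIoControlFile", "NtCreateFile"]),
]


def frequency_vector(opcodes, apis):
    """Relative frequency of each opcode and API token in one sample.

    Tokens are prefixed so the two feature families never collide, and each
    family is normalized by its own total so a large binary does not outweigh
    a small one merely by having more instructions.
    """
    vec = {}
    for prefix, tokens in (("op:", opcodes), ("api:", apis)):
        counts = Counter(tokens)
        total = sum(counts.values()) or 1
        for tok, n in counts.items():
            vec[prefix + tok] = n / total
    return vec


def build_matrix(samples):
    """Align all samples on a shared, sorted vocabulary; absent features are 0.0."""
    vectors = [frequency_vector(ops, apis) for _, ops, apis in samples]
    vocab = sorted(set().union(*vectors))
    X = [[v.get(f, 0.0) for f in vocab] for v in vectors]
    y = [label for label, _, _ in samples]
    return vocab, X, y


def pearson(x, y, eps=1e-12):
    """Pearson r between two equal-length series.

    r is undefined when either series is constant; that happens for opcodes
    such as `mov` that every sample uses at the same rate, which therefore
    carry no class information. Those features get r = 0.0 instead of a
    division-by-(almost)-zero artefact, hence the eps tolerance rather than
    an exact comparison against 0.
    """
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx < eps or syy < eps:
        return 0.0
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / math.sqrt(sxx * syy)


def cosine(a, b):
    """Cosine similarity of two vectors; 0.0 if either is the zero vector."""
    dot = sum(p * q for p, q in zip(a, b))
    na = math.sqrt(sum(p * p for p in a))
    nb = math.sqrt(sum(q * q for q in b))
    return dot / (na * nb) if na and nb else 0.0


def feature_correlations(vocab, X, y):
    """Correlation of each feature's frequency with the binary label (point-biserial r)."""
    return {f: pearson([row[i] for row in X], y) for i, f in enumerate(vocab)}


def select_features(vocab, X, y, k):
    """Keep the k features whose frequency correlates most strongly, in either direction,
    with the label. |r| is rounded so floating-point noise does not reorder exact ties;
    ties are then broken by name for determinism."""
    r = feature_correlations(vocab, X, y)
    ranked = sorted(vocab, key=lambda f: (-round(abs(r[f]), 9), f))
    return ranked[:k]


def class_profiles(vocab, X, y, selected):
    """Mean frequency vector per class, restricted to the selected features."""
    idx = [vocab.index(f) for f in selected]
    profiles = {}
    for label in sorted(set(y)):
        rows = [[row[i] for i in idx] for row, lab in zip(X, y) if lab == label]
        profiles[label] = [sum(col) / len(rows) for col in zip(*rows)]
    return profiles


def classify(opcodes, apis, vocab, selected, profiles):
    """Nearest-profile decision: the class whose mean vector is most cosine-similar wins."""
    v = frequency_vector(opcodes, apis)
    x = [v.get(f, 0.0) for f in selected]
    return max(profiles, key=lambda label: cosine(x, profiles[label]))


def run_pipeline(k=10):
    """Build features, select the top-k by |r| and compute the class profiles."""
    vocab, X, y = build_matrix(SAMPLES)
    selected = select_features(vocab, X, y, k)
    profiles = class_profiles(vocab, X, y, selected)
    return vocab, selected, profiles


if __name__ == "__main__":
    vocab, selected, profiles = run_pipeline()
    print("selected features:", selected)
    print("cosine(cerber profile, worm profile) =", round(cosine(profiles[1], profiles[0]), 3))
    print("held-out sample ->", classify(["xor", "loop", "mov", "call", "xor", "ret"],
                                         ["NtWriteFile", "NtCreateFile", "NtSetInformationFile"],
                                         vocab, selected, profiles))
```

Two things the toy run makes visible that the abstract only implies: features shared equally by both classes (`mov`, `push`, `ret`, and a common API such as `NtCreateFile`) contribute little or nothing and are dropped by the correlation ranking, and the surviving opcode and API features together give class profiles that are nearly orthogonal, which is what makes a similarity-based decision between Cerber-type samples and worms work at all.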

Acknowledgement

This paper is the result of work supported by Hongik University's "Regionally Specialized Smart City Graduate School Establishment Project".
