Abstract
Ransomware is one of the types of malware attacks that most severely affects financial institutions, since they cannot afford to lose their data or to experience long-term disruptions. It is therefore crucial for financial institutions to protect themselves from ransomware attacks. To fight zero-day ransomware attacks, i.e., previously unseen attacks, we present a method that uses the static header features of portable executables. The method forms a comprehensive static feature set that includes the header fields of portable executables, the count of dynamic link libraries (DLLs), the DLL average, the DLL list, the function call average, and a measure of section content randomness. To make the feature set compact, a threshold was applied to three feature sets: the portable executable header, the DLL features, and the section randomness. To determine the DLL average usage, the Tanimoto coefficient was applied to measure DLL similarity; the same procedure was applied to determine the function call average. The Chi-square test was applied to measure the section content randomness of portable executables. A stacking classifier was applied to measure the performance of the developed feature set. A publicly available dataset was used for the experiments. The results for the detection of zero-day attacks demonstrated averages of 97.15% accuracy, 98.06% recall, and 92.74% F-measure. When compared with other methods using the same dataset, our proposed method provided slightly better performance for many ransomware families.
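As an added illustration that is not code from the paper, the sketch below computes two of the features the abstract names: DLL similarity via the Tanimoto coefficient in its set form (averaged against a reference list of import sets), and section content randomness via a Chi-square statistic against a uniform byte distribution. The DLL names, reference family and section bytes are constructed; the paper's exact normalisation and thresholds are not given here and are assumed.

```python
from collections import Counter
from typing import Iterable, Set, Tuple


def tanimoto(a: Set[str], b: Set[str]) -> float:
    """Tanimoto coefficient on sets: |A & B| / |A | B| (1.0 identical, 0.0 disjoint)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def dll_average(sample_dlls: Iterable[str], reference: Iterable[Set[str]]) -> float:
    """Mean Tanimoto similarity of one sample's DLL imports against a reference family.

    Names are lower-cased because PE import tables mix case (KERNEL32.dll vs kernel32.dll).
    """
    sample = {d.lower() for d in sample_dlls}
    refs = [{d.lower() for d in r} for r in reference]
    if not refs:
        return 0.0
    return sum(tanimoto(sample, r) for r in refs) / len(refs)


def chi_square_randomness(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution over 0..255.

    Values near 0 mean the section looks random (packed or encrypted content);
    large values mean structured content such as plain code or text.
    """
    n = len(data)
    if n == 0:
        return 0.0
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


# Constructed sample data (hypothetical import lists, not taken from any dataset).
REFERENCE_FAMILY = [
    {"kernel32.dll", "advapi32.dll", "crypt32.dll"},
    {"kernel32.dll", "advapi32.dll", "shell32.dll"},
]
SAMPLE_DLLS = ["KERNEL32.dll", "ADVAPI32.dll", "CRYPT32.dll"]


def demo() -> Tuple[float, float, float]:
    avg = dll_average(SAMPLE_DLLS, REFERENCE_FAMILY)
    structured = chi_square_randomness(b"\x00" * 256)        # constructed: one byte value only
    uniform = chi_square_randomness(bytes(range(256)) * 4)   # constructed: perfectly uniform bytes
    return avg, structured, uniform


if __name__ == "__main__":
    print(demo())
```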