Ransomware Detection Based On Opcode Behavior Using K-Nearest Neighbors Algorithm


  • Deris Stiawan, Universitas Sriwijaya
  • Somame Morianus Daely, Dept. of Computer Engineering, Universitas Sriwijaya, Palembang
  • Ahmad Heryanto, Dept. of Computer Engineering, Universitas Sriwijaya, Palembang
  • Nurul Afifah, Dept. of Informatic, Universitas Sriwijaya, Palembang
  • Mohd Yazid Idris, School of Computing, Faculty of Engineering, Universiti Teknologi Malaysia, Johor
  • Rahmat Budiarto, College of Computer Science & Information Technology, Albaha University, Albaha




Ransomware, opcode behavior, N-gram, K-NN, Confusion Matrix.


Ransomware is malware that poses a serious threat to a user’s information privacy. By investigating how
ransomware works, we may be able to recognise its atomic behaviour and, in turn, detect ransomware at an
earlier stage with better accuracy. In this paper, we propose the Control Flow Graph (CFG) as a technique
for extracting opcode behaviour, combined with 4-grams (sequences of 4 “words”) to extract opcode
sequences, to be incorporated into a Trojan Ransomware detection method using the K-Nearest Neighbors (K-NN)
algorithm. The opcode CFG 4-gram can fully represent the detailed behavioural characteristics of Trojan Ransomware.
The proposed ransomware detection method considers the closest distance to a previously identified
ransomware pattern. Experimental results show that the proposed technique using K-NN obtains the best accuracy
of 98.86% for 1-gram opcode and using a 1-NN classifier.
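
As an added illustration (not code from the paper), the sketch below builds opcode n-gram frequency profiles and labels a sample by its nearest known profiles. The opcode traces, the per-basic-block n-gram extraction and the Euclidean distance are assumptions made here; the abstract does not specify them.

```python
from collections import Counter
import math

# Constructed training set: each sample is a list of basic blocks (opcode lists).
# Labels and traces are illustrative only, not data from the paper.
TRAIN = [
    ([["push", "mov", "call", "test", "jz"],
      ["mov", "xor", "add", "inc", "cmp", "jnz"],
      ["mov", "xor", "rol", "add", "cmp", "jnz"]], "ransomware"),
    ([["mov", "xor", "xor", "add", "cmp", "jnz"],
      ["push", "call", "mov", "xor", "inc", "cmp", "jnz"]], "ransomware"),
    ([["push", "mov", "sub", "call", "mov", "pop", "ret"],
      ["push", "push", "call", "add", "ret"]], "benign"),
    ([["push", "mov", "call", "test", "jz"],
      ["lea", "push", "call", "pop", "ret"]], "benign"),
]

def ngrams(blocks, n):
    """Count opcode n-grams inside each basic block (assumption: none spans two blocks)."""
    counts = Counter()
    for block in blocks:
        for i in range(len(block) - n + 1):
            counts[tuple(block[i:i + n])] += 1
    return counts

def distance(a, b):
    """Euclidean distance between two relative-frequency n-gram profiles."""
    total_a, total_b = sum(a.values()) or 1, sum(b.values()) or 1
    keys = set(a) | set(b)  # Counter returns 0 for n-grams a profile lacks
    return math.sqrt(sum((a[k] / total_a - b[k] / total_b) ** 2 for k in keys))

def knn_predict(train, sample_blocks, n=1, k=1):
    """Label a sample by majority vote among its k nearest training profiles."""
    probe = ngrams(sample_blocks, n)
    ranked = sorted((distance(ngrams(blocks, n), probe), label)
                    for blocks, label in train)
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0]  # ties resolve to the nearest neighbour's label

# Constructed unlabelled samples.
UNKNOWN_A = [["mov", "xor", "add", "cmp", "jnz"], ["mov", "xor", "inc", "cmp", "jnz"]]
UNKNOWN_B = [["push", "push", "call", "mov", "pop", "ret"]]

if __name__ == "__main__":
    for name, sample in (("A", UNKNOWN_A), ("B", UNKNOWN_B)):
        print(name, knn_predict(TRAIN, sample, n=1, k=1))
```

Raising `n` makes profiles sparser, so samples share fewer n-grams and distances grow; comparing `n=1` with `n=4` on the same data shows that trade-off.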

Author Biography

Deris Stiawan, Universitas Sriwijaya

Deris Stiawan (SCOPUS ID: 36449642900) is a senior lecturer in the Faculty of Computer Science, University of Sriwijaya, Indonesia. He is a member of IEEE and has been part of the Pervasive Computing Research Group (PCRG) since 2010. His professional work is in computer and network security, focused on network attacks and intrusion prevention/detection systems. He has held the Certified Ethical Hacker (C|EH) and Certified Hacker Forensic Investigator (C|HFI) certifications from EC-Council USA since 2011, and has been a Cisco Certified Networking Associate since 2005.