Ransomware Detection Based On Opcode Behavior Using K-Nearest Neighbors Algorithm
Keywords:Ransomware, opcode behavior, N-gram, K-NN, Confusion Matrix.
Ransomware is a malware that represents a serious threat to a user’s information privacy. By investigating how
ransomware works, we may be able to recognise its atomic behaviour. In return, we will be able to detect the
ransomware at an earlier stage with better accuracy. In this paper, we propose Control Flow Graph (CFG) as
an extracting opcode behaviour technique, combined with 4-gram (sequence of 4 “words”) to extract opcode
sequence to be incorporated into Trojan Ransomware detection method using K-Nearest Neighbors (K-NN)
algorithm. The opcode CFG 4-gram can fully represent the detailed behavioural characteristics of Trojan Ransomware.
The proposed ransomware detection method considers the closest distance to a previously identified
ransomware pattern. Experimental results show that the proposed technique using K-NN, obtains the best accuracy
of 98.86% for 1-gram opcode and using 1-NN classifier.
Copyright terms are indicated in the Republic of Lithuania Law on Copyright and Related Rights, Articles 4-37.