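Thesis

Intelligent Approach Combining Structural Features for the Detection of New Ransomware Families (original title: Abordagem Inteligente com Combinação de Características Estruturais para Detecção de Novas Famílias de Ransomware)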

Main author: MOREIRA, Caio Carvalho
Degree: Thesis
Language: por
Published in: Universidade Federal do Pará 2024
Subjects:
Online access: https://repositorio.ufpa.br/jspui/handle/2011/16614
Abstract:
Ransomware is malicious software that aims to encrypt user files and demand a ransom to unlock them. It is a cyber threat that can cause significant financial damage, as well as compromise privacy and data integrity. Although signature-based detection scanners commonly combat this threat, they fail to identify unknown ransomware families (variants). One method to detect new threats without the need to execute them is static analysis, which inspects the code and structure of the software, along with classification through intelligent approaches. The Detection of New Ransomware Families (DNFR) can be evaluated in a realistic and challenging scenario by categorizing and isolating families for training and testing. Hence, this thesis aims to develop an effective static analysis model for DNFR, which can be applied in Windows systems as an additional security layer to check executable files upon receipt or before execution. Early ransomware detection is essential to reduce the likelihood of a successful attack. The proposed approach comprehensively analyzes executable binaries, extracting and combining various structural features, and classifies them as ransomware or benign software using a soft voting model comprising three machine learning techniques: Logistic Regression (LR), Random Forest (RF), and eXtreme Gradient Boosting (XGB). Results for DNFR demonstrated an average accuracy of 97.53%, precision of 96.36%, recall of 97.52%, and F-measure of 96.41%. Additionally, scanning and predicting individual samples took an average of 0.37 seconds. This performance indicates success in quickly identifying unknown ransomware variants and adapting the model to the constantly evolving landscape, suggesting its applicability in antivirus protection systems, even on resource-limited devices. Therefore, the method offers significant advantages and can assist developers of ransomware detection systems in creating more resilient, reliable, and fast-response solutions.