Anomalix: Intelligent static portable executable metadata-based ransomware detection using machine learning

¹ Dept of CSBS, Rajalakshmi Engineering College Chennai, India
² Dept of CSBS, Rajalakshmi Engineering College Chennai, India
³ Dept of CSBS, Rajalakshmi Engineering College Chennai, India

This email address is being protected from spambots. You need JavaScript enabled to view it.
This email address is being protected from spambots. You need JavaScript enabled to view it.
This email address is being protected from spambots. You need JavaScript enabled to view it.

Abstract

Ransomware is one of the worst forms of Cyberattack. Often it escapes the detection of traditional signature-based antivirus (AV) solutions or so-called legacy AV solutions through the use of obfuscation, polymorphism and exploit kits that exploit zero-day vulnerabilities. In response, we propose ANOMALIX, the static analysis-based ransomware detection framework. The framework uses both Portable Executable (PE) metadata as well as machine learning techniques to determine whether the intent is malicious or not before the execution takes place. Structural attributes - like import tables, sections, resources and memory configuration - were transmuted into discriminative features. A set of classifiers including Random Forest (RF), Decision Tree, Logistic Regression and XGBoost classifiers were trained on the resulting feature set extracted from a Kaggle PE malware dataset and the Random Forest classifier was found to be the best of the classifiers evaluated. The system is implemented as a web based service with functionality provided include confidence scoring, interpretability of AI, Automated reporting and email notification. Empirical evaluations have shown that static analysis of PE metadata is a safe, efficient and scalable solution to provide early detection of ransomware threats.