CN114969734A - A ransomware variant detection method based on API call sequence - Google Patents

Abstract

The invention realizes a ransomware variant detection method based on API calling sequence through the method in the field of information security. First, set up a ransomware family classification technology unit based on API call sequences, deploy Cuckoo sandbox for the input ransomware virus characteristics, and construct a ransomware data set; collect a large number of API call sequences to form a corpus, and use word2vec for pre-training; select API Call the sequence as a learning feature for preprocessing; train the detection model and evaluate it to obtain a usable model, and then obtain the classification result; on the basis of classifying all dynamic behaviors, the classification results are visualized using Graphviz and Neo4j-based ransomware attack process The technical unit is mainly based on the visualization process of the attack process based on Graphviz, supplemented by the visualization process of the attack process based on Neo4j, and outputs the classification results of the virus. It has shown good results in the task of ransomware family classification.

Description

A ransomware variant detection method based on API call sequence

technical field

The invention relates to the technical field of information security, in particular to a method for detecting ransomware variants based on an API calling sequence.

Background technique

In recent years, attackers have begun to use ransomware as an effective method of cyber attacks due to their aggressive nature. According to a survey by consulting firm Accenture, in the first half of 2021, global cyber threat activity increased by 125% compared to last year. Focusing on the field of ransomware attacks, the targeted industries are mainly insurance, consumer goods and services, and telecommunications, accounting for 23%, 17%, and 16% respectively, and the three together account for 56%. Data breaches caused by ransomware attacks increased by 24% in the first half of 2021 compared to the second half of 2020. Ransomware attacks not only bring costly service interruptions, but also directly threaten political security, economic security, technological security and other aspects.

Ransomware is a special kind of malware that infects computers and restricts user access until a ransom is paid to unlock it. Attackers can quickly generate a large number of ransomware variants through techniques such as polymorphism, and this method is low-cost. Although security mechanisms such as firewalls, anti-virus programs, and automated analyzers have been developed to combat this threat, these traditional mechanisms are ineffective and fail to protect valuable assets stored on local or cloud storage resources.

Ransomware analysis technology is the process of analyzing the purpose and function of ransomware, which is mainly divided into two methods: static analysis and dynamic analysis. Static analysis is an automatic analysis of ransomware that does not perform ransomware, extracts static features such as MD5 and opcodes, and then infers its behavior. However, attackers usually use techniques such as packing and code obfuscation, which makes static analysis difficult to deal with. Dynamic analysis is run-time monitoring and analysis of malicious behavior or the risk of ransomware by executing collected ransomware samples in a virtual environment. Generally speaking, there are two approaches to dynamic analysis depending on the features used and the techniques applied. First, a dynamic analysis is performed by using the characteristics, using information such as frequency or sequence of API calls, compiled hex code, program execution path and other information as characteristics. Second, the collected feature data is analyzed by applying technical analysis using sequence alignment and data mining or machine learning. However, many ransomware variants will recognize sandboxes and delay execution, or make a lot of calls to unrelated benign APIs during execution, making dynamic analysis difficult. Therefore, the existing detection methods lack effective ransomware variant detection methods.

With the rapid development of deep learning, researchers began to apply it to the security field, and achieved good results. If a sequence of feature selection API calls is learned and treated as a text with a single API function as a token, then the ransomware classification problem can be transformed into a text classification problem in the NLP domain. Therefore, some classic models in text classification can be applied to the task of ransomware family classification.

In recent years, ransomware attacks are highly insidious and harmful, and they are fast and easy to spread. The attack paths and targets are diversified, and the scope of ransomware attacks is wider. In addition, due to the abuse of ransomware variant transformation technology by attackers, the quantity and quality of variants have surged, making it difficult for traditional antivirus technologies to detect such attacks. Therefore, there is an urgent need for a good ransomware detection technology, which can quickly determine the family or similar family to which the sample belongs, and then conduct targeted analysis and write decryption programs or security patches to reduce losses as much as possible.

Static analysis technology is difficult to deal with polymorphism, variant, packing, compression and other technologies, and dynamic technology is difficult to deal with delayed operation, adding a large number of unrelated benign API calls, etc. Moreover, the two methods mainly have a good detection effect on known ransomware samples or sample libraries, and are not suitable for ransomware variants.

SUMMARY OF THE INVENTION

To this end, the present invention first proposes a ransomware variant detection method based on API calling sequence. First, a ransomware family classification technology unit based on API calling sequence is set up, and the Cuckoo sandbox is deployed for the input ransomware sample to construct a ransomware virus. Data set; collect a large number of API call sequences to form a corpus, and use word2vec for pre-training; select API call sequences as learning features for preprocessing; train detection models and evaluate them to obtain available models, and then obtain classification results;

After that, on the basis of classifying all dynamic behaviors into seven categories: process, system, shell code detection, memory, file, registry, and network, the visualization technology unit of ransomware attack process based on Graphviz and Neo4j is used for the classification results. Graphviz's attack process visualization process is the main, and Neo4j-based attack process visualization process is supplemented. Use Graphviz's visualization results to view the overall attack process, use Neo4j's visualization results to view specific behaviors or details of the attack process, and finally, output A visual view of the classification results of ransomware virus families.

The specific method for constructing the ransomware data set is as follows: using two methods as the data source;

Specifically, one method is: calling a ready-made behavior analysis report or API call sequence data set, collecting the behavior analysis report and API call sequence data set, and then using a Python script to extract the API call sequence and the name of the ransomware family as tags;

Another method is: build a Cukoo host and a Cuckoo sandbox in Analysis Guest mode as a ransomware analysis environment, obtain original malicious samples from an open source website and put them into the ransomware analysis environment in batches, process samples in batches, and summarize ready-made samples. After the behavioral analysis report, the API call sequence is then extracted.

The pre-training method is as follows: first, a corpus needs to be constructed, wherein the API call sequence does not need to have specific labels, so the source is a malicious code data set, an unlabeled ransomware data set, and a labeled ransomware data set;

The pre-training model selects word2vec including the jump element model and the continuous word bag model, and then selects the jump element model to use the central word to predict the words around it in the text sequence;

The model parameters are learned by maximizing the likelihood function,

The length of the API call text sequence is T, the size of the context window is m, the token at time t is w ^(t) , and the downsampling technique is used to reduce the importance of high-frequency words and increase the importance of low-frequency words, and then Do small batches.

The method for training the detection model is specifically: constructing a detection model based on the API call sequence, the model input is the API call sequence, the output is the category, the TextCNN+Attention model inputs the API call sequence, and is converted into a two-dimensional word vector matrix through the embedding layer; The product layer sets convolution kernels of different sizes, where the length of the second dimension is the length of the word vector, the activation function uses the ReLU function, and adds nonlinear factors. After the convolution layer, three one-dimensional vectors of different lengths will be generated; the pooling layer , using the maximum pooling strategy to generate three values, each of which is the largest element in the original vector; the three values generated by the pooling layer are spliced to generate a 1*3 vector, and then focus on the set information through Attention ; Finally, the corresponding category is output through the fully connected layer.

The evaluation method of the model is to use the weighted average method to calculate the overall accuracy of the multi-classification:

召回率：

基于精确率和召回率的调和平均：

其中，N代表类别总数，i代表样本对应类别，Total代表样本总数，Cnt_i代表类别i的数量，P_i、R_i、F_1i分别代表类别i的精确率、召回率、精确率和召回率的调和平均。

Recall rate:

Harmonic averaging based on precision and recall:

Among them, N represents the total number of categories, i represents the corresponding category of the sample, Total represents the total number of samples, Cnt _i represents the number of category i, and P _i , R _i , and F _1i represent the precision rate, recall rate, precision rate and recall rate of category i, respectively. the harmonic mean.

The implementation of the Graphviz-based attack process visualization process is as follows:

Step 1: Install the Python library graphviz via pip;

Step 2: Install Graphviz, and make sure that the directory containing the dot executable file is on the system path, and PATH needs to be added during the installation process;

Step 3: In order to display intuitively and highlight key behaviors, set the endpoint shape, endpoint color, edge color, and font color;

Step 4: Use the minidom parser to open the XML document, get all the fields action_list, then parse the necessary attributes of the field, and finally store it in the Action object list;

Step 5: Initialize endpoints, such as dynamic analysis start, dynamic analysis abnormal end, dynamic analysis end, sample file, start, vasstarter.exe and other endpoints;

Step 6: Traverse the list of Action objects, obtain endpoints, and use auxiliary arrays to deduplicate endpoints;

Step 7: Initialize edges, such as dynamic analysis process, shutdown of the host, process start execution, etc.;

Step 8: Traverse the list of Action objects, get the edges, and then connect the endpoints obtained above;

Step 9: Then use Python to call the API to export the graph, such as png, jpg, svg, pdf and other formats;

Step 10: If the number of edges and endpoints is too large, it will affect the drawing efficiency. Multi-threaded programming is used to alleviate this problem.

The specific method of the Neo4j-based attack process visualization process is as follows:

Step 1: Download the Java SE JDK from the official Oracle website and install it. Neo4j is a Java-based graph database. To run Neo4j, the JVM process needs to be started, so the JDK of JAVA SE must be installed;

Step 2: Download Neo4j from the graph database Neo4j official website and install it. The installation process needs to configure environment variables;

Step 3: Start the Neo4j program through the console, and the Neo4j service has been deployed locally;

Step 4: Install the Python library py2neo through pip, and then connect to the Neo4j graph database;

Step 5: Use the same method in Graphviz to get a list of Action objects, and build endpoints and edges;

Step 6: Create relationships in batches on existing nodes to improve mapping efficiency;

Step 7: Open the browser and visit http://localhost:7474, you can see the visualization results.

The technical effect to be realized by the present invention is:

Implement a search method with the following properties:

Make full use of the API call sequence to detect ransomware variants, introduce the detection method of word2vec+TextCNN+Attention, pre-train on the API corpus, and then use TextCNN and attention mechanism for classification learning, this method is in the ransomware family. It shows good results on classification tasks.

Description of drawings

Figure 1 The main architecture of Cuckoo;

Figure 2 Example of jumping element model;

Figure 3 API call sequence length distribution diagram;

Figure 4word2vec+TextCNN+Attention model structure;

Figure 5. An example of behavior visualization based on Graphviz;

Figure 6. An example of behavior visualization based on Neo4j;

Detailed ways

The following is a preferred embodiment of the present invention and combined with the accompanying drawings to further describe the technical solution of the present invention, but the present invention is not limited to this embodiment.

The present invention proposes a ransomware variant detection method based on an API calling sequence.

Static analysis technology is difficult to deal with polymorphism, variant, packing, compression and other technologies, and dynamic technology is difficult to deal with delayed operation, adding a large number of unrelated benign API calls, etc. Moreover, the two methods mainly have a good detection effect on known ransomware samples or sample libraries, and are not suitable for ransomware variants. This patent starts from dynamic analysis, selects the API calling sequence, removes repeated subsequences as learning features, and then uses the deep learning classification model for training, and finally obtains the classification result. Next, in order to improve the interpretability of the detection results, the attack flow of the ransomware variant is visualized. Based on this, this patent consists of two parts: "Ransomware Family Classification Technology Based on API Call Sequence" and "Visualization Technology of Ransomware Attack Process Based on Graphviz and Neo4j".

Classification technology of ransomware family based on API calling sequence

This section aims to solve the classification problem of ransomware family, deploy Cuckoo sandbox, and construct ransomware dataset; collect a large number of API call sequences to form a corpus, and use word2vec for pre-training; select API call sequences as learning features for preprocessing; training Detect the model and get the classification result.

Ransomware dataset construction

According to relevant literature, currently available ransomware data sets are scarce, and the data sets provided by open source communities are old and will not be updated regularly; some competitions and open source websites mostly provide malicious code data sets, which are not refined into ransomware virus families. Therefore, it is necessary to construct a ransomware dataset independently.

There are two main data sources: first, ready-made behavior analysis reports or API call sequence datasets, such as ACT-KingKong dataset, MMCC Microsoft Malware Classification Challenge dataset, Ember dataset, etc.; second, original malicious samples , obtained from open source websites such as MalShare, VirusShare, Exploit Database, Viru sTotal, etc., put it into the ransomware analysis environment in batches to run, and then obtain the API call sequence.

Data source method 1: Collect behavior analysis reports and API call sequence data sets, and then use Python script to extract API call sequences and tags (ransomware family name).

Data source method 2: Select the Cuckoo sandbox as the ransomware analysis environment. Cuckoo is an open-source automatic malware analysis system. Its main architecture is shown in Figure 1.

Build a Cuckoo host and a Cuckoo sandbox in Analysis Guest mode, process samples in batches, summarize ready-made behavior analysis reports, and then extract the API call sequence.

Collect and process ransomware samples from the above two data sources, and construct a ransomware dataset containing 13,887 pieces of data. The dataset contains 8 categories, benign and 7 ransomware families, and the specific distribution is shown in Table 1.

Table 1 Distribution of ransomware datasets

category Benign Phobos Sodinokibi WannaCry Ryuk Avaddon Stop Globelmposter quantity 4978 1487 515 4289 100 820 1196 502

pre-training

Since vectorization methods such as one-hot encoding or TF-IDF cannot express the similarity between API functions, pre-training is used to obtain word vectors.

First, a corpus needs to be constructed, in which the API call sequence does not need to have specific labels, so the source can be malicious code datasets, unlabeled ransomware datasets, labeled ransomware datasets, etc. In this way, the invalid data collected is also used effectively.

The pre-training model selects word2vec (including the jump element model and the continuous word bag model), and then selects the jump element model to use the central word to predict the surrounding words in the text sequence.

The jump element model parameters are the center word vector and the context word vector of the token. During training, we learn model parameters by maximizing the likelihood function (i.e. maximum likelihood estimation). This is equivalent to minimizing the loss function of Equation 1, where the text (API call) sequence length is T, the context window size is m, and the token at time t is w ^(t) .

Equation 1 Jump element model loss function:

To reduce computational complexity, approximate training is usually performed, such as negative sampling and hierarchical softmax. There are usually high-frequency words in text data. These words often appear in the context window, but provide little useful information. Therefore, downsampling technology is used to reduce the importance of high-frequency words and increase the importance of low-frequency words. Then do mini-batches for iterative loading during training.

After pre-training, the word elements are mapped to vectors, that is, word vectors, which contain similar information between different word elements.

preprocessing

The API functions in the API call sequence have a logical relationship before and after, and the API functions have special meanings. Table 2 is the API function calls commonly used by ransomware viruses and their function descriptions.

Table 2 Ransomware API function function table

API call sequences vary in length, ranging from tens of thousands to dozens. In order for the API sequence data to be available and used as the input of the detection model, preprocessing is required.

On the one hand, the software itself has a large number of repeated API calls; on the other hand, attackers deliberately add a large number of useless API calls in order to increase the difficulty of analysis by security personnel. Some literatures have proposed and experimentally proved that the repeated subsequences are removed from the API calling sequence, which does not affect the similarity calculation between API sequences. In addition, compressing the sequence of API calls reduces computation time. In summary, it is necessary to de-duplicate the API call sequence. The method of removing consecutive API function calls is adopted. For example, the original sequence is "QWEERRRT", and the duplicated sequence is "QWERT".

After deduplication, the length of the sequence of API calls can be obtained. The sequence length of this dataset is mainly distributed from 0 to 200, as shown in Figure 3. Therefore, 200 is selected as the upper limit of the sequence length, the API call sequence with the sequence length greater than 200 is truncated, and the API call sequence less than 200 is filled with zeros.

Detection model

Convolutional Neural Network (CNN) is a feed-forward neural network whose artificial neurons can respond to surrounding units within a partial coverage area, and perform well for large-scale image processing. A typical convolutional neural network consists of three parts: convolutional layer, pooling layer and fully connected layer. The convolutional layer is responsible for extracting local features in the image; the pooling layer is used to greatly reduce the parameter magnitude (dimension reduction); the fully connected layer is similar to the part of the traditional neural network to output the desired result. CNN has been widely used, such as: face recognition, automatic driving, security and many other fields. TextCNN is an application in text classification. The core idea is to capture local features. For text, local features are sliding windows composed of several words, similar to N-gram. The advantage of convolutional neural networks is that they can automatically combine and filter N-gram features to obtain semantic information at different levels of abstraction.

Attention mechanism is a resource allocation scheme that allocates computing resources to more important tasks and solves the problem of information overload in the case of limited computing power. In neural network learning, generally speaking, the more parameters of the model, the stronger the expression ability of the model, and the greater the amount of information stored in the model, but this will bring about the problem of information overload. Then, by introducing an attention mechanism, focusing on the information that is more critical to the current task among the many input information, reducing the attention to other information, and even filtering out irrelevant information, the problem of information overload can be solved and the task processing efficiency can be improved. Efficiency and accuracy.

Drawing on the idea of text classification, a detection model based on API call sequence is constructed. The input of the model is the API call sequence, and the output is the category.

The structure of TextCNN+Attention model is shown in Figure 4. The input API call sequence is converted into a two-dimensional word vector matrix through the embedding layer; the convolution layer is set with different sizes of convolution kernels, such as 3, 4, and 5, where the length of the second dimension is For the length of the word vector, the activation function uses the ReLU function and adds nonlinear factors. After the convolution layer, three one-dimensional vectors of different lengths are generated; the pooling layer uses the maximum pooling strategy to generate three values, where each value is the largest element in the original vector; the three values generated by the pooling layer are spliced to generate a 1*3 vector, and then the set information is focused through Attention; finally, the corresponding category is output through the fully connected layer.

Evaluation model

To evaluate the pros and cons of a model, there are usually indicators such as Accuracy, Precision, Recall, and F1.

Accuracy: The proportion of all correctly predicted samples in the total sample. The calculation formula is as follows:

Formula 2 accuracy calculation formula

Precision: Also known as precision, accuracy is the ability of the model to find only relevant targets. The formula is as follows:

Formula 3 precision rate calculation formula

Recall: Also known as recall, it is the ability of the model to find all relevant targets, that is, how many real targets can the prediction results given by the model cover at most. The calculation formula is as follows:

Formula 4 Recall rate calculation formula

F1: Based on the harmonic mean of precision and recall, the formula is as follows:

Formula 5F1 calculation formula

Among them, TP (True Positive): the true value is true, the predicted value is true; FP (False Positive): the true value is false, the predicted value is true; FN (False Negative): the true value is true, the predicted value is false ; TN (True Negative): The true value is false and the predicted value is false.

The above calculation formula is suitable for the two-class problem, and the multi-class problem needs further processing. It can be regarded as N (number of data set categories) two-class tasks to calculate the above indicators. This patent adopts the method of weighted-average (weighted average) to calculate the overall Precision, Recall, and F1 of the multi-classification. The calculation method is as follows:

Formula 6 Multi-classification accuracy calculation formula

Formula 7 Multi-class recall calculation formula

Formula 8 multi-class F1 calculation formula

Among them, N represents the total number of categories, i represents the corresponding category of the sample, Total represents the total number of samples, Cnt _i represents the number of category i, and P _i , R _i , and F _1i represent the Precison, Recall, and F1-sco re of category i, respectively.

Visualization technology of ransomware attack process based on Graphviz and Neo4j

The behavior part of the ransomware analysis report is only a simple listing, which is not intuitive, and it is difficult to find key behaviors in a short period of time. Therefore, it is necessary to visualize the attack process of the ransomware virus, and the visualization work also increases the interpretability of the detection model.

The following continues to be implemented for the ACT-KingKong dataset, which consists of xml files. Each xml file corresponds to a ransomware (or malicious code) sample, which contains a series of dynamic behaviors, such as creating processes, deleting registry keys, loading modules, etc.

After comprehensive analysis, all dynamic behaviors are divided into seven categories: process, system, Shell code detection, memory, file, registry, and network. The specific classification is shown in Table 3.

Table 3 Ransomware dynamic behavior classification table

If each process is regarded as an endpoint, and the dynamic behavior is regarded as an edge connecting two endpoints, the visualization of ransomware attack behavior is essentially a directed graph construction.

Graphviz-based behavior visualization

Graphviz (short for Graph Visualization Software) is an open-source toolkit initiated by AT&T Labs Research for drawing graphs specified in DOT language scripts with the file extension "gv", and also provides software applications with tools to use these tools. library. The Python library graphviz provides a simple pure python interface for the graph drawing software Graphviz, which can efficiently draw graphs using Python programming; this module provides two classes: Graph and Digraph, which are undirected graphs and directed graphs in DOT language respectively. Create graph descriptions to graphs, with the same API.

The visualization of the attack process based on Graphviz, the specific implementation steps are as follows:

Step 1: Install the Python library graphviz via pip;

Step 2: Install Graphviz, and make sure that the directory containing the dot executable file is on the system path, and PATH needs to be added during the installation process;

Step 3: In order to display intuitively and highlight key behaviors, set the endpoint shape, endpoint color, edge color, and font color;

Step 4: Use the minidom parser to open the XML document, get all fields action_list, then parse the necessary attributes of the field, and finally store it in the Action object list;

Step 5: Initialize endpoints, such as dynamic analysis start, dynamic analysis abnormal end, dynamic analysis end, sample file, start, vasstarter.exe and other endpoints;

Step 6: Traverse the list of Action objects, obtain endpoints, and use auxiliary arrays to deduplicate endpoints;

Step 7: Initialize edges, such as dynamic analysis process, shutdown of the host, and start of process execution;

Step 8: Traverse the list of Action objects, get the edges, and then connect the endpoints obtained above;

Step 9: Then use Python to call the API to export the graph, such as png, jpg, svg, pdf and other formats;

Step 10: If the number of edges and endpoints is too large, it will affect the drawing efficiency. Use multi-threaded programming to alleviate this problem.

The final implementation effect is shown in Figure 5. The example diagram can clearly see the logical relationship before and after behavior execution. Different endpoints have different colors, which is conducive to quickly locating key behaviors and making the detection model interpretable. However, when the ransomware sample contains a large number of endpoints and edges, the generated graph is large and complex, and many minor behaviors will affect the discovery of key behaviors.

Behavior visualization based on graph database Neo4j

Neo4j is a graph database management system developed by Neo4j, Inc. The developers describe it as an acid-compatible transactional database with native graph storage and processing capabilities, implemented based on Java. The Python library py2neo provides the corresponding API for Python manipulation of Neo4J, which is simple, safe and efficient.

The steps to visualize the ransomware attack process using Neo4j are as follows:

Step 1: Download the Java SE JDK from Oracle's official website and install it. Neo4j is a Java-based graph database. To run Neo4j, the JVM process needs to be started, so the JDK of JAVA SE must be installed.

Step 2: Download Neo4j from the graph database Neo4j official website and install it. The installation process needs to configure environment variables;

Step 3: Start the Neo4j program through the console, and the Neo4j service has been deployed locally;

Step 4: Install the Python library py2neo through pip, and then connect to the Neo4j graph database;

Step 5: Use the same method in Graphviz to get a list of Action objects, and build endpoints and edges;

Step 6: Create relationships in batches on existing nodes to improve mapping efficiency;

Step 7: Open the browser, visit http://localhost:7474, and you can see the visualization results.

The final implementation effect is shown in Figure 6. Since the endpoints and edges are floating, the logical relationship between behaviors is not easy to find. However, since the graph database Neo4j can perform addition, deletion, search and modification operations, it is highly maneuverable and flexible. You can quickly locate critical endpoints and critical edges by deleting secondary endpoints; you can also query other endpoints related to the specified endpoint.

In summary, the behavior visualization based on Graphviz and the behavior visualization based on the graph database Neo4j have their own advantages and disadvantages. Therefore, the solution based on Graphviz and supplemented by Neo4j is a good visualization method.

The present invention uses a laboratory cluster for training, the operating system type is CentOS Linux rel ease7.6.1810 (Core), the processor is Intel(R) Xeon(R) Silver 4214R, the memory size is 256GB, and the specific hardware configuration is shown in the table 4 shown. In addition, the development language of the present invention is Python, the deep learning framework is pytorch, and the specific software configuration is shown in Table 5. The detection model of the present invention uses TextCNN, combined with the attention mechanism, and the specific model parameters are shown in Table 6.

Table 4 Experimental hardware configuration

Table 5 Experimental software configuration

Table 6 Detection model parameter table

The ransomware data set used in the present invention is independently constructed, and the data sources include ACT-KingKong data set, open source community, competition data set, malicious code website, etc. It consists of 13,887 samples, including seven ransomware family samples and benign samples. It is divided into training set and test set according to the ratio of 8:2.

In order to verify the superiority of the detection model of the present invention (word2vec+TextCNN+Attention, WTA for short), a comparative experiment was performed on the constructed ransomware data set. Similarly, random forest (RF), multi-layer perceptron (MLP), TextCNN, long short-term memory network (LSTM), word2vec combined with TextCNN (referred to as WT) and other methods are selected for comparison. The RF algorithm selects the API number for vectorization; multi-layer The perceptron uses the API number as the learning feature, and the network structure includes two fully connected layers, in which the activation function uses ReLU; the TextCNN model uses one-hot encoding for vectorization; the LSTM model uses word2vec for pre-training, and uses a bidirectional long and short-term memory network; WT The model uses word2vec for pre-training, and the classification model uses TextCNN. The difference from the model of the present invention is that the attention mechanism is not used.

Table 7 Comparative experimental results

Classification algorithm Accuracy Precision Recall F1 Time (minutes) RF 0.806 0.805 0.806 0.797 0.042 MLP 0.679 0.701 0.679 0.678 0.473 TextCNN 0.829 0.829 0.829 0.827 18.491 LSTM 0.852 0.853 0.852 0.851 56.378 WT 0.848 0.846 0.848 0.845 17.128 WTA (the present invention) 0.855 0.862 0.855 0.853 18.778

The experimental results are shown in Table 7. The following conclusions can be drawn: the RF machine learning algorithm has good performance in various indicators, especially the shortest time-consuming; comparing the RF and MLP algorithms, compared with the random forest algorithm, more The layer perceptron does not have any advantages; comparing the TextCNN and WT models, it is found that the accuracy rate is improved by about 2% after using the pre-training model; comparing the WT and WTA models, it is found that the accuracy rate is improved by about 1% after using the attention mechanism %; Comparing the two models of LSTM and WTA, it is found that the two models have little difference in each evaluation index, but the training time of the LSTM model is longer; In conclusion, the model WTA of the present invention has outstanding performance in various indicators, and The training time is acceptable.

Claims (7)

1. A ransomware variant detection method based on API calling sequence, it is characterized in that: first set up the ransomware virus family classification technology unit based on API calling sequence, by inputting ransomware virus sample, deploy Cuckoo sandbox, construct ransomware virus data set; Collect a large number of API call sequences to form a corpus, and use word2vec for pre-training; select API call sequences as learning features for preprocessing; train detection models and evaluate them to obtain available models, and then obtain classification results; After that, on the basis of classifying all dynamic behaviors into seven categories: process, system, shell code detection, memory, file, registry, and network, the visualization technology unit of ransomware attack process based on Graphviz and Neo4j is used for the classification results. Graphviz's attack process visualization process is the main, and Neo4j-based attack process visualization process is supplemented. Use Graphviz's visualization results to view the overall attack process, use Neo4j's visualization results to view specific behaviors or details of the attack process, and finally, output A visual view of the classification results of ransomware virus families. 2. A kind of ransomware variant detection method based on API calling sequence as claimed in claim 1, it is characterized in that: the concrete method of described constructing ransomware data set is: adopt two kinds of ways as data sources; Specifically, one method is: calling a ready-made behavior analysis report or API call sequence data set, collecting the behavior analysis report and API call sequence data set, and then using a Python script to extract the API call sequence and the name of the ransomware family as tags; Another method is: build a Cukoo host and a Cuckoo sandbox in Analysis Guest mode as a ransomware analysis environment, obtain original malicious samples from an open source website and put them into the ransomware analysis environment in batches, process samples in batches, and summarize ready-made samples. After the behavioral analysis report, the API call sequence is then extracted. 3. A kind of ransomware variant detection method based on API calling sequence as claimed in claim 2, it is characterized in that: described pre-training method is: first need to build corpus, wherein API calling sequence does not need to have specific label, so The sources are malicious code datasets, unlabeled ransomware datasets, and labeled ransomware datasets; The pre-training model selects word2vec including the jump element model and the continuous word bag model, and then selects the jump element model to use the central word to predict the words around it in the text sequence; The model parameters are learned by maximizing the likelihood function,

The length of the API call text sequence is T, the size of the context window is m, the token at time t is w ^(t) , and the downsampling technique is used to reduce the importance of high-frequency words and increase the importance of low-frequency words, and then Do small batches. 4. a kind of ransomware variant detection method based on API call sequence as claimed in claim 3, it is characterized in that: described training detection model method is specifically: build the detection model based on API call sequence, and the model input is API call sequence , the output is the category, the TextCNN+Attention model inputs the API call sequence, and is converted into a two-dimensional word vector matrix through the embedding layer; the convolution layer sets convolution kernels of different sizes, where the length of the second dimension is the length of the word vector, and the activation function uses The ReLU function, adding nonlinear factors, will generate three one-dimensional vectors of different lengths after the convolution layer; the pooling layer uses the maximum pooling strategy to generate three values, each of which is the largest element in the original vector; The three values generated by the pooling layer are spliced to generate a 1*3 vector, and then the set information is focused through Attention; finally, the corresponding category is output through the fully connected layer. 5. a kind of ransomware variant detection method based on API calling sequence as claimed in claim 4, is characterized in that: described evaluation method of model is, adopts the method of weighted average to calculate multi-classification overall accuracy rate:

Recall rate:

Harmonic averaging based on precision and recall:

Among them, N represents the total number of categories, i represents the corresponding category of the sample, Total represents the total number of samples, Cnt _i represents the number of category i, and P _i , R _i , and F _1i represent the precision rate, recall rate, precision rate and recall rate of category i, respectively. the harmonic mean. 6. a kind of ransomware variant detection method based on API calling sequence as claimed in claim 5, is characterized in that: the realization mode of described attack process visualization process based on Graphviz is: Step 1: Install the Python library graphviz via pip; Step 2: Install Graphviz, and make sure that the directory containing the dot executable file is on the system path, and PATH needs to be added during the installation process; Step 3: In order to display intuitively and highlight key behaviors, set the endpoint shape, endpoint color, edge color, and font color; Step 4: Use the minidom parser to open the XML document, get all fields action_list, then parse the necessary attributes of the field, and finally store it in the Action object list; Step 5: Initialize endpoints, such as dynamic analysis start, dynamic analysis abnormal end, dynamic analysis end, sample file, start, vasstarter.exe and other endpoints; Step 6: Traverse the list of Action objects, obtain endpoints, and use auxiliary arrays to deduplicate endpoints; Step 7: Initialize edges, such as dynamic analysis process, shutdown of the host, process start execution, etc.; Step 8: Traverse the list of Action objects, get the edges, and then connect the endpoints obtained above; Step 9: Then use Python to call the API to export the graph, such as png, jpg, svg, pdf and other formats; Step 10: If the number of edges and endpoints is too large, it will affect the drawing efficiency. Multi-threaded programming is used to alleviate this problem. 7. a kind of ransomware variant detection method based on API calling sequence as claimed in claim 6, is characterized in that: described Neo4j-based attack flow visualization flow specific method is: Step 1: Download the Java SE JDK from the Oracle official website and install it. Neo4j is a Java-based graph database. Running Neo4j needs to start the JVM process, so the JDK of JAVA SE must be installed; Step 2: Download Neo4j from the graph database Neo4j official website and install it. The installation process needs to configure environment variables; Step 3: Start the Neo4j program through the console, and the Neo4j service has been deployed locally; Step 4: Install the Python library py2neo through pip, and then connect to the Neo4j graph database; Step 5: Use the same method in Graphviz to get a list of Action objects, and build endpoints and edges; Step 6: Create relationships in batches on existing nodes to improve mapping efficiency; Step 7: Open the browser and visit http://localhost:7474 to get the visual result.

Images