Improving ransomware detection based on portable executable header using xception convolutional neural network
Computers and Security ; 130, 2023.
Article in English | Scopus | ID: covidwho-2300369
ABSTRACT
All malware is harmful to computer systems; however, crypto-ransomware specifically leads to irreparable data loss and causes substantial economic damage. Ransomware attacks increased significantly during the COVID-19 pandemic, and because of their high profitability, this growth will likely persist. To respond to these attacks, we apply static analysis to detect ransomware by converting Portable Executable (PE) header files into color images in a sequential vector pattern and classifying them with an Xception Convolutional Neural Network (CNN) model without transfer learning, an approach we call Xception ColSeq. This approach simplifies feature extraction, reduces processing load, and is more resilient against evasion techniques and ransomware evolution. The proposed method was evaluated using two datasets. The first contains 1000 ransomware and 1000 benign applications, on which the model achieved an accuracy of 93.73%, precision of 92.95%, recall of 94.64%, and F-measure of 93.75%. The second dataset, which we created and have made available, contains 1023 ransomware samples, grouped in 25 still active and relevant families, and 1134 benign applications, on which the proposed method achieved an accuracy of 98.20%, precision of 97.50%, recall of 98.76%, and F-measure of 98.12%. Furthermore, we refined a testing methodology for a particular case of zero-day ransomware attack detection, the detection of new ransomware families, by adding an adequate amount of randomly selected benign applications to the test set, providing representative evaluation performance metrics. These results represent an improvement over the performance of the current methods reported in the literature. Our approach can be applied as a technique for ransomware detection to protect computer systems from cyber threats. © 2023 Elsevier Ltd
Full text: Available Collection: Databases of international organizations Database: Scopus Language: English Journal: Computers and Security Year: 2023 Document Type: Article