control flow graph
Recently Published Documents


Total documents: 117 (five years: 31)
H-index: 9 (five years: 1)

Author(s): Kevin Sendjaja, Satrio Adi Rukmono, Riza Satria Perdana

2021, Vol 50 (3), pp. 495-506
Author(s): Deris Stiawan, Somame Morianus Daely, Ahmad Heryanto, Nurul Afifah, Mohd Yazid Idris, ...

Ransomware is a malware that represents a serious threat to a user’s information privacy. By investigating how ransomware works, we may be able to recognise its atomic behaviour. In return, we will be able to detect the ransomware at an earlier stage with better accuracy. In this paper, we propose Control Flow Graph (CFG) as an extracting opcode behaviour technique, combined with 4-gram (sequence of 4 “words”) to extract opcode sequence to be incorporated into Trojan Ransomware detection method using K-Nearest Neighbors (K-NN) algorithm. The opcode CFG 4-gram can fully represent the detailed behavioural characteristics of Trojan Ransomware. The proposed ransomware detection method considers the closest distance to a previously identified ransomware pattern. Experimental results show that the proposed technique using K-NN, obtains the best accuracy of 98.86% for 1-gram opcode and using 1-NN classifier.


2021, Vol 2021, pp. 1-19
Author(s): Yan Wang, Peng Jia, Cheng Huang, Jiayong Liu, Peisong He

Binary code similarity comparison is the technique that determines if two functions are similar by only considering their compiled form, which has many applications, including clone detection, malware classification, and vulnerability discovery. However, it is challenging to design a robust code similarity comparison engine since different compilation settings make logically similar assembly functions appear to be very different. Moreover, existing approaches suffer from high performance overheads, lower robustness, or poor scalability. In this paper, a novel solution HBinSim is proposed by employing the multiview features of the function to address these challenges. It first extracts the syntactic and semantic features of each basic block by static analysis. HBinSim further analyzes the function and constructs a syntactic attribute control flow graph and a semantic attribute control flow graph for each function. Then, a hierarchical attention graph embedding network is designed for graph-structured data processing. The network model has a hierarchical structure that mirrors the hierarchical structure of the function. It has three levels of attention mechanisms applied at the instruction, basic block, and function level, enabling it to attend differentially to more and less critical content when constructing the function representation. We conduct extensive experiments to evaluate its effectiveness and efficiency. The results show that our tool outperforms the state-of-the-art binary code similarity comparison tools by a large margin against compilation diversity clone searching. A real-world vulnerabilities search case further demonstrates the usefulness of our system.


2021, Vol 2021, pp. 1-14
Author(s): Jinchang Hu, Jinfu Chen, Sher Ali, Bo Liu, Jingyi Chen, ...

With the wide application of software systems, software vulnerability has become a major risk in computer security. The on-time detection and proper repair for possible software vulnerabilities are of great importance in maintaining system security and decreasing system crashes. The Control Flow Integrity (CFI) can be used to detect the exploit by some researchers. In this paper, we propose an improved Control Flow Graph with Jump (JCFG) based on CFI and develop a novel Vulnerability Exploit Detection Method based on JCFG (JCFG-VEDM). The detection method of the exploit program is realized based on the analysis results of the exploit program. Then the JCFG is addressed through combining the features of the exploit program and the jump instruction. Finally, we implement JCFG-VEDM and conduct the experiments to verify the effectiveness of the proposed method. The experimental results show that the proposed detection method (JCFG-VEDM) is feasible and effective.

