Dynamic API Call-Based Machine Learning for Early-Stage Ransomware Detection

Abstract

Ransomware is a serious threat while using the computer; it may cause the user's data to be encrypted or not allow them to access computers and require users to pay a ransom to open files. However, scientific work in this area has not been fully addressed, and many challenges are mentioned in previous studies. This approach employs a dedicated pipeline for feature engineering and a collection of machine-learning models for binary classification. The primary innovation in dynamic analysis is using API call functionalities to extract engineered features, which capture distinct behavioral characteristics associated with various ransomware families. This method allows the model to differentiate between benign and malicious operations with considerable accuracy. The models were trained and assessed using a recent dataset that included 2,311 samples from 13 distinct ransomware families.  As for the results, experiments have shown that the models achieved accuracy rates of 99.5% in SVM, 99.7% in KNN, 99.7% in Decision Tree, and 99.9% in XGBoost, respectively, and when evaluating the evaluation criteria, the models showed outstanding performance across many metrics. These findings confirm that the models can accurately detect ransomware patterns and make reliable predictions, thereby validating the efficiency and effectiveness of the proposed methodology.