Towards Resilient Machine Learning for Ransomware Detection
Li Chen, Chih-Yuan Yang, Anindya Paul, Ravi Sahita
Security and Privacy Research, Intel Labs, Hillsboro, OR 97124
Abstract—There has been a surge of interest in using machine learning (ML) to automatically detect malware through their dynamic behaviors. These approaches have achieved significant improvement in detection rates and lower false positive rates at …

…ransomware remains a notorious security issue today. In our case study, we focus on crypto-ransomware. The popularity of the Internet, untraceable payment methods, and the availability of software development tools makes …

arXiv:1812.09400v1 [cs.LG] 21 Dec 2018
B. Adversarial Machine Learning

The first adversarial machine learning attack was mounted against spam filtering, generating adversarial text without affecting content readability [18]. The topic gained significant attention in the security community when Szegedy et al. [53] fooled a DNN-based image recognition classifier by adding low-intensity perturbations, indistinguishable to human eyes, to the input image. Adversarial attacks in computer vision (CV) have received the most attention, where intentionally adding small, humanly imperceptible perturbations to the original images has been shown to drastically alter the ML decision boundaries [26], [33], [44], [40], [11]. Beyond CV, [12] generates adversarial speech that changes the output of Mozilla's DeepSpeech, a speech-to-text transcription engine, while sounding perceptually the same. Adversarial malware is created to bypass ML-based detection systems while keeping the maliciousness of the software intact [29].

Defense techniques, including input pre-processing via JPEG compression [21], [20], feature squeezing [55], novel model architectures using regularization [30], adversarial training [34], and neural fingerprinting [22], have shown success in mitigating the proliferating adversarial machine learning attacks.

C. Generative Adversarial Network

The first generative adversarial network (GAN) ever introduced used a fully connected neural network architecture for both the discriminator and the generator [25]. Since then, abundant GAN variants have been proposed. The Deep Convolutional GAN (DCGAN) [45] proposes strided convolutions instead of fully connected multi-layer perceptrons, together with feature normalization, to stabilize training and deal with the poor weight initialization problem. The Conditional GAN (CGAN) [39] adds a conditional setting to the generator and the discriminator by making both neural networks class-conditional, which gives it an advantage in representing multi-modal data generation. The Laplacian Pyramid GAN (LPGAN) [23] produces high-quality generated images and uses multiple generators and discriminators in its architecture: it downsamples the input images and, during backpropagation, injects noise generated by a conditional GAN before upsampling the images. The Auxiliary Classifier GAN (ACGAN) [43] improves GAN training by adding more structure to the GAN's latent space along with a specialized cost function. The Wasserstein GAN (WGAN) [4] uses the Wasserstein distance as its loss function to efficiently approximate the Earth Mover distance and significantly reduce the mode-dropping phenomenon.

III. RANSOMWARE DATA DESCRIPTION

A. Data Collection and Description

In our analysis, the ransomware samples are downloaded from VirusTotal, where we collect ransomware submitted around late 2017 based on tags from Microsoft and Kaspersky. The samples are executed in a home-grown bare-metal sandbox system, as seen in Figure 1, and the dynamic behaviors are collected via the .NET framework FileSystemWatcher (FSW) API. The callback functions bound with FSW are triggered for all file I/O operations. The low-level I/O activity patterns are collected and the normalized Shannon entropy of the targeted file is calculated [47]. To catch evasive ransomware, a user activity simulation program is executed to emulate mouse clicks and keystrokes. To mimic an active desktop environment, Notepad and Office Word applications are launched before and during ransomware sample execution.

Figure 1: A diagram of the sandbox system. The Sandbox executes a binary downloaded from the Control server. The execution log is uploaded to the Data storage. Power Control can shut down the Sandbox if needed.

The clean-ware dataset is collected manually by installing and executing around a hundred applications from various categories such as office suites, browsers, file compression applications, etc. The idle I/O activities of a benign Windows system are collected for a few months, covering regular backups, updates, anti-virus applications, and so on.

Each sandbox robot, as seen in Figure 1, is pre-installed with several user files, such as Windows Office, text, or multimedia files. These files are designed to be the targets of ransomware and are used as decoy files to filter active ransomware samples. If these files are modified during execution, the sample is assumed to be a crypto-ransomware and is collected into the malicious dataset. All behavior data are uploaded to the Resilient ML platform [56], an open-source project for data analysis. The names of the decoy files are appended with timestamps before ransomware execution, so each sample sees the same set of user files but with different file names.

B. Feature Mapping

The collected execution log via FSW contains the time stamp, event name, targeted file name, and file entropy, as seen in Figure 2. We attempt the least effort of feature processing by mapping each event combined with the entropy change. The four main file actions are file delete, file create, file rename, and file change. The entropy level is combined with the file-change event. Hence each execution log is represented by a sequence of events. We set the length of each sample to 3000, so shorter samples are padded with zeros at the end to match the dimension. Table I shows the feature mapping.
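The normalized Shannon entropy mentioned above can be computed over a file's byte histogram. The sketch below is our own minimal illustration, not the exact routine of [47]:

```python
import math
from collections import Counter

def normalized_shannon_entropy(data):
    """Shannon entropy of a byte string, normalized to [0, 1] by the
    8-bit maximum. Encrypted or compressed content scores near 1."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    entropy = sum((c / total) * math.log2(total / c) for c in counts.values())
    return entropy / 8.0

print(normalized_shannon_entropy(b"aaaaaaaa"))        # 0.0
print(normalized_shannon_entropy(bytes(range(256))))  # 1.0
```

Repetitive plaintext scores near 0, while uniformly distributed bytes (as produced by strong encryption) score near 1, which is what makes the entropy bins in Table I informative for crypto-ransomware.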
3
Figure 2: A screenshot of a dynamic execution log collected using FileSystemWatcher (FSW).
Events Feature encoding
Padding 0
File deleted 1
File content changed and entropy ∈ [0.9, 1] 2
File content changed and entropy ∈ [0.2, 0.4] 3
File content changed and entropy ∈ [0, 0.2] 4
File created 5
File content changed and entropy ∈ [0.8, 0.9] 6
File renamed 7
File content changed and entropy ∈ [0.4, 0.6] 8
File content changed and entropy ∈ [0.6, 0.8] 9
Table I: Feature mapping. We attempt the least effort of feature processing and categorize the events into 8 categories. We use 0 to pad the events so they are of the same length.

Figure 3: Overview of our proposed framework using GAN to generate dynamic features possessing ransomware properties.
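The mapping in Table I translates directly into code. The sketch below is our illustration (the event names and helper names are ours, not the paper's); bin boundaries shared by two rows of the table are resolved by first match:

```python
# Encode an FSW event stream into the integer codes of Table I.
SEQ_LEN = 3000

# Entropy bins for "file content changed" events, per Table I.
ENTROPY_BINS = [
    ((0.9, 1.0), 2),
    ((0.2, 0.4), 3),
    ((0.0, 0.2), 4),
    ((0.8, 0.9), 6),
    ((0.4, 0.6), 8),
    ((0.6, 0.8), 9),
]

def encode_event(event, entropy=None):
    if event == "deleted":
        return 1
    if event == "created":
        return 5
    if event == "renamed":
        return 7
    if event == "changed":
        for (lo, hi), code in ENTROPY_BINS:
            if lo <= entropy <= hi:
                return code
        raise ValueError("entropy out of range: %r" % entropy)
    raise ValueError("unknown event: %r" % event)

def encode_log(events):
    """Map (event, entropy) pairs to codes and zero-pad to length 3000."""
    codes = [encode_event(ev, ent) for ev, ent in events[:SEQ_LEN]]
    return codes + [0] * (SEQ_LEN - len(codes))

log = encode_log([("created", None), ("changed", 0.95), ("renamed", None)])
print(log[:5])  # [5, 2, 7, 0, 0]
```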
…bypass detection and increase the false negative rate. Hence we focus on Gm for subsequent analysis and experiments. Each generated sample is of size 28×28, so we flatten the sample into a 1-dimensional segment of length 784 and round the generated sample to the closest integer value. With abuse of notation, we denote this set as Gm.

C. Quality Assessment on the Generated Malicious Samples

Unlike in computer vision, where the quality of the generated samples can be evaluated by visual inspection, evaluating the quality of dynamic execution logs requires a quantifiable metric. We propose a sample-based quality metric qi, where for each sample i ∈ Gm,

    qi = n1(i) / n2(i),    (4)

…segments from Gm is approximately ⌊m/784⌋. In our experiment, since all the segments in Gm pass quality assessment, we can randomly concatenate the individual segments. We note that for even stronger attacks, the attacker can optimize the concatenation based on some optimization objective; this is one of our next research steps.

The generated malicious samples, after quality assessment in Sec. IV-C, are fed into the ransomware classifier. The adversarial detection rate is defined as the number of correctly predicted adversarial samples divided by the total number of adversarial samples. From a defender's perspective, we can use the adversarial detection rate as another metric to quantify how resilient the malware detector is against adversarial attacks.
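Equation (4) can be read as an n-gram matching ratio. Under our reading (the precise definitions of n1(i) and n2(i) appear earlier in the paper and are abbreviated here), n1(i) counts the unique n-grams of segment i that also occur in the real malicious corpus, and n2(i) those that occur in the real benign corpus. A sketch of this interpretation, with our own names:

```python
def ngrams(seq, n):
    """Set of unique n-grams (as tuples) in an integer event sequence."""
    return {tuple(seq[j:j + n]) for j in range(len(seq) - n + 1)}

def quality_metric(segment, malicious_ngrams, benign_ngrams, n=4):
    """q_i = n1(i) / n2(i): unique n-grams of segment i matching the real
    malicious corpus, relative to those matching the real benign corpus."""
    grams = ngrams(segment, n)
    n1 = len(grams & malicious_ngrams)
    n2 = len(grams & benign_ngrams)
    return float("inf") if n2 == 0 else n1 / n2

# Toy corpora: the candidate segment shares its 4-grams with the
# malicious corpus only, so q_i clears the threshold tau = 1.5.
mal = ngrams([5, 2, 7, 2, 5, 2, 7, 2], 4)
ben = ngrams([1, 0, 0, 0, 1, 0, 0, 0], 4)
q = quality_metric([5, 2, 7, 2, 5, 2], mal, ben, n=4)
print(q >= 1.5)  # True
```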
E. Summary of Proposed Methodology

In Algorithm 2, we summarize our framework of training an ACGAN to generalize dynamic ransomware features and using a set of quality metrics to statistically evaluate the maliciousness of the generated samples.
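At a high level, the generate–assess–assemble flow can be sketched as below. This is an illustration only: the generator is stubbed with random noise in place of the trained ACGAN generator conditioned on the malicious class, the quality filter stands in for the qi ≥ τ check, and the concatenation scheme is one plausible reading of the text.

```python
import random
import numpy as np

rng = np.random.default_rng(0)
random.seed(0)
SEG_LEN, LOG_LEN = 784, 3000

def generate_segments(num):
    """Stand-in for sampling the trained ACGAN generator with class y = 1:
    28x28 outputs are flattened to length 784 and rounded to integer codes."""
    raw = rng.uniform(0, 9, size=(num, 28, 28))
    return np.rint(raw).astype(int).reshape(num, SEG_LEN)

def passes_quality(segment):
    """Stand-in for the q_i >= tau quality check of Eq. (4)."""
    return True  # in the experiments, all generated segments qualified

segments = [s for s in generate_segments(20) if passes_quality(s)]
random.shuffle(segments)

# Randomly concatenate qualified segments and truncate to the fixed
# log length of 3000 events (one plausible assembly scheme).
per_log = -(-LOG_LEN // SEG_LEN)  # ceil(3000 / 784) = 4 segments per log
logs = [np.concatenate(segments[i:i + per_log])[:LOG_LEN]
        for i in range(0, len(segments) - per_log + 1, per_log)]
print(len(logs), logs[0].shape)  # 5 (3000,)
```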
Figure 6: ROC curves of XGB, LDA, SVM compared with XGB◦Text-CNN, LDA◦Text-CNN and SVM◦Text-CNN.

When using Text-CNN as a feature extractor and retraining XGB, LDA, and SVM in the Text-CNN embedding subspace, we observe that all the composed classifiers possess significantly higher classification efficacy as measured by AUC, F-score, accuracy, false positive rate, and true positive rate.

…a feature extractor, is most likely to be selected by a security defender. Although knowledge of the defender's ransomware classifier is not needed by our analysis methodology, we evaluate the adversarial detection rate against Text-CNN-based classifiers.

B. Generate Adversarial Segments

We follow the steps in Section IV-B2 to train an ACGAN [43], where we set the batch size to 100 and the latent dimension to 100, and stop training at the 80th epoch. After training, we obtain 5029 segments from the malicious class Y = 1. We round the segments to the nearest integer and denote this set as Gm.

C. Quality Assessment

A successful evasion means the generated malicious samples not only fool the ransomware classifier but also preserve maliciousness based on certain metrics. Following Section IV-C, we compute the quality metric q of each GAN-generated sample for n-grams with n ∈ {3, 4, . . . , 7}. Figure 7 shows the quality metric on the y-axis against each generated segment on the x-axis for 4-, 5-, and 6-grams. We set the quality threshold to τ = 1.5, which means a qualified generated segment with statistically measured maliciousness must match at least 50% more unique malicious n-grams than unique benign n-grams.

Figure 7: Quality metric qte for 4-, 5-, 6-grams. All the generated segments have qi ≥ τ, where τ = 1.5 and min{qi} = 1.9. Hence the generated segments match a minimum of almost twice as many unique malicious signatures as unique benign signatures for 4-, 5-, 6-grams.

We also plot the batch-based quality metric Q for n ∈ {3, 4, . . . , 7}-grams, represented as boxplots in Figure 8. As shown in the boxplots, all the generated segments are statistically much closer to the real malicious class, with qi ≥ τ and min{qi} = 1.9.

Figure 8: Boxplots of Q to evaluate the generated batch quality. All the generated segments have qi ≥ τ, with min{qi} = 1.9 for all n ∈ {3, 4, . . . , 7}-grams.

All the generated and qualified segments are concatenated randomly to produce 1257 execution logs.

D. Evasion

The highly performing ransomware detectors Text-CNN, XGB◦Text-CNN, LDA◦Text-CNN, Random forest◦Text-CNN, Naive Bayes◦Text-CNN, SVM-linear◦Text-CNN, and SVM-radial◦Text-CNN are applied to the adversary-generated logs. We report the number of detected samples and the detection rate in Table IV.

Most of the classifiers degrade significantly in detection performance: Text-CNN, LDA◦Text-CNN, Naive Bayes◦Text-CNN, and SVM-linear◦Text-CNN fail to detect any generated malicious samples, while XGB◦Text-CNN detects 12.73% correctly and Random forest◦Text-CNN detects 36.35% correctly. The most robust classifier in this experiment turns out to be SVM-radial◦Text-CNN, with a 100% detection rate, which may be due to its nonlinear boundary in the Text-CNN latent feature space. However, only one of the seven highly effective classifiers is resilient to our bypass scheme. Our adversarial detection results clearly indicate that this is a potential vulnerability for ML-based ransomware detection systems.

Classifier                    No. detected    Detection rate (%)
Text-CNN                      0               0
XGB ◦ Text-CNN                16              12.73
LDA ◦ Text-CNN                0               0
Random forest ◦ Text-CNN      457             36.35
Naive Bayes ◦ Text-CNN        0               0
SVM-linear ◦ Text-CNN         0               0
SVM-radial ◦ Text-CNN         1257            100

Table IV: Adversarial detection rate on the generated malicious samples. Six of the seven highly effective classifiers degrade severely in performance, and only one classifier remains resilient against attacks. This quantifies the attack surface of these ML-based ransomware detection algorithms. The nonlinear boundary of SVM-radial◦Text-CNN effectively detects the adversarial samples.
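The adversarial detection rate used throughout this section is straightforward to compute. A minimal sketch, assuming classifiers exposing a scikit-learn-style predict method (the toy classifier below is ours, for illustration):

```python
def adversarial_detection_rate(classifier, adversarial_logs):
    """Fraction of adversary-generated logs predicted as malicious (y = 1)."""
    predictions = classifier.predict(adversarial_logs)
    detected = sum(1 for y in predictions if y == 1)
    return detected / len(predictions)

class AlwaysBenign:
    """Toy classifier that is fooled by every sample."""
    def predict(self, xs):
        return [0] * len(xs)

# A classifier fooled by every adversarial log scores 0.0, matching
# the worst rows of Table IV.
rate = adversarial_detection_rate(AlwaysBenign(), [[0] * 3000] * 4)
print(rate)  # 0.0
```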
E. Latent Feature Space Investigation

We investigate why most of the highly effective classifiers fail to predict the adversarially generated samples correctly. We use the last pooling layer of Text-CNN as a feature extractor and refer to the space of features extracted by Text-CNN as the latent feature subspace. The classifiers that achieve effective and competitive classification performance are XGB, LDA, Random Forest, Naive Bayes, and SVM trained in the latent feature subspace. The Text-CNN classifier itself has linear boundaries via the fully connected layer in the latent feature subspace. Hence one natural investigation is how the generated samples and the real samples relate in the latent feature subspace induced by Text-CNN, compared with their relationship in the original feature space consisting of the raw execution logs.

Figure 9: Visualization of the Text-CNN extracted features for (left) PC-dimension 1 vs PC-dimension 2; (middle) PC-dimension 1 vs PC-dimension 3; (right) PC-dimension 2 vs PC-dimension 3. The generated malicious samples are colored in dark red and lie closer to the benign set in the Text-CNN subspace. We draw the 95% data ellipse around the scattered points.

Represented in 2-D visualization, Figure 9 shows that the generated samples, in dark red, lie close to a linear boundary but much closer to the real benign samples in the Text-CNN latent feature subspace. However, as shown in Section V, most of the generated samples match more than twice as many unique ransomware signatures as unique benign signatures. This motivates us to explore the L2 distance between the real malicious samples and real benign samples, as well as between the generated samples and the real samples, in both the latent feature subspace and the original feature space.

Denote the latent features of the generated malicious logs as Fg, the latent features of the training malicious logs as Ftr,m, and the latent features of the training benign logs as Ftr,b. Similarly, for the test data, the latent malicious and benign features are denoted as Fte,m and Fte,b respectively.

We plot the density of the L2 distances between test malicious data and training data, both of which are real samples. The left figure in Figure 10 shows, in the original feature space, the density of the L2 distance Dtr,te,m between the malicious test logs and the training malicious logs in red, and the density of the L2 distance Dtr,te,b between the malicious test logs and the training benign logs in blue. The dashed red and blue vertical lines represent the means of Dtr,te,m and Dtr,te,b respectively. On average, the malicious test logs are closer to the training malicious logs than to the training benign logs. However, in the original data space the distributions of distances are not very well separated, and this is also reflected in the algorithm performance on the original data space shown in Table II.

Figure 10: Density plot of the distances between real benign and real malicious logs in both the original feature space and the Text-CNN latent feature space.

The right figure in Figure 10 plots the density of the L2 distance dtr,te,m between Fte,m and Ftr,m in red and the density of the L2 distance dtr,te,b between Fte,m and Ftr,b in blue. The dashed red and blue vertical lines represent the means of dtr,te,m and dtr,te,b respectively. Fte,m is much closer to Ftr,m than to Ftr,b. The distances are consistent across the original feature space and the latent feature subspace. This observation is expected, since the malicious samples should be close together in either feature space.

Next we examine whether the observed phenomenon extends to the generated samples and real samples. The left figure in Figure 11 plots, in the original feature space, the density of the L2 distance Dtr,g,m between the generated logs and the training malicious logs in red and the density of the L2 distance Dtr,g,b between the generated logs and the training benign logs in blue. The dashed red and blue vertical lines represent the means of Dtr,g,m and Dtr,g,b respectively. The generated malicious logs are much closer to the real malicious logs than to the real benign logs in the original feature space.

The right figure in Figure 11 plots, in the latent feature space, the density of the L2 distance Dtr,g,m between Fg and Ftr,m in red and the density of the L2 distance Dtr,g,b between Fg and Ftr,b in blue. The dashed red and blue vertical lines represent the means of Dtr,g,m and Dtr,g,b respectively. Fg is much closer to Ftr,b than to Ftr,m. Figure 11 shows that in the Text-CNN feature subspace the generated logs are closer to the benign logs, while in the original feature space the generated logs are closer to the malicious logs. This phenomenon indicates that the generated adversarial samples lie in a blind spot of the Text-CNN algorithm.

Figure 11: Density plot of the distances between generated logs and real logs in both the original feature space and the Text-CNN latent feature space.
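The distance analysis above reduces to comparing mean pairwise L2 distances between feature sets. A sketch with illustrative stand-ins for Fg, Ftr,m, and Ftr,b (the random matrices and variable names are ours, not the paper's data):

```python
import numpy as np

def mean_l2(A, B):
    """Mean pairwise Euclidean distance between rows of A and rows of B."""
    diffs = A[:, None, :] - B[None, :, :]          # shape (len(A), len(B), d)
    return float(np.linalg.norm(diffs, axis=-1).mean())

rng = np.random.default_rng(1)
d = 16
F_g    = rng.normal(0.0, 1.0, size=(50, d))   # generated logs' latent features
F_tr_b = rng.normal(0.0, 1.0, size=(80, d))   # training benign features
F_tr_m = rng.normal(5.0, 1.0, size=(80, d))   # training malicious features

# In the Text-CNN subspace the paper observes mean(Dtr,g,b) < mean(Dtr,g,m):
# the generated logs sit closer to the benign cluster.
print(mean_l2(F_g, F_tr_b) < mean_l2(F_g, F_tr_m))  # True
```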
VI. DISCUSSION

In this paper, we describe a framework based on a generative adversarial network to synthesize dynamic ransomware samples, and we propose a set of quality metrics based on statistical similarity to quantify the maliciousness of the GAN-generated samples. We demonstrate in our experiments that six of the seven highly effective ransomware classifiers fail to detect most of the GAN-generated samples.

Our proposed framework should be utilized as a defensive capability for developing a resilient model for detecting ransomware in the field. As described in Section IV-D, a defender can use the adversarial detection rate as a metric to quantify the resilience of the ransomware detector against adversarial attacks. The defender can use the GAN-generated samples as part of the training procedure to update the defender's classifier. Our proposed quality assessment approach can be leveraged even when the model is deployed and in use in the field, to track the changes in distance between generated and real samples. These robustness mechanisms must be considered an integral part of an adversary-resilient malware classifier.

Our case study evaluating a broad range of ransomware classifiers also demonstrates the pitfalls of selecting classifiers based on high accuracy and low false positives, as is typical today in malware detection. After a deeper analysis of generating quality adversarial samples, the most robust classifier in our experiment is verified to be SVM-radial◦Text-CNN. This analysis may form the basis for selecting multi-classifier, ensemble-based approaches as a defense-in-depth against adversarial probing attacks once the ransomware classifiers are deployed in the field. In our specific case study, a weighted score between the XGB◦Text-CNN classifier and the SVM-radial◦Text-CNN classifier gives the defender much more coverage of the space of execution logs for ransomware.

Lastly, it is important to note that our framework remains useful for enforcing the resiliency of the ransomware detection model even when the model is deployed on a platform using software- and hardware-based Trusted Execution Environments (TEEs) that protect the run-time confidentiality and integrity of the classifier(s) while in use, providing the defender with an additional tool to continue to enforce the security objectives consistently even after the training stages.

REFERENCES

[1] Bander Ali Saleh Al-rimy, Mohd Aizaini Maarof, and Syed Zainuddin Mohd Shaid. Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions. Computers & Security, 2018.
[2] Omar MK Alhawi, James Baldwin, and Ali Dehghantanha. Leveraging machine learning techniques for windows ransomware network traffic detection. Cyber Threat Intelligence, pages 93–106, 2018.
[3] Tseng Aragorn, Chen YunChun, Kao YiHsiang, and Lin Tsungnan. Deep learning for ransomware detection. IEICE Technical Report, 116(282):87–92, 2016.
[4] Martin Arjovsky, Soumith Chintala, and Léon Bottou. Wasserstein GAN. arXiv preprint arXiv:1701.07875, 2017.
[5] Battista Biggio and Fabio Roli. Wild patterns: Ten years after the rise of adversarial machine learning. Pattern Recognition, 84:317–331, 2018.
[6] Andrew P Bradley. The use of the area under the ROC curve in the evaluation of machine learning algorithms. Pattern Recognition, 30(7):1145–1159, 1997.
[7] Leo Breiman. Random forests. Machine Learning, 45(1):5–32, 2001.
[8] Krzysztof Cabaj, Marcin Gregorczyk, and Wojciech Mazurczyk. Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics. Computers & Electrical Engineering, 66:353–368, 2018.
[9] Nicholas Carlini and David Wagner. Adversarial examples are not easily detected: Bypassing ten detection methods. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pages 3–14. ACM, 2017.
[10] Nicholas Carlini and David Wagner. Audio adversarial examples: Targeted attacks on speech-to-text. arXiv preprint arXiv:1801.01944, 2018.
[11] Nicholas Carlini and David A. Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017, pages 39–57, 2017.
[12] Nicholas Carlini and David A. Wagner. Audio adversarial examples: Targeted attacks on speech-to-text. CoRR, abs/1801.01944, 2018.
[13] Li Chen, Salmin Sultana, and Ravi Sahita. HeNet: A deep learning approach on Intel Processor Trace for effective exploit detection. In 2018 IEEE Security and Privacy Workshops (SPW), pages 109–115. IEEE, 2018.
[14] Li Chen, Mingwei Zhang, Chih-Yuan Yang, and Ravi Sahita. Semi-supervised classification for dynamic android malware detection. arXiv preprint arXiv:1704.05948, 2017.
[15] Tianqi Chen and Carlos Guestrin. XGBoost: A scalable tree boosting system. In Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pages 785–794. ACM, 2016.
[16] Yun-Chun Chen, Yu-Jhe Li, Aragorn Tseng, and Tsungnan Lin. Deep learning for malicious flow detection. In Personal, Indoor, and Mobile Radio Communications (PIMRC), 2017 IEEE 28th Annual International Symposium on, pages 1–7. IEEE, 2017.
[17] Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, and Federico Maggi. ShieldFS: A self-healing, ransomware-aware filesystem. In Proceedings of the 32nd Annual Conference on Computer Security Applications, pages 336–347. ACM, 2016.
[18] Nilesh Dalvi, Pedro Domingos, Mausam, Sumit Sanghai, and Deepak Verma. Adversarial classification. In Proceedings of the Tenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD '04, pages 99–108, New York, NY, USA, 2004. ACM.
[19] Nilesh Dalvi, Pedro Domingos, Sumit Sanghai, Deepak Verma, et al. Adversarial classification. In Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining, pages 99–108. ACM, 2004.
[20] Nilaksh Das, Madhuri Shanbhogue, Shang-Tse Chen, Fred Hohman, Li Chen, Michael E Kounavis, and Duen Horng Chau. Keeping the bad guys out: Protecting and vaccinating deep learning with JPEG compression. arXiv preprint arXiv:1705.02900, 2017.
[21] Nilaksh Das, Madhuri Shanbhogue, Shang-Tse Chen, Fred Hohman, Siwei Li, Li Chen, Michael E. Kounavis, and Duen Horng Chau. SHIELD: Fast, practical defense and vaccination for deep learning using JPEG compression. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, KDD 2018, London, UK, August 19-23, 2018, pages 196–204, 2018.
[22] Sumanth Dathathri, Stephan Zheng, Richard M. Murray, and Yisong Yue. Detecting adversarial examples via neural fingerprinting. CoRR, abs/1803.03870, 2018.
[23] Emily L Denton, Soumith Chintala, Rob Fergus, et al. Deep generative image models using a Laplacian pyramid of adversarial networks. In Advances in Neural Information Processing Systems, pages 1486–1494, 2015.
[24] JA Gómez-Hernández, L Álvarez-González, and Pedro García-Teodoro. R-Locker: Thwarting ransomware action through a honeyfile-based approach. Computers & Security, 73:389–398, 2018.
[25] Ian Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. Generative adversarial nets. In Advances in Neural Information Processing Systems, pages 2672–2680, 2014.
[26] Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. CoRR, abs/1412.6572, 2014.
[27] Nikolai Hampton, Zubair Baig, and Sherali Zeadally. Ransomware behavioural analysis on windows platforms. Journal of Information Security and Applications, 40:44–51, 2018.
[28] Andrew Ilyas, Logan Engstrom, Anish Athalye, and Jessy Lin. Black-box adversarial attacks with limited queries and information. arXiv preprint arXiv:1804.08598, 2018.
[29] Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim. AVPASS: Leaking and bypassing antivirus detection model automatically. In Black Hat USA Briefings (Black Hat USA), Las Vegas, NV, July 2017.
[30] Harini Kannan, Alexey Kurakin, and Ian J. Goodfellow. Adversarial logit pairing. CoRR, abs/1803.06373, 2018.
[31] Amin Kharraz, Sajjad Arshad, Collin Mulliner, William K Robertson, and Engin Kirda. UNVEIL: A large-scale, automated approach to detecting ransomware. In USENIX Security Symposium, pages 757–772, 2016.
[32] Yoon Kim. Convolutional neural networks for sentence classification. arXiv preprint arXiv:1408.5882, 2014.
[33] Alexey Kurakin, Ian J. Goodfellow, and Samy Bengio. Adversarial examples in the physical world. CoRR, abs/1607.02533, 2016.
[34] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. CoRR, abs/1706.06083, 2017.
[35] McAfee. McAfee Labs Threats Report March 2018. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-mar-2018.pdf, 2018.
[36] McAfee. McAfee Labs Threats Report September 2018. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sep-2018.pdf, 2018.
[37] McAfee. Understanding Ransomware and Strategies to Defeat it. https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-understanding-ransomware-strategies-defeat.pdf, 2018.
[38] Andrew McCallum, Kamal Nigam, et al. A comparison of event models for naive Bayes text classification. In AAAI-98 Workshop on Learning for Text Categorization, volume 752, pages 41–48. Citeseer, 1998.
[39] Mehdi Mirza and Simon Osindero. Conditional generative adversarial nets. arXiv preprint arXiv:1411.1784, 2014.
[40] Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, and Pascal Frossard. DeepFool: A simple and accurate method to fool deep neural networks. In 2016 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2016, Las Vegas, NV, USA, June 27-30, 2016, pages 2574–2582, 2016.
[41] Daniel Morato, Eduardo Berrueta, Eduardo Magaña, and Mikel Izal. Ransomware early detection by the analysis of file sharing traffic. Journal of Network and Computer Applications, 2018.
[42] Fairuz Amalina Narudin, Ali Feizollah, Nor Badrul Anuar, and Abdullah Gani. Evaluation of machine learning classifiers for mobile malware detection. Soft Computing, 20(1):343–357, 2016.
[43] Augustus Odena, Christopher Olah, and Jonathon Shlens. Conditional image synthesis with auxiliary classifier GANs. arXiv preprint arXiv:1610.09585, 2016.
[44] Nicolas Papernot, Patrick D. McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. The limitations of deep learning in adversarial settings. In IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, March 21-24, 2016, pages 372–387, 2016.
[45] Alec Radford, Luke Metz, and Soumith Chintala. Unsupervised representation learning with deep convolutional generative adversarial networks. arXiv preprint arXiv:1511.06434, 2015.
[46] Konrad Rieck, Philipp Trinius, Carsten Willems, and Thorsten Holz. Automatic analysis of malware behavior using machine learning. Journal of Computer Security, 19(4):639–668, 2011.
[47] Nolen Scaife, Henry Carter, Patrick Traynor, and Kevin RB Butler. CryptoLock (and drop it): Stopping ransomware attacks on user data. In Distributed Computing Systems (ICDCS), 2016 IEEE 36th International Conference on, pages 303–312. IEEE, 2016.
[48] Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, and Emil C Lupu. Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020, 2016.
[49] Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, and Emil C. Lupu. Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. CoRR, abs/1609.03020, 2016.
[50] Ashkan Sharifi Shamili, Christian Bauckhage, and Tansu Alpcan. Malware detection on mobile devices using distributed machine learning. In Pattern Recognition (ICPR), 2010 20th International Conference on, pages 4348–4351. IEEE, 2010.
[51] Marina Sokolova, Nathalie Japkowicz, and Stan Szpakowicz. Beyond accuracy, F-score and ROC: A family of discriminant measures for performance evaluation. In Australasian Joint Conference on Artificial Intelligence, pages 1015–1021. Springer, 2006.
[52] R. Soto and J. Zadeh. Automated prevention of ransomware with machine learning and GPOs. Presented at the RSA Conference 2017, San Francisco, CA, 2017.
[53] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian J. Goodfellow, and Rob Fergus. Intriguing properties of neural networks. CoRR, abs/1312.6199, 2013.
[54] R Vinayakumar, KP Soman, KK Senthil Velan, and Shaunak Ganorkar. Evaluating shallow and deep networks for ransomware detection and classification. In Advances in Computing, Communications and Informatics (ICACCI), 2017 International Conference on, pages 259–265. IEEE, 2017.
[55] Weilin Xu, David Evans, and Yanjun Qi. Feature squeezing: Detecting adversarial examples in deep neural networks. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018, 2018.
[56] Chihyuan Yang and Li Chen. GitHub: Resilient-ML-Research-Platform. https://github.com/intel/Resilient-ML-Research-Platform, 2018.