Crypto-ransomware Detection through Quantitative API-based Behavioral Profiling

With crypto-ransomware's unprecedented scope of impact and evolving level of sophistication, there is an urgent need to pinpoint the security gap and improve the effectiveness of defenses by identifying new detection approaches. Based on our characterization results on dynamic API behaviors of ransomware, we present a new API profiling-based detection mechanism. Our method involves two operations, namely consistency analysis and refinement. We evaluate it against a set of real-world ransomware and also benign samples. We are able to detect all ransomware executions in consistency analysis and reduce the false positive case in refinement. We also conduct in-depth case studies on the most informative API for detection with context.