Convolutional Neural Network-Based Cryptography Ransomware Detection for Low-End Embedded Processors

Crypto-ransomware encrypts the victim’s files. Afterward, it demands a ransom from the victim for the password to the encrypted files. In this paper, we present a novel approach to prevent crypto-ransomware by detecting block cipher algorithms for Internet of Things (IoT)...

Bibliographic Details
Main Authors: Hyunji Kim, Jaehoon Park, Hyeokdong Kwon, Kyoungbae Jang, Hwajeong Seo
Format: Article
Language: English
Published: MDPI AG 2021-03-01
Series: Mathematics
Subjects: deep learning, cryptography, ransomware, internet of things
Online Access: https://www.mdpi.com/2227-7390/9/7/705
collection DOAJ
description Crypto-ransomware encrypts the victim’s files. Afterward, it demands a ransom from the victim for the password to the encrypted files. In this paper, we present a novel approach to prevent crypto-ransomware by detecting block cipher algorithms for Internet of Things (IoT) platforms. We extract the sequence and frequency characteristics from the opcodes of binary files for the 8-bit Alf and Vegard’s RISC (AVR) processor microcontroller. In other words, the late fusion method is used to extract two features from one source of data, learn them through separate networks, and integrate them. We classify software as crypto-ransomware or harmless through the proposed method. General software from AVR packages and block cipher implementations written in C from a lightweight block cipher library (i.e., Fair Evaluation of Lightweight Cryptographic Systems (FELICS)) are used to train and evaluate the deep learning network. The general software and block cipher algorithms are successfully classified by training on functions in binary files. Furthermore, we detect binary code that encrypts a file using block ciphers. The detection rate is evaluated in terms of F-measure, which is the harmonic mean of precision and recall. The proposed method not only achieved a 97% detection success rate for crypto-ransomware but also achieved an 80% success rate in classification for each lightweight cryptographic algorithm and benign firmware. In addition, the success rate in classification for the Substitution-Permutation-Network (SPN) structure, the Addition-Rotation-eXclusive-or (ARX) structure, and benign firmware is 95%.
first_indexed 2024-03-10T12:56:20Z
format Article
id doaj.art-9e41956a8e704f89b8db84a9eb921232
institution Directory Open Access Journal
issn 2227-7390
language English
last_indexed 2024-03-10T12:56:20Z
publishDate 2021-03-01
publisher MDPI AG
record_format Article
series Mathematics
spelling doaj.art-9e41956a8e704f89b8db84a9eb921232; 2023-11-21T11:52:45Z; eng; MDPI AG; Mathematics; ISSN 2227-7390; 2021-03-01; volume 9, issue 7, article 705; DOI 10.3390/math9070705
Convolutional Neural Network-Based Cryptography Ransomware Detection for Low-End Embedded Processors
Hyunji Kim, Jaehoon Park, Hyeokdong Kwon, Kyoungbae Jang, Hwajeong Seo (all five authors: Division of IT Convergence Engineering, Hansung University, Seoul 02876, Korea)
https://www.mdpi.com/2227-7390/9/7/705
deep learning; cryptography; ransomware; internet of things
topic deep learning
cryptography
ransomware
internet of things
url https://www.mdpi.com/2227-7390/9/7/705