Analysis of API calls with 'A' and 'W' suffixes used in parent and child processes for ransomware detection


Bibliographic Details
Published in: International Symposium on Computing and Networking (Online), pp. 176-182
Main Authors: Matsuda, Yoshiki; Takahashi, Kenichi; Higashino, Masayuki; Kawamura, Takao
Format: Conference Proceeding
Language: English
Published: IEEE, 26.11.2024

Summary: In recent years, the impact of ransomware attacks has been increasing. Consequently, numerous studies on ransomware detection have been conducted. These studies often focus on the API calls used by ransomware. Ransomware frequently generates multiple child processes to conceal malicious behaviors such as file encryption. However, existing research does not focus on the characteristics of child and parent processes. In this paper, we analyze the number of processes generated by ransomware and benign software as well as the Windows API calls of each process. As a result of our analysis, we found that ransomware exhibits specific characteristics in API calls with 'A' and 'W' suffixes used in parent and child processes, which differ from those in benign software. Thus, we attempt to detect ransomware by using these characteristics of parent and child processes. Our results confirm that the characteristics of parent and child processes are effective for ransomware detection.
ISSN: 2379-1896
DOI: 10.1109/CANDAR64496.2024.00029