Android Ransomware Detection by Deep Learning

Authors

  • Nuraini Syahirah Abd Rais, Universiti Tun Hussein Onn Malaysia
  • Cik Feresa Mohd Foozy, Universiti Tun Hussein Onn Malaysia
  • Andi Maslan, Putera Batam University

Keywords:

Android Malware, Ransomware, Deep Learning, Detection

Abstract

This research proposes a novel deep learning-based detection model to combat the growing menace of Android ransomware. Deep learning models can learn complex features, but training models with many convolutional layers and millions of parameters leads to overfitting within a small number of epochs. As shown by previous works, current methods for Android malware detection are constrained by insufficient feature sets and preprocessing methods. Combining static and dynamic information for a more thorough analysis is essential to improve detection accuracy. While the Recurrent Neural Network (RNN) has effectively solved temporal problems, it has limitations such as gradient dispersion and high calculation costs. The goal is to develop Android ransomware detection by deep learning with optimal epochs and to test the model using the evaluation parameters of accuracy, precision, recall and F-1 score. The methodology comprises five phases: dataset, data preprocessing, Deep Learning model (CNN and LSTM), 10-fold cross-validation and result. The model is tested on an Android dataset, CICAndMal2019, which includes Permission and Intent as static features and API calls as dynamic features. For this research, only the ransomware samples from the Jisut, RansomBO, Charger, Lockerpin, Koler, Pletor, PornDroid, Simplocker, SVpeng and WannaLocker families and other benign samples will be used. The CNN model obtained its best performance at 40 epochs, with a result of 97.93% accuracy, 98.00% precision, 99.93% recall and 98.95% F-1 score. The LSTM model performed best at 10 epochs, with a result of 97.74% accuracy, 97.74% precision, 100% recall and 98.86% F-1 score. This research highlights that the CNN model obtains accuracy slightly higher than the LSTM model, improving Android ransomware detection by deep learning.

Published

30-06-2025

Section

Articles

How to Cite

Nuraini Syahirah Abd Rais, Mohd Foozy, C. F., & Andi Maslan. (2025). Android Ransomware Detection by Deep Learning. Journal of Soft Computing and Data Mining, 6(1), 378-393. https://penerbit.uthm.edu.my/ojs/index.php/jscdm/article/view/18855