Treffer: RanVisStat: a statistical feature engineering approach for ransomware binary and multiclass classification using machine learning.

Ransomware attackers have expanded their targets beyond corporate entities, leveraging vulnerabilities in web security and exploiting non-technical users through phishing campaigns. Recent studies have investigated the application of entropy-based feature extraction from binary files, integrated with deep learning models, to detect malicious activity. This approach quantifies the degree of randomness or disorder within a binary file to identify potential threats. However, a critical limitation of this method is its reliance on entropy alone, which lacks sufficient contextual analysis. As a result, high-entropy segments may not reliably indicate the true malicious intent or functional behavior of ransomware. To mitigate this limitation, the present study proposes a novel statistical methodology that enhances feature extraction by incorporating both entropy measurements and contextual insights, thereby improving the accuracy and robustness of ransomware detection. The 'ISOT Ransomware Detection Dataset', a publicly available dataset, is utilized for this purpose. These extracted features are then fed into various machine learning classifiers to evaluate their effectiveness. Among all the classifiers tested, the Extra Trees classifier demonstrated superior performance, surpassing the others with remarkable accuracy metrics. For the multiclassification problem, it achieved an accuracy, precision, recall, and F1-score of 99.49%, 99.49%, 99.53%, and 99.51%, respectively. In the binary problem scenario, its accuracy, precision, recall, and F1-score are even higher, reaching 99.59%, 99.60%, 99.59%, and 99.59%, respectively. To the best of our knowledge, the application of statistical features extracted from visual images for classification of ransomware has not been previously explored. By utilizing a small set of statistical features, we are able to accurately describe and analyze the data, leading to highly effective ransomware detection and classification outcomes. [ABSTRACT FROM AUTHOR]