Author Identifier
Matthew Gaber: https://orcid.org/0000-0003-1684-1392
Mohiuddin Ahmed: https://orcid.org/0000-0002-4559-4768
Helge Janicke: https://orcid.org/0000-0002-1345-2829
Document Type
Journal Article
Publication Title
Computers and Security
Volume
148
Publisher
Elsevier
School
School of Science
RAS ID
73856
Abstract
Finding automated AI techniques to proactively defend against malware has become increasingly critical. The ability of an AI model to correctly classify novel malware depends on the quality of the features it is trained with, and the authenticity of those features depends on the analysis tool. Peekaboo, a Dynamic Binary Instrumentation tool, defeats evasive malware to capture its genuine behaviour. The ransomware Assembly instructions captured by Peekaboo follow Zipf's law, a principle also observed in natural languages, indicating that Transformer models are particularly well-suited to binary classification. We propose Pulse, a novel framework for zero day ransomware detection with Transformer models and Assembly language. Pulse, trained with the Peekaboo ransomware and benign software data, uniquely identifies truly new samples with high accuracy. Pulse eliminates any familiar functionality across the test and training samples, forcing the Transformer model to detect malicious behaviour based solely on context and novel Assembly instruction combinations.
DOI
10.1016/j.cose.2024.104167
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 License
Comments
Gaber, M., Ahmed, M., & Janicke, H. (2025). Zero day ransomware detection with pulse: Function classification with transformer models and assembly language. Computers & Security, 148. https://doi.org/10.1016/j.cose.2024.104167