RansomShield: A Visualization Approach to Defending Mobile Systems Against Ransomware
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2023-03-13, DOI: https://dl.acm.org/doi/10.1145/3579822
Nada Lachtar, Duha Ibdah, Hamza Khan, Anys Bacha

The unprecedented growth in mobile systems has transformed the way we approach everyday computing. Unfortunately, the emergence of a sophisticated type of malware known as ransomware poses a great threat to consumers of this technology. Traditional research on mobile malware detection has focused on approaches that rely on analyzing bytecode for uncovering malicious apps. However, cybercriminals can bypass such methods by embedding malware directly in native machine code, making traditional methods inadequate. Another challenge that detection solutions face is scalability. The sheer number of malware variants released every year makes it difficult for solutions to efficiently scale their coverage.

To address these concerns, this work presents RansomShield, an energy-efficient solution that leverages CNNs to detect ransomware. We evaluate CNN architectures that have been known to perform well on computer vision tasks and examine their suitability for ransomware detection. We show that systematically converting native instructions from Android apps into images using space-filling curve visualization techniques enables CNNs to reliably detect ransomware with high accuracy. We characterize the robustness of this approach across ARM and x86 architectures and demonstrate the effectiveness of this solution across heterogeneous platforms including smartphones and Chromebooks. We evaluate the suitability of different models for mobile systems by comparing their energy demands using different platforms. In addition, we present a CNN introspection framework that determines the important features that are needed for ransomware detection. Finally, we evaluate the robustness of this solution against adversarial machine learning (AML) attacks using a state-of-the-art Android malware dataset.




Updated: 2023-03-14