A system call refinement-based enhanced Minimum Redundancy Maximum Relevance method for ransomware early detection
Journal of Network and Computer Applications (IF 8.7), Pub Date: 2020-06-29, DOI: 10.1016/j.jnca.2020.102753
Yahye Abukar Ahmed, Barış Koçer, Shamsul Huda, Bander Ali Saleh Al-rimy, Mohammad Mehedi Hassan

Ransomware is a special type of malicious software that encrypts the user's assets and makes them unavailable to the user until a ransom is paid to the ransomware author. Such attacks have become one of the most widespread kinds of malware and pose a serious threat to both individuals and business organizations. Against this destructive malicious program, dynamic analysis is the most popular approach for detecting such an attack. The majority of dynamic analysis relies on system calls, as these provide the interface through which programs request services from the operating system. However, the redundant and irrelevant system calls that ransomware authors inject into the actual execution flow of suspicious binaries generate a highly noisy behavioural sequence that adversely impacts the detection performance of anti-ransomware tools. To this end, we propose a non-signature-based detection approach built on effective Windows API call sequences and supervised machine learning techniques. To achieve this objective, we propose an Enhanced Maximum-Relevance and Minimum-Redundancy (EmRmR) filter method to remove the noisy features and select the most relevant subset of features to characterize the real behaviour of the ransomware. Unlike the original mRmR, EmRmR avoids the unnecessary computations intrinsic to the original mRmR algorithm and needs only a small number of evaluations. In addition, this work introduces a refinement process that reduces the size of a program's call trace by removing those Windows API calls that are not strong indicators of the critical behaviour of the ransomware. After extensive experimental evaluation and comparison with existing behaviour-based detection approaches, the proposed method has been shown to be effective at discriminating the behaviour of ransomware, and achieves high detection accuracy with a low false-positive rate.
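An added example, not the authors' code, of the feature-selection idea the abstract describes: classic greedy mRMR (Peng et al., mutual-information difference criterion) over Windows API call presence features, preceded by a simple stand-in for the trace refinement step. The EmRmR shortcuts are not on this page, and the traces, labels and refinement rule below are constructed assumptions.

```python
# Added example, not the paper's code: greedy mRMR (Peng et al., MID criterion)
# over Windows API call presence features built from constructed sandbox traces.
# EmRmR and the paper's refinement rules are not on this page; refine() is a
# simple stand-in (assumption), and the traces and labels below are made up.
import math
from collections import Counter

# Constructed traces: (API calls seen in one run, label); 1 = ransomware, 0 = benign.
TRACES = [
    (["CryptGenRandom", "CryptEncrypt", "FindFirstFileW", "WriteFile", "DeleteFileW", "CloseHandle"], 1),
    (["CryptGenRandom", "CryptEncrypt", "FindFirstFileW", "WriteFile", "DeleteFileW", "CloseHandle"], 1),
    (["CryptGenRandom", "CryptEncrypt", "FindFirstFileW", "WriteFile", "CloseHandle"], 1),
    (["CryptGenRandom", "CryptEncrypt", "FindFirstFileW", "WriteFile", "CloseHandle"], 1),
    (["CryptGenRandom", "CryptEncrypt", "FindFirstFileW", "WriteFile", "CloseHandle"], 0),  # backup tool
    (["FindFirstFileW", "WriteFile", "RegOpenKeyExW", "CloseHandle"], 0),
    (["WriteFile", "CloseHandle"], 0),
    (["WriteFile", "CloseHandle"], 0),
]

def mutual_information(xs, ys):
    """Plug-in estimate of I(X;Y) in bits for two equal-length discrete sequences."""
    n = len(xs)
    pxy, px, py = Counter(zip(xs, ys)), Counter(xs), Counter(ys)
    return sum(c / n * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in pxy.items())

def feature_matrix(traces):
    """One binary presence column per API call, plus the label vector."""
    apis = sorted({a for calls, _ in traces for a in calls})
    cols = {a: [int(a in calls) for calls, _ in traces] for a in apis}
    return cols, [label for _, label in traces]

def refine(cols):
    """Stand-in refinement: drop calls present in every trace or in none,
    since such calls say nothing about the class."""
    return {a: v for a, v in cols.items() if 0 < sum(v) < len(v)}

def mrmr(cols, labels, k):
    """Greedy mRMR: k times, pick the feature maximising I(f; label) - mean I(f; s) over selected s."""
    relevance = {f: mutual_information(cols[f], labels) for f in cols}
    selected, remaining = [], set(cols)
    while remaining and len(selected) < k:
        def score(f):
            if not selected:
                return relevance[f]
            red = sum(mutual_information(cols[f], cols[s]) for s in selected)
            return relevance[f] - red / len(selected)
        best = max(sorted(remaining), key=score)  # sorted(): deterministic ties
        selected.append(best)
        remaining.remove(best)
    return selected
```

On these traces `mrmr(refine(cols), labels, 3)` returns CryptEncrypt, DeleteFileW and FindFirstFileW: CryptGenRandom, which is identical to CryptEncrypt in every trace and ties with it on relevance alone, is pushed down by the redundancy term.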




Updated: 2020-06-29