Ruoxu Zhao,Dawu Gu,Juanru Li,Ran Yu

DOI: https://doi.org/10.1007/978-3-642-24861-0_13

2011-01-01

Abstract:Cryptographic algorithms are widely used inside software for data security and integrity. The search of cryptographic data (include algorithms, input-output data and intermediated states of operation) is important to security analysis. However, various implementations of cryptographic algorithms lead the automatic detection and analysis to be very hard. This paper proposes a novel automatic cryptographic data detection and analysis approach. This approach is based on execution tracing and data pattern extraction techniques, searching the data pattern of cryptographic algorithms, and automatically extracting detected Cryptographic algorithms and input-output data. We implement and evaluate our approach, and the result shows our approach can detect and extract common symmetric ciphers and hash functions in most kinds of programs with accuracy, effectiveness and universality.

Erik Larsen,David Noever,Korey MacVittie

DOI: https://doi.org/10.48550/arXiv.2110.07636

2021-10-15

Abstract:A survey of machine learning techniques trained to detect ransomware is presented. This work builds upon the efforts of Taylor et al. in using sensor-based methods that utilize data collected from built-in instruments like CPU power and temperature monitors to identify encryption activity. Exploratory data analysis (EDA) shows the features most useful from this simulated data are clock speed, temperature, and CPU load. These features are used in training multiple algorithms to determine an optimal detection approach. Performance is evaluated with accuracy, F1 score, and false-negative rate metrics. The Multilayer Perceptron with three hidden layers achieves scores of 97% in accuracy and F1 and robust data preparation. A random forest model produces scores of 93% accuracy and 92% F1, showing that sensor-based detection is currently a viable option to detect even zero-day ransomware attacks before the code fully executes.

Machine Learning,Cryptography and Security

Qian Chen,Sheikh Rabiul Islam,Henry Haswell,Robert A. Bridges

DOI: https://doi.org/10.13140/RG.2.2.12785.84326

2019-10-15

Abstract:Security operation centers (SOCs) typically use a variety of tools to collect large volumes of host logs for detection and forensic of intrusions. Our experience, supported by recent user studies on SOC operators, indicates that operators spend ample time (e.g., hundreds of man-hours) on investigations into logs seeking adversarial actions. Similarly, reconfiguration of tools to adapt detectors for future similar attacks is commonplace upon gaining novel insights (e.g., through internal investigation or shared indicators). This paper presents an automated malware pattern-extraction and early detection tool, testing three machine learning approaches: TF-IDF (term frequency-inverse document frequency), Fisher's LDA (linear discriminant analysis) and ET (extra trees/extremely randomized trees) that can (1) analyze freshly discovered malware samples in sandboxes and generate dynamic analysis reports (host logs); (2) automatically extract the sequence of events induced by malware given a large volume of ambient (un-attacked) host logs, and the relatively few logs from hosts that are infected with potentially polymorphic malware; (3) rank the most discriminating features (unique patterns) of malware and from the learned behavior detect malicious activity; and (4) allows operators to visualize the discriminating features and their correlations to facilitate malware forensic efforts. To validate the accuracy and efficiency of our tool, we design three experiments and test seven ransomware attacks (i.e., WannaCry, DBGer, Cerber, Defray, GandCrab, Locky, and nRansom). The experimental results show that TF-IDF is the best of the three methods to identify discriminating features, and ET is the most time-efficient and robust approach.

Cryptography and Security,Computers and Society

Sibel Gulmez,Arzu Gorgulu Kakisim,Ibrahim Sogukpinar

DOI: https://doi.org/10.1016/j.cose.2024.103703

IF: 5.105

2024-01-10

Computers & Security

Abstract:Recently, the frequency and complexity of ransomware attacks have been increasing steadily, posing significant threats to individuals and organizations alike. While traditional signature-based antiransomware systems are effective in the detection of known threats, they struggle to identify new ransomware samples. To address this limitation, many researchers have focused on analyzing the behavior and actions of executables. During this dynamic analysis process, various dynamic-based features emerge, offering different perspectives on the executable's behavior, including Application Program Interface (API) call sequences, dynamic link libraries (DLLs), and mutual exclusions. Existing methods mostly perform machine or deep learning models for feature engineering and detection. These methods usually perform learning according to a single perspective or by combining data from different perspectives into the frequency domain. In this case, they may ignore the information from the other aspects or the sequence relationship between the features. In addition, learning models used in these solutions are mostly incomprehensible to humans, which could be an obstacle in terms of having an insight through the model's mentality and also ransomware's way of work. In this study, we provide XRan (eXplainable deep learning-based RANsomware detection using dynamic analysis), an Explainable Artificial Intelligence (XAI) supported ransomware detection system that combines different dynamic analysis-based sequences, each representing a different view of the executable, in order to enrich the feature space. XRan employs a Convolutional Neural Network (CNN) architecture to detect ransomware and two XAI models as Interpretable Model-Agnostic Explanations (LIME), and SHapley Additive exPlanations (SHAP) to provide local and global explanations for detection. Experimental results demonstrate that XRan provides up to 99.4% True Positive Rate (TPR), and outperforms the state-of-the-art methods.

computer science, information systems

Malak Aljabri,Fahd Alhaidari,Aminah Albuainain,Samiyah Alrashidi,Jana Alansari,Wasmiyah Alqahtani,Jana Alshaya

DOI: https://doi.org/10.1016/j.eij.2024.100445

IF: 4.195

2024-01-31

Egyptian Informatics Journal

Abstract:Ransomware attacks have escalated recently and are affecting essential infrastructure and enterprises across the globe. Unfortunately, ransomware uses sophisticated encryption techniques to encrypt important files on the targeted machine and then demands payment to decrypt the data. Artificial intelligent techniques including machine learning have been increasingly applied in the field of cybersecurity and greatly contributed to detecting and preventing different kinds of attacks However, the number of studies that applied machine learning to detect ransomware are still limited by the obfuscation of malware, the lack of setting up a proper analysis environment, the accuracy of models, and the high false-positive rate. Thus, it is crucial to develop effective ransomware detection based on machine learning techniques. This study aims to build a robust machine-learning model that can recognize unknown samples using memory dumps to detect ransomware with high accuracy and minimal false positives providing an extensive analysis of how memory traces can assist in the detection of ransomware. This goal was achieved by building a new dataset composed of recent ransomware group attack samples like Revil, Lockbit, and BlackCat, as well as a number of benign samples, including office applications, Windows applications, and compression applications, which were dynamically analyzed within an enhanced cuckoo sandbox to ensure the most reliable results. Then, a set of machine learning models were developed, and a comparative performance analysis was conducted. Among the various models evaluated, XGBoost was the best-performing model, using only 47 features out of 58. It achieved 97.85% accuracy with a 2% false positive rate.

computer science, information systems, artificial intelligence

Ruoxu Zhao,Dawu Gu,Juanru Li,Yuanyuan Zhang

DOI: https://doi.org/10.1007/978-3-319-12087-4_7

2014-01-01

Abstract:Encryption is increasingly used in network communications, especially by malicious software (malware) to hide its malicious activities and protect itself from being detected or analyzed. Understanding malware's encryption schemes helps researchers better analyze its network protocol, and then derive the internal structure of the malware. However, current techniques of encrypted protocol analysis have a lot of limitations. For example, they usually require the encryption part being separated from message processing which is hardly satisfied in today's malware, and they cannot provide detailed information about the encryption parameter such as the algorithm used and its secret key. Therefore, these techniques cannot fulfill the needs of today's malware analysis.In this paper, we propose a novel and enhanced approach to automatically detect and analyze encryption and encoding functions within network applications. Utilizing dynamic taint analysis and data pattern analysis, we are able to detect encryption, encoding and checksum routines within the normal processing of protocol messages without prior knowledge of the protocol, and provide detailed information about its encryption scheme, including the algorithms used, secret keys, ciphertext and plaintext. We can also detect private or custom encryption routines made by malware authors, which can be used as signature of the malware. We evaluate our method with several malware samples to demonstrate its effectiveness.

Kenan Begovic,Abdulaziz Al-Ali,Qutaibah Malluhi

DOI: https://doi.org/10.1016/j.cose.2023.103349

2023-06-21

Abstract:The ransomware threat has loomed over our digital life since 1989. Criminals use this type of cyber attack to lock or encrypt victims' data, often coercing them to pay exorbitant amounts in ransom. The damage ransomware causes ranges from monetary losses paid for ransom at best to endangering human lives. Cryptographic ransomware, where attackers encrypt the victim's data, stands as the predominant ransomware variant. The primary characteristics of these attacks have remained the same since the first ransomware attack. For this reason, we consider this a key factor differentiating ransomware from other cyber attacks, making it vital in tackling the threat of cryptographic ransomware. This paper proposes a cyber kill chain that describes the modern crypto-ransomware attack. The survey focuses on the Encryption phase as described in our proposed cyber kill chain and its detection techniques. We identify three main methods used in detecting encryption-related activities by ransomware, namely API and System calls, I/O monitoring, and file system activities monitoring. Machine learning (ML) is a tool used in all three identified methodologies, and some of the issues within the ML domain related to this survey are also covered as part of their respective methodologies. The survey of selected proposals is conducted through the prism of those three methodologies, showcasing the importance of detecting ransomware during pre-encryption and encryption activities and the windows of opportunity to do so. We also examine commercial crypto-ransomware protection and detection offerings and show the gap between academic research and commercial applications.

Cryptography and Security

Ruoxu Zhao,Dawu Gu,Juanru Li,Hui Liu

DOI: https://doi.org/10.1007/978-3-642-34129-8_22

2012-01-01

Abstract:Malware often encrypts its malicious code and sensitive data to avoid static pattern detection, thus detecting encryption functions and extracting the encryption keys in a malware can be very useful in security analysis. However, it's a complicated process to automatically detect encryption functions among huge amount of binary code, and the main challenge is to keep high efficiency and accuracy at the same time. In this paper we propose an enhanced detection approach. First we designed a novel process level emulation technique to efficiently analyze binary code, which is less resource-consuming compared with full system emulation. Further, we conduct program partitioning and assembly-to-IL(intermediate language) translation on binary code to simplify the analysis. We applied our approach to sample programs using cryptographic libraries and custom implemented version of typical encryption algorithms, and showed that these routines can be detected efficiently. It is convenient for analysts to use our approach to deal with the encrypted data within malware automatically. Our approach also provides an extensible interface for analysts to add extra templates to detect other forms of functions besides encryption routines.

Ahmed Alghamdi

DOI: https://doi.org/10.52783/cana.v31.1476

2024-09-02

Abstract:The growing sophistication of malware in exisiting environment poses tough demands on its detection methods of another kind. This paper introduces a framework for cyber security improvement, a means to solve strongly the probability issue of how to determine the behavior algorithmically in your system. This research is applied to malware detection systems based on methods (Support Vector Machines, Random Forest) and Neural Networks that are robust against deception. Statistical analysis of security threats and a review of current methods used for malware detection are given at its outset. The proposed framework, with its statistical framework analysis, looks for patterns and anomalies that indicate malice. It then integrates cryptographic techniques onto data transmission, computation processes; that the core of our system remains untouched by potential disturbances. The concept is further elaborated with open-source code from the field, Machine Learning (SVM, Random Forest, Neural Networks), As if with this variety of tools we can now detect and classify types of malware that generate irregular patterns but do not necessarily resemble known signatures at all. Such a hybrid security mechanism as described here, combining the best of statistics, cryptographic security, and machine learning, gives a precision of detection beyond compare to today's systems. The experiments show large gains in both detection accuracy and response speed, demonstrating this whole-element approach's potential to better safeguard cybersecurity in all manner of fields. It may be foreseen that this proposed line of research could well become a key new tool, capable of adaptation and expansion with the needs expanding around us.

Caio C. Moreira,Davi C. Moreira,Claudomiro Sales

DOI: https://doi.org/10.1016/j.jisa.2024.103716

IF: 4.96

2024-02-10

Journal of Information Security and Applications

Abstract:This study presents a comprehensive static analysis method that combines multiple structural features extracted from Windows executable files. The method employs an ensemble soft voting model that comprises three machine learning techniques: Logistic Regression (LR), Random Forest (RF), and eXtreme Gradient Boosting (XGB). Our proposed model aims to identify newly emerged ransomware families by analyzing header fields, imported Dynamic-link Libraries (DLLs), function calls, and entropy of sections. To assess the method's efficacy in detecting zero-day ransomware families, we created a dataset consisting of 2675 binary samples. The training set consisted of 1023 samples from 25 relevant ransomware families and 1134 benign applications (goodware) samples. The testing set comprised 385 samples from 15 recent ransomware families and 133 goodware samples. The results for the Detection of New Ransomware Families (DNRF) demonstrated weighted averages of 97.53% accuracy, 96.36% precision, 97.52% recall, and 96.41% F-measure. In addition, the scanning and prediction showed an average of 0.37 s. These results showed the model's adaptability to the ever-changing ransomware landscape while maintaining reasonable testing times, making it applicable as an additional security layer in antivirus protection systems on low-resource hardware devices. Furthermore, we used the SHapley Additive exPlanations (SHAP) interpretation method to establish trust and gain insights into the decision-making process of the proposed model. Our method offers significant advantages and can assist developers of ransomware detection systems in creating more resilient, dependable, and real-time solutions.

computer science, information systems

Arslan Ashraf,Abdul Aziz,Umme Zahoora,Muttukrishnan Rajarajan,Asifullah Khan

DOI: https://doi.org/10.48550/arXiv.1910.00286

2019-10-01

Cryptography and Security

Abstract:Detection and analysis of a potential malware specifically, used for ransom is a challenging task. Recently, intruders are utilizing advanced cryptographic techniques to get hold of digital assets and then demand a ransom. It is believed that generally, the files comprise of some attributes, states, and patterns that can be recognized by a machine learning technique. This work thus focuses on the detection of Ransomware by performing feature engineering, which helps in analyzing vital attributes and behaviors of the malware. The main contribution of this work is the identification of important and distinct characteristics of Ransomware that can help in detecting them. Finally, based on the selected features, both conventional machine learning techniques and Transfer Learning based Deep Convolutional Neural Networks have been used to detect Ransomware. In order to perform feature engineering and analysis, two separate datasets (static and dynamic) were generated. The static dataset has 3646 samples (1700 Ransomware and 1946 Goodware). On the other hand, the dynamic dataset comprised of 3444 samples (1455 Ransomware and 1989 Goodware). Through various experiments, it is observed that the Registry changes, API calls, and DLLs are the most important features for Ransomware detection. Additionally, important sequences are found with the help of the N-Gram technique. It is also observed that in the case of Registry Delete operation, if a malicious file tries to delete registries, it follows a specific and repeated sequence. However, for the benign file, it doesnt follow any specific sequence or repetition. Similarly, an interesting observation made through this study is that there is no common Registry deleted sequence between malicious and benign files. And thus this discernible fact can be readily exploited for Ransomware detection.

Sana Aurangzeb,Rao Naveed Bin Rais,Muhammad Aleem,Muhammad Arshad Islam,Muhammad Azhar Iqbal

DOI: https://doi.org/10.7717/peerj-cs.361

2021-02-02

Abstract:Due to the expeditious inclination of online services usage, the incidents of ransomware proliferation being reported are on the rise. Ransomware is a more hazardous threat than other malware as the victim of ransomware cannot regain access to the hijacked device until some form of compensation is paid. In the literature, several dynamic analysis techniques have been employed for the detection of malware including ransomware; however, to the best of our knowledge, hardware execution profile for ransomware analysis has not been investigated for this purpose, as of today. In this study, we show that the true execution picture obtained via a hardware execution profile is beneficial to identify the obfuscated ransomware too. We evaluate the features obtained from hardware performance counters to classify malicious applications into ransomware and non-ransomware categories using several machine learning algorithms such as Random Forest, Decision Tree, Gradient Boosting, and Extreme Gradient Boosting. The employed data set comprises 80 ransomware and 80 non-ransomware applications, which are collected using the VirusShare platform. The results revealed that extracted hardware features play a substantial part in the identification and detection of ransomware with F-measure score of 0.97 achieved by Random Forest and Extreme Gradient Boosting.

Eric Filiol

DOI: https://doi.org/10.48550/arXiv.1009.4000

2010-09-21

Abstract:Fighting against computer malware require a mandatory step of reverse engineering. As soon as the code has been disassemblied/decompiled (including a dynamic analysis step), there is a hope to understand what the malware actually does and to implement a detection mean. This also applies to protection of software whenever one wishes to analyze them. In this paper, we show how to amour code in such a way that reserse engineering techniques (static and dymanic) are absolutely impossible by combining malicious cryptography techniques developped in our laboratory and new types of programming (k-ary codes). Suitable encryption algorithms combined with new cryptanalytic approaches to ease the protection of (malicious or not) binaries, enable to provide both total code armouring and large scale polymorphic features at the same time. A simple 400 Kb of executable code enables to produce a binary code and around $2^{140}$ mutated forms natively while going far beyond the old concept of decryptor.

Cryptography and Security

Carlo Meijer,Veelasha Moonsamy,Jos Wetzels

DOI: https://doi.org/10.48550/arXiv.2009.04274

2020-09-09

Cryptography and Security

Abstract:The continuing use of proprietary cryptography in embedded systems across many industry verticals, from physical access control systems and telecommunications to machine-to-machine authentication, presents a significant obstacle to black-box security-evaluation efforts. In-depth security analysis requires locating and classifying the algorithm in often very large binary images, thus rendering manual inspection, even when aided by heuristics, time consuming. In this paper, we present a novel approach to automate the identification and classification of (proprietary) cryptographic primitives within binary code. Our approach is based on Data Flow Graph (DFG) isomorphism, previously proposed by Lestringant et al. Unfortunately, their DFG isomorphism approach is limited to known primitives only, and relies on heuristics for selecting code fragments for analysis. By combining the said approach with symbolic execution, we overcome all limitations of their work, and are able to extend the analysis into the domain of unknown, proprietary cryptographic primitives. To demonstrate that our proposal is practical, we develop various signatures, each targeted at a distinct class of cryptographic primitives, and present experimental evaluations for each of them on a set of binaries, both publicly available (and thus providing reproducible results), and proprietary ones. Lastly, we provide a free and open-source implementation of our approach, called Where's Crypto?, in the form of a plug-in for the popular IDA disassembler.

K. R. Kalphana,S. Aanjankumar,M. Surya,M. S. Ramadevi,K. R. Ramela,T Anitha,N. Nagaprasad,Ramaswamy Krishnaraj

DOI: https://doi.org/10.1038/s41598-024-70544-x

IF: 4.6

2024-09-29

Scientific Reports

Abstract:In recent times, the number of malware on Android mobile phones has been growing, and a new kind of malware is Android ransomware. This research aims to address the emerging concerns about Android ransomware in the mobile sector. Previous studies highlight that the number of new Android ransomware is increasing annually, which poses a huge threat to the privacy of mobile phone users for sensitive data. Various existing techniques are active to detect ransomware and secure the data in the mobile cloud. However, these approaches lack accuracy and detection performance with insecure storage. To resolve this and enhance the security level, the proposed model is presented. This manuscript provides both recognition algorithms based on the deep learning model and secured storage of detected data in the cloud with a secret key to safeguard sensitive user information using the hybrid cryptographic model. Initially, the input APK files and data are preprocessed to extract features. The collection of optimal features is carried out using the Squirrel search optimization process. After that, the Deep Learning-based model, adaptive deep saliency The AlexNet classifier is presented to detect and classify data as malicious or normal. The detected data, which is not malicious, is stored on a cloud server. For secured storage of data in the cloud, a hybrid cryptographic model such as hybrid homomorphic Elliptic Curve Cryptography and Blowfish is employed, which includes key computation and key generation processes. The cryptographic scheme includes encryption and decryption of data, after which the application response is found to attain a decrypted result upon user request. The performance is carried out for both the Deep Learning-based model and the hybrid cryptography-based security model, and the results obtained are 99.89% accuracy in detecting malware compared with traditional models. The effectiveness of the proposed system over other models such as GNN is 94.76%, CNN is 95.76%, and Random Forest is 96%.

multidisciplinary sciences

Jaehyuk Lee,Jinseo Yun,Kyungroul Lee

DOI: https://doi.org/10.3390/electronics13061030

IF: 2.9

2024-03-10

Electronics

Abstract:Ransomware, which emerged in 1989, has evolved to the present in numerous variants and new forms. For this reason, serious damage caused by ransomware has occurred not only within our country but around the world, and, according to the analysis of ransomware trends, ransomware poses an ongoing and significant threat, with major damage expected to continue to occur in the future. To address this problem, various approaches to detect ransomware have been explored, with a recent focus on file entropy estimation methods. These methods exploit the characteristic increase in file entropy that is caused by ransomware encryption. In response, a method was developed to neutralize entropy-based ransomware detection technology by manipulating entropy using encoding methods from the attacker's perspective. Consequently, from the defender's standpoint, countermeasures are essential to minimize the damage caused by ransomware. Therefore, this article proposes a methodology that utilizes diverse machine learning models such as K-Nearest Neighbors (KNN), logistic regression, decision tree, random forest, gradient boosting, support vector machine (SVM), and multi-layer perception (MLP) to detect files infected with ransomware. The experimental results demonstrate empirically that files infected with ransomware can be detected with approximately 98% accuracy, and the results of this research are expected to provide valuable information for developing countermeasures against various ransomware detection technologies.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zi-hao XIANG,Wei-dong QIU

DOI: https://doi.org/10.13274/j.cnki.hdzj.2018.05.019

2018-01-01

Abstract:Ransomware is a kind of malware that locks the desktop,limits user access,or encrypts,overwrites,and deletes user files for ransom.Although the concept of ransomware dates back to the 1980s,this malware has attracted widespread attention in recent years.By the end of 2016,more than 9000000 ransomware samples were found.Compared to 2015,the number of new ransomware nearly doubled,and the total ransom jumped from $ 24 million in 2015 to $1 billion now.Although many generic malware detection methods are proposed,none has attempted to detect ransomware.This paper presents a method to detect this kind of malware based on machine learning.Through real-time monitoring of program operation,features are extracted from API call and registry operation.Then the supervised learning method is used to classify and detect the samples of the ransomware and the normal software.

Aldin Vehabovic,Nasir Ghani,Elias Bou-Harb,Jorge Crichigno,Aysegul Yayimli

DOI: https://doi.org/10.1109/BlackSeaCom54372.2022.9858296

2023-04-10

Abstract:Ransomware uses encryption methods to make data inaccessible to legitimate users. To date a wide range of ransomware families have been developed and deployed, causing immense damage to governments, corporations, and private users. As these cyberthreats multiply, researchers have proposed a range of ransomware detection and classification schemes. Most of these methods use advanced machine learning techniques to process and analyze real-world ransomware binaries and action sequences. Hence this paper presents a survey of this critical space and classifies existing solutions into several categories, i.e., including network-based, host-based, forensic characterization, and authorship attribution. Key facilities and tools for ransomware analysis are also presented along with open challenges.

Cryptography and Security

Wenjia Song,Sanjula Karanam,Ya Xiao,Jingyuan Qi,Nathan Dautenhahn,Na Meng,Elena Ferrari,Danfeng

2024-11-19

Abstract:Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have been on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance as detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level they are implemented at, and discuss the deployability. API-based solutions are easy to deploy and most existing works focus on machine learning-based classification. To provide more insights, we quantitively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally evaluate various commercial defenses and identify the security gaps. Our findings help the field understand the deployability of ransomware defenses and create more effective, practical solutions.

Cryptography and Security

Hardlife Ngirande,Martin Muduva,Ronald Chiwariro,Austin Makate

DOI: https://doi.org/10.22214/ijraset.2024.57885

2024-01-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Ransomware is a malicious code designed to encrypt and lock personal data such as documents and photos, in order to create opportunity for extorting money from the victims. Android operating systems are particularly targeted due to their large market share. Previous studies have primarily relied on signature-based detection methods, which require sufficient data samples and labelled signatures. However, modern ransomware utilizes obfuscation techniques that make it challenging to analyse using static methods. This project proposes a hybrid analysis approach for Android ransomware, employing the SVM algorithm for detection. The novelty lies in the limited exploration of SVM algorithms for ransomware analysis. The dataset used in the study was obtained from CICA and Mal 2017. Static features, including permissions, intents, encoding methods, and API calls were used, along with dynamic features such as network activities and system calls. The SVM model achieved good performance, with 81% accuracy and 90% precision using static features, and 100% accuracy with dynamic features