RanViz: ransomware visualization and classification based on time-series categorical representation of API calls

Publisher

Institute of Electrical and Electronics Engineers

Abstract

Ransomware continues to pose a significant threat to individuals and organizations worldwide, causing disruptions, financial losses, and reputational damage. As ransomware attacks grow in sophistication, understanding their behaviour through effective analysis has become increasingly critical for mitigation and prevention. However, ransomware analysis presents several challenges. First, the sheer volume of Application Programming Interface (API) call data generated by ransomware during execution can overwhelm traditional analysis methods. Second, the temporal and categorical nature of this data makes identifying meaningful patterns complex. Third, the integration of machine learning (ML) models, which are essential for accurate classification, is hindered by the difficulty of modelling intricate API call behaviours. Without effective tools to address these issues, analysts risk missing critical behavioural indicators. To overcome these challenges, the proposed Ransomware Visualization (RanViz) system was developed to provide a comprehensive visual analytics and classification platform designed to enhance ransomware analysis. RanViz employs advanced visualization techniques to represent categorical API call time-series data, enabling analysts to intuitively understand ransomware behaviours that might otherwise remain obscured. The system incorporates ML models based on API call frequency, temporal interval, and sequence to classify unknown samples as either benign or ransomware. The models collectively achieve an accuracy of over 95% in detecting ransomware. By providing a unified platform that combines powerful visualization tools with high-performing ML models, RanViz simplifies ransomware analysis and offers a robust framework for accurate classification. This makes it an invaluable tool for digital forensics and cybersecurity professionals tasked with addressing the ever-evolving ransomware threat.

Keywords

API calls, Malware, Data visualization, Application programming interface (API), Encryption, Machine learning, Visual analytics, Organizations, Computer security, Complexity theory, Ransomware analysis, Time series, Visualization

Sustainable Development Goals

SDG-09: Industry, innovation and infrastructure

Citation

V. Mokoma and A. Singh, "RanViz: Ransomware Visualization and Classification Based on Time-Series Categorical Representation of API Calls," in IEEE Access, vol. 13, pp. 56237-56254, 2025, doi: 10.1109/ACCESS.2025.3555163.