COMPUTER SOFTWARE AND COMPUTING EQUIPMENT
Method of detecting virus-encoders in computer system using analysis of their behavior
A. B. Kaliev, A. N. Marenkov
Astrakhan State University, Astrakhan, Russian Federation
Abstract:
The article considers the low efficiency of existing methods of fighting ransomware. The importance of developing new approaches to identifying ransomware in computer systems (CS) is substantiated. Heuristic analysis methods are considered as new approaches to ransomware detection. A new technique for detecting ransomware is based on the analysis of changes in CS parameters. Using machine-learning methods, models were constructed that allow ransomware attacks on a computer system to be detected. The aim of the experiment was to obtain a model with the highest percentage of detected ransomware attacks and the fewest false positives. The machine learning algorithms used in the research are the following: naive Bayes classifier, multilayer neural network, support vector machine, and the CatBoost gradient boosting algorithm. The models were built using training datasets written in the Python programming language. The training datasets were collected as a result of experiments with the most popular virus-encoders. The following typical metrics were selected as key metrics for the effectiveness of the machine learning models: precision, recall, F1-metric, accuracy, and AUC. In the course of the experiments, the values of the error (confusion) matrices were formed and the main indicators of the model quality metrics were obtained. In addition to the classification efficiency metrics, the average time for performing classification operations is given for each of the models. During model training and testing it was found that the best model for detecting ransomware is the one built on the CatBoost algorithm. Conclusions were drawn about the possibility of applying the approach to detect ransomware attacks on various computer systems.
Keywords:
ransomware virus, virus detection, computer system, software, parameters, heuristic analysis methods, machine learning.
Received: 12.09.2019
Citation:
A. B. Kaliev, A. N. Marenkov, “Method of detecting virus-encoders in computer system using analysis of their behavior”, Vestn. Astrakhan State Technical Univ. Ser. Management, Computer Sciences and Informatics, 2020, no. 1, 41–49
Linking options:
https://www.mathnet.ru/eng/vagtu614
https://www.mathnet.ru/eng/vagtu/y2020/i1/p41