RanViz: Ransomware Visualization and Classification Based on Time-Series Categorical Representation of API Calls
Ransomware continues to pose a significant threat to individuals and organizations worldwide, causing disruptions, financial losses, and reputational damage. As ransomware attacks grow in sophistication, understanding their behaviour through effective analysis has become increasingly critical for mi...
| Main Authors: | Vhuhwavho Mokoma, Avinash Singh |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Ransomware analysis; API calls; machine learning; ransomware; time series; visualization |
| Online Access: | https://ieeexplore.ieee.org/document/10942324/ |
| _version_ | 1850272929832501248 |
|---|---|
| author | Vhuhwavho Mokoma; Avinash Singh |
| author_sort | Vhuhwavho Mokoma |
| collection | DOAJ |
| description | Ransomware continues to pose a significant threat to individuals and organizations worldwide, causing disruptions, financial losses, and reputational damage. As ransomware attacks grow in sophistication, understanding their behaviour through effective analysis has become increasingly critical for mitigation and prevention. However, ransomware analysis presents several challenges. First, the sheer volume of Application Programming Interface (API) call data generated by ransomware during execution can overwhelm traditional analysis methods. Second, the temporal and categorical nature of this data makes identifying meaningful patterns complex. Third, the integration of machine learning (ML) models, which are essential for accurate classification, is hindered by the difficulty of modelling intricate API call behaviours. Without effective tools to address these issues, analysts risk missing critical behavioural indicators. To overcome these challenges, the proposed Ransomware Visualization (RanViz) system was developed to provide a comprehensive visual analytics and classification platform designed to enhance ransomware analysis. RanViz employs advanced visualization techniques to represent categorical API call time-series data, enabling analysts to intuitively understand ransomware behaviours that might otherwise remain obscured. The system incorporates ML models based on API call frequency, temporal interval, and sequence to classify unknown samples as either benign or ransomware. The models collectively achieve an accuracy of over 95% in detecting ransomware. By providing a unified platform that combines powerful visualization tools with high-performing ML models, RanViz simplifies ransomware analysis and offers a robust framework for accurate classification. This makes it an invaluable tool for digital forensics and cybersecurity professionals tasked with addressing the ever-evolving ransomware threat. |
| format | Article |
| id | doaj-art-0da87c6dbc884ef7873f4ecd2a2deb6f |
| institution | OA Journals |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj-art-0da87c6dbc884ef7873f4ecd2a2deb6f; 2025-08-20T01:51:39Z; eng; IEEE; IEEE Access; 2169-3536; 2025-01-01; 13; 56237; 56254; 10.1109/ACCESS.2025.3555163; 10942324; RanViz: Ransomware Visualization and Classification Based on Time-Series Categorical Representation of API Calls; Vhuhwavho Mokoma (https://orcid.org/0009-0009-8313-1164); Avinash Singh (https://orcid.org/0000-0003-3024-4076); Department of Computer Science, University of Pretoria, Pretoria, South Africa; https://ieeexplore.ieee.org/document/10942324/; Ransomware analysis; API calls; machine learning; ransomware; time series; visualization |
| title | RanViz: Ransomware Visualization and Classification Based on Time-Series Categorical Representation of API Calls |
| topic | Ransomware analysis; API calls; machine learning; ransomware; time series; visualization |
| url | https://ieeexplore.ieee.org/document/10942324/ |