FEATURE ENGINEERING APPARATUS AND METHOD FOR EVASIVE RANSOMWARE DETECTION

Abstract

The present invention relates to a feature processing apparatus and method for detecting evasive ransomware. The apparatus comprises: an input/output request collection unit that periodically collects the headers of input/output requests at a specific time interval; a first hash table construction unit that, when a read request is detected in the header of an input/output request, creates a first entry including block information related to the read request and stores it in a first hash table through window-based search; a second hash table construction unit that, when an overwrite request for a memory block having the same start address as the block of the read request is detected in the header of an input/output request, generates a second entry including block information related to the overwrite request and stores it in a second hash table through the search; and a feature generator that calculates a plurality of features for detecting ransomware based on the first and second hash tables.
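Bibliographic data

  • Publication number: KR20210045140A

  • Patent type:

  • Publication date: 2021-04-26

  • Original format: PDF

  • Applicant/patentee: 국민대학교산학협력단

  • Application number: KR1020190128528

  • Inventors: 윤명근; 명준우; 조영훈

  • Filing date: 2019-10-16

  • Classification: G06F21/56

  • Country: KR

  • Date added to database: 2024-06-14 21:29:14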
