Paper 2022/014

Transformer encoder-based Crypto-Ransomware Detection for Low-Power Embedded Processors

Hyunji Kim, Sejin Lim, Yeajun Kang, Wonwoong Kim, and Hwajeong Seo


Crypto-ransomware has a process to encrypt the victim's files, and crypto-ransomware requests the victim for money for a key to decrypt the encrypted file. In this paper, we present new approaches to prevent crypto-ransomware by detecting block cipher algorithms for Internet of Things (IoT) platforms. The generic software of the AVR package and the lightweight block cipher library (FELICS) written in C language was trained through the neural network, and then we evaluated the result. Unlike the previous technique, the proposed method does not extract sequence and frequency characteristics, but considers opcodes and opcode sequences as words and sentences, performs word embedding, and then inputs them to the neural network based on the encoder structure of the transformer model. Through this approach, the file size was reduced by 0.5 times while maintaining a similar level of classification performance compared to the previous method. The detection success rate for the proposed method was evaluated with the F-measured value, which is the harmonic mean of precision and recall. In addition to achieving 98% crypto-ransomware detection success rates, classification by benign firmware and lightweight cryptography algorithm, Substitution-Permutation-Network (SPN) structure, Addition-Rotation-eXclusive-or structure (ARX) and normal firmware classification are also possible.

Available format(s)
Publication info
Preprint. MINOR revision.
Deep learningCryptographyRansomwareInternet of Things
Contact author(s)
hwajeong84 @ gmail com
2022-01-08: revised
2022-01-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Hyunji Kim and Sejin Lim and Yeajun Kang and Wonwoong Kim and Hwajeong Seo},
      title = {Transformer encoder-based Crypto-Ransomware Detection for Low-Power Embedded Processors},
      howpublished = {Cryptology ePrint Archive, Paper 2022/014},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.