{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T12:22:11Z","timestamp":1778761331258,"version":"3.51.4"},"reference-count":79,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2023,3,13]],"date-time":"2023-03-13T00:00:00Z","timestamp":1678665600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation","award":["CNS-1947580"],"award-info":[{"award-number":["CNS-1947580"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2023,8,30]]},"abstract":"<jats:p>The unprecedented growth in mobile systems has transformed the way we approach everyday computing. Unfortunately, the emergence of a sophisticated type of malware known as ransomware poses a great threat to consumers of this technology. Traditional research on mobile malware detection has focused on approaches that rely on analyzing bytecode for uncovering malicious apps. However, cybercriminals can bypass such methods by embedding malware directly in native machine code, making traditional methods inadequate. Another challenge that detection solutions face is scalability. The sheer number of malware variants released every year makes it difficult for solutions to efficiently scale their coverage.<\/jats:p>\n          <jats:p>To address these concerns, this work presents RansomShield, an energy-efficient solution that leverages CNNs to detect ransomware. We evaluate CNN architectures that have been known to perform well on computer vision tasks and examine their suitability for ransomware detection. We show that systematically converting native instructions from Android apps into images using space-filling curve visualization techniques enable CNNs to reliably detect ransomware with high accuracy. We characterize the robustness of this approach across ARM and x86 architectures and demonstrate the effectiveness of this solution across heterogeneous platforms including smartphones and chromebooks. We evaluate the suitability of different models for mobile systems by comparing their energy demands using different platforms. In addition, we present a CNN introspection framework that determines the important features that are needed for ransomware detection. Finally, we evaluate the robustness of this solution against adversarial machine learning (AML) attacks using state-of-the-art Android malware dataset.<\/jats:p>\n          <jats:p\/>","DOI":"10.1145\/3579822","type":"journal-article","created":{"date-parts":[[2023,1,17]],"date-time":"2023-01-17T12:01:43Z","timestamp":1673956903000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":16,"title":["RansomShield: A Visualization Approach to Defending Mobile Systems Against Ransomware"],"prefix":"10.1145","volume":"26","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4148-7367","authenticated-orcid":false,"given":"Nada","family":"Lachtar","sequence":"first","affiliation":[{"name":"University of Michigan, Dearborn, MI"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9011-296X","authenticated-orcid":false,"given":"Duha","family":"Ibdah","sequence":"additional","affiliation":[{"name":"University of Michigan, Dearborn, MI"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9614-2876","authenticated-orcid":false,"given":"Hamza","family":"Khan","sequence":"additional","affiliation":[{"name":"University of Michigan, Dearborn, MI"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6711-1280","authenticated-orcid":false,"given":"Anys","family":"Bacha","sequence":"additional","affiliation":[{"name":"University of Michigan, Dearborn, MI"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,3,13]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903508"},{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3167132.3167304"},{"key":"e_1_3_1_4_2","article-title":"Android malware detection through generative adversarial networks","author":"Amin Muhammad","year":"2019","unstructured":"Muhammad Amin, Babar Shah, Aizaz Sharif, Tamleek Ali, Ki-Il Kim, and Sajid Anwar. 2019. Android malware detection through generative adversarial networks. Transactions on Emerging Telecommunications Technologies 33, 2 (2019), e3675.","journal-title":"Transactions on Emerging Telecommunications Technologies"},{"key":"e_1_3_1_5_2","unstructured":"AnandTech. 2018. The Mate 20 and Mate 20 Pro Review: Kirin 980 Powering Two Contrasting Devices. Retrieved from https:\/\/www.anandtech.com\/show\/13503\/the-mate-20-mate-20-pro-review. Accessed 8\/3\/2021."},{"key":"e_1_3_1_6_2","unstructured":"App Annie. 2019. The State of Mobile. https:\/\/www.data.ai\/en\/insights\/market-data\/the-state-of-mobile-2019\/. Accessed 4\/28\/2020."},{"key":"e_1_3_1_7_2","unstructured":"Apple. 2019. A12 Bionic the Smartest Most Powerful Chip in a Smartphone. Retrieved from https:\/\/www.apple.com\/iphone-xs\/a12-bionic\/. Accessed 19\/3\/2018."},{"key":"e_1_3_1_8_2","unstructured":"Avast. 2017. WannaCry WannaBe Targeting Android Smartphones. Retrieved from https:\/\/blog.avast.com\/wannacry-wannabe-targeting-android-smartphones. Accessed 19\/7\/2021."},{"key":"e_1_3_1_9_2","unstructured":"Avast. 2020. How to Remove Ransomware from Android Devices. Retrieved from https:\/\/www.avast.com\/c-how-to-remove-ransomware-android. Accessed 17\/12\/2020."},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISDFS.2018.8355317"},{"key":"e_1_3_1_11_2","unstructured":"Victor Chebyshev. 2020. Mobile Malware Evolution 2020. Retrieved from https:\/\/securelist.com\/mobile-malware-evolution-2020\/101029. Accessed 8\/8\/2021."},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2787905"},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/TMI.2018.2835303"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991110"},{"key":"e_1_3_1_15_2","unstructured":"Aldo Cortesi. 2015. A library for drawing space-filling curves like the Hilbert Curve.Retrieved from https:\/\/github.com\/cortesi\/scurve. Accessed 5\/10\/2020."},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/2485922.2485970"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/83.499920"},{"key":"e_1_3_1_18_2","unstructured":"Grayshift. 2018. Introducing GrayKey. Retrieved from https:\/\/graykey.grayshift.com. Accessed 13\/8\/2021."},{"key":"e_1_3_1_19_2","article-title":"Compact Hilbert Indices","author":"Hamilton Chris","year":"2006","unstructured":"Chris Hamilton. 2006. Compact Hilbert Indices. Dalhousie University, Faculty of Computer Science, Technical Report CS-2006-07.","journal-title":"Dalhousie University, Faculty of Computer Science, Technical Report CS-2006-07"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/CISIS.2007.16"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSPA.2018.8368693"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-38452-7_1"},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2018.8622324"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.116"},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134035"},{"key":"e_1_3_1_26_2","first-page":"126","volume-title":"Proceedings of the IEEE Embedded Systems Letters.","author":"Ibdah N. Lachtar D.","year":"2020","unstructured":"N. Lachtar D. Ibdah and A. Bacha. 2020. Towards mobile malware detection through convolutional neural networks. In Proceedings of the IEEE Embedded Systems Letters.126\u2013129."},{"key":"e_1_3_1_27_2","unstructured":"Intel. 2011. Intel 64 and IA-32 Architectures Software Developer\u2019s Manual Volume 3 Section 14.7. https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/intel-sdm.html.Accessed15\/6\/2021."},{"key":"e_1_3_1_28_2","unstructured":"Intel. 2019. Movidius Neural Compute Stick. Retrieved from https:\/\/software.intel.com\/en-us\/movidius-ncs. Accessed 14\/8\/2021."},{"key":"e_1_3_1_29_2","unstructured":"Intel. 2019. Chromeboox Powered by Intel. Retrieved from https:\/\/intel.com. Accessed 13\/8\/2021."},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2016.2598339"},{"key":"e_1_3_1_31_2","first-page":"1889","volume-title":"Proceedings of the International Conference on Neural Information Processing Systems","author":"Karpathy Andrej","year":"2014","unstructured":"Andrej Karpathy, Armand Joulin, and Li Fei-Fei. 2014. Deep fragment embeddings for bidirectional image sentence mapping. In Proceedings of the International Conference on Neural Information Processing Systems. 1889\u20131897."},{"key":"e_1_3_1_32_2","volume-title":"Proceedings of the 25th USENIX Security Symposium","author":"Kharraz Amin","year":"2016","unstructured":"Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, and Engin Kirda. 2016. UNVEIL: A large scale, automated approach to detecting ransomware. In Proceedings of the 25th USENIX Security Symposium. USENIX Association."},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66332-6_5"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053035"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.5555\/2999134.2999257"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/LOCS.2019.2918091"},{"key":"e_1_3_1_37_2","first-page":"2","article-title":"Learning algorithms for classification: A comparison on handwritten digit recognition","volume":"261","author":"LeCun Yann","year":"1995","unstructured":"Yann LeCun, L. D. Jackel, L\u00e9on Bottou, Corinna Cortes, John S. Denker, Harris Drucker, Isabelle Guyon, Urs A. Muller, Eduard Sackinger, Patrice Simard, and Vladimir Vapnik1995. Learning algorithms for classification: A comparison on handwritten digit recognition. Neural Networks: The Statistical Mechanics Perspective 261, 276 (1995), 2.","journal-title":"Neural Networks: The Statistical Mechanics Perspective"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/3129676.3129713"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2017.2789219"},{"key":"e_1_3_1_40_2","series-title":"Proceedings of the RAID","first-page":"192","volume":"10453","author":"Li Yuping","year":"2017","unstructured":"Yuping Li, Jiyong Jang, Xin Hu, and Xinming Ou. 2017. Android malware clustering through malicious payload mining. In Proceedings of the RAID(Lecture Notes in Computer Science, Vol. 10453). Springer, 192\u2013214."},{"key":"e_1_3_1_41_2","unstructured":"Lookout. 2019. U.S. Targeted by Coercive Mobile Ransomware Impersonating the FBI. Retrieved from https:\/\/blog.lookout.com\/scarepakage. Accessed 5\/7\/2021."},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2017.08.216"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2873583"},{"key":"e_1_3_1_44_2","unstructured":"McAfee. 2017. Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea. Retrieved from https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/. Accessed 20\/8\/2021."},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_6"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/69.908985"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/3230833.3234691"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2017.7966078"},{"key":"e_1_3_1_49_2","article-title":"Jetson Nano","year":"2019","unstructured":"Nvidia. 2019. Jetson Nano. Retrieved fromhttps:\/\/www.nvidia.com\/en-us\/autonomous-machines\/embedded-systems\/jetson-nano\/. Accessed 13\/8\/2021.","journal-title":"Retrieved from"},{"key":"e_1_3_1_50_2","unstructured":"Nvidia. 2019. Unmatched Power. Unmatched Creative Freedom. Nvidia Quadro P2000. Retrieved from https:\/\/www.nvidia.com\/en-us\/autonomous-machines\/embedded-systems\/jetson-nano\/. Accessed 15\/7\/2021."},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2015.7056070"},{"key":"e_1_3_1_52_2","unstructured":"G. Peano. 1967. The principles of arithmetic presented by a new method. Heijenoort (1967) 83\u201397."},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/TMI.2016.2538465"},{"key":"e_1_3_1_54_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46723-8_37"},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-015-0816-y"},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","DOI":"10.1145\/3399670"},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2016.2536605"},{"key":"e_1_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2016.46"},{"key":"e_1_3_1_59_2","unstructured":"D. Sgandurra L. Mu\u00f1oz-Gonz\u00e1lez R. Mohsen and E. C. Lupu. 2016. Automated dynamic analysis of ransomware: Benefits limitations and use for detection. arXiv preprint arXiv:1609.03020 (2016)."},{"key":"e_1_3_1_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.1983.4767431"},{"key":"e_1_3_1_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.308"},{"key":"e_1_3_1_62_2","doi-asserted-by":"publisher","DOI":"10.1145\/3229710.3229726"},{"key":"e_1_3_1_63_2","unstructured":"TensorFlow\u2122. 2019. An open source machine learning framework for everyone. Retrieved from https:\/\/www.tensorflow.org. Accessed 9\/9\/2020."},{"key":"e_1_3_1_64_2","unstructured":"Klein Tools. 2019. Security Module for Raspberry PI. Retrieved from https:\/\/www.zymbit.com\/zymkey. Accessed 28\/4\/2021."},{"key":"e_1_3_1_65_2","unstructured":"Klein Tools. 2019. USB Digital Meter USB-A and USB-C ET920. Retrieved from https:\/\/www.kleintools.com. Accessed 15\/4\/2021."},{"key":"e_1_3_1_66_2","unstructured":"Trend Micro. 2018. Enterprise Cybersecurity Solutions. Retrieved from https:\/\/www.trendmicro.com. Accessed 9\/3\/2021."},{"key":"e_1_3_1_67_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2020.107138"},{"key":"e_1_3_1_68_2","unstructured":"Virus Total. 2018. VirusTotal. Retrieved from https:\/\/www.virustotal.com. Accessed 13\/3\/2021."},{"issue":"2","key":"e_1_3_1_69_2","first-page":"129","article-title":"Theoretical study on the Z curves","volume":"19","author":"Wang Jihua","year":"2004","unstructured":"Jihua Wang, Baoquan Wang, Lianshun Zhang, Xianghua Dou, and Liling Zhao. 2004. Theoretical study on the Z curves. Journal of Biomathematics 19, 2 (2004), 129\u2013135.","journal-title":"Journal of Biomathematics"},{"key":"e_1_3_1_70_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_12"},{"key":"e_1_3_1_71_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_12"},{"key":"e_1_3_1_72_2","unstructured":"Wikipedia. 2015. Nexus 5X. Retrieved from https:\/\/en.wikipedia.org\/wiki\/Nexus_5X. Accessed 15\/8\/2021."},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2017.2787130"},{"key":"e_1_3_1_74_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00155"},{"key":"e_1_3_1_75_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23198"},{"key":"e_1_3_1_76_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.09.025"},{"key":"e_1_3_1_77_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.04.005"},{"key":"e_1_3_1_78_2","unstructured":"Yuchen Zhang and Percy Liang. 2019. Defending against Whitebox Adversarial Attacks via Randomized Discretization. The 22nd International Conference on Artificial Intelligence and Statistics PMLR 684\u2013693."},{"key":"e_1_3_1_79_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196515"},{"key":"e_1_3_1_80_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.651"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579822","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3579822","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:51:27Z","timestamp":1750182687000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579822"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,13]]},"references-count":79,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2023,8,30]]}},"alternative-id":["10.1145\/3579822"],"URL":"https:\/\/doi.org\/10.1145\/3579822","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,13]]},"assertion":[{"value":"2021-10-11","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-12-20","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-13","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}