{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,23]],"date-time":"2026-02-23T23:10:21Z","timestamp":1771888221841,"version":"3.50.1"},"reference-count":37,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2018,9,10]],"date-time":"2018-09-10T00:00:00Z","timestamp":1536537600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Cryptovirological augmentations present an immediate, incomparable threat. Over the last decade, the substantial proliferation of crypto-ransomware has had widespread consequences for consumers and organisations alike. Established preventive measures perform well, however, the problem has not ceased. Reverse engineering potentially malicious software is a cumbersome task due to platform eccentricities and obfuscated transmutation mechanisms, hence requiring smarter, more efficient detection strategies. The following manuscript presents a novel approach for the classification of cryptographic primitives in compiled binary executables using deep learning. The model blueprint, a Dynamic Convolutional Neural Network (DCNN), is fittingly configured to learn from variable-length control flow diagnostics output from a dynamic trace. To rival the size and variability of equivalent datasets, and to adequately train our model without risking adverse exposure, a methodology for the procedural generation of synthetic cryptographic binaries is defined, using core primitives from OpenSSL with multivariate obfuscation, to draw a vastly scalable distribution. The library, CryptoKnight, rendered an algorithmic pool of AES, RC4, Blowfish, MD5 and RSA to synthesise combinable variants which automatically fed into its core model. 
Converging at 96% accuracy, CryptoKnight was successfully able to classify the sample pool with minimal loss and correctly identified the algorithm in a real-world crypto-ransomware application.<\/jats:p>","DOI":"10.3390\/info9090231","type":"journal-article","created":{"date-parts":[[2018,9,10]],"date-time":"2018-09-10T10:28:57Z","timestamp":1536575337000},"page":"231","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["CryptoKnight: Generating and Modelling Compiled Cryptographic Primitives"],"prefix":"10.3390","volume":"9","author":[{"given":"Gregory","family":"Hill","sequence":"first","affiliation":[{"name":"School of Informatics, The University of Edinburgh, Edinburgh EH8 9YL, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1849-5788","authenticated-orcid":false,"given":"Xavier","family":"Bellekens","sequence":"additional","affiliation":[{"name":"Division of Cyber Security, Abertay University, Dundee DD1 1HG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2018,9,10]]},"reference":[{"key":"ref_1","unstructured":"Young, A., and Yung, M. (1996, January 6\u20138). Cryptovirology: Extortion-based security threats and countermeasures. Proceedings of the 1996 IEEE Symposium on Security and Privacy, Oakland, CA, USA."},{"key":"ref_2","unstructured":"Snow, J. (2018, September 10). CryptXXX Ransomware, 2016. Available online: https:\/\/blog.kaspersky.com\/cryptxxx-ransomware\/11939\/."},{"key":"ref_3","unstructured":"Chiu, A. (2018, September 07). Player 3 Has Entered the Game: Say Hello to \u2018WannaCry\u2019. Available online: https:\/\/www.cybrary.it\/channelcontent\/player-3-has-entered-the-game-say-hello-to-wannacry\/."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., and Kirda, E. (2015). 
Cutting the gordian knot: A look under the hood of ransomware attacks. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Springer.","DOI":"10.1007\/978-3-319-20550-2_1"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Scaife, N., Carter, H., Traynor, P., and Butler, K.R. (2016, January 27\u201330). Cryptolock (and drop it): Stopping ransomware attacks on user data. Proceedings of the 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), Nara, Japan.","DOI":"10.1109\/ICDCS.2016.46"},{"key":"ref_6","unstructured":"Deane-McKenna, C. (2018, September 10). NHS Ransomware Cyber-Attack was Preventable; The Conversation, 13 May 2017. Available online: https:\/\/theconversation.com\/nhs-ransomware-cyber-attack-was-preventable-77674."},{"key":"ref_7","unstructured":"Beek, C. (2016). McAfee Labs Threats Report, Intel Security."},{"key":"ref_8","unstructured":"Lutz, N. (2008). Towards Revealing Attackers\u2019 Intent by Automatically Decrypting Network Traffic. [Master\u2019s Thesis, ETH Z\u00fcrich]. (A joint project between the ETH Zurich and Google, Inc.)."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Gr\u00f6bert, F., Willems, C., and Holz, T. (2011, January 20\u201321). Automated Identification of Cryptographic Primitives in Binary Programs. Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011), Menlo Park, CA, USA.","DOI":"10.1007\/978-3-642-23644-0_3"},{"key":"ref_10","unstructured":"IBM (2018, September 07). Bucbi Ransomware. Available online: https:\/\/exchange.xforce.ibmcloud.com\/collection\/Bucbi-Ransomware-16eef23d3b7ea484ed69ecd78b6c1232."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Lestringant, P., Guih\u00e9ry, F., and Fouque, P.A. (2015, January 14\u201317). Automated Identification of Cryptographic Primitives in Binary Code with Data Flow Graph Isomorphism. 
Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, Singapore.","DOI":"10.1145\/2714576.2714639"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., and Kirda, E. (2007, January 10\u201314). Limits of static analysis for malware detection. Proceedings of the Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, USA.","DOI":"10.1109\/ACSAC.2007.21"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1145\/1065010.1065034","article-title":"Pin: Building customized program analysis tools with dynamic instrumentation","volume":"Volume 40","author":"Luk","year":"2005","journal-title":"Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Xu, D., Ming, J., and Wu, D. (2017, January 22\u201326). Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA.","DOI":"10.1109\/SP.2017.56"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1109\/TDSC.2012.83","article-title":"CipherXRay: Exposing cryptographic operations and transient secrets from monitored binary execution","volume":"11","author":"Li","year":"2014","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"436","DOI":"10.1038\/nature14539","article-title":"Deep learning","volume":"521","author":"LeCun","year":"2015","journal-title":"Nature"},{"key":"ref_17","unstructured":"LeCun, Y. (1989). Generalization and network design strategies. Connectionism in Perspective, Elsevier."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"LeCun, Y., Kavukcuoglu, K., and Farabet, C. (June, January 30). Convolutional networks and applications in vision. 
Proceedings of the 2010 IEEE International Symposium on Circuits and Systems (ISCAS), Paris, France.","DOI":"10.1109\/ISCAS.2010.5537907"},{"key":"ref_19","unstructured":"Hu, B., Lu, Z., Li, H., and Chen, Q. (2014). Convolutional neural network architectures for matching natural language sentences. Advances in Neural Information Processing Systems, Curran Associates, Inc."},{"key":"ref_20","unstructured":"Pearl, J. (1984). Heuristics: Intelligent Search Strategies for Computer Problem Solving."},{"key":"ref_21","unstructured":"Gr\u00f6bert, F. (2010, January 27\u201330). Automatic Identification of Cryptographic Primitives in Software. Proceedings of the 27th Chaos Communication Congress, Berlin, Germany."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Matenaar, F., Wichmann, A., Leder, F., and Gerhards-Padilla, E. (2012, January 16\u201318). CIS: The Crypto Intelligence System for Automatic Detection and Localization of Cryptographic Functions in Current Malware. Proceedings of the 2012 7th International Conference on Malicious and Unwanted Software, Fajardo, PR, USA.","DOI":"10.1109\/MALWARE.2012.6461007"},{"key":"ref_23","unstructured":"Zhang, P., Wu, J., Wang, X., and Wu, Z. (2014, January 7\u20139). Decrypted data detection algorithm based on dynamic dataflow analysis. Proceedings of the 2014 International Conference on Computer, Information and Telecommunication Systems (CITS), Jeju, Korea."},{"key":"ref_24","unstructured":"Lai, X., Zhou, J., and Li, H. (2011, January 26\u201329). Detection and Analysis of Cryptographic Data Inside Software. Proceedings of the 14th International Conference on Information Security, Xi\u2019an, China."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Calvet, J., Fernandez, J.M., and Marion, J.Y. (2012, January 16\u201318). Aligot: Cryptographic function identification in obfuscated binary programs. 
Proceedings of the 2012 ACM Conference on Computer and Communications Security, Raleigh, NC, USA.","DOI":"10.1145\/2382196.2382217"},{"key":"ref_26","unstructured":"Hosfelt, D.D. (arXiv, 2015). Automated detection and classification of cryptographic algorithms in binary programs through machine learning, arXiv."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Baldwin, J., and Dehghantanha, A. (2018). Leveraging support vector machine for opcode density based detection of crypto-ransomware. Cyber Threat Intelligence, Springer.","DOI":"10.1007\/978-3-319-73951-9_6"},{"key":"ref_28","unstructured":"Sgandurra, D., Mu\u00f1oz-Gonz\u00e1lez, L., Mohsen, R., and Lupu, E.C. (arXiv, 2016). Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection, arXiv."},{"key":"ref_29","unstructured":"Drape, S. (2009, January 17\u201319). Intellectual Property Protection using Obfuscation. Proceedings of the 2009 IEEE Sensors Applications Symposium, New Orleans, LA, USA."},{"key":"ref_30","unstructured":"Tubella, J., and Gonzalez, A. (1998, January 1\u20134). Control speculation in multithreaded processors through dynamic loop detection. Proceedings of the 1998 Fourth International Symposium on High-Performance Computer Architecture, Las Vegas, NV, USA."},{"key":"ref_31","unstructured":"Moseley, T., Grunwald, D., Connors, D.A., Ramanujam, R., Tovinkere, V., and Peri, R. (2006, January 21\u201325). Loopprof: Dynamic techniques for loop detection and profiling. Proceedings of the 2006 Workshop on Binary Instrumentation and Applications (WBIA), San Jose, CA, USA."},{"key":"ref_32","unstructured":"R\u00e9nyi, A. (July, January 20). On measures of entropy and information. Proceedings of the Fourth Berkeley Symposium on Mathematical Statistics and Probability, Berkeley, CA, USA."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Kalchbrenner, N., Grefenstette, E., and Blunsom, P. (arXiv, 2014). 
A Convolutional Neural Network for Modelling Sentences, arXiv.","DOI":"10.3115\/v1\/P14-1062"},{"key":"ref_34","first-page":"281","article-title":"Random search for hyper-parameter optimization","volume":"13","author":"Bergstra","year":"2012","journal-title":"J. Mach. Learn. Res."},{"key":"ref_35","unstructured":"Hinton, G.E., Srivastava, N., Krizhevsky, A., Sutskever, I., and Salakhutdinov, R.R. (arXiv, 2012). Improving neural networks by preventing co-adaptation of feature detectors, arXiv."},{"key":"ref_36","unstructured":"Marinho, T. (2018, September 07). GonnaCry. Available online: https:\/\/github.com\/tarcisio-marinho\/GonnaCry."},{"key":"ref_37","unstructured":"Akdemir, K., Dixon, M., Feghali, W., Fay, P., Gopal, V., Guilford, J., Ozturk, E., Wolrich, G., and Zohar, R. (June 2010). Breakthrough AES Performance with Intel AES New Instructions, Intel Corporation. White Paper."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/9\/9\/231\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T15:19:43Z","timestamp":1760195983000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/9\/9\/231"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,9,10]]},"references-count":37,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2018,9]]}},"alternative-id":["info9090231"],"URL":"https:\/\/doi.org\/10.3390\/info9090231","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,9,10]]}}}