CNN2D Algorithm for Detection of Ransomware Attacks Using Processor and Disk Usage Data
Abstract
Commonly, ransomware encrypts data, disables antivirus protection, and cripples the target computer and everything on it. Current techniques for detecting this kind of ransomware monitor the files, system calls, and processes on the targeted system and analyse the collected data. Monitoring numerous processes carries substantial overhead, and more recent ransomware may interfere with the monitoring and alter the collected data. This study presents a dependable and practical technique for locating ransomware running inside a virtual machine (VM). We construct a detection framework by applying automated machine learning (ML) evaluation to the whole VM, using data collected on the physical host about specific processor and disk I/O events. This approach eliminates the need to continuously watch every action on the targeted system and reduces the likelihood that ransomware can tamper with the collected data. It is also robust to changes in user workload. It provides fast and highly probable detection of known ransomware (used to train the ML model) as well as unknown ransomware (not used to train the model). Of the seven classifiers we evaluated, the random forest (RF) classifier gave the best results. Across six different user workloads and 22 ransomware samples, the RF model detected ransomware with 0.98 confidence within 400 milliseconds.
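An added, self-contained sketch of the host-side pipeline the abstract describes (not the authors' code or data): constructed per-VM telemetry samples (instructions retired, bytes read, bytes written) are grouped into 400 ms windows, turned into features, and classified by a bootstrapped ensemble of single-split stumps that stands in for the paper's random forest. All function names, the three features, and the telemetry values are assumptions for illustration.

```python
import random

WINDOW_MS = 400  # detection window length used in the abstract
FEATURES = ("instr_rate", "write_rate", "write_ratio")

def window_features(samples):
    """Group (t_ms, instructions, bytes_read, bytes_written) samples into 400 ms windows."""
    windows = {}
    for t_ms, instr, rd, wr in samples:
        windows.setdefault(t_ms // WINDOW_MS, []).append((instr, rd, wr))
    feats = []
    for _, rows in sorted(windows.items()):
        instr, rd, wr = (sum(r[i] for r in rows) for i in range(3))
        feats.append({"instr_rate": instr / WINDOW_MS,          # CPU pressure
                      "write_rate": wr / WINDOW_MS,             # disk write throughput
                      "write_ratio": wr / (rd + wr + 1)})       # write-heavy I/O mix
    return feats

def synth_samples(rng, ransomware, n_windows):
    """Constructed 100 ms host telemetry: encryption shows high CPU and write-dominated I/O."""
    out = []
    for t in range(0, n_windows * WINDOW_MS, 100):
        if ransomware:
            out.append((t, rng.randint(80, 120) * 10**6, rng.randint(0, 20) * 10**5, rng.randint(50, 90) * 10**5))
        else:
            out.append((t, rng.randint(10, 60) * 10**6, rng.randint(20, 60) * 10**5, rng.randint(0, 30) * 10**5))
    return out

def build_dataset(rng, n_windows):
    X, y = [], []
    for label in (0, 1):
        X += window_features(synth_samples(rng, bool(label), n_windows))
        y += [label] * n_windows
    return X, y

def fit_stump(X, y, feature):
    """Pick the threshold on one feature that best separates benign (0) from ransomware (1)."""
    vals = sorted({x[feature] for x in X})
    best_acc, best_thr = 0.0, vals[0]
    for a, b in zip(vals, vals[1:]):
        thr = (a + b) / 2
        acc = sum((x[feature] > thr) == bool(lab) for x, lab in zip(X, y)) / len(X)
        if acc > best_acc:
            best_acc, best_thr = acc, thr
    return feature, best_thr

def fit_forest(X, y, n_trees=15, seed=1):
    """Simplified forest: each tree is a stump on a random feature over a bootstrap sample."""
    rng, forest = random.Random(seed), []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in X]
        forest.append(fit_stump([X[i] for i in idx], [y[i] for i in idx], rng.choice(FEATURES)))
    return forest

def predict(forest, x):
    return sum(x[f] > thr for f, thr in forest) * 2 > len(forest)   # majority vote

def evaluate(seed=7, n_train=12, n_test=6):
    """Train on one constructed set, return accuracy on a held-out set."""
    rng = random.Random(seed)
    forest = fit_forest(*build_dataset(rng, n_train), seed=seed)
    X_te, y_te = build_dataset(rng, n_test)
    return sum(predict(forest, x) == bool(lab) for x, lab in zip(X_te, y_te)) / len(X_te)
```

The constructed classes are deliberately separable, so this shows the mechanics (host-side windowing, feature derivation, ensemble voting) rather than the paper's measured 0.98 confidence.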
Article Details
This work is licensed under a Creative Commons Attribution 4.0 International License.
You are free to:
- Share — copy and redistribute the material in any medium or format for any purpose, even commercially.
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
- The licensor cannot revoke these freedoms as long as you follow the license terms.
Under the following terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
Notices:
You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.
No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.