Mohan Anand Putrevu
Sandeep Kumar Shukla
ABSTRACT
Modern-day ransomware variants are quick in their operations and start to encrypt the files within a few seconds after the initial payload execution. This poses an exigency towards early detection of ransomware payloads. Although there are multiple methods of ransomware detection based on API calls, file entropy, memory forensics, and network indicators – fast and early detection is hard to achieve through these methods. Hardware performance counters (HPC) are special-purpose registers built into current microprocessors that allow for low-level system performance analysis. Although HPC counters provide significant information for identifying ransomware behavior at the hardware level, the difficulty lies in deciding the optimal HPC features required for early detection and the time granularity at which these features are to be collected. In this work, we address this research gap by examining the HPC counters statistics gathered for every 100ms, 500ms, and five seconds to recommend the most effective time frame and the appropriate HPC registers for early detection of ransomware. According to our findings, capturing only 5 HPC registers per 100ms until 3 seconds of payload execution delivers the best results with the AdaBoost classifier, with an accuracy above 90%. Furthermore, we validate our model against recent wiper malware variants (used against organizations in Ukraine). We highlight behavioral patterns of ransomware and wiper malware based on HPC statistics and the challenges in identifying wiper payload behavior using an HPC-based approach.
- Manaar Alam, Sayan Sinha, Sarani Bhattacharya, Swastika Dutta, Debdeep Mukhopadhyay, and Anupam Chattopadhyay. 2020. Rapper: Ransomware prevention via performance counters. arXiv preprint arXiv:2004.01712(2020).Google Scholar
- Omar MK Alhawi, James Baldwin, and Ali Dehghantanha. 2018. Leveraging machine learning techniques for windows ransomware network traffic detection. In Cyber threat intelligence. Springer, 93–106.Google Scholar
- Ahmad O Almashhadani, Mustafa Kaiiali, Sakir Sezer, and Philip O’Kane. 2019. A multi-classifier network-based crypto ransomware detection system: A case study of locky ransomware. IEEE access 7(2019), 47053–47067.Google Scholar
- P Mohan Anand, PV Sai Charan, and Sandeep K Shukla. 2022. A Comprehensive API Call Analysis for Detecting Windows-Based Ransomware. In 2022 IEEE International Conference on Cyber Security and Resilience (CSR). IEEE, 337–344.Google ScholarCross Ref
- P Mohan Anand, T Gireesh Kumar, and PV Sai Charan. 2020. An ensemble approach for algorithmically generated domain name detection using statistical and lexical analysis. Procedia Computer Science 171 (2020), 1129–1136.Google ScholarCross Ref
- Mohammad Bagher Bahador, Mahdi Abadi, and Asghar Tajoddin. 2014. HPCMalHunter: Behavioral malware detection using hardware performance counters and singular value decomposition. In 2014 4th International Conference on Computer and Knowledge Engineering (ICCKE). IEEE, 703–708.Google ScholarCross Ref
- Mohammad Bagher Bahador, Mahdi Abadi, and Asghar Tajoddin. 2019. HLMD: a signature-based approach to hardware-level behavioral malware detection and classification. The Journal of Supercomputing 75, 8 (2019), 5551–5582.Google ScholarDigital Library
- Brendan Gregg. 2020. perf Examples. https://www.brendangregg.com/perf.htmlGoogle Scholar
- PV Charan, Sandeep K Shukla, and P Mohan Anand. 2020. Detecting Word Based DGA Domains Using Ensemble Models. In International Conference on Cryptology and Network Security. Springer, 127–143.Google Scholar
- Zhi-Guo Chen, Ho-Seok Kang, Shang-Nan Yin, and Sung-Ryul Kim. 2017. Automatic ransomware detection and analysis based on dynamic API calls flow graph. In Proceedings of the International Conference on Research in Adaptive and Convergent Systems. 196–201.Google ScholarDigital Library
- Nikolai Hampton, Zubair Baig, and Sherali Zeadally. 2018. Ransomware behavioural analysis on windows platforms. Journal of information security and applications 40 (2018), 44–51.Google ScholarCross Ref
- Sangmoon Jung and Yoojae Won. 2018. Ransomware detection method based on context-aware entropy analysis. Soft Computing 22, 20 (2018), 6731–6740.Google ScholarDigital Library
- Sai Praveen Kadiyala, Pranav Jadhav, Siew-Kei Lam, and Thambipillai Srikanthan. 2020. Hardware performance counter-based fine-grained malware detection. ACM Transactions on Embedded Computing Systems (TECS) 19, 5(2020), 1–17.Google ScholarDigital Library
- SH Kok, Azween Abdullah, NZ Jhanjhi, and Mahadevan Supramaniam. 2019. Prevention of crypto-ransomware using a pre-encryption detection algorithm. Computers 8, 4 (2019), 79.Google ScholarCross Ref
- SH Kok, A Azween, and NZ Jhanjhi. 2020. Evaluation metric for crypto-ransomware detection using machine learning. Journal of Information Security and Applications 55 (2020), 102646.Google ScholarCross Ref
- Miron B Kursa and Witold R Rudnicki. 2010. Feature selection with the Boruta package. Journal of statistical software 36 (2010), 1–13.Google ScholarCross Ref
- Abraham Peedikayil Kuruvila, Shamik Kundu, and Kanad Basu. 2020. Analyzing the efficiency of machine learning classifiers in hardware-based malware detectors. In 2020 IEEE Computer Society Annual Symposium on VLSI (ISVLSI). IEEE, 452–457.Google ScholarCross Ref
- Malware Bazaar. 2022. bazaar.abuse.ch. https://bazaar.abuse.ch/Google Scholar
- Gaddisa Olani, Chun-Feng Wu, Yuan-Hao Chang, and Wei-Kuan Shih. 2022. Deepware: Imaging performance counters with deep learning to detect ransomware. IEEE Trans. Comput. (2022).Google Scholar
- pandamedicenter. 2022. 73 Ransomware Statistics Vital for Security in 2022. https://www.pandasecurity.com/en/mediacenter/security/ransomware-statistics/Google Scholar
- Nisarg Patel, Avesta Sasan, and Houman Homayoun. 2017. Analyzing hardware based malware detectors. In 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC). IEEE, 1–6.Google ScholarDigital Library
- Nitin Pundir, Mark Tehranipoor, and Fahim Rahman. 2020. RanStop: A Hardware-assisted Runtime Crypto-Ransomware Detection Technique. arXiv preprint arXiv:2011.12248(2020).Google Scholar
- Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, and Emil C Lupu. 2016. Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020(2016).Google Scholar
- SOC Radar. 2022. Lockbit 3.0: Another Upgrade to World’s Most Active Ransomware. https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/Google Scholar
- Software Informer. 2022. Software Informer Website to download benign application. https://software.informer.com/Google Scholar
- R Vinayakumar, KP Soman, KK Senthil Velan, and Shaunak Ganorkar. 2017. Evaluating shallow and deep networks for ransomware detection and classification. In 2017 international conference on advances in computing, communications and informatics (ICACCI). IEEE, 259–265.Google ScholarCross Ref
Index Terms
- Early Detection of Ransomware Activity based on Hardware Performance Counters
Recommendations
HiPeR - Early Detection of a Ransomware Attack using Hardware Performance Counters
Ransomware has been one of the most prevalent forms of malware over the previous decade, and it continues to be one of the most significant threats today. Recently, ransomware strategies such as double extortion and rapid encryption have encouraged ...
Machine Learning-Based Detection of Ransomware Using SDN
SDN-NFV Sec'18: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function VirtualizationThe growth of malware poses a major threat to internet users, governments, and businesses around the world. One of the major types of malware, ransomware, encrypts a user's sensitive information and only returns the original files to the user after a ...
Ransomware early detection: A survey
AbstractIn recent years, ransomware attacks have exploded globally, and it has become one of the most significant cyber threats to digital infrastructure. Such attacks have been targeting ranging from individuals to critical infrastructure or large ...
Comments