Rapid Ransomware Detection through Side Channel Exploitation

Title: Rapid Ransomware Detection through Side Channel Exploitation
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Taylor, Michael A., Larson, Eric C., Thornton, Mitchell A.
Conference Name: 2021 IEEE International Conference on Cyber Security and Resilience (CSR)
Keywords: composability, Encryption, machine learning, machine learning algorithms, Metrics, Physical Sensor, Predictive models, pubcrawl, ransomware, ransomware detection, Resiliency, Sensor phenomena and characterization, Sensor systems, Side channel, Training, Training data
Abstract: A new method for the detection of ransomware in an infected host is described and evaluated. The method utilizes data streams from on-board sensors to fingerprint the initiation of a ransomware infection. These sensor streams, which are common in modern computing systems, are used as a side channel for understanding the state of the system. It is shown that ransomware detection can be achieved in a rapid manner and that the use of slight, yet distinguishable changes in the physical state of a system, as derived from a machine learning predictive model, is an effective technique. A feature vector, consisting of various sensor outputs, is coupled with a detection criterion to predict the binary state of ransomware present versus normal operation. An advantage of this approach is that previously unknown or zero-day versions of ransomware are vulnerable to this detection method, since no a priori knowledge of the malware characteristics is required. Experiments are carried out with a variety of different system loads and with different encryption methods used during a ransomware attack. Two test systems were utilized, one having a relatively low amount of available sensor data and the other having a relatively high amount of available sensor data. The average time for attack detection in the "sensor-rich" system was 7.79 seconds with an average Matthews correlation coefficient of 0.8905 for binary system state predictions regardless of encryption method and system load. The model flagged all attacks tested.
DOI: 10.1109/CSR51186.2021.9527943
Citation Key: taylor_rapid_2021