HARD-Lite: A Lightweight Hardware Anomaly Realtime Detection Framework Targeting Ransomware

Title: HARD-Lite: A Lightweight Hardware Anomaly Realtime Detection Framework Targeting Ransomware
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Woralert, Chutitep; Liu, Chen; Blasingame, Zander
Conference Name: 2022 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)
Keywords: anomaly detection, Behavioral sciences, composability, Hardware, Metrics, Performance Monitoring Counters, pubcrawl, ransomware, resilience, Resiliency, security, semi-supervised learning, Servers, Surge protection, Time series analysis
Abstract: Recent years have witnessed a surge in ransomware attacks. Especially, many a new variant of ransomware has continued to emerge, employing more advanced techniques distributing the payload while avoiding detection. This renders the traditional static ransomware detection mechanism ineffective. In this paper, we present our Hardware Anomaly Realtime Detection - Lightweight (HARD-Lite) framework that employs a semi-supervised machine learning method to detect ransomware using low-level hardware information. By using an LSTM network with a weighted majority voting ensemble and exponential moving average, we are able to take into consideration the temporal aspect of hardware-level information formed as time series in order to detect deviation in system behavior, thereby increasing the detection accuracy whilst reducing the number of false positives. Testing against various ransomware across multiple families, HARD-Lite has demonstrated remarkable effectiveness, detecting all cases tested successfully. What's more, with a hierarchical design that distributes the classifier from the user machine that is under monitoring to a server machine, HARD-Lite enables good scalability as well.
DOI: 10.1109/AsianHOST56390.2022.10022111
Citation Key: woralert_hard-lite_2022