Among the many prevalent malware families, crypto-ransomware poses a significant threat: it denies victims access to their documents by encrypting them without authorization, holds the documents hostage, and extorts payment, resulting in millions of dollars of losses worldwide every year. Ransomware variants are growing in number and are able to evade many anti-virus products and software-only malware detection schemes that rely on static execution signatures. In this paper, we propose a hardware-assisted scheme, called RanStop, for early detection of crypto-ransomware infection on commodity processors. RanStop leverages the hardware performance counters (HPCs) embedded in the performance monitoring unit of modern processors to observe sets of micro-architectural events and detect both known and unknown crypto-ransomware variants. We train a recurrent neural network based on the long short-term memory (LSTM) model to analyze the micro-architectural events recorded in the hardware domain while executing multiple ransomware variants as well as benign programs. From the readings of related HPCs we build time series and derive intrinsic statistical features, and we improve RanStop's detection accuracy and reduce noise via LSTM and global average pooling. As an early detection scheme, RanStop can accurately and quickly identify ransomware within 2ms of the start of program execution by analyzing HPC information collected at 20 timestamps 100us apart. This detection time is too early for ransomware to do any significant damage, if any at all. Moreover, validation against benign programs whose behavior (at the sub-routine level) resembles that of crypto-ransomware shows that RanStop detects ransomware with an average accuracy of 97% over fifty random trials.
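The abstract describes a 2 ms decision window made of 20 HPC readings 100 us apart, per-step features derived from related counters, and global average pooling over the time axis. The following is an added illustration of that data-shaping pipeline, not code from the paper or the RanStop project: the counter names, the assumption that counters are read cumulatively and differenced, the ratio features, and the sample trace are all constructed here, and the LSTM classifier itself is out of scope.

```python
"""Added example (not from the paper): shaping HPC samples into the kind of
2 ms window the abstract describes (20 samples, 100 us apart), deriving
simple per-step features from related counters, and applying global
average pooling over the time axis.  Counter names, the cumulative-reading
assumption and the sample trace are all constructed for illustration."""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

SAMPLE_PERIOD_US = 100   # one HPC read every 100 us (from the abstract)
WINDOW_LEN = 20          # 20 reads -> 2 ms decision window (from the abstract)
# Assumed counter names; the paper's actual event set is not given in the abstract.
COUNTERS = ("instructions", "cache_misses", "branch_misses")

Sample = Tuple[int, Dict[str, int]]     # (timestamp_us, cumulative counter values)
Delta = Tuple[int, Dict[str, int]]      # (end_timestamp_us, per-interval increments)
FeatureRow = Dict[str, float]


def constructed_trace(n_samples: int = 26) -> List[Sample]:
    """Deterministic, constructed stand-in for a real HPC trace (cumulative reads)."""
    trace: List[Sample] = []
    for i in range(n_samples):
        trace.append((i * SAMPLE_PERIOD_US, {
            "instructions": 5000 * i,                   # steady 5000 per interval
            "cache_misses": 100 * i + 5 * i * (i + 1),  # per-interval increment is 100 + 10*i
            "branch_misses": 30 * i,                    # steady 30 per interval
        }))
    return trace


def interval_deltas(trace: Sequence[Sample]) -> List[Delta]:
    """Cumulative counters -> per-interval increments, keyed by the interval's end time."""
    out: List[Delta] = []
    for (_, c0), (t1, c1) in zip(trace, trace[1:]):
        out.append((t1, {k: c1[k] - c0[k] for k in COUNTERS}))
    return out


def first_window(trace: Sequence[Sample], n: int = WINDOW_LEN,
                 period_us: int = SAMPLE_PERIOD_US, tol_us: int = 10) -> List[Dict[str, int]]:
    """The earliest n intervals after program start, checked for the expected sampling period."""
    deltas = interval_deltas(trace)
    if len(deltas) < n:
        raise ValueError(f"need {n} intervals, have {len(deltas)}")
    window = deltas[:n]
    times = [trace[0][0]] + [t for t, _ in window]
    for a, b in zip(times, times[1:]):
        if abs((b - a) - period_us) > tol_us:
            raise ValueError(f"irregular sampling gap of {b - a} us between {a} and {b}")
    return [d for _, d in window]


def step_features(delta: Dict[str, int]) -> FeatureRow:
    """Raw increments plus ratios tying related counters together (assumed feature design)."""
    feats = {k: float(v) for k, v in delta.items()}
    instr = max(delta["instructions"], 1)   # guard an interval with zero retired instructions
    feats["cache_misses_per_instr"] = delta["cache_misses"] / instr
    feats["branch_misses_per_instr"] = delta["branch_misses"] / instr
    return feats


def window_features(trace: Sequence[Sample]) -> List[FeatureRow]:
    """One feature row per time step: the (20 x F) input a sequence model would consume."""
    return [step_features(d) for d in first_window(trace)]


def global_average_pool(rows: Sequence[FeatureRow]) -> FeatureRow:
    """Collapse the time axis by averaging each feature over all steps."""
    return {k: mean(r[k] for r in rows) for k in rows[0]}


def window_std(rows: Sequence[FeatureRow]) -> FeatureRow:
    """Per-feature spread across the window, a simple intrinsic statistic of the series."""
    return {k: pstdev([r[k] for r in rows]) for k in rows[0]}


if __name__ == "__main__":
    rows = window_features(constructed_trace())
    print(len(rows), "steps x", len(rows[0]), "features")
    print("pooled:", global_average_pool(rows))
    print("std:", window_std(rows))
```

Running the block prints the window shape (20 steps by 5 features) followed by the pooled and per-feature standard deviation vectors; a trace with fewer than 20 intervals or with an irregular sampling gap is rejected rather than silently producing a short window.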