On the Generalizability of Machine Learning-based Ransomware Detection in Block Storage

• URL: http://arxiv.org/abs/2412.21084v1
• Date: Mon, 30 Dec 2024 17:02:37 GMT
• Title: On the Generalizability of Machine Learning-based Ransomware Detection in Block Storage
• Authors: Nicolas Reategui, Roman Pletka, Dionysios Diamantopoulos,
• Abstract summary: We propose a kernel-based framework capable of efficiently extracting and analyzing IO operations to identify ransomware activity. Our method employs a refined set of computationally light features optimized for ML models to accurately discern malicious from benign activities. Empirical validation reveals that our decision tree-based models achieve remarkable effectiveness.
• Score: 0.0
• License:
• Abstract: Ransomware represents a pervasive threat, traditionally countered at the operating system, file-system, or network levels. However, these approaches often introduce significant overhead and remain susceptible to circumvention by attackers. Recent research activity started looking into the detection of ransomware by observing block IO operations. However, this approach exhibits significant detection challenges. Recognizing these limitations, our research pivots towards enabling robust ransomware detection in storage systems keeping in mind their limited computational resources available. To perform our studies, we propose a kernel-based framework capable of efficiently extracting and analyzing IO operations to identify ransomware activity. The framework can be adopted to storage systems using computational storage devices to improve security and fully hide detection overheads. Our method employs a refined set of computationally light features optimized for ML models to accurately discern malicious from benign activities. Using this lightweight approach, we study a wide range of generalizability aspects and analyze the performance of these models across a large space of setups and configurations covering a wide range of realistic real-world scenarios. We reveal various trade-offs and provide strong arguments for the generalizability of storage-based detection of ransomware and show that our approach outperforms currently available ML-based ransomware detection in storage. Empirical validation reveals that our decision tree-based models achieve remarkable effectiveness, evidenced by higher median F1 scores of up to 12.8%, lower false negative rates of up to 10.9% and particularly decreased false positive rates of up to 17.1% compared to existing storage-based detection approaches.

Related papers

• Decentralized Entropy-Driven Ransomware Detection Using Autonomous Neural Graph Embeddings [0.0]
  The framework operates on a distributed network of nodes, eliminating single points of failure and enhancing resilience against targeted attacks. The integration of graph-based modeling and machine learning techniques enables the framework to capture complex system interactions. Case studies validate its effectiveness in real-world scenarios, showcasing its ability to detect and mitigate ransomware attacks within minutes of their initiation.
  arXiv  Detail & Related papers  (2025-02-11T11:59:10Z)
• Efficient Denial of Service Attack Detection in IoT using Kolmogorov-Arnold Networks [22.036794530902608]
  This paper introduces a novel lightweight approach to DoS attack detection based on Kolmogorov-Arnold Networks (KANs) KAN achieves state-of-the-art detection performance while maintaining minimal resource requirements. Compared to existing solutions, KAN reduces memory requirements by up to 98% while maintaining competitive detection rates.
  arXiv  Detail & Related papers  (2025-02-03T21:19:46Z)
• Unveiling Zero-Space Detection: A Novel Framework for Autonomous Ransomware Identification in High-Velocity Environments [0.0]
  The proposed Zero-Space Detection framework identifies latent behavioral patterns through unsupervised clustering and advanced deep learning techniques. It operates effectively in high-velocity environments by integrating multi-phase filtering and ensemble learning for refined decision-making. Experimental evaluation reveals high detection rates across diverse ransomware families, including LockBit, Conti, REvil, and BlackMatter.
  arXiv  Detail & Related papers  (2025-01-22T11:41:44Z)
• A Sysmon Incremental Learning System for Ransomware Analysis and Detection [1.495391051525033]
  In the face of increasing cyber threats, particularly ransomware attacks, there is a pressing need for advanced detection and analysis systems. Most of these proposals leverage non-incremental learning approaches that require the underlying models to be updated from scratch to detect new ransomware. This approach is problematic because it leaves sensitive data vulnerable to attack during retraining, as newly emerging ransomware strains may go undetected until the model is updated. We present the Sysmon Incremental Learning System for Analysis and Detection (SILRAD), which enables continuous updates to the underlying model and effectively closes the training gap.
  arXiv  Detail & Related papers  (2025-01-02T06:22:58Z)
• Ransomware Detection and Classification Using Random Forest: A Case Study with the UGRansome2024 Dataset [0.0]
  We introduce UGRansome2024, an optimised dataset for ransomware detection in network traffic. This dataset is derived from the UGRansome data using an intuitionistic feature engineering approach. The study presents an analysis of ransomware detection using the UGRansome2024 dataset and the Random Forest algorithm.
  arXiv  Detail & Related papers  (2024-04-19T12:50:03Z)
• Model X-ray:Detecting Backdoored Models via Decision Boundary [62.675297418960355]
  Backdoor attacks pose a significant security vulnerability for deep neural networks (DNNs) We propose Model X-ray, a novel backdoor detection approach based on the analysis of illustrated two-dimensional (2D) decision boundaries. Our approach includes two strategies focused on the decision areas dominated by clean samples and the concentration of label distribution.
  arXiv  Detail & Related papers  (2024-02-27T12:42:07Z)
• DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
  We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection. Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables. We are the first to offer certified robustness in the realm of static detection of malware executables.
  arXiv  Detail & Related papers  (2023-03-20T17:25:22Z)
• Detection of Adversarial Supports in Few-shot Classifiers Using Feature Preserving Autoencoders and Self-Similarity [89.26308254637702]
  We propose a detection strategy to highlight adversarial support sets. We make use of feature preserving autoencoder filtering and also the concept of self-similarity of a support set to perform this detection. Our method is attack-agnostic and also the first to explore detection for few-shot classifiers to the best of our knowledge.
  arXiv  Detail & Related papers  (2020-12-09T14:13:41Z)
• Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
  adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes. We develop a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks. These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
  arXiv  Detail & Related papers  (2020-08-17T07:16:57Z)
• Bayesian Optimization with Machine Learning Algorithms Towards Anomaly Detection [66.05992706105224]
  In this paper, an effective anomaly detection framework is proposed utilizing Bayesian Optimization technique. The performance of the considered algorithms is evaluated using the ISCX 2012 dataset. Experimental results show the effectiveness of the proposed framework in term of accuracy rate, precision, low-false alarm rate, and recall.
  arXiv  Detail & Related papers  (2020-08-05T19:29:35Z)
• AutoOD: Automated Outlier Detection via Curiosity-guided Search and Self-imitation Learning [72.99415402575886]
  Outlier detection is an important data mining task with numerous practical applications. We propose AutoOD, an automated outlier detection framework, which aims to search for an optimal neural network model. Experimental results on various real-world benchmark datasets demonstrate that the deep model identified by AutoOD achieves the best performance.
  arXiv  Detail & Related papers  (2020-06-19T18:57:51Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.