Hypervisor-based Double Extortion Ransomware Detection Method Using Kitsune Network Features
- URL: http://arxiv.org/abs/2508.08655v1
- Date: Tue, 12 Aug 2025 05:45:05 GMT
- Title: Hypervisor-based Double Extortion Ransomware Detection Method Using Kitsune Network Features
- Authors: Manabu Hirano, Ryotaro Kobayashi
- Abstract summary: This paper presents detailed attack stages, tactics, procedures, and tools used in the double extortion ransomware attacks. We present a novel detection method using low-level storage and memory behavioral features and network traffic features. Our experimental results showed that the presented method improved by 0.166 in the macro F score of the data exfiltration phase detection rate.
- Score: 0.0
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Double extortion ransomware attacks have become mainstream since many organizations adopt more robust and resilient data backup strategies against conventional crypto-ransomware. This paper presents detailed attack stages, tactics, procedures, and tools used in the double extortion ransomware attacks. We then present a novel detection method using low-level storage and memory behavioral features and network traffic features obtained from a thin hypervisor to establish a defense-in-depth strategy for when attackers compromise OS-level protection. We employed the lightweight Kitsune Network Intrusion Detection System (NIDS)'s network feature to detect the data exfiltration phase in double extortion ransomware attacks. Our experimental results showed that the presented method improved by 0.166 in the macro F score of the data exfiltration phase detection rate. Lastly, we discuss the limitations of the presented method and future work.
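The abstract names Kitsune's network features as the signal for the exfiltration phase. The block below is an added illustration, not code from the paper or from the Kitsune project: it reimplements the damped incremental per-stream statistics (weight, mean, standard deviation over several decay factors) that Kitsune's AfterImage feature extractor is described as computing, keyed here only by the src->dst channel, and runs them over a constructed packet trace in which a host's benign chatter is followed by a bulk upload to an external address. The packet tuple layout, the decay set, the 50 kB damped-byte threshold and the fixed-threshold detector are assumptions made for the example; the paper trains a classifier on these features rather than thresholding one of them.

```python
"""Kitsune/AfterImage-style damped incremental statistics over a packet trace.

Added example, not the paper's or Kitsune's own code. Each stream keeps, for
every decay factor lambda, a state (w, LS, SS, t_last); before folding in a
new sample at time t the state is decayed by 2^(-lambda * (t - t_last)), so
the statistics describe a sliding, exponentially weighted window of the
recent traffic without storing any packets.
"""
import math
from collections import defaultdict

# Decay factors per second (assumption: the set Kitsune uses by default).
LAMBDAS = (5.0, 3.0, 1.0, 0.1, 0.01)


class DampedStat:
    """Incremental weight / linear sum / squared sum for one stream and one lambda."""

    def __init__(self, lam):
        self.lam = lam
        self.w = self.ls = self.ss = 0.0
        self.t_last = None

    def update(self, t, v):
        if self.t_last is not None:
            decay = 2.0 ** (-self.lam * max(0.0, t - self.t_last))
            self.w *= decay
            self.ls *= decay
            self.ss *= decay
        self.t_last = t
        self.w += 1.0
        self.ls += v
        self.ss += v * v

    def features(self):
        """Return (weight, mean, std) of the damped window."""
        if self.w == 0.0:
            return (0.0, 0.0, 0.0)
        mean = self.ls / self.w
        var = self.ss / self.w - mean * mean
        return (self.w, mean, math.sqrt(abs(var)))


def extract(packets, lambdas=LAMBDAS):
    """Per packet, return (t, channel, [w, mean, std for each lambda]).

    packets: iterable of (timestamp_seconds, src, dst, size_bytes) tuples
    (assumed layout for this example). Channel = (src, dst).
    """
    stats = defaultdict(lambda: [DampedStat(lam) for lam in lambdas])
    out = []
    for t, src, dst, size in packets:
        key = (src, dst)
        vec = []
        for s in stats[key]:
            s.update(t, float(size))
            vec.extend(s.features())
        out.append((t, key, vec))
    return out


def detect(packets, lam=1.0, threshold=50_000.0):
    """Flag a channel when its damped byte volume (weight * mean size) at decay
    factor lam exceeds threshold. Returns {channel: first alert timestamp}.
    A fixed threshold stands in for the paper's trained classifier."""
    idx = LAMBDAS.index(lam) * 3
    alerts = {}
    for t, key, vec in extract(packets):
        w, mean = vec[idx], vec[idx + 1]
        if key not in alerts and w * mean > threshold:
            alerts[key] = t
    return alerts


def constructed_trace():
    """Constructed trace: 100 s of one 200-byte packet per second to an
    internal host, then 10 s of 1400-byte packets at 100 pps to an external
    address (a bulk upload standing in for the exfiltration phase)."""
    pkts = [(float(i), "10.0.0.5", "10.0.0.1", 200) for i in range(100)]
    pkts += [(100.0 + i / 100.0, "10.0.0.5", "203.0.113.7", 1400)
             for i in range(1000)]
    return pkts


if __name__ == "__main__":
    for channel, t in detect(constructed_trace()).items():
        print(f"alert {channel[0]} -> {channel[1]} at t={t:.2f}s")
```

With these parameters the benign channel never exceeds a few hundred damped bytes, while the upload channel crosses 50 kB about 0.4 s after it starts; the same features, fed to a classifier, are what the abstract refers to as the Kitsune network feature.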
Related papers
- Rhea: Detecting Privilege-Escalated Evasive Ransomware Attacks Using Format-Aware Validation in the Cloud [5.685331823106803]
  Rhea is a cloud-offloaded ransomware defense system that analyzes replicated data snapshots, so-called mutation snapshots. By leveraging file-format specifications as detection invariants, Rhea can reliably identify fine-grained and evasive encryption even under elevated attacker privileges.
  Date: 2026-01-26T07:05:09Z
- Evasive Ransomware Attacks Using Low-level Behavioral Adversarial Examples [0.0]
  This paper introduces the concept of low-level behavioral adversarial examples and its threat model of evasive ransomware. We formulate the method and the threat model to generate the optimal source code of evasive malware. We then examine the method using the leaked source code of Conti ransomware with the micro-behavior control function.
  Date: 2025-08-12T05:45:28Z
- SHIELD: Secure Host-Independent Extensible Logging for Tamper-Proof Detection and Real-Time Mitigation of Ransomware Threats [17.861324495723487]
  We introduce SHIELD: a metric acquisition framework leveraging low-level monitoring and Network Block Device (NBD) technology to provide off-host, tamper-proof measurements for continuous observation of disk activity. We employ deep features along with simplified metrics aggregated based on frequency of disk actions, making the metrics impervious to obfuscation while avoiding reliance on vulnerable host-based logs. In a proof-of-concept deployment, we demonstrate real-time mitigation using models trained on these metrics by halting malicious disk operations after ransomware detection with minimum file loss and memory corruption.
  Date: 2025-01-28T01:33:03Z
- A Sysmon Incremental Learning System for Ransomware Analysis and Detection [1.495391051525033]
  In the face of increasing cyber threats, particularly ransomware attacks, there is a pressing need for advanced detection and analysis systems. Most of these proposals leverage non-incremental learning approaches that require the underlying models to be updated from scratch to detect new ransomware. This approach is problematic because it leaves sensitive data vulnerable to attack during retraining, as newly emerging ransomware strains may go undetected until the model is updated. We present the Sysmon Incremental Learning System for Analysis and Detection (SILRAD), which enables continuous updates to the underlying model and effectively closes the training gap.
  Date: 2025-01-02T06:22:58Z
- Detection of ransomware attacks using federated learning based on the CNN model [3.183529890105507]
  This paper offers a ransomware attack modeling technique that targets the disrupted operation of a digital substation. Experiments demonstrate that the suggested technique detects ransomware with a high accuracy rate.
  Date: 2024-05-01T09:57:34Z
- GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware [8.576433180938004]
  GuardFS is a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system.
  Date: 2024-01-31T15:33:29Z
- Protecting Model Adaptation from Trojans in the Unlabeled Data [120.42853706967188]
  This paper explores the potential trojan attacks on model adaptation launched by well-designed poisoning target data. We propose a plug-and-play method named DiffAdapt, which can be seamlessly integrated with existing adaptation algorithms.
  Date: 2024-01-11T16:42:10Z
- DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
  We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection. Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables. We are the first to offer certified robustness in the realm of static detection of malware executables.
  Date: 2023-03-20T17:25:22Z
- TANTRA: Timing-Based Adversarial Network Traffic Reshaping Attack [46.79557381882643]
  We present TANTRA, a novel end-to-end Timing-based Adversarial Network Traffic Reshaping Attack. Our evasion attack utilizes a long short-term memory (LSTM) deep neural network (DNN) which is trained to learn the time differences between the target network's benign packets. TANTRA achieves an average success rate of 99.99% in network intrusion detection system evasion.
  Date: 2021-03-10T19:03:38Z
- Being Single Has Benefits. Instance Poisoning to Deceive Malware Classifiers [47.828297621738265]
  We show how an attacker can launch a sophisticated and efficient poisoning attack targeting the dataset used to train a malware classifier. As opposed to other poisoning attacks in the malware detection domain, our attack does not focus on malware families but rather on specific malware instances that contain an implanted trigger. We propose a comprehensive detection approach that could serve as a future sophisticated defense against this newly discovered severe threat.
  Date: 2020-10-30T15:27:44Z
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
  Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes. We develop a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks. These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
  Date: 2020-08-17T07:16:57Z
- Cassandra: Detecting Trojaned Networks from Adversarial Perturbations [92.43879594465422]
  In many cases, pre-trained models are sourced from vendors who may have disrupted the training pipeline to insert Trojan behaviors into the models. We propose a method to verify if a pre-trained model is Trojaned or benign. Our method captures fingerprints of neural networks in the form of adversarial perturbations learned from the network gradients.
  Date: 2020-07-28T19:00:40Z