Related papers: Building a Robust Risk-Based Access Control System to Combat Ransomware's Capability to Encrypt: A Machine Learning Approach

Building a Robust Risk-Based Access Control System to Combat Ransomware's Capability to Encrypt: A Machine Learning Approach

URL: http://arxiv.org/abs/2601.16795v1
Date: Fri, 23 Jan 2026 14:48:35 GMT
Title: Building a Robust Risk-Based Access Control System to Combat Ransomware's Capability to Encrypt: A Machine Learning Approach
Authors: Kenan Begovic, Abdulaziz Al-Ali, Qutaibah Malluhi,
Abstract summary: Ransomware core capability, unauthorized encryption, demands controls that identify and block malicious cryptographic activity without disrupting legitimate use.<n>We present a probabilistic, risk-based access control architecture that couples machine learning inference with mandatory access control to regulate encryption on Linux in real time.
Score: 0.510691253204425
License: http://creativecommons.org/licenses/by/4.0/
Abstract: Ransomware core capability, unauthorized encryption, demands controls that identify and block malicious cryptographic activity without disrupting legitimate use. We present a probabilistic, risk-based access control architecture that couples machine learning inference with mandatory access control to regulate encryption on Linux in real time. The system builds a specialized dataset from the native ftrace framework using the function_graph tracer, yielding high-resolution kernel-function execution traces augmented with resource and I/O counters. These traces support both a supervised classifier and interpretable rules that drive an SELinux policy via lightweight booleans, enabling context-sensitive permit/deny decisions at the moment encryption begins. Compared to approaches centered on sandboxing, hypervisor introspection, or coarse system-call telemetry, the function-level tracing we adopt provides finer behavioral granularity than syscall-only telemetry while avoiding the virtualization/VMI overhead of sandbox-based approaches. Our current user-space prototype has a non-trivial footprint under burst I/O; we quantify it and recognize that a production kernel-space solution should aim to address this. We detail dataset construction, model training and rule extraction, and the run-time integration that gates file writes for suspect encryption while preserving benign cryptographic workflows. During evaluation, the two-layer composition retains model-level detection quality while delivering rule-like responsiveness; we also quantify operational footprint and outline engineering steps to reduce CPU and memory overhead for enterprise deployment. The result is a practical path from behavioral tracing and learning to enforceable, explainable, and risk-proportionate encryption control on production Linux systems.

Related papers

OAMAC: Origin-Aware Mandatory Access Control for Practical Post-Compromise Attack Surface Reduction [0.0]
Execution origin is a missing abstraction in modern operating system security models.<n>We introduce origin-aware mandatory access control (OAMAC)<n> OAMAC treats execution origin as a first-class security attribute.
arXiv Detail & Related papers (2026-01-20T14:40:26Z)
BASICS: Binary Analysis and Stack Integrity Checker System for Buffer Overflow Mitigation [0.0]
Cyber-Physical Systems have played an essential role in our daily lives, providing critical services such as power and water.<n>Traditional vulnerability discovery techniques struggle with scalability and precision when applied directly to the binary code of C programs.<n>This work introduces a novel approach designed to overcome these limitations by leveraging model checking and concolic execution techniques.
arXiv Detail & Related papers (2025-11-24T20:11:41Z)
A Fuzzy Logic-Based Cryptographic Framework For Real-Time Dynamic Key Generation For Enhanced Data Encryption [0.24629531282150874]
Brute-force attacks, key compromise, and unauthorized access have become highly common cyber threats.<n>This research presents a novel fuzzy logic-based cryptographic framework that dynamically generates encryption keys in real-time.
arXiv Detail & Related papers (2025-11-18T04:34:31Z)
Real-time ML-based Defense Against Malicious Payload in Reconfigurable Embedded Systems [0.0]
malicious bitstreams could cause denial-of-service (DoS), data leakage, or covert attacks.<n>We propose a supervised machine learning method to detect malicious bitstreams via static byte-level features.<n>Our approach diverges from existing methods by analyzing bitstreams directly at the binary level.
arXiv Detail & Related papers (2025-09-02T14:52:43Z)
CANDoSA: A Hardware Performance Counter-Based Intrusion Detection System for DoS Attacks on Automotive CAN bus [45.24207460381396]
This paper presents a novel Intrusion Detection System (IDS) designed for the Controller Area Network (CAN) environment.<n>A RISC-V-based CAN receiver is simulated using the gem5 simulator, processing CAN frame payloads with AES-128 encryption as FreeRTOS tasks.<n>Results indicate that this approach could significantly improve CAN security and address emerging challenges in automotive cybersecurity.
arXiv Detail & Related papers (2025-07-19T20:09:52Z)
DRIFT: Dynamic Rule-Based Defense with Injection Isolation for Securing LLM Agents [52.92354372596197]
Large Language Models (LLMs) are increasingly central to agentic systems due to their strong reasoning and planning capabilities.<n>This interaction also introduces the risk of prompt injection attacks, where malicious inputs from external sources can mislead the agent's behavior.<n>We propose a Dynamic Rule-based Isolation Framework for Trustworthy agentic systems, which enforces both control and data-level constraints.
arXiv Detail & Related papers (2025-06-13T05:01:09Z)
Keyed Chaotic Dynamics for Privacy-Preserving Neural Inference [0.0]
This work introduces a novel encryption method for ensuring the security of neural inference.<n>By constructing key-conditioned chaotic graph dynamical systems, we enable the encryption and decryption of real-valued tensors within the neural architecture.
arXiv Detail & Related papers (2025-05-29T17:05:42Z)
CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations [53.036288487863786]
We propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations.<n>It detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature.<n>We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs.
arXiv Detail & Related papers (2025-05-14T13:37:07Z)
Cryptanalysis via Machine Learning Based Information Theoretic Metrics [58.96805474751668]
We propose two novel applications of machine learning (ML) algorithms to perform cryptanalysis on any cryptosystem.<n>These algorithms can be readily applied in an audit setting to evaluate the robustness of a cryptosystem.<n>We show that our classification model correctly identifies the encryption schemes that are not IND-CPA secure, such as DES, RSA, and AES ECB, with high accuracy.
arXiv Detail & Related papers (2025-01-25T04:53:36Z)
LightFAt: Mitigating Control-flow Explosion via Lightweight PMU-based Control-flow Attestation [0.9999629695552195]
Remote execution often deals with sensitive data or executes proprietary software. It ensures the code is executed in a non-compromised environment by calculating a potentially large sequence of cryptographic hash values. In this work, we propose LightFAt: a Lightweight Control Flow scheme.
arXiv Detail & Related papers (2024-04-03T09:55:15Z)
Fight Hardware with Hardware: System-wide Detection and Mitigation of Side-Channel Attacks using Performance Counters [45.493130647468675]
We present a kernel-level infrastructure that allows system-wide detection of malicious applications attempting to exploit cache-based side-channel attacks. This infrastructure relies on hardware performance counters to collect information at runtime from all applications running on the machine. High-level detection metrics are derived from these measurements to maximize the likelihood of promptly detecting a malicious application.
arXiv Detail & Related papers (2024-02-18T15:45:38Z)
Safe RAN control: A Symbolic Reinforcement Learning Approach [62.997667081978825]
We present a Symbolic Reinforcement Learning (SRL) based architecture for safety control of Radio Access Network (RAN) applications. We provide a purely automated procedure in which a user can specify high-level logical safety specifications for a given cellular network topology. We introduce a user interface (UI) developed to help a user set intent specifications to the system, and inspect the difference in agent proposed actions.
arXiv Detail & Related papers (2021-06-03T16:45:40Z)

This list is automatically generated from the titles and abstracts of the papers in this site.