Machine Learning Based Ransomware Detection Using Storage Access Patterns Obtained From Live-forensic Hypervisor

Title: Machine Learning Based Ransomware Detection Using Storage Access Patterns Obtained From Live-forensic Hypervisor
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Hirano, Manabu; Kobayashi, Ryotaro
Conference Name: 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS)
Keywords: behavioral model, benign application, cloud services, composability, Cyber-physical systems, dynamic analysis, dynamic ransomware analysis, Internet of Things devices, invasive software, large-scale cyber attacks, learning (artificial intelligence), live ransomware samples, live-forensic hypervisor, machine learning, machine learning based ransomware detection, Metrics, mobile devices, prevention systems, pubcrawl, ransomware, ransomware attacks, Resiliency, static ransomware analysis, storage access patterns, support vector machine, Support vector machines, UK National Health Service, Zero-day attacks
Abstract: With the rapid increase in the number of Internet of Things (IoT) devices, mobile devices, cloud services, and cyber-physical systems, large-scale cyber attacks on enterprises and public sectors have increased. In particular, ransomware attacks damaged the UK's National Health Service and many enterprises around the world in 2017. Therefore, researchers have proposed ransomware detection and prevention systems. However, manual inspection in static and dynamic ransomware analysis is time-consuming, and it cannot cope with the rapid increase in variants of ransomware families. Recently, machine learning has been used to automate ransomware analysis by creating a behavioral model of the same ransomware family. To create effective behavioral models of ransomware, we first obtained storage access patterns of live ransomware samples and of a benign application by using a live-forensic hypervisor called WaybackVisor. To distinguish ransomware from a benign application that has similar behavior to ransomware, we carefully selected five dimensional features that were extracted both from actual ransomware's Input and Output (I/O) logs and from a benign program's I/O logs. We created and evaluated machine learning models by using Random Forest, Support Vector Machine, and K-Nearest Neighbors. Our experiments using the proposed five features of storage access patterns achieved an F-measure rate of 98%.
Citation Key: hirano_machine_2019