Visible to the public DeepGuard: Deep Generative User-behavior Analytics for Ransomware Detection

TitleDeepGuard: Deep Generative User-behavior Analytics for Ransomware Detection
Publication TypeConference Paper
Year of Publication2020
AuthorsGanfure, G. O., Wu, C.-F., Chang, Y.-H., Shih, W.-K.
Conference Name2020 IEEE International Conference on Intelligence and Security Informatics (ISI)
Date PublishedNov. 2020
PublisherIEEE
ISBN Number978-1-7281-8800-3
Keywordsattack detection, cybersecurity, data mining, Deep Autoencoders, deep generative autoencoder architecture, deep generative user-behavior analytics, DeepGuard, file-interaction pattern logging, Human Behavior, human factors, Informatics, invasive software, learning (artificial intelligence), neural nets, Organizations, pubcrawl, ransomware, ransomware activity, ransomware criminals, ransomware detection, ransomware incidence report, security, system monitoring, three-sigma limit rule, Tools, Training, Training data, user activity, User behavior Analytics, user behavior modeling, WannaCry
Abstract

In the last couple of years, the move to cyberspace provides a fertile environment for ransomware criminals like ever before. Notably, since the introduction of WannaCry, numerous ransomware detection solution has been proposed. However, the ransomware incidence report shows that most organizations impacted by ransomware are running state of the art ransomware detection tools. Hence, an alternative solution is an urgent requirement as the existing detection models are not sufficient to spot emerging ransomware treat. With this motivation, our work proposes "DeepGuard," a novel concept of modeling user behavior for ransomware detection. The main idea is to log the file-interaction pattern of typical user activity and pass it through deep generative autoencoder architecture to recreate the input. With sufficient training data, the model can learn how to reconstruct typical user activity (or input) with minimal reconstruction error. Hence, by applying the three-sigma limit rule on the model's output, DeepGuard can distinguish the ransomware activity from the user activity. The experiment result shows that DeepGuard effectively detects a variant class of ransomware with minimal false-positive rates. Overall, modeling the attack detection with user-behavior permits the proposed strategy to have deep visibility of various ransomware families.

URLhttps://ieeexplore.ieee.org/document/9280508
DOI10.1109/ISI49825.2020.9280508
Citation Keyganfure_deepguard_2020