References & Citations
Computer Science > Cryptography and Security
Title: Machine Learning-based Ransomware Detection Using Low-level Memory Access Patterns Obtained From Live-forensic Hypervisor
(Submitted on 27 May 2022 (v1), last revised 18 Aug 2022 (this version, v2))
Abstract: Since modern anti-virus software mainly depends on a signature-based static analysis, they are not suitable for coping with the rapid increase in malware variants. Moreover, even worse, many vulnerabilities of operating systems enable attackers to evade such protection mechanisms. We, therefore, developed a thin and lightweight live-forensic hypervisor to create an additional protection layer under a conventional protection layer of operating systems with supporting ransomware detection using dynamic behavioral features. The developed live-forensic hypervisor collects low-level memory access patterns instead of high-level information such as process IDs and API calls that modern Virtual Machine Introspection techniques have employed. We then created the low-level memory access patterns dataset of three ransomware samples, one wiper malware sample, and four benign applications. We confirmed that our best machine learning classifier using only low-level memory access patterns achieved an $F_1$ score of 0.95 in detecting ransomware and wiper malware.
Submission history
From: Manabu Hirano [view email][v1] Fri, 27 May 2022 05:50:16 GMT (787kb,D)
[v2] Thu, 18 Aug 2022 06:05:20 GMT (787kb,D)
Link back to: arXiv, form interface, contact.