Ransomware Classification Using Hardware Performance Counters on a Non-Virtualized System
Blog Article
Ransomware is a type of malicious software designed to encrypt a user's important data for the purpose of extortion, with a global annual impact of billions of dollars in damages. This research proposes a side-channel-based ransomware detection method that uses the microarchitectural side channel exposed through hardware performance counters. Unlike most ransomware research, which relies on virtual machines to easily restore a system to its uncompromised, pre-encrypted state, this work draws on thousands of trials collected on physical hardware without the use of virtualization. Trials consist of both benign operations and real-world ransomware executables.
Over two hundred distinct hardware events were collected on (non-virtualized) computer hardware to replicate the real-world scenario in which most ransomware attacks occur. Over 30 classifiers were systematically trained with each of the 200+ hardware events to narrow the set of classifiers and performance counters considered, and the five top-performing classification algorithms were then evaluated to rank which hardware performance counters contributed most to the best classification results. Overall, this work showed that classification of ransomware in under two seconds with over 95% accuracy is viable with as few as 3 hardware event features for the Neural Network and Bagged Tree classifiers.
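As an added illustration, not code from the paper, the pipeline described above in pure Python: parse `perf stat -x,` CSV output from a two-second collection window into an event vector, rank events by a Fisher score across benign and ransomware trials, keep the top three, and fit a classifier on only those. The event names, the perf sample and the trial data are constructed here; the counter shifts that make the two classes separable are an assumption for the example, not measured ransomware behaviour, and Gaussian naive Bayes stands in for the Neural Network and Bagged Tree classifiers the article names.

```python
"""Added example: HPC feature ranking and classification. Not the paper's code;
event names, perf output and trial data are constructed for illustration."""
import math
import random
import statistics
from typing import Dict, List, Tuple

# Counters a collector might request for a 2-second window, e.g.
#   perf stat -x, -a -e instructions,cycles,cache-misses,branch-misses,\
#       L1-dcache-load-misses,page-faults -- sleep 2
# The six events below are assumed for the example; the paper ranked 200+.
EVENTS = ["instructions", "cycles", "cache-misses", "branch-misses",
          "L1-dcache-load-misses", "page-faults"]

# Constructed sample of `perf stat -x,` output: count,unit,event,run-time,%,...
SAMPLE_PERF_CSV = """\
2103456789,,instructions,2001234567,100.00,0.84,insn per cycle
2503456789,,cycles,2001234567,100.00,,
5123456,,cache-misses,2001234567,100.00,,
4012345,,branch-misses,2001234567,100.00,,
31234567,,L1-dcache-load-misses,2001234567,100.00,,
2150,,page-faults,2001234567,100.00,,
<not counted>,,branch-loads,0,100.00,,
"""


def parse_perf_stat_csv(text: str) -> Dict[str, float]:
    """Turn `perf stat -x,` lines into {event: count}, skipping
    '<not counted>' / '<not supported>' rows and anything non-numeric."""
    counts: Dict[str, float] = {}
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 3 or not fields[0].strip().isdigit():
            continue
        counts[fields[2].strip()] = float(fields[0])
    return counts


def make_trials(n_per_class: int, seed: int = 7) -> Tuple[List[Dict[str, float]], List[int]]:
    """Constructed trials: label 0 = benign, 1 = ransomware. The elevated
    cache-miss, L1 miss and page-fault rates for label 1 are an assumption."""
    rng = random.Random(seed)
    base = {"instructions": (2.0e9, 3e8), "cycles": (2.5e9, 3e8),
            "cache-misses": (5e6, 1e6), "branch-misses": (4e6, 1e6),
            "L1-dcache-load-misses": (3e7, 5e6), "page-faults": (2000, 500)}
    shift = {"cache-misses": (2e7, 3e6), "L1-dcache-load-misses": (9e7, 1e7),
             "page-faults": (8000, 1500)}
    X, y = [], []
    for label in (0, 1):
        params = {**base, **shift} if label else base
        for _ in range(n_per_class):
            X.append({e: max(0.0, rng.gauss(*params[e])) for e in EVENTS})
            y.append(label)
    return X, y


def fisher_scores(X: List[Dict[str, float]], y: List[int]) -> Dict[str, float]:
    """Per-event separability: (mean_0 - mean_1)^2 / (var_0 + var_1)."""
    scores = {}
    for e in EVENTS:
        a = [x[e] for x, lab in zip(X, y) if lab == 0]
        b = [x[e] for x, lab in zip(X, y) if lab == 1]
        num = (statistics.fmean(a) - statistics.fmean(b)) ** 2
        scores[e] = num / (statistics.pvariance(a) + statistics.pvariance(b) + 1e-12)
    return scores


def select_top_events(X, y, k: int = 3) -> List[str]:
    s = fisher_scores(X, y)
    return sorted(EVENTS, key=lambda e: s[e], reverse=True)[:k]


class GaussianNB:
    """Minimal Gaussian naive Bayes over the selected events (stand-in for
    the paper's Neural Network / Bagged Tree classifiers)."""
    def __init__(self, events: List[str]):
        self.events = events
        self.params: Dict[int, Dict[str, Tuple[float, float]]] = {}
        self.log_prior: Dict[int, float] = {}

    def fit(self, X, y):
        for label in set(y):
            rows = [x for x, lab in zip(X, y) if lab == label]
            self.log_prior[label] = math.log(len(rows) / len(y))
            self.params[label] = {
                e: (statistics.fmean([r[e] for r in rows]),
                    statistics.pvariance([r[e] for r in rows]) + 1e-9)
                for e in self.events}
        return self

    def predict(self, x: Dict[str, float]) -> int:
        best, best_ll = 0, -math.inf
        for label, prior in self.log_prior.items():
            ll = prior
            for e in self.events:
                m, v = self.params[label][e]
                ll += -0.5 * math.log(2 * math.pi * v) - (x[e] - m) ** 2 / (2 * v)
            if ll > best_ll:
                best, best_ll = label, ll
        return best


def run_pipeline(n_per_class: int = 200, k: int = 3, seed: int = 7) -> Tuple[List[str], float]:
    """Rank events on a training split, classify on held-out trials;
    returns (selected events, held-out accuracy)."""
    X, y = make_trials(n_per_class, seed)
    idx = list(range(len(y)))
    random.Random(seed + 1).shuffle(idx)
    cut = int(0.7 * len(idx))
    Xtr, ytr = [X[i] for i in idx[:cut]], [y[i] for i in idx[:cut]]
    Xte, yte = [X[i] for i in idx[cut:]], [y[i] for i in idx[cut:]]
    top = select_top_events(Xtr, ytr, k)
    clf = GaussianNB(top).fit(Xtr, ytr)
    correct = sum(clf.predict(x) == lab for x, lab in zip(Xte, yte))
    return top, correct / len(yte)


if __name__ == "__main__":
    print(parse_perf_stat_csv(SAMPLE_PERF_CSV))
    print(run_pipeline())
```

The ranking step is the part worth keeping when porting this to real data: rank on the training split only, so the selected counters are not chosen with knowledge of the held-out trials, and expect the chosen events and the achievable accuracy to change with the CPU, since raw counter values are not portable across microarchitectures.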