Skip to main content
SpringerLink
Log in

Peeler: Profiling Kernel-Level Events to Detect Ransomware

  • Conference paper
  • First Online:
Computer Security – ESORICS 2021 (ESORICS 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12972))

Included in the following conference series:

Abstract

Because the recent ransomware families are becoming progressively more advanced, it is challenging to detect ransomware using static features only. However, their behaviors are still more generic and universal to analyze due to their inherent goals and functions. Therefore, we can capture their behaviors by monitoring their system-level activities on files and processes. In this paper, we present a novel ransomware detection system called “Peeler” (Profiling kErnEl -Level Events to detect Ransomware). Peeler first identifies ransomware’s inherent behavioral characteristics such as stealth operations performed during the attack, processes execution patterns, and correlations among different kernel-level events by analysing a large-scaled OS-level provenance data collected from a diverse set of ransomware families. Peeler specifically uses a novel NLP-based deep learning model to fingerprint the contextual behavior of applications by leveraging Bidirectional Encoder Representations from Transformers (BERT) pre-trained model. We evaluate Peeler on a large ransomware dataset including 67 ransomware families and demonstrate that it achieves a 99.5% F1-score.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Windows OS is becoming the most attractive targets for ransomware writers, i.e., 87% of the existing ransomware were developed to target Windows [10].

  2. 2.

    ETW was first introduced in Windows 2000 and is now built-in to all Windows OS versions.

References

  1. About Event Tracing. https://docs.microsoft.com/en-us/windows/win32/etw/about-event-tracing

  2. Global Ransomware Damage Costs Predicted To Reach \$20 Billion (USD) By 2021. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/

  3. Krabsetw. https://github.com/microsoft/krabsetw

  4. A Live Malware Repository. https://github.com/ytisf/theZoo

  5. Malware samples. https://github.com/fabrimagic72/malware-samples

  6. MalwareBazaar. https://bazaar.abuse.ch/

  7. Pretrained models. https://huggingface.co/transformers/pretrained_models.html

  8. VirtualBox. https://www.virtualbox.org

  9. VirusTotal. https://www.virustotal.com/

  10. What systems have you seen infected by ransomware? https://www.statista.com/statistics/701020/major-operating-systems-targeted-by-ransomware/

  11. Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: A 0-day aware crypto-ransomware early behavioral detection framework. In: International Conference of Reliable Information and Communication Technology, pp. 758–766 (2017)

    Google Scholar 

  12. Continella, A., et al.: Shieldfs: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347 (2016)

    Google Scholar 

  13. Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: Bert: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018)

  14. Gómez-Hernández, J., Álvarez-González, L., García-Teodoro, P.: R-Locker: thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389–398 (2018)

    Article  Google Scholar 

  15. Hendler, D., Kels, S., Rubin, A.: Detecting malicious powershell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 187–197 (2018)

    Google Scholar 

  16. Hendler, D., Kels, S., Rubin, A.: Amsi-based detection of malicious powershell code using contextual embeddings. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 679–693 (2020)

    Google Scholar 

  17. Hirano, M., Kobayashi, R.: Machine learning based ransomware detection using storage access patterns obtained from live-forensic hypervisor. In: Sixth IEEE International Conference on Internet of Things: Systems, Management and Security (IOTSMS), pp. 1–6 (2019)

    Google Scholar 

  18. Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R.: Know abnormal, find evil: frequent pattern mining for ransomware threat hunting and intelligence. IEEE transactions on emerging topics in computing (2017)

    Google Scholar 

  19. Huang, J., Xu, J., Xing, X., Liu, P., Qureshi, M.K.: Flashguard: Leveraging intrinsic flash properties to defend against encryption ransomware. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 2231–2244 (2017)

    Google Scholar 

  20. Jin, B., Choi, J., Kim, H., Hong, J.B.: Fumvar: a practical framework for generating fully-working and unseen malware variants. In: Proceedings of the 36th Annual ACM Symposium on Applied Computing (SAC) (2021)

    Google Scholar 

  21. Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 757–772 (2016)

    Google Scholar 

  22. Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 98–119 (2017)

    Google Scholar 

  23. Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 3–24 (2015)

    Google Scholar 

  24. Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings ACM on Asia Conference on Computer and Communications Security, pp. 599–611 (2017)

    Google Scholar 

  25. Lab, E.M.: The State of Ransomware in the US. https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/

  26. Lelonek, B., Rogers, N.: Make ETW greate again. https://ruxcon.org.au/assets/2016/slides/ETW_16_RUXCON_NJR_no_notes.pdf

  27. Mehnaz, S., Mudgerikar, A., Bertino, E.: RWGuard: a real-time detection system against cryptographic ransomware. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 114–136 (2018)

    Google Scholar 

  28. Milajerdi, S.M., Eshete, B., Gjomemo, R., Venkatakrishnan, V.: Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security, pp. 1795–1812 (2019)

    Google Scholar 

  29. Miramirkhani, N., Appini, M.P., Nikiforakis, N., Polychronakis, M.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: IEEE Symposium on Security and Privacy (SP), pp. 1009–1024 (2017)

    Google Scholar 

  30. Morato, D., Berrueta, E., Magaña, E., Izal, M.: Ransomware early detection by the analysis of file sharing traffic. J. Network Comput. Appl. 124, 14–32 (2018)

    Article  Google Scholar 

  31. Nieuwenhuizen, D.: A behavioural-based approach to ransomware detection. Whitepaper, MWR Labs Whitepaper (2017)

    Google Scholar 

  32. Scaife, N., Carter, H., Traynor, P., Butler, K.R.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 36th IEEE International Conference on Distributed Computing Systems (ICDCS), pp. 303–312 (2016)

    Google Scholar 

  33. Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020 (2016)

  34. Sivakorn, S., et al.: Countering malicious processes with process-dns association. In: Network and Distributed Systems Security (2019)

    Google Scholar 

  35. Wang, Q., et al.: You are what you do: Hunting stealthy malware via data provenance analysis. In: Symposium on Network and Distributed System Security (NDSS) (2020)

    Google Scholar 

  36. WatchGuard: Internet Security Report - Q4 2020. https://www.watchguard.com/wgrd-resource-center/security-report-q4-2020

  37. Zhao, L., Mannan, M.: TEE-aided write protection against privileged data tampering. arXiv preprint arXiv:1905.10723 (2019)

Download references

Author information

Authors and Affiliations

  1. Data61 CSIRO, Marsfield, NSW, 2122, Australia

    Muhammad Ejaz Ahmed, Seyit Camtepe & Surya Nepal

  2. Sungkyunkwan University, Suwon, South Korea

    Hyoungshick Kim

Authors
  1. Muhammad Ejaz Ahmed
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hyoungshick Kim
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Seyit Camtepe
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Surya Nepal
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Muhammad Ejaz Ahmed .

Editor information

Editors and Affiliations

  1. Purdue University, West Lafayette, IN, USA

    Elisa Bertino

  2. National Research Center for Applied Cybersecurity ATHENE, Fraunhofer Institute for Secure Information Technology SIT, Darmstadt, Germany

    Haya Shulman

  3. National Research Center for Applied Cybersecurity ATHENE , Technische Universität Darmstadt, Fraunhofer Institute for Secure Information Technology SIT, Darmstadt, Germany

    Michael Waidner

A Dataset

A Dataset

1.1 A.1 Ransomware families

We provide a comprehensive list of both ransomware families and benign applications used to evaluate Peeler. Table 6 presents two sets of ransomware families used in Sect. 6.1 and Sect. 6.3, respectively.

Table 6. Ransomware families and samples.
Full size table

1.2 A.2 Benign applications

In this section, we present benign applications that potentially show ransomware-like behaviors that are used in the evaluation of Peeler: 1) benign encryption, compression, and shredder applications (see Table 7); 2) benign application spawning multiple processes; and 3) benign applications that are most popularly used on Windows PC (see Table 8).

Table 7. Ransomware-like benign applications.
Full size table
Table 8. Benign applications spawning multiple processes.
Full size table

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ahmed, M.E., Kim, H., Camtepe, S., Nepal, S. (2021). Peeler: Profiling Kernel-Level Events to Detect Ransomware. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation