Abstract
Because recent ransomware families are becoming progressively more advanced, it is challenging to detect ransomware using static features only. However, their behaviors remain more generic and universal to analyze because of their inherent goals and functions. Therefore, we can capture their behaviors by monitoring their system-level activities on files and processes. In this paper, we present a novel ransomware detection system called “Peeler” (Profiling kErnEl-Level Events to detect Ransomware). Peeler first identifies ransomware’s inherent behavioral characteristics, such as stealth operations performed during the attack, process execution patterns, and correlations among different kernel-level events, by analyzing large-scale OS-level provenance data collected from a diverse set of ransomware families. Peeler specifically uses a novel NLP-based deep learning model to fingerprint the contextual behavior of applications by leveraging the Bidirectional Encoder Representations from Transformers (BERT) pre-trained model. We evaluate Peeler on a large ransomware dataset including 67 ransomware families and demonstrate that it achieves a 99.5% F1-score.
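As an added illustration (not the paper's or Peeler's code), the following Python turns constructed ETW-style kernel event records into per-process event "sentences" of the kind a language model could consume, and applies a simplified read-write-rename heuristic in place of the learned model; the process names, paths and scoring rule are assumptions.

```python
from collections import defaultdict

# Constructed ETW-style records: (timestamp, provider/opcode, pid, target).
# Hypothetical processes and paths; not taken from the paper's dataset.
SAMPLE_EVENTS = [
    (1, "Process/Start", 400, "winword.exe"),
    (2, "FileIO/Read", 400, r"C:\Users\a\report.docx"),
    (3, "FileIO/Write", 400, r"C:\Users\a\report.docx"),
    (4, "Process/Start", 500, "updater.exe"),
    (5, "FileIO/Read", 500, r"C:\Users\a\photo.jpg"),
    (6, "FileIO/Write", 500, r"C:\Users\a\photo.jpg"),
    (7, "FileIO/Rename", 500, r"C:\Users\a\photo.jpg.locked"),
    (8, "FileIO/Read", 500, r"C:\Users\a\notes.txt"),
    (9, "FileIO/Write", 500, r"C:\Users\a\notes.txt"),
    (10, "FileIO/Rename", 500, r"C:\Users\a\notes.txt.locked"),
    (11, "FileIO/Read", 500, r"C:\Users\a\budget.xlsx"),
    (12, "FileIO/Write", 500, r"C:\Users\a\budget.xlsx"),
    (13, "FileIO/Rename", 500, r"C:\Users\a\budget.xlsx.locked"),
]

def event_sentences(events):
    """Group events by pid into a time-ordered opcode sequence, i.e. the
    token 'sentence' that a text model such as BERT could be trained on."""
    seqs = defaultdict(list)
    for _, opcode, pid, _ in sorted(events):
        seqs[pid].append(opcode)
    return dict(seqs)

def profile(events, pid):
    """Count distinct files a process writes and how many times it performs
    the read -> write -> rename triple (the generic encrypt-in-place shape)."""
    ops = [(op, tgt) for _, op, p, tgt in sorted(events) if p == pid]
    written = {tgt for op, tgt in ops if op == "FileIO/Write"}
    pattern = ["FileIO/Read", "FileIO/Write", "FileIO/Rename"]
    triples = sum(
        1 for i in range(len(ops) - 2)
        if [ops[i][0], ops[i + 1][0], ops[i + 2][0]] == pattern
    )
    return {"files_written": len(written), "rwr_triples": triples}

def suspicious(events, pid, min_files=3):
    """Simplified stand-in for the learned classifier: flag a process once
    at least min_files distinct files each follow the read-write-rename triple."""
    p = profile(events, pid)
    return p["files_written"] >= min_files and p["rwr_triples"] >= p["files_written"]
```

The heuristic is deliberately crude; benign archivers and shredders (the paper's Table 7 applications) would need the learned contextual model to be separated from ransomware.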
Notes
1. Windows OS is becoming the most attractive target for ransomware writers; 87% of existing ransomware was developed to target Windows [10].
2. ETW was first introduced in Windows 2000 and is now built into all Windows OS versions.
References
About Event Tracing. https://docs.microsoft.com/en-us/windows/win32/etw/about-event-tracing
Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/
Krabsetw. https://github.com/microsoft/krabsetw
A Live Malware Repository. https://github.com/ytisf/theZoo
Malware samples. https://github.com/fabrimagic72/malware-samples
MalwareBazaar. https://bazaar.abuse.ch/
Pretrained models. https://huggingface.co/transformers/pretrained_models.html
VirtualBox. https://www.virtualbox.org
VirusTotal. https://www.virustotal.com/
What systems have you seen infected by ransomware? https://www.statista.com/statistics/701020/major-operating-systems-targeted-by-ransomware/
Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: A 0-day aware crypto-ransomware early behavioral detection framework. In: International Conference of Reliable Information and Communication Technology, pp. 758–766 (2017)
Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347 (2016)
Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018)
Gómez-Hernández, J., Álvarez-González, L., García-Teodoro, P.: R-Locker: thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389–398 (2018)
Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. In: Proceedings of the 2018 Asia Conference on Computer and Communications Security, pp. 187–197 (2018)
Hendler, D., Kels, S., Rubin, A.: AMSI-based detection of malicious PowerShell code using contextual embeddings. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 679–693 (2020)
Hirano, M., Kobayashi, R.: Machine learning based ransomware detection using storage access patterns obtained from live-forensic hypervisor. In: Sixth IEEE International Conference on Internet of Things: Systems, Management and Security (IOTSMS), pp. 1–6 (2019)
Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R.: Know abnormal, find evil: frequent pattern mining for ransomware threat hunting and intelligence. IEEE Transactions on Emerging Topics in Computing (2017)
Huang, J., Xu, J., Xing, X., Liu, P., Qureshi, M.K.: FlashGuard: leveraging intrinsic flash properties to defend against encryption ransomware. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 2231–2244 (2017)
Jin, B., Choi, J., Kim, H., Hong, J.B.: FUMVar: a practical framework for generating fully-working and unseen malware variants. In: Proceedings of the 36th Annual ACM Symposium on Applied Computing (SAC) (2021)
Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 757–772 (2016)
Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 98–119 (2017)
Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 3–24 (2015)
Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: PayBreak: defense against cryptographic ransomware. In: Proceedings of the ACM Asia Conference on Computer and Communications Security, pp. 599–611 (2017)
Emsisoft Malware Lab: The State of Ransomware in the US. https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/
Lelonek, B., Rogers, N.: Make ETW great again. https://ruxcon.org.au/assets/2016/slides/ETW_16_RUXCON_NJR_no_notes.pdf
Mehnaz, S., Mudgerikar, A., Bertino, E.: RWGuard: a real-time detection system against cryptographic ransomware. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 114–136 (2018)
Milajerdi, S.M., Eshete, B., Gjomemo, R., Venkatakrishnan, V.: Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security, pp. 1795–1812 (2019)
Miramirkhani, N., Appini, M.P., Nikiforakis, N., Polychronakis, M.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: IEEE Symposium on Security and Privacy (SP), pp. 1009–1024 (2017)
Morato, D., Berrueta, E., Magaña, E., Izal, M.: Ransomware early detection by the analysis of file sharing traffic. J. Network Comput. Appl. 124, 14–32 (2018)
Nieuwenhuizen, D.: A behavioural-based approach to ransomware detection. Whitepaper, MWR Labs Whitepaper (2017)
Scaife, N., Carter, H., Traynor, P., Butler, K.R.: CryptoLock (and drop it): stopping ransomware attacks on user data. In: 36th IEEE International Conference on Distributed Computing Systems (ICDCS), pp. 303–312 (2016)
Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020 (2016)
Sivakorn, S., et al.: Countering malicious processes with process-DNS association. In: Network and Distributed System Security Symposium (NDSS) (2019)
Wang, Q., et al.: You are what you do: hunting stealthy malware via data provenance analysis. In: Network and Distributed System Security Symposium (NDSS) (2020)
WatchGuard: Internet Security Report - Q4 2020. https://www.watchguard.com/wgrd-resource-center/security-report-q4-2020
Zhao, L., Mannan, M.: TEE-aided write protection against privileged data tampering. arXiv preprint arXiv:1905.10723 (2019)
A Dataset
A.1 Ransomware families
We provide a comprehensive list of both ransomware families and benign applications used to evaluate Peeler. Table 6 presents two sets of ransomware families used in Sect. 6.1 and Sect. 6.3, respectively.
A.2 Benign applications
In this section, we present the benign applications that potentially show ransomware-like behaviors and are used in the evaluation of Peeler: 1) benign encryption, compression, and shredder applications (see Table 7); 2) benign applications that spawn multiple processes; and 3) benign applications that are most widely used on Windows PCs (see Table 8).
© 2021 Springer Nature Switzerland AG
Cite this paper
Ahmed, M.E., Kim, H., Camtepe, S., Nepal, S. (2021). Peeler: Profiling Kernel-Level Events to Detect Ransomware. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_12
DOI: https://doi.org/10.1007/978-3-030-88418-5_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5