DeepWare: Imaging Performance Counters with Deep Learning to Detect Ransomware

Gaddisa Olani, Chun Feng Wu, Yuan Hao Chang, Wei Kuan Shih

Research output: Contribution to journalArticlepeer-review

8 Scopus citations


In the year passed, rarely a month passes without a ransomware incident published in a newspaper or social media. In addition to the rise in the frequency of ransomware attacks, emerging attacks are very effective as they utilize sophisticated techniques to bypass existing organizational security perimeter. Toward this issue, this paper presents "DeepWare," a simple yet effective concept of imaging hardware performance counters with deep learning to detect ransomware, to identify ransomware efficiently and effectively. By imaging the HPC values and restructuring the conventional CNN model, DeepWare can address HPCs nondeterminism issue by extracting the event-specific and event-wise behavioral features, which allows it to distinguish the ransomware activity from the benign one effectively. The experiment results across ransomware families show that the proposed DeepWare is effective at detecting different classes of ransomware with the highest detection accuracy, which is 30% and 76% improvement over the two baseline models. It achieves an astounding recall score and nearly zero false-positive rates using just a 100 ms snapshot of HPC data. This timeliness of DeepWare is critical on the ground that organizations and individuals have the opportunity to take countermeasures in the first stage of the attack.

Original languageEnglish
Pages (from-to)1
Number of pages1
JournalIEEE Transactions on Computers
StateAccepted/In press - 2022


  • Convolutional Neural Network
  • Dynamic Analysis
  • Encryption
  • Feature extraction
  • Hardware
  • Hardware Performance Counters
  • Market research
  • Monitoring
  • Ransomware
  • Ransomware Detection
  • Switches


Dive into the research topics of 'DeepWare: Imaging Performance Counters with Deep Learning to Detect Ransomware'. Together they form a unique fingerprint.

Cite this