TY - JOUR
T1 - DeepWare
T2 - Imaging Performance Counters With Deep Learning to Detect Ransomware
AU - Ganfure, Gaddisa Olani
AU - Wu, Chun Feng
AU - Chang, Yuan Hao
AU - Shih, Wei Kuan
N1 - Publisher Copyright:
© 1968-2012 IEEE.
PY - 2023/3/1
Y1 - 2023/3/1
N2 - In the past year, rarely a month has passed without a ransomware incident being reported in a newspaper or on social media. In addition to the rise in the frequency of ransomware attacks, emerging attacks are very effective, as they use sophisticated techniques to bypass existing organizational security perimeters. To tackle this issue, this paper presents 'DeepWare,' a ransomware detection model inspired by deep learning and hardware performance counters (HPCs). Unlike previous works that aim to check all HPC results returned at a single point in time for every running process, DeepWare carries out a simple yet effective concept, 'imaging hardware performance counters with deep learning to detect ransomware,' so as to identify ransomware efficiently and effectively. More specifically, DeepWare monitors the system-wide change in the distribution of HPC data. By imaging the HPC values and restructuring the conventional CNN model, DeepWare addresses the nondeterminism of HPCs by extracting event-specific and event-wise behavioral features, which allows it to distinguish ransomware activity from benign activity effectively. Experimental results across ransomware families show that the proposed DeepWare is effective at detecting different classes of ransomware, with a 98.6% recall score, which is an 84.41%, 60.93%, and 21% improvement over the RATAFIA, OC-SVM, and EGB models, respectively. DeepWare achieves an average MCC score of 96.8% and a nearly zero false-positive rate using just a 100 ms snapshot of HPC data. This timeliness of DeepWare is critical because it gives organizations and individuals the opportunity to take countermeasures in the first stage of the attack. Moreover, the experiment conducted on unseen ransomware families such as CoronaVirus, Ryuk, and Dharma demonstrates that DeepWare has excellent potential as a useful tool for zero-day attack detection.
KW - Ransomware detection
KW - convolutional neural network
KW - dynamic analysis
KW - hardware performance counters
UR - http://www.scopus.com/inward/record.url?scp=85131124968&partnerID=8YFLogxK
U2 - 10.1109/TC.2022.3173149
DO - 10.1109/TC.2022.3173149
M3 - Article
AN - SCOPUS:85131124968
SN - 0018-9340
VL - 72
SP - 600
EP - 613
JO - IEEE Transactions on Computers
JF - IEEE Transactions on Computers
IS - 3
ER -