DeepGuard: Deep Generative User-behavior Analytics for Ransomware Detection

Gaddisa Olani Ganfure, Chun Feng Wu, Yuan Hao Chang, Wei Kuan Shih

Research output: Conference contribution, peer-reviewed

9 Citations (Scopus)

Abstract

In the last couple of years, the move to cyberspace has provided a fertile environment for ransomware criminals like never before. Notably, since the introduction of WannaCry, numerous ransomware detection solutions have been proposed. However, the ransomware incidence report shows that most organizations impacted by ransomware are running state-of-the-art ransomware detection tools. Hence, an alternative solution is urgently required, as the existing detection models are not sufficient to spot emerging ransomware threats. With this motivation, our work proposes "DeepGuard," a novel concept of modeling user behavior for ransomware detection. The main idea is to log the file-interaction pattern of typical user activity and pass it through a deep generative autoencoder architecture to recreate the input. With sufficient training data, the model can learn how to reconstruct typical user activity (or input) with minimal reconstruction error. Hence, by applying the three-sigma limit rule on the model's output, DeepGuard can distinguish ransomware activity from user activity. The experimental results show that DeepGuard effectively detects a variant class of ransomware with minimal false-positive rates. Overall, modeling the attack detection with user behavior permits the proposed strategy to have deep visibility of various ransomware families.

Original language: English
Title of host publication: Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781728188003
DOIs
Publication status: Published - 9 Nov 2020
Event: 18th IEEE International Conference on Intelligence and Security Informatics, ISI 2020 - Virtual, Arlington, United States
Duration: 9 Nov 2020 to 10 Nov 2020

Publication series

Name: Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020

Conference

Conference: 18th IEEE International Conference on Intelligence and Security Informatics, ISI 2020
Country/Territory: United States
City: Virtual, Arlington
Period: 9/11/20 to 10/11/20
