Information Technology Security (Sep 2022)

Ransomware detection based on machine learning models and Event Tracing for Windows

  • Artem O. Kalinkin,
  • Svetlana A. Golub,
  • Igor Y. Korkin,
  • Danil N. Pyatovskiy

DOI: https://doi.org/10.26583/bit.2022.3.07
Journal volume & issue: Vol. 29, no. 3, pp. 82–93

Abstract

Ransomware cyberattacks are increasing at an alarming rate. Ransomware is a form of malicious software that locks users’ files by modifying them or parts of them; to get the files back, the users are expected to pay a ransom. Ransomware uses different types of cryptography, from modern symmetric ciphers to asymmetric ciphers that require both a public key and a private key. An analysis of existing ransomware detection techniques reveals a number of drawbacks, so it was decided to develop a new ransomware detection tool based on machine learning. Analysis of recent ransomware attacks helps to identify behaviour patterns in interactions with the file system that are typical only of ransomware. To collect the related OS events, the Windows built-in mechanism Event Tracing for Windows (ETW) was used. The following machine learning algorithms were evaluated: One-Class Support Vector Machines, Isolation Forest and Local Outlier Factor; the Isolation Forest algorithm showed better results than the other two. ETW was used to collect two datasets, one for legitimate software programs and one for ransomware. The whole dataset was divided into a training part and a testing part, with the training part being around 30% of the dataset and the testing part 70%. The proposed ransomware detection system was implemented in Python. The developed system was successfully tested against the WannaCry and TeslaCrypt ransomware, as well as the legitimate VeraCrypt, TrueCrypt, 7z and Oracle DBMS software.
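As an added example, not the paper's code, the pipeline the abstract sketches in miniature: per-process file-activity features are extracted from constructed ETW FileIO-style records (process id, operation, path) and scored by a from-scratch Isolation Forest after Liu et al. The feature set (writes, renames plus deletes, distinct paths), the event shape and the mass write/rename/delete process are assumptions; the paper's own ETW providers and Python implementation are not reproduced.

```python
import math
import random
from collections import defaultdict

def extract_features(events):
    """Per-process vector (writes, renames+deletes, distinct paths) from FileIO records."""
    acc = defaultdict(lambda: [0, 0, set()])
    for pid, op, path in events:
        acc[pid][0] += op == "Write"
        acc[pid][1] += op in ("Rename", "Delete")
        acc[pid][2].add(path)
    return {pid: (w, r, len(paths)) for pid, (w, r, paths) in acc.items()}

def build_tree(rng, X, depth, limit):
    """Isolation tree: random feature, random split, until a point stands alone."""
    if depth >= limit or len(X) <= 1:
        return ("leaf", len(X))
    f = rng.randrange(len(X[0]))
    lo, hi = min(x[f] for x in X), max(x[f] for x in X)
    if lo == hi:
        return ("leaf", len(X))
    s = rng.uniform(lo, hi)
    return ("node", f, s, build_tree(rng, [x for x in X if x[f] < s], depth + 1, limit),
            build_tree(rng, [x for x in X if x[f] >= s], depth + 1, limit))

def c(n):  # expected BST search path for n points (Liu et al.); normalises depths
    return 0.0 if n <= 1 else 1.0 if n == 2 else 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n
def path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + c(tree[1])
    _, f, s, left, right = tree
    return path_length(left if x[f] < s else right, x, depth + 1)

def isolation_forest(X, trees=100, seed=0):
    rng = random.Random(seed)
    return [build_tree(rng, X, 0, math.ceil(math.log2(len(X)))) for _ in range(trees)], len(X)

def anomaly_score(forest, x):
    """Score in (0, 1): near 1 means isolated in few splits, i.e. anomalous."""
    trees, n = forest
    return 2 ** (-sum(path_length(t, x) for t in trees) / len(trees) / c(n))

def demo(seed=1):
    rng, ops = random.Random(seed), ["Read"] * 8 + ["Write", "Rename"]
    events = [(pid, rng.choice(ops), f"C:\\data\\f{rng.randrange(12)}.txt")  # constructed benign
              for pid in range(101, 112) for _ in range(rng.randrange(20, 80))]
    events += [(999, op, f"C:\\users\\p{i}.jpg")  # constructed ransomware-like pid 999
               for i in range(300) for op in ("Write", "Rename", "Delete")]
    feats = extract_features(events)
    forest = isolation_forest(list(feats.values()))
    return {pid: round(anomaly_score(forest, v), 3) for pid, v in feats.items()}
```

The forest is fitted unsupervised on all twelve processes, as Isolation Forest is designed to be; the process that touches hundreds of files scores far above the read-heavy ones.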
