IEEE Access (Jan 2024)

Ransomware Classification Using Hardware Performance Counters on a Non-Virtualized System

  • Jennie E. Hill,
  • T. Owens Walker,
  • Justin A. Blanco,
  • Robert W. Ives,
  • Ryan Rakvic,
  • Bruce Jacob

DOI
https://doi.org/10.1109/ACCESS.2024.3395491
Journal volume & issue
Vol. 12
pp. 63865 – 63884

Abstract

Read online

Ransomware is a type of malicious software designed to encrypt a user’s important data for the purpose of extortion, with a global annual impact of billions of dollars in damages. This research proposes a side-channel-based ransomware detection method that utilizes the microarchitectural side-channel accessed through hardware performance counters. Unlike most ransomware research, which relies on virtual machines to easily restore a system to its uncompromised, pre-encrypted state, this work leverages thousands of trials collected on hardware without the use of virtualization. Trials consist of both benign operations and real-world ransomware executables. Over two hundred distinct hardware events were collected on (non-virtualized) computer hardware to replicate the real-world scenario in which most ransomware attacks occur. Over 30 classifiers were systematically trained with each of the 200+ hardware events to reduce the number of classifiers and performance counters considered, and then five of the top classification algorithms were evaluated to rank which hardware performance counters contributed to the best classification results. Overall, this work showed that classification of ransomware in under two seconds with over 95% accuracy is viable with as few as 3 hardware event features for the Neural Network and Bagged Tree classifiers.

Keywords