
Ransomware Detection Using Machine Learning and Physical Sensor Data


Abstract

A new method for the detection of ransomware in an infected host during the initiation of its payload execution is proposed and evaluated. Data streams from on-board sensors present in modern computing systems are monitored, and appropriate criteria are used that enable the sensor data to effectively detect the presence of ransomware infections. Encryption detection depends upon the use of small yet distinguishable changes in the physical state of a system as reported through on-board sensor readings. A feature vector is formulated consisting of various sensor outputs and is coupled with a detection criterion for the binary states of ransomware present versus normal operation. An advantage of this approach is that previously unknown or zero-day versions of ransomware are vulnerable to this detection method, since no a priori knowledge of the malware, such as a data signature, is required for this method to be deployed and used. Experimental results from a system that underwent testing with 18 different test configurations, comprising different simulated system loads unknown to the model and different AES encryption methods used during a simulated ransomware attack, showed an average precision of 95.27% and an average false positive rate of 1.57% for predictions made once every second about the state of the system under test.

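Bibliographic record

  • Author

    Taylor, Michael.;

  • Author affiliation

    Southern Methodist University.;

  • Degree-granting institution: Southern Methodist University.;
  • Subject: Computer engineering.;Computer science.;Artificial intelligence.
  • Degree: M.S.
  • Year: 2017
  • Pages: 109 p.
  • Total pages: 109
  • Original format: PDF
  • Language of text: eng
  • Chinese Library Classification
  • Keywords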
