Authors - S.Venkata Rakesh, K.Tarun Kumar, A.Lohith, M.Nirupama Bhatt Abstract - One of the world's most destructive types of malware is ransomware, which results in huge financial and data loss around the globe. Current signature-based detection methodologies do not work for the detection of these types of ransomware because they have no way to identify them prior to their creation (zero-day) or when a variant of the ransomware is created (polymorphic). A behaviour-based ransomware detection methodology that involves the use of CPU Hardware Performance Counters (HPC) in combination with machine learning models for the purpose of detecting ransomware activity is the focus of this project. The following HPC metrics will be used to monitor the execution of a program or application while it is executing: instruction count; cache references; cache hits; branch instructions; and CPU cycles. These low-level architectural events will provide information on the unique behaviour characteristics of a ransomware program or application based on the types of behaviours exhibited by the encryption pro-cesses of a ransomware program or application. A labelled dataset of HPC traces of typical programs/applications will be developed by running both standard pro-grams/applications and ransomware in a controlled testing environment. Several supervised learning models such as Random Forest, Support Vector Machines, and Logistic Regression will be trained and validated on the labelled dataset. The experimental results show that ransomware activity causes significantly different HPC metrics, thereby allowing the correct identification of ransomware. The pro-posed methodology will offer a real-time, graphical user interface for real-time monitoring and graphical representation of the detected ransomware program or application.
Open Zoom