DeepWare: Imaging Performance Counters With Deep Learning to Detect Ransomware

Detailed description

Saved in:
Bibliographic details
Published in: IEEE transactions on computers 2023-03, Vol.72 (3), p.600-613
Main authors: Ganfure, Gaddisa Olani, Wu, Chun-Feng, Chang, Yuan-Hao, Shih, Wei-Kuan
Format: Article
Language: eng
Subjects:
Online access: Order full text
container_end_page 613
container_issue 3
container_start_page 600
container_title IEEE transactions on computers
container_volume 72
creator Ganfure, Gaddisa Olani
Wu, Chun-Feng
Chang, Yuan-Hao
Shih, Wei-Kuan
description In the past year, rarely a month has passed without a ransomware incident being reported in a newspaper or on social media. In addition to the rise in the frequency of ransomware attacks, emerging attacks are very effective, as they use sophisticated techniques to bypass existing organizational security perimeters. To tackle this issue, this paper presents "DeepWare," a ransomware detection model inspired by deep learning and hardware performance counters (HPCs). Unlike previous works that check all HPC results returned from a single sampling instant for every running process, DeepWare carries out a simple yet effective concept of "imaging hardware performance counters with deep learning to detect ransomware," so as to identify ransomware efficiently and effectively. More specifically, DeepWare monitors the system-wide change in the distribution of HPC data. By imaging the HPC values and restructuring the conventional CNN model, DeepWare can address HPC nondeterminism by extracting event-specific and event-wise behavioral features, which allows it to distinguish ransomware activity from benign activity effectively. Experimental results across ransomware families show that the proposed DeepWare is effective at detecting different classes of ransomware with a 98.6% recall score, which is an 84.41%, 60.93%, and 21% improvement over the RATAFIA, OC-SVM, and EGB models respectively. DeepWare achieves an average MCC score of 96.8% and nearly zero false-positive rates by using just a 100 ms snapshot of HPC data. This timeliness of DeepWare is critical because organizations and individuals then have the opportunity to take countermeasures in the first stage of the attack. Besides, the experiment conducted on unseen ransomware families such as CoronaVirus, Ryuk, and Dharma demonstrates that DeepWare has excellent potential to be a useful tool for zero-day attack detection.
doi_str_mv 10.1109/TC.2022.3173149
format Article
fulltext fulltext_linktorsrc
identifier ISSN: 0018-9340
ispartof IEEE transactions on computers, 2023-03, Vol.72 (3), p.600-613
issn 0018-9340
1557-9956
language eng
recordid cdi_proquest_journals_2775104799
source IEEE Electronic Library (IEL)
subjects convolutional neural network
Deep learning
dynamic analysis
Encryption
Feature extraction
Hardware
hardware performance counters
Imaging
Monitoring
Ransomware
Ransomware detection
Switches
title DeepWare: Imaging Performance Counters With Deep Learning to Detect Ransomware
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-01T21%3A19%3A56IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=DeepWare:%20Imaging%20Performance%20Counters%20With%20Deep%20Learning%20to%20Detect%20Ransomware&rft.jtitle=IEEE%20transactions%20on%20computers&rft.au=Ganfure,%20Gaddisa%20Olani&rft.date=2023-03-01&rft.volume=72&rft.issue=3&rft.spage=600&rft.epage=613&rft.pages=600-613&rft.issn=0018-9340&rft.eissn=1557-9956&rft.coden=ITCOB4&rft_id=info:doi/10.1109/TC.2022.3173149&rft_dat=%3Cproquest_RIE%3E2775104799%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2775104799&rft_id=info:pmid/&rft_ieee_id=9770351&rfr_iscdi=true