Secure Software Systems Group

Ransomware Detection with Machine Learning

Data has become more critical than ever in today's digital transformation era. The amount of data we produce daily is astonishing — every day, hundreds of millions of people are taking photos, making videos, and exchanging messages. Given such trends, the importance of database security is hard to overestimate: The rapid growth of the data volume stored in the databases in cloud environments and enterprise data centers makes them attractive attack targets. Traditionally, attacks on data aim at undermining confidentiality and authenticity. However, attacks against data availability, services, and users have become more common. Modern attackers deploy ransomware, malicious software that claims to have encrypted all data — while in numerous instances deleting the data — and requires the victim to pay a ransom for the decryption key. The financial loss from ransomware is significant — it reached 5 billion USD in 2017, rose to 20 billion by 2021, and is predicted to hit 256 billion by 2031.

Existing anti-ransomware solutions limit themselves to client-side ransomware detection and follow two dominant strategies: signature-based detection of malicious binaries, and runtime monitoring with behavioral analysis for anomaly detection. The first strategy, typically used by antivirus vendors, identifies known malicious binaries on the endpoint. The second relies on runtime monitoring of file accesses and detects malicious activity based on heuristics. Unfortunately, both techniques are unsuitable for server-side ransomware attack scenarios, where attackers connect to the database remotely and, hence, there is no local malicious binary to detect. Furthermore, monitoring the file system for abnormal activity is inappropriate because attacker activity does not correlate with file access patterns: the database engine, not the attacker, performs the file I/O.

The goal of this project is to demonstrate the effectiveness of Machine Learning techniques in the domain of ransomware detection. Specifically, we propose using Deep Learning to detect ransomware in databases effectively. Moreover, we show the clear benefit of Deep Learning by successfully classifying ransomware in a database with minimal performance overhead.
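As an added illustration, the following script shows the shape of query-sequence based detection that the paragraphs above describe; it is not the project's code (the publications below use Deep Learning on query sequences), and it replaces the neural classifier with a deliberately simple first-order Markov model over SQL query templates. Everything in it is constructed for the example: the two benign request flows, the ransomware-shaped query sequence, the literal-stripping template normalisation, the window size of five queries and the calibration rule (worst benign window score minus a margin) are assumptions, not the group's design.

```python
"""Toy anomaly detector over SQL query sequences (added illustration, not project code).

A bigram (first-order Markov) model is trained on the template sequence of a
benign workload. Windows of the live query stream whose mean transition
log-likelihood falls below a calibrated threshold are flagged, so both unknown
query templates and known templates in an unusual order lower the score.
"""
import math
import re
from collections import Counter, defaultdict

_STRING = re.compile(r"'[^']*'")   # single-quoted string literals
_NUMBER = re.compile(r"\b\d+\b")   # integer literals
_SPACE = re.compile(r"\s+")


def to_template(query: str) -> str:
    """Normalise a query to its template: literals become '?', case and spacing are unified."""
    q = _STRING.sub("?", query)
    q = _NUMBER.sub("?", q)
    return _SPACE.sub(" ", q).strip().upper()


class QuerySequenceModel:
    """Bigram model over query templates with additive smoothing."""

    def __init__(self, smoothing: float = 1e-3):
        self.smoothing = smoothing
        self.transitions = defaultdict(Counter)  # prev template -> Counter of next templates
        self.templates = set()

    def fit(self, queries):
        templates = [to_template(q) for q in queries]
        self.templates.update(templates)
        for prev, cur in zip(templates, templates[1:]):
            self.transitions[prev][cur] += 1
        return self

    def transition_logprob(self, prev: str, cur: str) -> float:
        """log P(cur | prev); one extra vocabulary slot reserves smoothing mass for unseen templates."""
        row = self.transitions.get(prev, Counter())
        vocab = len(self.templates) + 1
        total = sum(row.values()) + self.smoothing * vocab
        return math.log((row[cur] + self.smoothing) / total)

    def score_window(self, queries) -> float:
        """Mean log-likelihood of the transitions inside a window; lower is more anomalous."""
        templates = [to_template(q) for q in queries]
        pairs = list(zip(templates, templates[1:]))
        if not pairs:
            return 0.0
        return sum(self.transition_logprob(p, c) for p, c in pairs) / len(pairs)


def window_scores(model, queries, window=5):
    """Score every window of `window` consecutive queries."""
    return [model.score_window(queries[i:i + window])
            for i in range(max(len(queries) - window + 1, 0))]


def calibrate(model, benign_queries, window=5, margin=1.0) -> float:
    """Threshold = worst benign window score minus a margin (use held-out traffic in practice)."""
    return min(window_scores(model, benign_queries, window)) - margin


def detect(model, queries, threshold, window=5):
    """Return the start indices of windows that score below the threshold."""
    return [i for i, s in enumerate(window_scores(model, queries, window)) if s < threshold]


# Constructed benign workload (not real traffic): two request flows of a shop-style application.
FLOW_BROWSE = [
    "SELECT * FROM sessions WHERE token = 'a1'",
    "SELECT * FROM users WHERE id = 42",
    "SELECT * FROM products WHERE category = 'books' LIMIT 20",
]
FLOW_CHECKOUT = [
    "SELECT * FROM sessions WHERE token = 'b2'",
    "SELECT * FROM users WHERE id = 7",
    "SELECT * FROM products WHERE id = 300",
    "INSERT INTO orders (user_id, product_id) VALUES (7, 300)",
    "UPDATE products SET stock = stock - 1 WHERE id = 300",
]
BENIGN_TRACE = (FLOW_BROWSE + FLOW_CHECKOUT) * 10 + FLOW_BROWSE * 5

# Constructed sequence shaped like a database-ransomware session: enumerate, dump, destroy, leave a note.
SUSPICIOUS_TRACE = [
    "SELECT table_name FROM information_schema.tables",
    "SELECT * FROM users",
    "SELECT * FROM orders",
    "DROP TABLE users",
    "DROP TABLE orders",
    "CREATE TABLE warning (msg TEXT)",
    "INSERT INTO warning (msg) VALUES ('<note text>')",
]
LIVE_TRACE = FLOW_BROWSE + FLOW_CHECKOUT + SUSPICIOUS_TRACE + FLOW_BROWSE

MODEL = QuerySequenceModel().fit(BENIGN_TRACE)
THRESHOLD = calibrate(MODEL, BENIGN_TRACE)

if __name__ == "__main__":
    for i in detect(MODEL, LIVE_TRACE, THRESHOLD):
        score = MODEL.score_window(LIVE_TRACE[i:i + 5])
        print(f"window {i:2d} score {score:6.2f} starts at {LIVE_TRACE[i]!r}")
```

On the constructed traces the first flagged window is the one where the last benign UPDATE is followed by the first enumeration query, and every window that is mostly attack traffic scores far below the benign range. In a real deployment the stream interleaves many clients, so windowing per connection or per session (an assumption here, not something the page states) keeps one client's queries from masking another's; the template normalisation is also deliberately crude and would need the database's own parser for anything beyond a demonstration.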

People involved: Prof. A. Dmitrienko, Christoph Sendner

Publications

2022
  • Ransomware Detection in Databases through Dynamic Analysis of Query Sequences. Sendner, Christoph; Iffländer, Lukas; Schindler, Sebastian; Jobst, Michael; Dmitrienko, Alexandra; Kounev, Samuel; in IEEE Conference on Communications and Network Security (CNS) (2022).
2021
  • Intrusion Detection Using Machine Learning in Databases. Schindler, Sebastian; Thesis; University of Würzburg. (2021, April).
2019
  • Hands off my Database: Ransomware Detection in Databases through Dynamic Analysis of Query Sequences. Iffländer, Lukas; Dmitrienko, Alexandra; Hagen, Christoph; Jobst, Michael; Kounev, Samuel; in ArXiv | arXiv:1907.06775v1 (2019).
2018
  • POSTER: Efficient and Effective Ransomware Detection in Databases. Hagen, Christoph; Dmitrienko, Alexandra; Iffländer, Lukas; Jobst, Michael; Kounev, Samuel; in 34th Annual Computer Security Applications Conference (ACSAC) (2018).
  • DIMAQS - Dynamic Identification of Malicious Query Sequences. Jobst, Michael; Thesis; University of Würzburg. (2018, June).