Ransomware Detection with Machine Learning
01.02.2022Data has become more critical than ever in today's digital transformation era.
Data has become more critical than ever in today's digital transformation era. The amount of data we produce daily is astonishing — every day, hundreds of millions of people are taking photos, making videos, and exchanging messages. Given such trends, the importance of database security is hard to overestimate: The rapid growth of the data volume stored in the databases in cloud environments and enterprise data centers makes them attractive attack targets. Traditionally, attacks on data aim at undermining confidentiality and authenticity. However, attacks against data availability, services, and users have become more common. Modern attackers deploy ransomware, malicious software that claims to have encrypted all data — while in numerous instances deleting the data — and requires the victim to pay a ransom for the decryption key. The financial loss from ransomware is significant — it reached 5 billion USD in 2017, rose to 20 billion by 2021, and is predicted to hit 256 billion by 2031.
Existing anti-ransomware solutions limit themselves to client-side ransomware detection and follow two dominant strategies: Signature-based detection of malicious binaries and runtime monitoring and behavioral analysis for anomaly detection. The first one builds upon the detection of malicious binaries and is typically used by antivirus vendors. In contrast, the second strategy relies on runtime monitoring of file accesses and detecting malicious activity based on heuristics. Unfortunately, both techniques are unsuitable for detecting server-side ransomware attack scenarios, where attackers connect to the database remotely and, hence, there is no local malicious binary to detect. Furthermore, monitoring at the file system level for abnormal activity is inappropriate due to a lack of correlation between attacker activity and file access patterns.
The goal of this project is to demonstrate the effectiveness of Machine Learning techniques in the domain of ransomware detection. Specifically, we propose using Deep Learning to detect ransomware in databases effectively. Moreover, we show the clear benefit of Deep Learning by successfully classifying ransomware in a database with minimal performance overhead.
People involved: Prof. A. Dmitrienko, Christoph Sendner
Zurück