journal article Sep 30, 2023

HiPeR - Early Detection of a Ransomware Attack using Hardware Performance Counters

Abstract
Ransomware has been one of the most prevalent forms of malware over the previous decade, and it continues to be one of the most significant threats today. Recently, ransomware strategies such as double extortion and rapid encryption have encouraged attacker communities to treat ransomware as a business model. With the advent of Ransomware as a Service (RaaS) models, ransomware spread and operations continue to increase. Even though machine learning and signature-based detection methods for ransomware have been proposed, they often fail to achieve very accurate detection. Ransomware that evades detection moves to the execution phase after initial access and installation. Due to the catastrophic nature of a ransomware attack, it is crucial to detect it in the early stages of execution. If there is a method to detect ransomware early enough in its execution phase, then one can kill the processes to stop the ransomware attack. However, early detection with dynamic API call analysis is not an ideal solution, as contemporary ransomware variants use low-level system calls to circumvent such detection methods. In this work, we use hardware performance counters (HPC) as features to detect the ransomware within 3-4 seconds - which may be sufficient, at least in the case of ransomware that takes longer to complete its full execution.

Metrics: 25 citations, 36 references

Details
Published: Sep 30, 2023
Vol/Issue: 4(3)
Pages: 1-24
Cite This Article
P. Mohan Anand, P. V. Sai Charan, Sandeep K. Shukla (2023). HiPeR - Early Detection of a Ransomware Attack using Hardware Performance Counters. Digital Threats: Research and Practice, 4(3), 1-24. https://doi.org/10.1145/3608484