Ransomware Detection & Defense
Abstract
Ransomware Attack Detection with Intrinsic Explainability (RADIX)

Ransomware is an umbrella term for a large class of malware that surreptitiously encrypts critical data on a system (or otherwise locks it), rendering the original data inaccessible. The data can be unlocked with a secret key obtained after paying a ransom (today, often in cryptocurrency). Ransoms range from small amounts targeting everyday users to millions of dollars for larger critical systems. The underlying programs can be sophisticated, with effective stealth, communication with centralized command and control, and autonomous propagation with persistence in storage media. Ransomware attacks on critical infrastructure and facilities have become a high-priority threat; news reports in recent weeks have highlighted attacks on gas pipelines, healthcare systems, food production, and automotive plants.

To address this threat, SRI International's (SRI) RADIX proposal targets three key research areas for the automated and robust detection of ransomware activity: 1) representations of machine activity, 2) training against imbalanced data, and 3) attribution methods for explainability. These are challenging research areas that need to be addressed before machine learning can be an effective method for defending against ransomware attacks. Together they represent an innovative application of machine learning to ransomware detection. They are premised on the case in which ransomware has already been installed by evading system security, so that a critical last line of defense is required. These research areas will enable describing the machine state in a way that is amenable to training for machine learning and to detecting signature ransomware activity (e.g., file encryption) without false alarms.

RADIX aims to achieve these goals, despite the fact that ransomware activity is generally scarce amongst a background of busy system activity, by applying generative methods to address the clear imbalance in training data. RADIX will explore methods to explain potential ransomware activity in a way that a user or cybersecurity expert can assess and mitigate. Successful outcomes of the three research areas include new and useful representations of system activity, solutions for training with imbalanced data, and improvements in explainable machine-learning systems. These results could enable a new generation of machine-learning-based methods for ransomware detection at encrypt time. Our proposed research areas could also have considerable relevance for machine learning in general.
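The abstract names two of its ingredients only in passing: a representation of machine activity that a detector can be trained on, and an explanation the analyst can act on when signature activity such as file encryption is flagged. The following Python is an added illustration of both ideas, not code from the RADIX proposal or from SRI: it folds a stream of file-system events into a per-process feature record, scores it with a linear heuristic whose per-feature contributions double as the explanation, and guards against the obvious false positive (a single high-entropy write from a legitimate archiver). The event format, the entropy threshold, the feature weights, the alert threshold and the sample events are all assumptions constructed for this example.

```python
"""Per-process file-activity representation with an explainable encryption
heuristic. Added example for illustration; not code from the RADIX proposal.
Feature set, weights, thresholds and the sample events are assumptions."""
import math
import os
from collections import defaultdict
from dataclasses import dataclass, field


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written buffer (0.0 for empty input).
    Ciphertext and compressed data approach 8.0; plain text and most
    document formats stay well below 7.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class ProcessFeatures:
    """Compact representation of one process's file activity."""
    writes: int = 0
    high_entropy_writes: int = 0
    renames_to_new_ext: int = 0
    files_touched: set = field(default_factory=set)


def featurize(events, entropy_threshold=7.0):
    """Fold a stream of file-system events into per-pid feature records.
    Assumed event shape: {"pid", "op": "write"|"rename", "path", "data"|"new_path"}."""
    feats = defaultdict(ProcessFeatures)
    for ev in events:
        f = feats[ev["pid"]]
        f.files_touched.add(ev["path"])
        if ev["op"] == "write":
            f.writes += 1
            if shannon_entropy(ev["data"]) >= entropy_threshold:
                f.high_entropy_writes += 1
        elif ev["op"] == "rename":
            if os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1]:
                f.renames_to_new_ext += 1
    return feats


def score_process(f, weights=None):
    """Linear score whose per-feature contributions double as the
    explanation: the analyst sees which behaviour drove the alert."""
    weights = weights or {"high_entropy_write_ratio": 0.5, "new_extension_rename_ratio": 0.5}
    w = max(f.writes, 1)
    ratios = {
        "high_entropy_write_ratio": f.high_entropy_writes / w,
        "new_extension_rename_ratio": f.renames_to_new_ext / w,
    }
    contributions = {k: weights[k] * ratios[k] for k in weights}
    return sum(contributions.values()), contributions


def detect(events, threshold=0.6, min_files=3):
    """Return {pid: {"alert": bool, "score": float, "contributions": {...}}}.
    min_files keeps a single high-entropy write (a legitimate archiver or
    compressor producing one .zip) from raising an alert on its own."""
    result = {}
    for pid, f in featurize(events).items():
        total, contrib = score_process(f)
        result[pid] = {
            "alert": total >= threshold and len(f.files_touched) >= min_files,
            "score": total,
            "contributions": contrib,
        }
    return result


# Constructed sample events (not captured telemetry).
TEXT = b"meeting notes: call vendor at 10, review patch before Friday\n"
CIPHERTEXT_LIKE = bytes(range(256)) * 4  # uniform byte histogram, entropy exactly 8.0

SAMPLE_EVENTS = (
    # pid 100: editor saving plain text many times (benign background activity)
    [{"pid": 100, "op": "write", "path": "/home/u/notes.txt", "data": TEXT} for _ in range(40)]
    # pid 200: archiver writing one compressed file (benign but high entropy)
    + [{"pid": 200, "op": "write", "path": "/home/u/backup.zip", "data": CIPHERTEXT_LIKE}]
    # pid 300: overwrites six documents with ciphertext and renames each to a new extension
    + [ev for i in range(6) for ev in (
        {"pid": 300, "op": "write", "path": f"/home/u/doc{i}.docx", "data": CIPHERTEXT_LIKE},
        {"pid": 300, "op": "rename", "path": f"/home/u/doc{i}.docx",
         "new_path": f"/home/u/doc{i}.docx.locked"},
    )]
)

if __name__ == "__main__":
    for pid, r in detect(SAMPLE_EVENTS).items():
        print(pid, r)
```

Only pid 300 crosses the alert threshold, and its `contributions` dictionary states why (all of its writes were high-entropy and all of its files were renamed to a new extension), which is the kind of attribution the abstract asks for. The archiver in pid 200 has the same high-entropy ratio but touches one file and renames nothing, so it stays below the bar; that is the false-alarm case a practitioner would check first when tuning any encryption heuristic.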
Document Details
- Document Type
- DoD Grant Award
- Publication Date
- Aug 20, 2021
- Source ID
- N000142112754
Entities
People
- Maneesh Yadav
Organizations
- Office of Naval Research
- SRI International
- United States Navy