Peeler: Profiling Kernel-Level Events to Detect Ransomware

Because the recent ransomware families are becoming progressively more advanced, it is challenging to detect ransomware using static features only. However, their behaviors are still more generic and universal to analyze due to their inherent goals and functions. Therefore, we can capture their behaviors by monitoring their system-level activities on files and processes. In this paper, we present a novel ransomware detection system called "Peeler" (Profiling kErnEl -Level Events to detect Ransomware). Peeler first identifies ransomware's inherent behavioral characteristics such as stealth operations performed during the attack, processes execution patterns, and correlations among different kernel-level events by analysing a large-scaled OS-level provenance data collected from a diverse set of ransomware families. Peeler specifically uses a novel NLP-based deep learning model to fingerprint the contextual behavior of applications by leveraging Bidirectional Encoder Representations from Transformers (BERT) pre-trained model. We evaluate Peeler on a large ransomware dataset including 67 ransomware families and demonstrate that it achieves a 99.5% F1-score.