DeepGuard: Deep Generative User-behavior Analytics for Ransomware Detection

Cited by: 0
Authors
Ganfure, Gaddisa Olani [1 ,2 ,3 ]
Wu, Chun-Feng [2 ]
Chang, Yuan-Hao [2 ]
Shih, Wei-Kuan [4 ]
Affiliations
[1] Taiwan Int Grad Program, Social Networks & Human Ctr Comp Program, Taipei, Taiwan
[2] Acad Sinica, Inst Informat Sci, 128 Acad Rd,Sec 2, Taipei 115, Taiwan
[3] Natl Tsing Hua Univ, Inst Informat Syst & Applicat, Hsinchu 30013, Taiwan
[4] Natl Tsing Hua Univ, Dept Comp Sci, Hsinchu, Taiwan
Source
2020 IEEE INTERNATIONAL CONFERENCE ON INTELLIGENCE AND SECURITY INFORMATICS (ISI) | 2020
Keywords
Ransomware Detection; User behavior Analytics; Deep Autoencoders; Cybersecurity;
DOI
None
CLC classification
TP18 [Artificial intelligence theory];
Discipline codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
In the last couple of years, the move to cyberspace has provided a more fertile environment for ransomware criminals than ever before. Notably, since the introduction of WannaCry, numerous ransomware detection solutions have been proposed. However, ransomware incident reports show that most organizations impacted by ransomware were running state-of-the-art ransomware detection tools. Hence, an alternative solution is urgently required, as the existing detection models are not sufficient to spot emerging ransomware threats. With this motivation, our work proposes "DeepGuard," a novel concept of modeling user behavior for ransomware detection. The main idea is to log the file-interaction pattern of typical user activity and pass it through a deep generative autoencoder architecture that recreates its input. With sufficient training data, the model learns to reconstruct typical user activity (the input) with minimal reconstruction error. Hence, by applying the three-sigma limit rule to the model's reconstruction error, DeepGuard can distinguish ransomware activity from user activity. The experimental results show that DeepGuard effectively detects various classes of ransomware with minimal false-positive rates. Overall, modeling attack detection around user behavior gives the proposed strategy deep visibility into various ransomware families.
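The detection rule sketched in the abstract (profile the file-interaction pattern of each user session, measure how badly a model trained only on benign sessions reconstructs it, and flag sessions whose reconstruction error exceeds the three-sigma limit of the training errors) is illustrated below. This is an added example, not the DeepGuard authors' code: the deep autoencoder is replaced by a closed-form stand-in that reconstructs every input as the mean benign profile (an assumption made so the example runs offline with only the standard library), the `sid op path` log format is invented, and every log line is constructed sample data.

```python
"""Three-sigma anomaly detection over per-session file-interaction profiles.

Added illustration of the DeepGuard idea, not the paper's code.  The trained
autoencoder is replaced by a mean-profile reconstructor (assumption), the log
format is invented, and all log lines are constructed sample data.
"""
import math
import statistics
from collections import Counter

# Operation vocabulary that defines the feature vector (assumed, not from the paper).
OPS = ("read", "write", "rename", "delete", "create")


def make_session_lines(sid, op_counts):
    """Expand a constructed spec into raw '<session> <op> <path>' log lines."""
    lines, n = [], 0
    for op, k in op_counts.items():
        for _ in range(k):
            lines.append(f"{sid} {op} /home/user/docs/file{n}.dat")  # constructed path
            n += 1
    return lines


def profile_sessions(log_text):
    """Parse log lines and turn each session into a normalized operation-frequency vector."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sid, op, _path = line.split(maxsplit=2)
        counts.setdefault(sid, Counter())[op] += 1
    return {sid: [c[op] / sum(c.values()) for op in OPS] for sid, c in counts.items()}


def fit_reconstructor(profiles):
    """Stand-in for the trained autoencoder: 'reconstruct' any input as the mean benign profile."""
    vectors = list(profiles.values())
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(OPS))]


def reconstruction_error(profile, reconstruction):
    """Euclidean distance between a session profile and its reconstruction."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(profile, reconstruction)))


def three_sigma_threshold(errors):
    """Upper three-sigma limit of the reconstruction errors seen on benign training data."""
    return statistics.mean(errors) + 3 * statistics.pstdev(errors)


def classify(profile, reconstruction, threshold):
    """Sessions reconstructed worse than the benign three-sigma limit are flagged."""
    err = reconstruction_error(profile, reconstruction)
    return ("ransomware" if err > threshold else "benign"), err


# Constructed benign training sessions: read-dominated interactive work.
TRAIN_SPEC = [
    ("s1", {"read": 6, "write": 2}),
    ("s2", {"read": 5, "write": 2, "create": 1}),
    ("s3", {"read": 7, "write": 1}),
    ("s4", {"read": 4, "write": 3, "delete": 1}),
    ("s5", {"read": 6, "write": 1, "create": 1}),
]
# Constructed test sessions: one ordinary session and one read/overwrite/rename sweep.
TEST_SPEC = [
    ("t1", {"read": 5, "write": 3}),
    ("r1", {"read": 5, "write": 5, "rename": 5}),
]


def build_log(spec):
    return "\n".join(line for sid, counts in spec for line in make_session_lines(sid, counts))


def run_demo():
    """Train on benign sessions, derive the three-sigma limit, classify the test sessions."""
    train = profile_sessions(build_log(TRAIN_SPEC))
    mean_profile = fit_reconstructor(train)
    train_errors = [reconstruction_error(p, mean_profile) for p in train.values()]
    threshold = three_sigma_threshold(train_errors)
    verdicts = {}
    for sid, profile in profile_sessions(build_log(TEST_SPEC)).items():
        verdicts[sid] = classify(profile, mean_profile, threshold)
    return threshold, verdicts


if __name__ == "__main__":
    thr, results = run_demo()
    print(f"three-sigma threshold on benign reconstruction error: {thr:.4f}")
    for sid, (label, err) in results.items():
        print(f"{sid}: error={err:.4f} -> {label}")
```

The threshold is derived only from benign training errors, so no ransomware sample is needed to set it; that is what lets the rule generalize to families unseen during training. The cost of the stand-in is visible too: an operation-frequency vector discards ordering and volume, so a real deployment relies on the autoencoder learning richer sequence features, and the false-positive rate should be re-measured whenever the user population's normal behavior shifts.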
Pages: 199 / 204
Page count: 6