POSSE: Patterns of Systems During Software Encryption
David Noever, Samantha Miller Noever

TL;DR
This paper presents a machine learning-based approach to detect ransomware activities by monitoring system performance, achieving over 91% accuracy in classifying idle, encryption, and compression states to prevent data locking.
Contribution
It introduces a novel behavioral detection method using performance metrics and compares multiple machine learning algorithms for ransomware detection.
Findings
Linear regression outperforms other models in classification accuracy.
All tested algorithms achieve over 91% accuracy in classifying system states.
Performance monitoring can effectively anticipate ransomware encryption activities.
Abstract
This research recasts ransomware detection using performance monitoring and statistical machine learning. The work builds a test environment with 41 input variables to label and compare three computing states: idle, encryption and compression. A common goal of this behavioral detector is to anticipate and short-circuit the final step of hard-drive locking with encryption and the demand for payment to return the file system to its baseline. Comparing machine learning techniques, linear regression outperforms random forest, decision trees, and support vector machines (SVM). All algorithms classified the three possible classes (idle, encryption, and compression) with greater than 91% accuracy.
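The detector the abstract describes, as an added illustration that is not the paper's code or data: a one-vs-rest linear-regression classifier that labels a window of host performance counters as idle, encryption or compression. The four counter names and every sample value below are constructed (the paper uses 41 variables), so the numbers show the mechanism, not the paper's results.

```python
STATES = ("idle", "encryption", "compression")
# Constructed per-window samples, not measurements from the paper:
# (disk_write_MBps, cpu_pct, file_modifications_per_s, mem_pct), label
TRAIN = [
    ((0.5, 3.0, 0.1, 40.0), "idle"),
    ((1.2, 5.0, 0.3, 42.0), "idle"),
    ((0.8, 2.0, 0.2, 38.0), "idle"),
    ((45.0, 35.0, 120.0, 45.0), "encryption"),
    ((60.0, 40.0, 150.0, 47.0), "encryption"),
    ((50.0, 30.0, 130.0, 44.0), "encryption"),
    ((30.0, 85.0, 5.0, 60.0), "compression"),
    ((25.0, 90.0, 4.0, 65.0), "compression"),
    ((35.0, 80.0, 6.0, 58.0), "compression"),
]

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a @ x = b."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def fit(samples):
    """One-vs-rest least squares: one weight vector (with bias) per state."""
    X = [[1.0, *f] for f, _ in samples]
    d = len(X[0])
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(d)] for i in range(d)]
    for i in range(d):
        xtx[i][i] += 1e-3  # tiny ridge term keeps the normal equations well conditioned
    weights = {}
    for s in STATES:
        y = [1.0 if lab == s else 0.0 for _, lab in samples]
        xty = [sum(r[i] * t for r, t in zip(X, y)) for i in range(d)]
        weights[s] = solve(xtx, xty)
    return weights

def predict(weights, features):
    """Label a window with the state whose regression output is largest."""
    x = [1.0, *features]
    return max(STATES, key=lambda s: sum(w * v for w, v in zip(weights[s], x)))

def accuracy(weights, samples):
    return sum(predict(weights, f) == lab for f, lab in samples) / len(samples)
```

A held-out window is classified with `predict(fit(TRAIN), window)`; the encryption state is separated from compression here by the file-modification rate, which is the kind of counter a behavioral detector can act on before the locking step completes.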
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Network Security and Intrusion Detection
Methods: Test · Linear Regression
