Ransomware Detection using Process Memory
Avinash Singh, Richard Adeyemi Ikuesan, and Hein Venter

TL;DR
This paper proposes a ransomware detection method based on analyzing process memory access privileges, leveraging machine learning algorithms to identify ransomware behavior accurately before damage occurs.
Contribution
It introduces a novel approach focusing on process memory features and signatures for more precise ransomware detection, improving over traditional general feature-based methods.
Findings
Achieved detection accuracy between 81.38% and 96.28%.
Confirmed the feasibility of process memory analysis for ransomware detection.
Identified new signatures for ransomware classification.
Abstract
Ransomware attacks have increased significantly in recent years, causing great destruction and damage to critical systems and business operations. Attackers are constantly finding innovative ways to bypass detection mechanisms, which has encouraged the adoption of artificial intelligence. However, most research relies on general features, which induces many false positives, as the behavior of ransomware constantly changes to bypass detection. Focusing on the key indicating features of ransomware becomes vital, as this guides the investigator to the inner workings and main function of the ransomware itself. By utilizing access privileges in process memory, the main function of the ransomware can be detected more easily and accurately. Furthermore, new signatures and fingerprints of ransomware families can be identified to classify novel ransomware attacks correctly. The current research…
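As an added example (not code from the paper or its authors), the Python below shows the shape of a memory-privilege detection pipeline as the abstract describes it: read each mapped region of a process together with its access privileges, reduce those privileges to a small feature vector, and hand the vector to a classifier. It assumes Linux /proc/<pid>/maps as the region source; the maps excerpts, the four features and the training vectors are constructed for illustration and are not the paper's feature set, dataset, platform or trained models.

```python
"""Added example (not from the paper): turn a process's memory-region access
privileges into a feature vector and classify it with a nearest-centroid model.
Assumptions: regions come from Linux /proc/<pid>/maps text; the four features and
the toy training vectors are illustrative stand-ins for the paper's own feature
set and trained models."""
from __future__ import annotations
import math
import re
from collections import defaultdict
from dataclasses import dataclass

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]", "[vvar]"}  # executable by design, not suspicious
FEATURE_ORDER = ("frac_rwx", "frac_anon_exec", "anon_exec_bytes_frac", "stack_exec")

@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str  # e.g. "rwxp"
    path: str   # "" for anonymous memory, "[heap]"/"[stack]" for pseudo paths

def parse_maps(text: str) -> list[Region]:
    """Parse /proc/<pid>/maps text; lines that do not match are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return regions

def extract_features(regions: list[Region]) -> dict[str, float]:
    """Privilege features: share of regions that are RWX, share of executable
    regions not backed by a file (unpacked or injected code), share of executable
    bytes in such regions, and whether the stack itself is executable."""
    n = len(regions)
    if n == 0:
        return {k: 0.0 for k in FEATURE_ORDER}
    exec_regions = [r for r in regions if "x" in r.perms]
    anon_exec = [r for r in exec_regions
                 if not r.path.startswith("/") and r.path not in KERNEL_PSEUDO]
    exec_bytes = sum(r.end - r.start for r in exec_regions)
    return {
        "frac_rwx": sum({"r", "w", "x"} <= set(r.perms) for r in regions) / n,
        "frac_anon_exec": len(anon_exec) / n,
        "anon_exec_bytes_frac": sum(r.end - r.start for r in anon_exec) / exec_bytes if exec_bytes else 0.0,
        "stack_exec": float(any(r.path == "[stack]" for r in exec_regions)),
    }

def vectorize(features: dict[str, float]) -> list[float]:
    return [features[k] for k in FEATURE_ORDER]

def fit_centroids(samples: list[tuple[list[float], str]]) -> dict[str, list[float]]:
    """Nearest-centroid training: one mean feature vector per label."""
    by_label = defaultdict(list)
    for vec, label in samples:
        by_label[label].append(vec)
    return {label: [sum(col) / len(col) for col in zip(*vecs)] for label, vecs in by_label.items()}

def classify(vec: list[float], centroids: dict[str, list[float]]) -> str:
    """Label of the closest centroid (Euclidean distance)."""
    return min(centroids, key=lambda label: math.dist(vec, centroids[label]))

# Constructed training vectors in FEATURE_ORDER (illustrative, not measured data).
TRAINING = [
    ([0.00, 0.00, 0.00, 0.0], "benign"),
    ([0.00, 0.02, 0.01, 0.0], "benign"),  # e.g. a JIT runtime with a small code cache
    ([0.01, 0.00, 0.00, 0.0], "benign"),
    ([0.25, 0.30, 0.70, 1.0], "suspicious"),
    ([0.40, 0.35, 0.90, 0.0], "suspicious"),
    ([0.20, 0.20, 0.60, 1.0], "suspicious"),
]
CENTROIDS = fit_centroids(TRAINING)

# Constructed /proc/<pid>/maps excerpts: an ordinary editor, and a process that has
# unpacked a payload into anonymous RWX memory and made its stack executable.
BENIGN_MAPS = """\
55d3c0a00000-55d3c0a2f000 r--p 00000000 08:01 131339 /usr/bin/editor
55d3c0a2f000-55d3c0b12000 r-xp 0002f000 08:01 131339 /usr/bin/editor
55d3c0b4b000-55d3c0b4f000 rw-p 0014a000 08:01 131339 /usr/bin/editor
55d3c1f30000-55d3c1f51000 rw-p 00000000 00:00 0 [heap]
7f1a2e3a0000-7f1a2e3c2000 r--p 00000000 08:01 2627 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2e3c2000-7f1a2e557000 r-xp 00022000 08:01 2627 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5a1c0000-7ffd5a1e1000 rw-p 00000000 00:00 0 [stack]
7ffd5a1f8000-7ffd5a1fa000 r-xp 00000000 00:00 0 [vdso]
"""
SUSPECT_MAPS = """\
5580b6e00000-5580b6e05000 r--p 00000000 08:01 98765 /tmp/.x/updater
5580b6e05000-5580b6e06000 r-xp 00005000 08:01 98765 /tmp/.x/updater
5580b8100000-5580b8400000 rwxp 00000000 00:00 0
7f3e40000000-7f3e40800000 rwxp 00000000 00:00 0
7f3e42000000-7f3e42022000 r--p 00000000 08:01 2627 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3e42022000-7f3e421b7000 r-xp 00022000 08:01 2627 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc10000000-7ffc10021000 rwxp 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for name, text in (("editor", BENIGN_MAPS), ("updater", SUSPECT_MAPS)):
        print(name, "->", classify(vectorize(extract_features(parse_maps(text))), CENTROIDS))
```

The features are deliberately about what privileges the memory holds rather than about generic runtime behaviour, which is the distinction the abstract draws. A learned decision boundary is used instead of a hard rule because some legitimate software (JIT runtimes, some packers used by commercial software) also creates anonymous executable memory; the threshold has to come from data gathered in the environment being defended, and the constructed vectors above only stand in for that.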
Peer Reviews
No public reviews on file for this paper yet.
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Network Security and Intrusion Detection
