Machine Learning-based Ransomware Detection Using Low-level Memory Access Patterns Obtained From Live-forensic Hypervisor
Manabu Hirano, Ryotaro Kobayashi

TL;DR
This paper introduces a lightweight live-forensic hypervisor that detects ransomware by analyzing low-level memory access patterns with machine learning, providing a dynamic and effective alternative to signature-based methods.
Contribution
It presents a novel hypervisor-based approach that captures low-level memory access patterns for ransomware detection, outperforming traditional signature-based techniques.
Findings
Achieved an F1 score of 0.95 in ransomware detection.
Successfully distinguished ransomware and wiper malware from benign applications.
Demonstrated effectiveness of low-level memory features for malware detection.
Abstract
Since modern anti-virus software mainly depends on signature-based static analysis, it is not suited to coping with the rapid increase in malware variants. Worse, many operating-system vulnerabilities allow attackers to evade such protection mechanisms altogether. We therefore developed a thin and lightweight live-forensic hypervisor that adds a protection layer beneath the conventional protection layer of the operating system and supports ransomware detection using dynamic behavioral features. The developed live-forensic hypervisor collects low-level memory access patterns instead of the high-level information, such as process IDs and API calls, that modern Virtual Machine Introspection techniques have relied on. We then created a dataset of low-level memory access patterns from three ransomware samples, one wiper malware sample, and four benign applications. We…
