Leveraging eBPF and AI for Ransomware Nose Out
Arjun Sekar, Sameer G. Kulkarni, Joy Kuri

TL;DR
This paper presents a real-time ransomware detection system combining eBPF low-level tracing and AI techniques, achieving high accuracy and rapid response to zero-day attacks.
Contribution
It introduces a novel two-phased approach using eBPF and AI, integrating signature and behavior-based detection for ransomware.
Findings
99.76% detection accuracy on ransomware incidents
Detection within seconds of attack onset
Effective identification of zero-day ransomware
Abstract
In this work, we propose a two-phased approach for real-time detection and deterrence of ransomware. To achieve this, we leverage the capabilities of eBPF (Extended Berkeley Packet Filter) and artificial intelligence to develop both proactive and reactive methods. In the first phase, we utilize signature-based detection, where we employ custom eBPF programs to trace the execution of new processes and perform hash-based analysis against a known ransomware dataset. In the second, we employ a behavior-based technique that focuses on monitoring process activities using a custom eBPF program and on the creation of ransom notes, a prominent indicator of ransomware activity, through the use of Natural Language Processing (NLP). By leveraging the low-level tracing capabilities of eBPF and integrating NLP-based machine learning algorithms, our solution achieves an impressive 99.76% accuracy in…
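To make the two phases concrete, here is an added toy illustration (not the paper's code, and not the authors' feature set or model). Phase 1 stands in for the eBPF exec tracepoint with a constructed list of process-exec events, hashes the executable behind each event and checks it against a constructed set of "known ransomware" SHA-256 values; Phase 2 stands in for the NLP classifier with a weighted bag-of-words score over newly written text, using an assumed ransom-note vocabulary and an assumed threshold. All hashes, paths, event fields and vocabulary weights are constructed for the demo.

```python
"""Toy two-phase ransomware detector (added illustration, not the paper's code).

Phase 1: hash the executable named in each process-exec event and look it up in
a known-bad hash set. A real deployment would receive these events from an eBPF
program attached to the execve tracepoint; here they are constructed dicts.
Phase 2: score the text of newly created files for ransom-note vocabulary with a
simple weighted bag-of-words model standing in for the paper's NLP classifier.
"""
import hashlib
import os
import re
import tempfile

# Constructed "known ransomware" hash set (placeholder derived from fake bytes).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"FAKE-RANSOMWARE-SAMPLE-A").hexdigest(),
}

# Assumed ransom-note vocabulary and weights; not the paper's feature set.
NOTE_TERMS = {
    "encrypted": 3, "bitcoin": 3, "ransom": 3,
    "decrypt": 2, "payment": 2, "wallet": 2,
    "files": 1, "key": 1,
}


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def phase1_check_exec(event: dict) -> bool:
    """Phase 1: True if the executable of an exec event has a known-bad hash."""
    return sha256_file(event["path"]) in KNOWN_BAD_SHA256


def phase2_note_score(text: str) -> int:
    """Phase 2: sum of weights for ransom-note terms found in the text."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(NOTE_TERMS.get(w, 0) for w in words)


def phase2_is_ransom_note(text: str, threshold: int = 6) -> bool:
    """Assumed decision rule: score at or above the threshold is a ransom note."""
    return phase2_note_score(text) >= threshold


def run_demo() -> dict:
    """Run both phases on constructed inputs and return what was flagged."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "updater.bin")    # constructed "malicious" binary
        good = os.path.join(d, "editor.bin")    # constructed benign binary
        with open(bad, "wb") as f:
            f.write(b"FAKE-RANSOMWARE-SAMPLE-A")
        with open(good, "wb") as f:
            f.write(b"benign-binary-bytes")
        # Constructed exec events, shaped like what a user-space consumer of an
        # eBPF execve tracepoint might receive.
        events = [
            {"pid": 1001, "comm": "updater", "path": bad},
            {"pid": 1002, "comm": "editor", "path": good},
        ]
        flagged = [e["pid"] for e in events if phase1_check_exec(e)]

    # Constructed file contents observed after a "file create" event.
    note = ("ALL YOUR FILES ARE ENCRYPTED. Send 0.5 bitcoin to the wallet "
            "below to receive the decrypt key.")
    readme = "This folder contains the build files for the project. Run make to compile."
    return {
        "phase1_flagged_pids": flagged,
        "note_detected": phase2_is_ransom_note(note),
        "readme_detected": phase2_is_ransom_note(readme),
    }


if __name__ == "__main__":
    print(run_demo())
```

The hash lookup in Phase 1 only catches samples already in the set, which is why the abstract pairs it with the behavioral Phase 2; the bag-of-words scorer here is deliberately simple and would be replaced by a trained text classifier in practice.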
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Advanced Malware Detection Techniques
