CanCal: Towards Real-time and Lightweight Ransomware Detection and Response in Industrial Environments

TL;DR

CanCal is a real-time, lightweight ransomware detection system designed for industrial environments, significantly reducing system overhead and alert fatigue while maintaining high detection accuracy and rapid response.

Contribution

It introduces a selective filtering and behavioral analysis approach that minimizes overhead and alert fatigue, enabling effective real-time ransomware detection in large-scale industrial settings.

Findings

Achieves detection within 30ms and response within 3 seconds.

Reduces CPU utilization by over 90%.

Successfully detected and thwarted 61 ransomware attacks in real-world deployment.

Abstract

Ransomware attacks have emerged as one of the most significant cybersecurity threats. Despite numerous proposed detection and defense methods, existing approaches face two fundamental limitations in large-scale industrial applications: intolerable system overheads and notorious alert fatigue. To address these challenges, we propose CanCal, a real-time and lightweight ransomware detection system. Specifically, CanCal selectively filters suspicious processes by the monitoring layers and then performs in-depth behavioral analysis to isolate ransomware activities from benign operations, minimizing alert fatigue while ensuring lightweight computational and storage overhead. The experimental results on a large-scale industrial environment~(1,761 ransomware, ~3 million events, continuous test over 5 months) indicate that CanCal is as effective as state-of-the-art techniques while enabling rapid inference within 30ms and real-time response within a maximum of 3 seconds. CanCal dramatically reduces average CPU utilization by 91.04% (from 6.7% to 0.6%) and peak CPU utilization by 76.69% (from 26.6% to 6.2%), while avoiding 76.50% (from 3,192 to 750) of the inspection efforts from security analysts. By the time of this writing, CanCal has been integrated into a commercial product and successfully deployed on 3.32 million endpoints for over a year. From March 2023 to April 2024, CanCal successfully detected and thwarted 61 ransomware attacks, demonstrating the effectiveness of CanCal in combating sophisticated ransomware threats in real-world scenarios.