Ransomware Detection Using Machine Learning in the Linux Kernel
Adrian Brodzik, Tomasz Malec-Kruszyński, Wojciech Niewolski, Mikołaj Tkaczyk, Krzysztof Bocianiak, Sok-Yen Loui

TL;DR
This paper presents an approach to real-time ransomware detection on Linux that runs machine learning models directly inside the kernel as eBPF programs, classifying processes from their system call activity with lower inference latency than the equivalent user-space models while maintaining high accuracy.
Contribution
It introduces the first implementation of ML-based ransomware detection models (a decision tree and a multilayer perceptron) as eBPF programs in the Linux kernel, so that system call data collected in the kernel is classified there without a round trip to user space.
Findings
eBPF-based models have lower inference latency than their user-space counterparts
Decision tree and MLP models achieve high accuracy in ransomware detection
Classifying in the kernel shortens the time between a process's system call activity and a detection verdict
Abstract
Linux-based cloud environments have become lucrative targets for ransomware attacks, which employ various encryption schemes at unprecedented speeds. Addressing the need for real-time ransomware protection, we propose leveraging the extended Berkeley Packet Filter (eBPF) to collect system call information about active processes and to perform inference on that data directly at the kernel level. In this study, we implement two Machine Learning (ML) models in eBPF: a decision tree and a multilayer perceptron. Benchmarking latency and accuracy against their user-space counterparts, our findings underscore the efficacy of this approach.
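As an added example that is not the paper's code: the shape of the in-kernel inference the abstract describes, written as plain C so it runs in user space but under the constraints an eBPF program faces (fixed-size tables, no recursion, constant loop bounds, bounds checks on every table index, integer-only arithmetic because eBPF has no floating point). The feature set (per-process counts of openat, read, write and rename in a sampling window), the tree thresholds, the MLP weights and the sample events are illustrative assumptions; the paper's trained models and feature definitions are not on this page. Attaching this to a syscall tracepoint and keeping the counters in a BPF map is not shown.

```c
/*
 * Added example, not code from the paper. eBPF-style inference over per-process
 * syscall counters, written in plain C. Feature set, tree thresholds, MLP weights
 * and sample data are illustrative assumptions, not the paper's trained models.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NFEAT 4
enum { F_OPENAT = 0, F_READ, F_WRITE, F_RENAME };

/* x86_64 syscall numbers mapped to feature slots */
#define NR_READ   0
#define NR_WRITE  1
#define NR_RENAME 82
#define NR_OPENAT 257

struct features { uint32_t f[NFEAT]; };
struct sc_event { uint32_t pid; uint32_t nr; };  /* what a sys_enter handler sees */

/* Count one process's syscalls over a window of events: the aggregation an eBPF
 * tracepoint program would do into a per-PID hash map. */
struct features count_window(const struct sc_event *ev, size_t n, uint32_t pid)
{
    struct features x = {{0}};
    for (size_t i = 0; i < n; i++) {
        if (ev[i].pid != pid) continue;
        switch (ev[i].nr) {
        case NR_OPENAT: x.f[F_OPENAT]++; break;
        case NR_READ:   x.f[F_READ]++;   break;
        case NR_WRITE:  x.f[F_WRITE]++;  break;
        case NR_RENAME: x.f[F_RENAME]++; break;
        default: break;
        }
    }
    return x;
}

/* --- decision tree flattened into an array: no pointers, no recursion --- */
#define DT_LEAF      0xff
#define DT_NODES     7
#define DT_MAX_DEPTH 4
struct dt_node { uint8_t feat; uint32_t thresh; uint8_t left, right; };
/* feat == DT_LEAF: thresh holds the class (0 benign, 1 ransomware) */
static const struct dt_node tree[DT_NODES] = {
    { F_WRITE,  50, 1, 2 },   /* 0: writes <= 50 ? node 1 : node 2 */
    { DT_LEAF,   0, 0, 0 },   /* 1: benign */
    { F_RENAME, 10, 3, 4 },   /* 2: renames <= 10 ? node 3 : node 4 */
    { DT_LEAF,   0, 0, 0 },   /* 3: benign */
    { F_READ,   20, 5, 6 },   /* 4: reads <= 20 ? node 5 : node 6 */
    { DT_LEAF,   0, 0, 0 },   /* 5: benign */
    { DT_LEAF,   1, 0, 0 },   /* 6: read, rewrite, rename: ransomware */
};

int dt_predict(const struct features *x)
{
    uint8_t idx = 0;
    for (int depth = 0; depth < DT_MAX_DEPTH; depth++) {   /* constant bound */
        const struct dt_node *n = &tree[idx];
        if (n->feat == DT_LEAF) return (int)n->thresh;
        if (n->feat >= NFEAT) return -1;                    /* table guard */
        idx = (x->f[n->feat] <= n->thresh) ? n->left : n->right;
        if (idx >= DT_NODES) return -1;                     /* table guard */
    }
    return -1;                                              /* too deep */
}

/* --- MLP in Q8 fixed point (256 == 1.0): eBPF has no FPU --- */
#define HIDDEN 3
#define Q 8
static const int32_t W1[HIDDEN][NFEAT] = {
    {    0,   0, 128, 256 },   /* 0.5*write + 1.0*rename */
    {    0,  64,  64,   0 },   /* 0.25*read + 0.25*write */
    { -256,   0, 128,   0 },   /* -1.0*openat + 0.5*write */
};
static const int32_t B1[HIDDEN] = { -(40 << Q), -(20 << Q), 0 };
static const int32_t W2[HIDDEN] = { 256, 128, 64 };
static const int32_t B2 = -(10 << Q);

int mlp_logit_q8(const struct features *x)
{
    int64_t h[HIDDEN];
    for (int j = 0; j < HIDDEN; j++) {
        int64_t acc = B1[j];               /* raw counts * Q8 weights -> Q8 */
        for (int i = 0; i < NFEAT; i++) acc += (int64_t)W1[j][i] * x->f[i];
        h[j] = acc > 0 ? acc : 0;          /* ReLU */
    }
    int64_t out = 0;                       /* Q8 * Q8 -> Q16, shift back to Q8 */
    for (int j = 0; j < HIDDEN; j++) out += W2[j] * h[j];
    return (int)((out >> Q) + B2);
}

int mlp_predict(const struct features *x) { return mlp_logit_q8(x) > 0; }

/* Constructed inputs (not real traces). Per-window counts: openat, read, write, rename. */
static const struct features encryptor = {{ 5, 120, 130, 40 }};
static const struct features editor    = {{ 30, 15,   8,  0 }};
static const struct sc_event sample[] = {   /* pid 42: open, read, write twice, rename */
    {42, NR_OPENAT}, {42, NR_READ}, {7, NR_READ}, {42, NR_WRITE},
    {42, NR_WRITE}, {42, NR_RENAME}, {7, NR_WRITE},
};
static const size_t sample_n = sizeof sample / sizeof sample[0];

int main(void)
{
    struct features w = count_window(sample, sample_n, 42);
    printf("pid 42 window: openat=%u read=%u write=%u rename=%u -> tree=%d mlp=%d\n",
           w.f[F_OPENAT], w.f[F_READ], w.f[F_WRITE], w.f[F_RENAME],
           dt_predict(&w), mlp_predict(&w));
    printf("encryptor: tree=%d mlp=%d (logit %d)\n", dt_predict(&encryptor),
           mlp_predict(&encryptor), mlp_logit_q8(&encryptor));
    printf("editor:    tree=%d mlp=%d (logit %d)\n", dt_predict(&editor),
           mlp_predict(&editor), mlp_logit_q8(&editor));
    return 0;
}
```

The two models are shaped the way an eBPF port forces them to be: the tree is a node table walked by a bounded loop with every index checked, and the MLP keeps weights and activations in Q8 integers with 64-bit accumulators so no intermediate overflows. Both read the same `struct features`, which is what the per-PID map entry filled by a syscall tracepoint handler would hold.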
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
