On the Generalizability of Machine Learning-based Ransomware Detection in Block Storage

TL;DR

This paper presents a lightweight, kernel-based machine learning framework for detecting ransomware in storage systems, demonstrating improved accuracy and generalizability across diverse real-world scenarios.

Contribution

It introduces a computationally efficient, storage-focused ransomware detection method that outperforms existing approaches and analyzes its robustness across various configurations.

Findings

Higher median F1 scores by up to 12.8%

Lower false negative rates by up to 10.9%

Reduced false positive rates by up to 17.1%

Abstract

Ransomware represents a pervasive threat, traditionally countered at the operating system, file-system, or network levels. However, these approaches often introduce significant overhead and remain susceptible to circumvention by attackers. Recent research activity started looking into the detection of ransomware by observing block IO operations. However, this approach exhibits significant detection challenges. Recognizing these limitations, our research pivots towards enabling robust ransomware detection in storage systems keeping in mind their limited computational resources available. To perform our studies, we propose a kernel-based framework capable of efficiently extracting and analyzing IO operations to identify ransomware activity. The framework can be adopted to storage systems using computational storage devices to improve security and fully hide detection overheads. Our method employs a refined set of computationally light features optimized for ML models to accurately discern malicious from benign activities. Using this lightweight approach, we study a wide range of generalizability aspects and analyze the performance of these models across a large space of setups and configurations covering a wide range of realistic real-world scenarios. We reveal various trade-offs and provide strong arguments for the generalizability of storage-based detection of ransomware and show that our approach outperforms currently available ML-based ransomware detection in storage. Empirical validation reveals that our decision tree-based models achieve remarkable effectiveness, evidenced by higher median F1 scores of up to 12.8%, lower false negative rates of up to 10.9% and particularly decreased false positive rates of up to 17.1% compared to existing storage-based detection approaches.