IDEAS home Printed from https://ideas.repec.org/a/aza/csj000/y2023v6i4p301-310.html
   My bibliography  Save this article

Machine learning or behaviour heuristics? The synergy of approaches to defeat advanced ransomware threats

Author

Listed:
  • Strogov, Vladimir

    (Director of Development, Kernel Team, Acronis, Singapore)

  • Ulasen, Sergey

    (Senior Director of AI Development, Rolos, Singapore)

Abstract

This paper focuses on a successful and fruitful combination of machine learning (ML)-based approach and heuristics-based approach in the case of Advanced Ransomware Defence, where the advanced ransomware is the ransomware that maliciously exploits the trusted context of execution, so it is the case of ransomware injection into well-known trusted processes, system services, that are used for the disguise of the malicious encryption. ML is used for malicious or benign classification of call stacks that match injections into trusted processes. The heuristics-based technique is based in our case on just one of the examples of injections, using such API as CreateRemoteThread and WriteProcessMemory. This approach has been used with good results to the case of Ryuk ransomware, one of the deadliest malware weapons. We show how the ML helps to find those call stacks which match malicious injections with high probability. Then we augment the results of the ML classifier with the special detection of threads, created in the trusted process, using other sensors, including kernel drivers. This combination provides the maximum accuracy and the ability to remediate the attack. This paper also presents the architectural materials as well as the links and references to the hands-on demonstration of collecting suspicious stacks. We also show how to use ML decisions and pair these decisions with the thread creation events as the sensor examples. The links with demonstrations use the execution of the real-world Ryuk malware strain. The analysis of the events flow is also shown in the kernel debugger coupled with the case analysis with the help of other tools like Process monitor.

Suggested Citation

  • Strogov, Vladimir & Ulasen, Sergey, 2023. "Machine learning or behaviour heuristics? The synergy of approaches to defeat advanced ransomware threats," Cyber Security: A Peer-Reviewed Journal, Henry Stewart Publications, vol. 6(4), pages 301-310, July.
  • Handle: RePEc:aza:csj000:y:2023:v:6:i:4:p:301-310
    as

    Download full text from publisher

    File URL: https://hstalks.com/article/7923/download/
    Download Restriction: Requires a paid subscription for full access.

    File URL: https://hstalks.com/article/7923/
    Download Restriction: Requires a paid subscription for full access.
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    More about this item

    Keywords

    zero day; anti-ransomware; machine learning; call stack analysis; process injection; automatic remediation;
    All these keywords.

    JEL classification:

    • M15 - Business Administration and Business Economics; Marketing; Accounting; Personnel Economics - - Business Administration - - - IT Management

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:aza:csj000:y:2023:v:6:i:4:p:301-310. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    We have no bibliographic references for this item. You can help adding them by using this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Henry Stewart Talks (email available below). General contact details of provider: .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.