EconPapers    
Economics at your fingertips  

EconPapers Home
About EconPapers

Working Papers
Journal Articles
Books and Chapters
Software Components

Authors

JEL codes
New Economics Papers

Advanced Search


EconPapers FAQ
Archive maintainers FAQ
Cookies at EconPapers

Format for printing

The RePEc blog
The RePEc plagiarism page

 

Machine learning or behaviour heuristics? The synergy of approaches to defeat advanced ransomware threats

Vladimir Strogov and Sergey Ulasen
Additional contact information
Vladimir Strogov: Director of Development, Kernel Team, Acronis, Singapore
Sergey Ulasen: Senior Director of AI Development, Rolos, Singapore

Cyber Security: A Peer-Reviewed Journal, 2023, vol. 6, issue 4, 301-310

Abstract: This paper focuses on a successful and fruitful combination of machine learning (ML)-based approach and heuristics-based approach in the case of Advanced Ransomware Defence, where the advanced ransomware is the ransomware that maliciously exploits the trusted context of execution, so it is the case of ransomware injection into well-known trusted processes, system services, that are used for the disguise of the malicious encryption. ML is used for malicious or benign classification of call stacks that match injections into trusted processes. The heuristics-based technique is based in our case on just one of the examples of injections, using such API as CreateRemoteThread and WriteProcessMemory. This approach has been used with good results to the case of Ryuk ransomware, one of the deadliest malware weapons. We show how the ML helps to find those call stacks which match malicious injections with high probability. Then we augment the results of the ML classifier with the special detection of threads, created in the trusted process, using other sensors, including kernel drivers. This combination provides the maximum accuracy and the ability to remediate the attack. This paper also presents the architectural materials as well as the links and references to the hands-on demonstration of collecting suspicious stacks. We also show how to use ML decisions and pair these decisions with the thread creation events as the sensor examples. The links with demonstrations use the execution of the real-world Ryuk malware strain. The analysis of the events flow is also shown in the kernel debugger coupled with the case analysis with the help of other tools like Process monitor.

Keywords: zero day; anti-ransomware; machine learning; call stack analysis; process injection; automatic remediation (search for similar items in EconPapers)
JEL-codes: M15 (search for similar items in EconPapers)
Date: 2023
References: Add references at CitEc
Citations:

Downloads: (external link)
https://hstalks.com/article/7923/download/ (application/pdf)
https://hstalks.com/article/7923/ (text/html)
Requires a paid subscription for full access.

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:aza:csj000:y:2023:v:6:i:4:p:301-310

Access Statistics for this article

More articles in Cyber Security: A Peer-Reviewed Journal from Henry Stewart Publications
Bibliographic data for series maintained by Henry Stewart Talks ().

 
Share

RePEc
This site is part of RePEc and all the data displayed here is part of the RePEc data set.

Is your work missing from RePEc? Here is how to contribute.

Questions or problems? Check the EconPapers FAQ or send mail to .

Örebro UniversityEconPapers is hosted by the School of Business at Örebro University.

Page updated 2025-03-19
Handle: RePEc:aza:csj000:y:2023:v:6:i:4:p:301-310