GUARDING AGAINST RANSOMWARE: ANOMALY DETECTION WITH CPU AND DISK METRICS

Authors

  • Dr. V. Uma Rani, CSE Professor, Department of Information Technology, University College of Engineering, Science and Technology, JNTUH Hyderabad
  • D Dharma Teja, Student, Department of Information Technology, University College of Engineering, Science and Technology, JNTUH Hyderabad

Keywords:

Deep learning, disk statistics, hardware performance counters, machine learning, ransomware, virtual machines.

Abstract

The project addresses the challenge of ransomware detection, acknowledging the limitations of current approaches involving process monitoring and data analysis. The aim is to develop a robust and practical detection method for ransomware executed on a virtual machine (VM). Data collection focuses on specific processor and disk I/O events for the entire VM, gathered from the host machine. Leveraging machine learning (ML), particularly a random forest (RF) classifier, the project aims to create an effective detection model. This approach minimizes monitoring overhead and mitigates the risk of data contamination by ransomware. The proposed method demonstrates resilience to variations in user workloads, overcoming a common challenge in ransomware detection. By avoiding continuous monitoring of every process on the target machine, the model remains adaptable to different user scenarios. The project's effectiveness is measured across various user workloads and 22 ransomware samples. This project contributes a practical and efficient solution to the ongoing ransomware threat by providing a reliable detection model. By utilizing selected processor and disk I/O events and incorporating machine learning, the project minimizes monitoring overhead, enhances detection speed, and ensures adaptability to evolving ransomware variants. In this project, additional enhancements were introduced, incorporating a Convolutional Neural Network 2D (CNN2D) and an ensemble model with a voting classifier to further improve ransomware detection accuracy. The voting classifier, comprising multiple machine learning classifiers, demonstrated a remarkable 99% accuracy in making final predictions, showcasing the effectiveness of combining different models for robust detection.

Published

2024-08-28

How to Cite

GUARDING AGAINST RANSOMWARE: ANOMALY DETECTION WITH CPU AND DISK METRICS. (2024). International Journal of Engineering and Science Research, 14(3), 336-352. https://www.ijesr.org/index.php/ijesr/article/view/932
