dc.description.abstract |
Ransomware is a class of malware that denies a user access to their data by locking, deleting or, most commonly, encrypting it. Because ransomware accounts for a growing share of new malware and its effects are so damaging, considerable work has gone into detecting and preventing ransomware attacks. Behaviour-based detection distinguishes the dynamic behaviour of malicious and benign applications and builds a model that recognises the malicious behaviour. Prior studies conclude that ransomware behaves very differently from most benign applications and is therefore easy to detect, whereas a few application classes, such as desktop encryptors, compressors and shredders, behave almost exactly like ransomware. Dynamic analysis focused on these applications can reduce the false positives of existing, already validated ransomware detection models. We conducted a study to find kernel-level features, both shared and distinguishing, that separate legitimate full-desktop encryptor applications from ransomware, by analysing the I/O request packets (IRPs) captured with a customised minifilter driver, with the aim of improving the ransomware detection model. The functional objective of both kinds of application is the same: each must make the target data inaccessible to anyone who does not hold the key. We studied the encryption patterns of both and were able to distinguish encryptors from ransomware, thereby contributing to the detection capability of existing models. |
en_US |
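The abstract describes extracting kernel-level behavioural features from IRPs recorded by a minifilter and using them to separate legitimate encryptors from ransomware. The following is an added example, not code from the thesis, showing what that feature extraction looks like once the IRPs are in a log. Everything in it is assumed: the one-line-per-IRP CSV format (pid, IRP major function, path, and a detail field carrying the write buffer's entropy or a rename target), the four indicators (high-entropy write ratio, bulk extension-changing renames, read-then-overwrite of the same file, and a plaintext note written beside ciphertext), and the thresholds. The abstract does not say which features the thesis actually found to differ, so the indicators here are illustrative rather than its results. The traces at the bottom are constructed, not captured.

```python
"""Per-process feature extraction over a minifilter IRP trace (added example).
Assumed format, one line per IRP: pid,major,path,detail; detail is the write
buffer's Shannon entropy for IRP_MJ_WRITE, the rename target or DELETE for
IRP_MJ_SET_INFORMATION, else empty. Thresholds are illustrative assumptions."""
import ntpath  # trace holds Windows paths; ntpath parses them on any OS
from collections import defaultdict
from dataclasses import dataclass, field

HIGH_ENTROPY = 7.0        # assumed: ciphertext writes approach 8 bits/byte
HIGH_ENTROPY_RATIO = 0.7  # assumed: share of writes that must be high-entropy
MIN_EXT_RENAMES = 3       # assumed: bulk renames to a new extension
MIN_INPLACE = 3           # assumed: read-then-overwrite of the same file

@dataclass
class ProcFeatures:
    reads: set = field(default_factory=set)        # paths read
    writes: set = field(default_factory=set)       # paths written
    cipher_dirs: set = field(default_factory=set)  # dirs that received ciphertext
    note_dirs: set = field(default_factory=set)    # dirs that received plaintext
    total_writes: int = 0
    high_entropy_writes: int = 0
    ext_renames: int = 0                            # renames changing the extension

def parse_trace(lines):
    """Group IRP lines by pid and accumulate per-process features."""
    feats = defaultdict(ProcFeatures)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 3)
        pid, major, path = parts[:3]
        detail = parts[3] if len(parts) > 3 else ""
        f = feats[pid]
        if major == "IRP_MJ_READ":
            f.reads.add(path)
        elif major == "IRP_MJ_WRITE":
            f.total_writes += 1
            f.writes.add(path)
            if float(detail) >= HIGH_ENTROPY:
                f.high_entropy_writes += 1
                f.cipher_dirs.add(ntpath.dirname(path))
            else:
                f.note_dirs.add(ntpath.dirname(path))
        elif major == "IRP_MJ_SET_INFORMATION" and detail != "DELETE":
            if ntpath.splitext(detail)[1] != ntpath.splitext(path)[1]:
                f.ext_renames += 1
    return dict(feats)

def entropy_ratio(f):
    return f.high_entropy_writes / f.total_writes if f.total_writes else 0.0

def score(f):
    """Indicators tripped (0..4). Entropy is shared by legitimate encryptors
    and ransomware; the other three are the assumed differentiators."""
    return sum([
        entropy_ratio(f) >= HIGH_ENTROPY_RATIO,
        f.ext_renames >= MIN_EXT_RENAMES,
        len(f.reads & f.writes) >= MIN_INPLACE,   # encrypts files in place
        bool(f.note_dirs & f.cipher_dirs),        # note dropped beside ciphertext
    ])

def classify(f):
    if score(f) >= 3:
        return "ransomware-like"
    if entropy_ratio(f) >= HIGH_ENTROPY_RATIO:
        return "encryptor-like"
    return "benign"

def run(lines):
    """Map pid -> label for every process in the trace."""
    return {pid: classify(f) for pid, f in parse_trace(lines).items()}

# Constructed traces, not captured data. Ransomware: overwrites each file in
# place with ciphertext, renames it to .locked and drops a plaintext note.
# Encryptor: writes ciphertext to a new .enc file and deletes the original.
RANSOMWARE_TRACE = r"""
4242,IRP_MJ_READ,C:\Users\a\Documents\budget.xlsx,
4242,IRP_MJ_WRITE,C:\Users\a\Documents\budget.xlsx,7.92
4242,IRP_MJ_SET_INFORMATION,C:\Users\a\Documents\budget.xlsx,C:\Users\a\Documents\budget.xlsx.locked
4242,IRP_MJ_READ,C:\Users\a\Pictures\cat.jpg,
4242,IRP_MJ_WRITE,C:\Users\a\Pictures\cat.jpg,7.95
4242,IRP_MJ_SET_INFORMATION,C:\Users\a\Pictures\cat.jpg,C:\Users\a\Pictures\cat.jpg.locked
4242,IRP_MJ_READ,C:\Users\a\Desktop\thesis.docx,
4242,IRP_MJ_WRITE,C:\Users\a\Desktop\thesis.docx,7.90
4242,IRP_MJ_SET_INFORMATION,C:\Users\a\Desktop\thesis.docx,C:\Users\a\Desktop\thesis.docx.locked
4242,IRP_MJ_WRITE,C:\Users\a\Desktop\README_DECRYPT.txt,4.30
""".splitlines()

ENCRYPTOR_TRACE = r"""
1337,IRP_MJ_READ,C:\Users\a\Vault\budget.xlsx,
1337,IRP_MJ_WRITE,C:\Users\a\Vault\budget.xlsx.enc,7.91
1337,IRP_MJ_READ,C:\Users\a\Vault\cat.jpg,
1337,IRP_MJ_WRITE,C:\Users\a\Vault\cat.jpg.enc,7.94
1337,IRP_MJ_READ,C:\Users\a\Vault\thesis.docx,
1337,IRP_MJ_WRITE,C:\Users\a\Vault\thesis.docx.enc,7.89
1337,IRP_MJ_SET_INFORMATION,C:\Users\a\Vault\budget.xlsx,DELETE
""".splitlines()
```

Both constructed processes trip the entropy indicator, which is exactly why an entropy-only model confuses encryptors with ransomware; only the in-place overwrite, the extension-changing rename storm and the note drop push the first trace to "ransomware-like" while the second stays "encryptor-like". A real deployment would compute the entropy in the minifilter's post-write callback and would tune the thresholds on labelled traces rather than using the constants above.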