Abstract:
Ransomware attacks, with their near-instant data hijacking, many variants and high degree of disguise, pose a major challenge to network security, and traditional detection methods that rely on long-term behavioural monitoring fall short in both real-time capability and accuracy. This paper proposes a new ransomware detection method that uses hardware performance counters (HPC) as features and combines unsupervised and supervised learning to improve the accuracy and timeliness of ransomware detection. The method collects hardware performance counter event data from the initial stage of program execution, focusing on the data characteristics observed before the actual encryption behaviour occurs. Hardware performance counters can distinguish many kinds of program behaviour events and provide rich, comprehensive monitoring information for analysing the state of the system before the attacking software begins to encrypt. To exclude irrelevant events, this paper uses the Boruta algorithm to screen, from the counter data, the core hardware events that best identify ransomware behaviour. A Transformer network architecture, combined with two unsupervised learning tasks, sequence prediction and contrastive learning, learns data representations and classifies while analysing unlabelled counter time-series data. In addition, through fine-tuning and iteration on a labelled dataset, the detection model further improves its accuracy. The method was tested extensively on a dataset of 27 ransomware families; the experimental results show that it effectively detects the dynamic behaviour events of ransomware, reaching a detection accuracy of up to 98.2% within a 10 s detection window and outperforming comparable detection methods.
Keywords: ransomware; malware detection; cybersecurity; hardware performance counters; dynamic detection
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.11.10
Received: 2024-02-06; Revised: 2024-04-18
Funding: This work was supported by the National Key R&D Program of China (No. 2020YFB1804604) and the National Natural Science Foundation of China (No. 61802186).

Detecting Ransomware with Hardware Performance Counters
YUAN Junyi, YANG Zhipeng, LIU Daidong, WEI Songjie
School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China; School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China
Abstract:
Ransomware attacks are a formidable threat to cybersecurity: they hijack data within seconds, come in many variants, and are heavily disguised. Because these threats keep evolving, traditional detection methods that rely on long-term behavioral monitoring struggle to monitor in real time and fall short of the required accuracy. This paper introduces a ransomware detection method that uses hardware performance counters (HPC) as features and combines unsupervised and supervised learning to improve detection efficiency and accuracy. The method collects event data from the hardware performance counters from the onset of program execution, focusing on the data characteristics observed before the actual encryption activity. Hardware performance counters can monitor hundreds of system events and so provide a rich dataset describing the pre-encryption state of the system; many of those events, however, are irrelevant to detecting malicious activity. The Boruta algorithm is therefore used to select the hardware events most indicative of ransomware behavior and refine the data for further analysis. On the selected events, the model uses a Transformer network trained with two unsupervised tasks, sequence prediction and contrastive learning, which gives it a robust representation of unlabeled time-series data and lets it capture the subtle patterns that distinguish normal operation from potential threats. The model is then fine-tuned on a curated labeled dataset, a supervised phase that refines its predictive accuracy. The method was evaluated on a dataset covering 27 distinct ransomware families. The results show that it detects ransomware effectively and with high precision, significantly outperforming traditional detection methods: it reached a detection accuracy of up to 98.2% within a 10-second detection window, exceeding that of comparable detection methods.
Key words: ransomware; malware detection; cybersecurity; hardware performance counters; dynamic detection
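The abstract names two concrete mechanisms: per-window HPC feature vectors scored over a 10 s detection window, and Boruta screening of the counter events that actually separate ransomware from benign execution. The following is an added example, not the paper's code, that reproduces Boruta's core idea on constructed data: every real feature is compared against "shadow" copies made by shuffling the real columns, and a feature is confirmed only if it beats the strongest shadow significantly often. Everything below is an assumption of the example rather than something the paper states: the event names and counter values are invented, a decision-stump accuracy on a random row subsample stands in for the random-forest importance Boruta normally uses, and no hardware counters are read.

```python
"""Boruta-style screening of hardware performance counter (HPC) events.

Added example (not the paper's code). Assumptions: decision-stump accuracy on
a random row subsample replaces random-forest importance; event names and
counter values are constructed; no real counters are read.
"""
import random
from math import comb

# Constructed event names. The generator below gives only the first two a
# class signal; the other four are pure noise.
EVENTS = ["branch-misses", "cache-misses", "page-faults", "instructions",
          "context-switches", "l1d-loads"]


def window_features(samples, window_s=10):
    """Collapse per-second counter samples (one list per second, in EVENTS
    order) into per-window mean vectors. A trailing partial window is
    dropped: the detector decides once a full window is available."""
    windows = []
    for start in range(0, len(samples) - window_s + 1, window_s):
        chunk = samples[start:start + window_s]
        windows.append([sum(s[j] for s in chunk) / window_s
                        for j in range(len(EVENTS))])
    return windows


def make_dataset(runs_per_class=100, seconds=10, seed=7):
    """Constructed per-second HPC samples for benign (0) and ransomware-like
    (1) runs, each aggregated into one detection window. Returns (rows, labels)."""
    rng = random.Random(seed)
    rows, labels = [], []
    for label in (0, 1):
        shift = 3.0 if label else 0.0  # injected class signal (constructed)
        for _ in range(runs_per_class):
            samples = [[rng.gauss(10 + shift, 3.0),   # branch-misses: signal
                        rng.gauss(10 + shift, 4.5),   # cache-misses: weaker signal
                        rng.gauss(10, 3.0),           # remaining events: noise
                        rng.gauss(10, 3.0),
                        rng.gauss(10, 3.0),
                        rng.gauss(10, 3.0)] for _ in range(seconds)]
            rows.extend(window_features(samples, seconds))
            labels.append(label)
    return rows, labels


def stump_importance(values, labels):
    """Best accuracy of a single-threshold rule on one feature (0.5 = no
    information). Plays the role of Boruta's feature importance here."""
    pairs = sorted(zip(values, labels))
    n, total_pos = len(pairs), sum(labels)
    best, pos_left = 0.5, 0
    for i in range(n - 1):
        pos_left += pairs[i][1]
        left = i + 1
        # rule A: predict "ransomware" right of the split; rule B: the reverse
        acc_a = ((total_pos - pos_left) + (left - pos_left)) / n
        acc_b = (pos_left + (n - left) - (total_pos - pos_left)) / n
        best = max(best, acc_a, acc_b)
    return best


def binom_tail(k, n):
    """P(X >= k) for X ~ Binomial(n, 0.5): chance of k or more wins by luck."""
    return sum(comb(n, i) for i in range(k, n + 1)) / 2 ** n


def boruta_select(rows, labels, n_iter=20, alpha=0.01, subsample=0.7, seed=0):
    """Simplified Boruta: a feature is confirmed when it beats the best shadow
    feature in enough iterations for a one-sided binomial test at level alpha.
    (Full Boruta also rejects features that lose significantly often and keeps
    the rest 'tentative'; that bookkeeping is omitted here.)"""
    rng = random.Random(seed)
    n_feat, n_rows = len(rows[0]), len(rows)
    hits = [0] * n_feat
    for _ in range(n_iter):
        # Random row subsample, so importance varies between iterations the
        # way a random forest's would.
        idx = rng.sample(range(n_rows), int(subsample * n_rows))
        sub_labels = [labels[i] for i in idx]
        cols = [[rows[i][j] for i in idx] for j in range(n_feat)]
        # Shadow features: each column shuffled, destroying any link to the label.
        shadow_max = 0.0
        for col in cols:
            shadow = col[:]
            rng.shuffle(shadow)
            shadow_max = max(shadow_max, stump_importance(shadow, sub_labels))
        for j, col in enumerate(cols):
            if stump_importance(col, sub_labels) > shadow_max:
                hits[j] += 1
    needed = min(k for k in range(n_iter + 1) if binom_tail(k, n_iter) < alpha)
    confirmed = [EVENTS[j] for j in range(n_feat) if hits[j] >= needed]
    return confirmed, hits


if __name__ == "__main__":
    rows, labels = make_dataset()
    confirmed, hits = boruta_select(rows, labels)
    print("hits per event:", dict(zip(EVENTS, hits)))
    print("confirmed HPC events:", confirmed)
```

Running the block confirms only the two constructed signal events; the noise events beat the strongest shadow in a few iterations by chance but never reach the binomial threshold (16 of 20 at alpha = 0.01). The shadow comparison is what makes the selection self-calibrating: a feature must outperform not a fixed cutoff but the best that pure noise achieves on the same rows, which is why the method resists keeping counters that merely look informative on one sample.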