Detecting Ransomware Execution in a Timely Manner
This work addresses ransomware threats in cyber-physical systems, but it appears incremental as it builds on existing detection approaches.
The paper tackles the problem of detecting ransomware execution by developing a change point detection and learning method using resource utilization data, achieving efficient and timely detection with minimal training samples.
Ransomware has been an ongoing issue since the early 1990s. In recent times, ransomware has spread from traditional computational resources to cyber-physical systems and industrial controls. We devised a series of experiments in which virtual instances are infected with ransomware. We instrumented the instances and collected resource utilization data across a variety of metrics (CPU, Memory, Disk Utility). We design a change point detection and learning method for identifying ransomware execution. Finally, we evaluate and demonstrate its ability to detect ransomware efficiently and in a timely manner when trained on a minimal set of samples. Our results represent a step forward for defense, and we conclude with further remarks for the path forward.
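As an added illustration (not the paper's method, which this page does not specify), the sketch below applies a standard one-sided CUSUM change point detector to CPU, memory and disk utilization, with the baseline learned from a short window of clean samples. All sample values, the shift sizes, and the names `sample`, `fit_baseline` and `detect` are constructed for this example.

```python
from statistics import mean, pstdev

METRICS = ("cpu", "mem", "disk")
JITTER = (0, 1, -1, 2, -2)                 # constructed, deterministic noise
SHIFT = {"cpu": 2, "mem": 0, "disk": 3}    # assumed utilization rise during encryption

def sample(i, infected=False):
    """Constructed utilization sample (percent) at time step i."""
    j = JITTER[i % 5]
    base = {"cpu": 10, "mem": 40, "disk": 5}
    return {m: base[m] + j + (SHIFT[m] if infected else 0) for m in METRICS}

def fit_baseline(clean):
    """Learn per-metric mean and standard deviation from a few clean samples."""
    out = {}
    for m in METRICS:
        vals = [s[m] for s in clean]
        out[m] = (mean(vals), max(pstdev(vals), 1e-6))  # guard against zero variance
    return out

def detect(stream, baseline, slack=0.5, threshold=7.0):
    """Return (index, metric) of the first alarm, or None if no change is found.

    Per metric, S = max(0, S + z - slack), where z is the sample's z-score
    against the baseline. The slack absorbs ordinary jitter, so S only grows
    under a sustained upward shift; an alarm fires when S exceeds threshold.
    """
    cusum = {m: 0.0 for m in METRICS}
    for i, s in enumerate(stream):
        for m in METRICS:
            mu, sigma = baseline[m]
            cusum[m] = max(0.0, cusum[m] + (s[m] - mu) / sigma - slack)
            if cusum[m] > threshold:
                return i, m
    return None

TRAIN = [sample(i) for i in range(20)]     # minimal clean training window
ONSET = 30                                 # constructed infection start
STREAM = [sample(i, infected=i >= ONSET) for i in range(60)]

if __name__ == "__main__":
    hit = detect(STREAM, fit_baseline(TRAIN))
    print("alarm:", hit, "delay in samples:", hit[0] - ONSET)
```

Raising `threshold` lowers the false alarm rate at the cost of a longer detection delay, which is the trade-off a timeliness evaluation has to measure.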