Ransomware Detection Using Machine Learning in the Linux Kernel
This work addresses ransomware threats to Linux cloud users, but is incremental: it applies existing ML models in a new kernel context.
The paper tackles real-time ransomware detection in Linux cloud environments by implementing decision tree and multilayer perceptron models as eBPF programs in the kernel, achieving improved latency and accuracy compared to their user-space counterparts.
Linux-based cloud environments have become lucrative targets for ransomware attacks, which employ various encryption schemes at unprecedented speeds. Addressing the urgency of real-time ransomware protection, we propose leveraging the extended Berkeley Packet Filter (eBPF) to collect system call information about active processes and to run inference on that data directly at the kernel level. In this study, we implement two Machine Learning (ML) models in eBPF: a decision tree and a multilayer perceptron. Benchmarking latency and accuracy against their user-space counterparts, our findings underscore the efficacy of this approach.
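To make the in-kernel decision tree concrete, the following added example (not the paper's code) shows the shape such a model must take to pass the eBPF verifier: a node table walked by a fixed-bound loop with array indexing only, over a per-process vector of syscall counts. The feature set, tree and thresholds are constructed for illustration; the page does not give the paper's actual features or trained splits.

```c
#include <stdint.h>

/* Per-process syscall counts over a sampling window, indexed by feat_idx.
 * Constructed feature set: the page does not list the paper's actual features. */
enum feat_idx { F_OPENAT, F_READ, F_WRITE, F_RENAME, F_UNLINK, F_NUM };

/* One tree node. Leaves have left == right == 0 and carry the label in thresh. */
struct dt_node { uint8_t feat; uint32_t thresh; uint8_t left, right; };

enum { LABEL_BENIGN = 0, LABEL_RANSOMWARE = 1, MAX_DEPTH = 8 };

/* Hypothetical tree with illustrative thresholds, not trained values. In an
 * eBPF program it would be compiled in or loaded from a BPF array map. */
static const struct dt_node tree[] = {
    {F_WRITE,  200, 1, 2},        /* 0: write-heavy process? */
    {0, LABEL_BENIGN, 0, 0},      /* 1: leaf */
    {F_RENAME,  50, 3, 4},        /* 2: many renames? */
    {F_UNLINK,  50, 1, 5},        /* 3: many unlinks? */
    {0, LABEL_RANSOMWARE, 0, 0},  /* 4: leaf */
    {0, LABEL_RANSOMWARE, 0, 0},  /* 5: leaf */
};
#define NODES (sizeof(tree) / sizeof(tree[0]))

/* Table-driven traversal: a fixed-bound loop over an array, no recursion and
 * no data-dependent trip count, which is the shape the eBPF verifier accepts. */
int dt_classify(const uint32_t feats[F_NUM])
{
    uint8_t n = 0;
    for (int depth = 0; depth < MAX_DEPTH; depth++) {
        if (n >= NODES)
            break;                              /* malformed tree: stop safely */
        const struct dt_node *node = &tree[n];
        if (node->left == 0 && node->right == 0)
            return (int)node->thresh;           /* reached a leaf */
        uint8_t f = node->feat < F_NUM ? node->feat : 0;  /* explicit bounds check */
        n = feats[f] <= node->thresh ? node->left : node->right;
    }
    return LABEL_BENIGN; /* depth bound exhausted: do not alert on a bad tree */
}

/* Wrapper taking raw counts in feat_idx order: openat, read, write, rename, unlink. */
int classify_counts(uint32_t openat, uint32_t rd, uint32_t wr, uint32_t ren, uint32_t unl)
{
    uint32_t feats[F_NUM] = { openat, rd, wr, ren, unl };
    return dt_classify(feats);
}
```

A real deployment would fill the feature vector from a syscall tracepoint and run the classifier per process, which is exactly where the paper's latency comparison against a user-space model applies.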