A new approach enables faster detection of ransomware

Engineering researchers have developed a new approach to implementing ransomware detection techniques, allowing them to detect a wide range of ransomware much faster than previous systems.

Ransomware is a type of malware. When a system is infiltrated by ransomware, the ransomware encrypts data on that system, making the data inaccessible to users. The ransomware owners then extort the operators of the affected system, demanding money from users in exchange for granting them access to their own data.

Ransomware extortion is extremely expensive and cases of ransomware extortion are on the rise. The FBI reports receiving 3,729 ransomware complaints in 2021, with costs exceeding $49 million. Additionally, 649 of these complaints came from organizations classified as critical infrastructure.

“Computer systems already use a variety of security tools that monitor incoming traffic to detect potential malware and prevent it from compromising the system,” says Paul Franzon, co-author of a paper on the new approach to ransomware detection. “However, the big challenge here is to detect ransomware fast enough to prevent it from getting a foothold in the system. Because as soon as ransomware enters the system, it starts encrypting files.” Franzon is the Cirrus Logic Professor Emeritus of Electrical and Computer Engineering at North Carolina State University.

“There is a machine learning algorithm called XGBoost which is very good at detecting ransomware,” says Archit Gajjar, the paper’s first author and Ph.D. student at NC State. “However, when systems run XGBoost as software through a CPU or GPU, it’s very slow. And attempts to integrate XGBoost into hardware systems have been hampered by a lack of flexibility – they focus on very specific challenges, and this specificity makes it difficult or impossible for them to monitor the full spectrum of ransomware attacks.

“We developed a hardware-based approach that allows XGBoost to monitor a wide range of ransomware attacks, but is much faster than any software-based approach,” says Gajjar.

The new approach is called FAXID, and during proof-of-concept testing, researchers found it to be just as accurate as software-based approaches at detecting ransomware. The big difference was the speed. FAXID was up to 65.8 times faster than software running XGBoost on a CPU and up to 5.3 times faster than software running XGBoost on a GPU.

“Another advantage of FAXID is that it allows us to run problems in parallel,” says Gajjar. “You can devote all the resources of dedicated security hardware to ransomware detection and detect ransomware faster. But you can also allocate security hardware computing power to separate issues. For example, you can dedicate a certain percentage of the hardware to ransomware detection and another percentage of the hardware to another challenge, such as fraud detection.”

“Our work on FAXID was funded by the Center for Advanced Electronics through Machine Learning (CAEML), which is a public-private partnership,” says Franzon. “The technology is already available to center members, and we know of at least one company that is planning to implement it into their systems.”

The paper, “FAXID: FPGA-Accelerated XGBoost Inference for Data Centers using HLS,” is being presented at the 30th IEEE International Symposium on Field Programmable Custom Computing Machines (FCCM), to be held in New York City May 15-18. The article was co-authored by Priyank Kashyap, a Ph.D. student at NC State; Aydin Aysu, assistant professor of electrical and computer engineering at NC State; and Sumon Dey and Chris Cheng of Hewlett Packard Enterprise.

The work was supported by CAEML, through National Science Foundation grant number CNS # 16-244770, and CAEML member companies.

Source of the story:

Material provided by North Carolina State University. Original written by Matt Shipman. Note: Content may be edited for style and length.
