Journal: Expert Systems with Applications

Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory


Abstract

Cloud computing is one of today's most popular and important IT trends. Currently, most organizations use cloud computing services (public or private) as part of their computer infrastructure. Virtualization technology is at the core of cloud computing, and virtual resources, such as virtual servers, are commonly used to provide services to the entire organization. Due to their importance and prevalence, virtual servers in an organizational cloud are constantly targeted by cyber-attackers who try to inject malicious code or malware into the server (e.g., ransomware). Many times, server administrators are not aware that the server has been compromised, despite the presence of detection solutions on the server (e.g., antivirus engine). In other cases, the breach is detected after a long period of time when significant damage has already occurred. Thus, detecting that a virtual server has been compromised is extremely important for organizational security. Existing security solutions that are installed on the server (e.g., antivirus) are considered untrusted, since malware (particularly sophisticated ones) can evade them. Moreover, these tools are largely incapable of detecting new unknown malware. Machine learning (ML) methods have been shown to be effective at detecting malware in various domains. In this paper, we present a novel methodology for trusted detection of ransomware in virtual servers on an organization's private cloud. We conducted trusted analysis of volatile memory dumps taken from a virtual machine (memory forensics), using the Volatility framework, and created general descriptive meta-features. We leveraged these meta-features, using machine learning algorithms, for the detection of unknown ransomware in virtual servers. We evaluated our methodology extensively in five comprehensive experiments of increasing difficulty, on two different popular servers (IIS server and an email server). 
We used a collection of real-world, professional, and notorious ransomware and a collection of legitimate programs. The results show that our methodology is able to detect anomalous states of a virtual machine, as well as the presence of both known and unknown ransomware, obtaining the following results: TPR =1, FPR= 0.052, F-measure = 0.976, and AUC= 0.966, using the Random Forest classifier. Finally, we showed that our proposed methodology is also capable of detecting an additional type of malware known as a remote access Trojan (RAT), which is used to attack organizational VMs. (C) 2018 Elsevier Ltd. All rights reserved.
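As an added illustration (not the paper's code) of the two pieces the abstract describes: deriving general descriptive meta-features from a Volatility-style process listing taken from a memory dump, and scoring a detector with the TPR, FPR and F-measure the paper reports. The pslist text, the feature names and the label vectors are constructed assumptions.

```python
"""Meta-features from a Volatility-style process listing plus detection metrics.
Added example; the sample data and feature names are constructed assumptions."""
from collections import Counter

# Constructed sample in simplified Volatility 2 'pslist' shape: Name PID PPID Thds Hnds
CLEAN_PSLIST = """\
System           4     0    88   600
smss.exe       264     4     2    30
csrss.exe      344   336     9   400
services.exe   480   420     6   240
svchost.exe    600   480    12   350
w3wp.exe      1200   480    40   900
"""
# Same host with three extra processes (constructed): a look-alike name spawning cmd.exe
SUSPECT_PSLIST = CLEAN_PSLIST + """\
svch0st.exe   3020  2900   15   120
svch0st.exe   3044  3020    8    60
cmd.exe       3100  3044    1    20
"""

def parse_pslist(text):
    """Turn the listing into dicts; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        name, pid, ppid, thds, hnds = parts[0], *map(int, parts[1:5])
        rows.append({"name": name, "pid": pid, "ppid": ppid, "thds": thds, "hnds": hnds})
    return rows

def meta_features(rows):
    """Descriptive meta-features of the process tree (no per-sample signatures)."""
    pids = {r["pid"] for r in rows}
    names = Counter(r["name"].lower() for r in rows)
    return {
        "n_procs": len(rows),
        "n_threads": sum(r["thds"] for r in rows),
        "n_handles": sum(r["hnds"] for r in rows),
        "n_orphans": sum(1 for r in rows if r["ppid"] not in pids and r["ppid"] != 0),
        "max_same_name": max(names.values()) if names else 0,
        "n_distinct_names": len(names),
    }

def detection_metrics(y_true, y_pred):
    """TPR, FPR and F-measure from binary labels (1 = ransomware present)."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    prec = tp / (tp + fp) if tp + fp else 0.0
    f1 = 2 * prec * tpr / (prec + tpr) if prec + tpr else 0.0
    return {"TPR": tpr, "FPR": fpr, "F": f1}
```

Feature vectors like these, computed on many clean and infected snapshots, are what a classifier such as Random Forest is trained on; the metrics function scores its predictions on a held-out set.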
