Ransomware Detection using Process Memory
Author(s) -
Avinash Singh,
Richard Adeyemi Ikuesan,
Hein S. Venter
Publication year - 2022
Publication title - Proceedings of the ... International Conference on Information Warfare and Security
Language(s) - English
Resource type - Journals
eISSN - 2048-9889
pISSN - 2048-9870
DOI - 10.34190/iccws.17.1.53
Subject(s) - ransomware , computer science , process (computing) , false positive paradox , computer security , executable , artificial intelligence , malware , operating system
Ransomware attacks have increased significantly in recent years, causing great destruction and damage to critical systems and business operations. Attackers are constantly finding new ways to bypass detection mechanisms, which has encouraged the adoption of artificial intelligence for detection. However, most research relies on generic behavioural features and produces many false positives, because ransomware behaviour is continually varied to evade detection. Focusing on the key indicative features of ransomware is therefore vital, as these guide the investigator to the inner workings and core function of the ransomware itself. By using the access privileges of process memory regions, the core function of the ransomware can be detected more easily and accurately. Furthermore, new signatures and fingerprints of ransomware families can be identified, allowing novel ransomware attacks to be classified correctly. The current research used the access privileges of the different process memory regions of an executable to quickly determine its intent before serious harm can occur. To achieve this aim, several well-known machine learning algorithms were explored, yielding an accuracy range of 81.38% – 96.28%. The study thus confirms the feasibility of using process memory as a detection mechanism for ransomware.
