Machine learning or behaviour heuristics? The synergy of approaches to defeat advanced ransomware threats
The paper focuses on a successful and fruitful combination of the ML-based approach and the heuristics-based approach in the case of Advanced Ransomware Defense, where the advanced ransomware is the ransomware that maliciously exploits the trusted context of execution, so it is the case of ransomware injection into well-known trusted processes, system services, that are used for the disguise of the malicious encryption.
The Machine Learning is used for malicious or benign classification of call stacks that match injections into trusted processes. The heuristics-based technique is based in our case on just one of the examples of injections, using such API as CreateRemoteThread1 and WriteProcessMemory2. This approach is applied with good results to the case of Ruyk ransomware3, one of the deadliest malware weapons.
We show how the Machine Learning helps to find those call stacks which with high probability match malicious injections. Then we augment the results of the ML classifier with the special detection of threads, created in the trusted process, using other sensors, including kernel drivers. This combination provides the maximum accuracy and the ability to remediate the attack.
The paper also presents the architectural materials as well as the links and references to the hands-on demonstration of collecting suspicious stacks. We also show how to use ML decisions and pair these decisions with the thread creation events as the sensor examples. The links with demonstrations use the execution of the real-world Ryuk malware strain (other malwares can be considered for the presentation). The analysis of the events flow is also shown in the kernel debugger coupled with the case analysis with the help of other tools like Process monitor.
Mr. Vladimir Strogov
Vladimir Strogov has 30+ years of experience in kernel level development in both storage and security areas (file systems, virtualization, data protection, reverse engineering, anti-malware solutions). He has worked on multiple Veritas and Symantec projects for nearly a decade. Additionally, he has worked at Kaspersky Lab in Core Drivers Group in roles of technical expert and team leads. Strogov is currently the Director of Development, Kernel Team at Acronis, having joined the team in 2016.
Mr. Sergey Ulasen
Sergey Ulasen, PhD is Senior Director of AI Development at Constructor Technology, leading AI/ML/NLP research and development areas. He is the developer of the “Eugene Goostman” bot, the first ever bot to pass the Turing test. Ulasen is an expert in artificial intelligence computer systems with emphasis in natural language processing, speech recognition, image processing, and complex system modelling and research. He has 20+ years of experience in developing robust, scalable, and configurable commercial software for scientific and business applications. Ulasen developed the award-winning Natural Language Processing software.