Malware presents significant challenges to cybersecurity by exploiting system vulnerabilities, compromising sensitive data, disrupting operations, and rapidly evolving to evade traditional detection methods. Many types of malware, such as wipers, are challenging to detect due to their low computational footprint. This low activity level often causes existing detection methods, including those based on hardware performance counters (HPCs), to struggle. This paper investigates the impact of ransomware and wipers on various HPCs. Our study shows that wiper demands minimal computational activity due to its stealthy behaviour, which mostly affects only a small subset of HPCs, while most remain largely unaffected. Leveraging this insight, we propose improvements to supervised and unsupervised malware detection methods. For supervised detection, we introduce an ensemble-based algorithm to identify the most sensitive features (i.e., HPCs), leading to a 98% in-detection accuracy. For unsupervised detection, we propose replacing the commonly used Mean Squared Error (MSE) loss with Maximum Absolute Error (MAE) loss in an autoencoder-based framework, making the reconstruction loss more sensitive to the few HPCs heavily impacted by malware. Experimental results demonstrate that using MAE loss enables consistent detection of ransomware and wipers, whereas MSE loss often fails to detect wipers effectively.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

WiperSentinel: HPC Based Wiper Detection with Enhanced AutoEncoder

  • Shiva Agarwal,
  • Suvadeep Hajra,
  • Ayantika Chatterjee,
  • Debdeep Mukhopadhyay

摘要

Malware presents significant challenges to cybersecurity by exploiting system vulnerabilities, compromising sensitive data, disrupting operations, and rapidly evolving to evade traditional detection methods. Many types of malware, such as wipers, are challenging to detect due to their low computational footprint. This low activity level often causes existing detection methods, including those based on hardware performance counters (HPCs), to struggle. This paper investigates the impact of ransomware and wipers on various HPCs. Our study shows that wiper demands minimal computational activity due to its stealthy behaviour, which mostly affects only a small subset of HPCs, while most remain largely unaffected. Leveraging this insight, we propose improvements to supervised and unsupervised malware detection methods. For supervised detection, we introduce an ensemble-based algorithm to identify the most sensitive features (i.e., HPCs), leading to a 98% in-detection accuracy. For unsupervised detection, we propose replacing the commonly used Mean Squared Error (MSE) loss with Maximum Absolute Error (MAE) loss in an autoencoder-based framework, making the reconstruction loss more sensitive to the few HPCs heavily impacted by malware. Experimental results demonstrate that using MAE loss enables consistent detection of ransomware and wipers, whereas MSE loss often fails to detect wipers effectively.