ebpfangel - Ransomware Detection using Machine Learning with eBPF for Linux
Authors: Max Willers, Tomás Philippart
This is the final result of an Offensive Technologies research project for the MSc Security and Network Engineering program of the University of Amsterdam. It is not intended to be a final product or solution for use in any production environment whatsoever; it is simply the byproduct of research and should be treated as such.
Software architecture
```mermaid
flowchart LR
subgraph sandbox_VM
ransomware
end
ransomware --> network_hook & filesystem_hooks & crypto_hooks
subgraph host_kernel
network_hook & filesystem_hooks & crypto_hooks --> ebpf_c
end
subgraph host_userland
ebpf_c -- events --> ebpf_python
ebpf_python -- patterns + config --> ebpf_c
ebpf_python --> machine_learning
end
```
eBPF C program
```mermaid
flowchart LR
A(event) --> B(compute stats <br/>per pid)
B --> C(detect event pattern <br/>and threshold counts)
X(python) -. patterns + config .-> C
C --> D{report event?}
D -- yes --> E(submit event <br/>to ring buffer) --> F(end)
D -- no --> F
```
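The kernel-side stage in the flowchart above (per-pid stats, pattern and threshold matching against the patterns and config pushed down from Python, then a report decision) modelled in userland Python as an added example; this is not ebpfangel's own code, and the event names, thresholds and patterns are assumptions chosen for illustration.

```python
"""Userland model of the eBPF C stage: per-pid stats -> pattern/threshold
detection -> report decision. Event names and config values are assumed."""
from collections import defaultdict, deque

# Event types the filesystem/crypto hooks would deliver (assumed names).
OPEN, RENAME, UNLINK, CRYPTO = "open", "rename", "unlink", "crypto"

# Config that the Python side would push to the eBPF program (assumed values):
# per-pid count thresholds per event type, ordered event patterns, and how
# many recent events per pid to remember (bounded, as a BPF map would be).
CONFIG = {
    "thresholds": {CRYPTO: 3, RENAME: 3, UNLINK: 3},
    "patterns": [(OPEN, CRYPTO, RENAME), (OPEN, CRYPTO, UNLINK)],
    "window": 8,
}

class Detector:
    def __init__(self, config=CONFIG):
        self.cfg = config
        self.counts = defaultdict(lambda: defaultdict(int))      # pid -> type -> count
        self.recent = defaultdict(lambda: deque(maxlen=config["window"]))

    def _matches_pattern(self, pid):
        """Return the first configured pattern that occurs, in order, in the
        pid's recent events (as a subsequence), or None."""
        hist = list(self.recent[pid])
        for pattern in self.cfg["patterns"]:
            i = 0
            for ev in hist:
                if ev == pattern[i]:
                    i += 1
                    if i == len(pattern):
                        return pattern
        return None

    def handle(self, pid, event):
        """One event: update per-pid stats, then decide whether to report."""
        self.counts[pid][event] += 1
        self.recent[pid].append(event)
        over = [e for e, lim in self.cfg["thresholds"].items() if self.counts[pid][e] >= lim]
        pattern = self._matches_pattern(pid)
        if not over and pattern is None:
            return None                      # nothing to submit to the ring buffer
        self.recent[pid].clear()             # report each pattern hit once
        return {"pid": pid, "over_threshold": over, "pattern": pattern,
                "counts": dict(self.counts[pid])}

def run(events, config=CONFIG):
    """Feed a (pid, event) stream; return the events that would be reported."""
    det, reports = Detector(config), []
    for pid, ev in events:
        r = det.handle(pid, ev)
        if r:
            reports.append(r)
    return reports

# Constructed sample: pid 42 behaves like an encryptor, pid 7 like an editor.
SAMPLE = [(7, OPEN), (42, OPEN), (42, CRYPTO), (7, RENAME), (42, RENAME),
          (42, OPEN), (42, CRYPTO), (42, UNLINK), (42, OPEN), (42, CRYPTO)]
```

Running `run(SAMPLE)` reports pid 42 three times (two pattern hits, then the crypto threshold) and never reports pid 7.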
Learning resources and references
- UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware (Kharraz et al., 2016-08)
- A Multi-Classifier Network-Based Crypto Ransomware Detection System: A Case Study of Locky Ransomware (Almashhadani et al., 2019-03)
- Ransomware: Recent advances, analysis, challenges and future research directions (Beaman et al., 2021-12)
- Ransomware deployment methods and analysis: views from a predictive model and human responses (Hull et al., 2019-02)
- An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability (Yuryna Connolly et al., 2020-01-01)
- Introduction of the ARDS—Anti-Ransomware Defense System Model—Based on the Systematic Review of Worldwide Ransomware Attacks (Szücs et al., 2021-01)
- The rise of ransomware: Forensic analysis for windows based ransomware attacks (Kara & Aydos, 2022-03-15)
- Ransomware detection using machine learning algorithms (Bae et al., 2020)
- A comprehensive survey on deep learning based malware detection techniques (Gopinath & Chakkaravarthy Sethuraman, 2023-02-01)
- A behavioral analysis of the ransomware strain NEFILIM (Groenewegen et al., 2020-10-25)
- The State of Ransomware 2022 (SOPHOS, 2022-04)
- IceFire ransomware now encrypts both Linux and Windows systems (Gatlan, 2023-03-09)
- What is eBPF? An Introduction and Deep Dive into the eBPF Technology
- BCC (IO Visor Project)
Contributing
To foster progress in the field of ransomware detection, collaboration and knowledge sharing within the research community are essential. Encouraging open collaboration, sharing of datasets, methodologies, and findings will enable researchers to collectively combat the growing threat of ransomware attacks. By fostering collaboration, we can pool resources and expertise to develop more advanced and robust ransomware detection techniques, ultimately enhancing the overall security posture against this persistent threat.
If you are forking this project for your own uses, please consider creating a Pull Request with your changes.
There are some open (unassigned) issues that would be a good starting point for newcomers and anyone who would like to contribute to the project.
License
The MIT License (MIT). Please see License File for more information.