EVALUATION OF SELECTED SIDE-CHANNEL ANALYSIS METHODS FOR RANSOMWARE CLASSIFICATION AND DETECTION

Abstract

The physical implementation of computer hardware leads necessarily to physical behavioron the part of an operating computer. This physical behavior has physical characteristics, many of which become channels of information leakage that can be observed by an unintended receiver. This poses a serious threat to computer security. These “side-channels” of computer operations, such as current usage and power consumption, generation of heat and electromagnetic radiation, and events at the micro-architectural level, can be exploited to compromise the confidentiality of a system. This work considers side-channel analysis techniques for the temperature, power, and micro-architectural side-channels for the purpose of classifying state-of-the-art ransomware on real world, non-virtualized Windows systems. Over three thousand ransomware and benign trials were collected to generate training and testing data sets, which required development of a process to synchronize collection of on-system (e.g. performance counters) and off-system (e.g. power) measurements, safely transfer trial data from the encrypted system, and restore the system to a “clean” state without the use of virtualization techniques, which negatively impact the validity of side-channel measurements. Side-channels were evaluated on their effectiveness in accurately differentiating between ransomware and benign operations such as background operating system activity, 7zip encryption, and SPEC benchmarks, in a given time duration, with Matthews’ Correlation Coefficient (MCC) used to measure overall classifier performance of five machine learning classification algorithms.

The temperature side-channel, accessed through thermal imaging, was found to be unsuitablefor the ransomware detection/classification application due to its sensitivity to thermal noise, significant pre-processing requirements, and slow response times due to the loss of signal components above the low kHz range. This limited its ability to identify ransomware before encryption operations typically begin (within 2 seconds of execution, on average). The power side-channel, accessed by monitoring the current drawn by a solid state drive, generated best-case classification accuracy results of 96% (0.92 MCC) with 15 seconds of current data and ≥ 90% (MCC ≥ 0.8) for all five classifiers tested with at least 5 seconds of data. Tests demonstrated at least four seconds of data were required to attain a best case classification accuracy greater than 90%, and at 2 seconds the best-performing classifier attained an MCC of just 0.66 with 83.3% accuracy. The micro-architectural side-channel was accessed through hardware performance counters, which provided the highest MCC and accuracy results in the shortest period of time. Hardware performance counters are registers built into a CPU’s Performance Monitoring Unit, and measure events related to processor and memory system operations (e.g. CPU clock cycles, total instructions retired, memory accesses, cache hits/misses, branches taken, etc.). Over 230 hardware events were collected, tested, and ranked by their contribution to overall classifier performance. Each classification algorithm was found to have a distinct performance counter feature ranking, and the selected features could be further optimized by desired detection window duration. Examination of results showed that, despite the quantity of features collected, classifier performance only marginally improved after 6 features for ≤ 2 seconds, with MCC ≥ 0.9 for 1 second of data for 3 of 5 classifiers tested with just 4-6 performance counter features, and a best-case MCC of 0.98 with 1 second of data and 4 performance counter features. MCC results for the shortest duration event window (0.1s) were found to be within 0-7% of the best case MCC result window (1-2 s) for each classifier, indicating that ransomware can be classified using only a tenth of a second of 4-6 performance event measurements with greater than 90% accuracy for four of five classifiers tested, which makes the implementation of this approach in a real-time ransomware detector feasible. With the financial impact of ransomware estimated to cost more than $30 billion globally this year, the usefulness of new detection techniques for non-virtualized computer systems has significant real-world implications.