Efficient ransomware detection with machine learning in storage systems

Abstract

Since several years ransomware is the top malware attack type affecting businesses, organizations and individuals. Research activities on the detection of ransomware have mainly focused on various methods at the OS, file-system, and network level while little is known about approaches running in the storage stack. Is the information that can be extracted on IO operations sufficient for an efficient detection? We demonstrate how storage access patterns can be used to train highly efficient machine learning models and how the feature extraction and inference can be performed without user impact directly in a storage system. To do so, the presented architecture for ransomware detection leverages the capabilities at the controller level in computational storage devices. We further look into various aspects including the feature extraction process executed in computational storage devices and their aggregation to train machine learning models, the integration of the detection mechanism into the storage system stack, the capabilities of ML-models to detect unseen ransomware, and the generalizability of the models to different data storage setups.