Evan C. Yang

Intel Lab

Towards a Trustworthy and Resilient Machine Learning Classifier - a Case Study of Ransomware Behavior Detector (pdf, video)

Crypto-ransomware is malware that hijacks a user's resources and demands a ransom. It was expected to cost businesses more than $75 billion in 2019 and continues to be a problem for enterprises*. Because the damage is done by encryption, it is difficult to revert. Even with endpoint protection software installed, infections may still occur*. To block previously unseen ransomware, behavior-based detection combined with a proper backup mechanism is one of the available mitigations.

In this presentation, machine learning (ML) and deep learning (DL) classifiers are proposed to detect ransomware behavior. We executed ransomware samples in Windows sandboxes and collected their input/output (I/O) activities. The resulting time-series behavior data was analyzed by a long short-term memory (LSTM) network or by an N-gram-featured support vector machine (SVM). We found that a naively trained classifier, even with good accuracy (>98%) and a low false positive rate (<1.4%), did not perform well as an online detector in the wild. To boost the early detection rate and to overcome potential overfitting, data augmentation techniques were necessary. To reduce sensitivity to the sliding window size, an over-sampling mechanism was deployed to synthesize samples similar to those drawn from the I/O event stream.

An ML/DL model without adversarial mitigation may be vulnerable to adversarial attacks. A simulated ransomware program, the Red team, was developed to probe the blind spots of our classifiers. It performs the core ransomware behavior, malicious encryption, together with configurable benign I/O activities such as file creation or modification. With only minor changes to the I/O pattern of the encryption, the Red team bypassed detection without difficulty. We conclude that adversarial mitigation is a necessary step to fortify an ML/DL classifier, especially when the dataset is small. For security applications, it is important to ensure that the classifier makes its decisions based on meaningful features. The Integrated Gradients method was selected in our experiment to show the attribution of each time step in the LSTM model. We observed that the attribution pattern matched the known malicious activity sequence, confirming the fidelity of the classifier. The same method can also be applied to understand how an adversarial sample bypasses detection.
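The two paragraphs above describe the pipeline in words: N-gram features over sliding windows of an I/O event stream, a simulated "Red team" that hides the encryption loop between benign I/O, an adversarial training iteration that feeds those variants back into training, and an attribution step that shows which parts of the trace drove the decision. The following is an added example, not code from the talk or from Intel Lab, that reproduces that loop in miniature with a deliberately naive N-gram detector in place of the SVM/LSTM. The event alphabet, the traces, the window size and the threshold are all constructed for illustration, and `attribution()` is a crude stand-in for Integrated Gradients, not the method itself.

```python
"""Toy N-gram behaviour detector over a file I/O event stream, plus a simulated
"Red team" ransomware that interleaves benign I/O to evade it.  Event names,
traces, window size and threshold are constructed for illustration (assumption),
not taken from the talk's dataset."""
from collections import Counter
from itertools import cycle

# Assumed coarse I/O event alphabet (hypothetical).
ENCRYPT_LOOP = ("open", "read", "write", "rename")  # read plaintext, write ciphertext, rename
BENIGN_LOOP = ("create", "write", "close", "stat", "open", "read", "close")  # an editor-like workflow
FILLERS = ("stat", "close")  # benign events the Red team program mixes into the loop


def ngrams(events, n=3):
    """All overlapping n-grams of an event sequence."""
    return [tuple(events[i:i + n]) for i in range(len(events) - n + 1)]


def sliding_windows(stream, size, step=1):
    """Fixed-size windows over the stream.  step=1 oversamples every offset,
    the cheap augmentation used here so the detector is not tied to where a
    window happens to start in the event stream."""
    if len(stream) < size:
        return [stream]
    return [stream[i:i + size] for i in range(0, len(stream) - size + 1, step)]


def ransomware_trace(n_files, benign_per_op=0):
    """Simulated ransomware.  benign_per_op=0 is the plain encryption loop;
    benign_per_op>0 is the Red team variant that pads each encryption
    operation with benign events (the 'minor change to the I/O pattern')."""
    filler = cycle(FILLERS)
    trace = []
    for _ in range(n_files):
        for op in ENCRYPT_LOOP:
            trace.append(op)
            trace.extend(next(filler) for _ in range(benign_per_op))
    return trace


def benign_trace(n_files):
    return [e for _ in range(n_files) for e in BENIGN_LOOP]


class NgramDetector:
    """Naive detector: an n-gram is 'malicious' if it occurs in malicious
    training windows and never in benign ones.  A window is flagged when the
    fraction of its n-grams that are malicious reaches the threshold."""

    def __init__(self, n=3, window=16, threshold=0.5):
        self.n, self.window, self.threshold = n, window, threshold
        self.malicious = set()

    def fit(self, malicious_traces, benign_traces):
        grams = lambda traces: {g for t in traces for w in sliding_windows(t, self.window)
                                for g in ngrams(w, self.n)}
        self.malicious = grams(malicious_traces) - grams(benign_traces)
        return self

    def score(self, window):
        grams = ngrams(window, self.n)
        return sum(g in self.malicious for g in grams) / len(grams) if grams else 0.0

    def detect(self, trace):
        """Online-style detection: the trace is flagged as soon as any window
        crosses the threshold, so report the maximum window score."""
        return max(self.score(w) for w in sliding_windows(trace, self.window))

    def attribution(self, window, top=4):
        """Which n-grams drove the decision: a crude stand-in for the
        per-time-step attribution the talk obtains with Integrated Gradients."""
        return Counter(g for g in ngrams(window, self.n) if g in self.malicious).most_common(top)


def run_experiment():
    benign = [benign_trace(6)]
    naive = NgramDetector().fit([ransomware_trace(6)], benign)
    # Adversarial training iteration: Red team variants become training data.
    hardened = NgramDetector().fit([ransomware_trace(6, k) for k in (0, 1, 2)], benign)
    return {
        "naive_plain": naive.detect(ransomware_trace(4)),                 # 1.0: caught
        "naive_benign": naive.detect(benign_trace(4)),                    # 0.0: no false positive
        "naive_redteam": naive.detect(ransomware_trace(4, 1)),            # 0.0: one filler per op bypasses it
        "hardened_redteam": hardened.detect(ransomware_trace(4, 1)),      # 1.0: seen variant caught
        "hardened_unseen": hardened.detect(ransomware_trace(4, 3)),       # 8/14: more padding than trained on, still flagged
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:18s} {value:.3f}")
    plain = NgramDetector().fit([ransomware_trace(6)], [benign_trace(6)])
    print("attribution:", plain.attribution(ransomware_trace(4)))
```

The naive detector reaches a perfect score on the plain loop and zero false positives on the benign trace, yet a single benign event between each encryption operation drives its score to zero, which is the bypass the talk describes. Retraining on the Red team's variants restores detection, and the attribution output shows that the plain-loop decision rests on the `open, read, write` and `read, write, rename` sequences rather than on incidental events, which is the check on feature meaningfulness that the abstract asks for. The Red team here is deliberately simple; the talk's point is that it must be polymorphic, since any fixed padding scheme becomes just another training sample.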

By building a ransomware detector, this presentation demonstrates the full stack of the ML/DL development process. We found the simulated adversarial program very helpful: it discloses weaknesses of the model and also serves as an adversarial sample generator. In addition to the regular ML/DL training-testing iteration for model optimization, we propose synthesizing adversarial samples with a polymorphic Red team program for an adversarial training iteration. Combined with data augmentation and model explanation techniques, the resiliency and fidelity of the model can be enhanced and verified. The tips and lessons learned for each step of this two-iteration pipeline will be shared in the presentation. We believe this in-depth analysis can serve as a general recommendation for all cybersecurity ML/DL development.

* https://phoenixnap.com/blog/ransomware-statistics-facts