{"title":"RanSMAP: Open dataset of Ransomware Storage and Memory Access Patterns for creating deep learning based ransomware detectors","authors":"Manabu Hirano , Ryotaro Kobayashi","doi":"10.1016/j.cose.2024.104202","DOIUrl":null,"url":null,"abstract":"<div><div>Ransomware attacks have become significant cyber threats to enterprises and public sectors. Our previous RanSAP dataset, which contained only low-level storage access patterns collected using a thin hypervisor, was used to create behavioral-based ransomware detectors; it provides an additional protection layer when the OS-level ransomware detection systems are compromised. The previous ransomware detector, which used only low-level storage access patterns, could not detect ransomware when Office applications and web browsers were executed simultaneously. This paper presents a new open dataset named RanSMAP, which stands for Ransomware Storage and Memory Access Patterns. It contains low-level storage and memory access patterns collected using a thin hypervisor. We provide an overview of the open RanSMAP dataset, including directory structure and file formats, to guide researchers in using the dataset. We then present our data preprocessing method and deep-learning-based ransomware detector. The RanSMAP datasets consist of storage and memory access patterns of six ransomware samples and six benign applications, seven Conti ransomware variants, and simultaneous execution of ransomware with benign applications collected on the machines with various CPUs, RAM generations, RAM frequencies, and RAM capacities. The experimental results show that low-level memory access patterns improved ransomware detection performance by 2.3% compared to detectors using only storage access patterns. We confirmed that ransomware detectors trained using the RanSMAP dataset can detect ransomware when Office and web browser programs are executed simultaneously. We presented the survey on state-of-the-art ransomware detection research and the availability of open behavioral-feature datasets to discuss the advantages and limitations of our RanSMAP dataset.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104202"},"PeriodicalIF":4.8000,"publicationDate":"2024-11-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824005078","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
Abstract
Ransomware attacks have become significant cyber threats to enterprises and public sectors. Our previous RanSAP dataset, which contained only low-level storage access patterns collected using a thin hypervisor, was used to create behavioral-based ransomware detectors; it provides an additional protection layer when the OS-level ransomware detection systems are compromised. The previous ransomware detector, which used only low-level storage access patterns, could not detect ransomware when Office applications and web browsers were executed simultaneously. This paper presents a new open dataset named RanSMAP, which stands for Ransomware Storage and Memory Access Patterns. It contains low-level storage and memory access patterns collected using a thin hypervisor. We provide an overview of the open RanSMAP dataset, including directory structure and file formats, to guide researchers in using the dataset. We then present our data preprocessing method and deep-learning-based ransomware detector. The RanSMAP datasets consist of storage and memory access patterns of six ransomware samples and six benign applications, seven Conti ransomware variants, and simultaneous execution of ransomware with benign applications collected on the machines with various CPUs, RAM generations, RAM frequencies, and RAM capacities. The experimental results show that low-level memory access patterns improved ransomware detection performance by 2.3% compared to detectors using only storage access patterns. We confirmed that ransomware detectors trained using the RanSMAP dataset can detect ransomware when Office and web browser programs are executed simultaneously. We presented the survey on state-of-the-art ransomware detection research and the availability of open behavioral-feature datasets to discuss the advantages and limitations of our RanSMAP dataset.
期刊介绍:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.