©2021 TechIPm, LLC All Rights Reserved http://www.techipm.com/ 
 
AI for Ransomware Detection & Prevention Insights from Patents
Alex G. Lee1
Ransomware has become a major cybersecurity threat over the past few years. In 2017, a ransomware attack known as WannaCry became one of the biggest cybersecurity attacks ever to hit globally. It shut down hospitals, impacted telecommunications companies, and spread to over 150 countries and approximately 300,000 devices. It is estimated to have cost enterprises upwards of $5 billion in damages annually. Ransomware is malware designed to prevent users from accessing their computers, either by locking the screen or by encrypting the data with a strong encryption algorithm known only to the attacker. One difficulty with a ransomware attack is that it is resistant to normal data recovery techniques, such as backups. Incremental backups keep copies of the user's data, but when a file is encrypted and then stored with the same name and extension as the original file, the encrypted file overwrites the good file in the next incremental backup. Even a quality cloud backup solution that maintains a number of file versions can be susceptible to this type of attack, as it can be impractical or problematic for users to find and restore the last good version of every file in a directory structure that can have many thousands of individual files. Furthermore, ransomware cannot be defeated by simply resetting the computer or the operating system to a known good state. Even if the device itself can be restored to a known good state, the user's original data or their backups may still be encrypted.
                                                            
1 Alex G. Lee, Ph.D., Esq., is a principal consultant and patent attorney at TechIPm, LLC.
Conventional attempts to solve these challenges have drawbacks. For example, a heuristic system monitors file I/O patterns (such as read/write/delete/rename) and frequencies. The I/O patterns can be compared to heuristic models to detect irregularities in the pattern. But ransomware can work around these heuristic solutions by encrypting files only at certain intervals or once the machine is idle, which makes it difficult to distinguish the ransomware attack from ordinary file activity. Static analysis-based solutions scan process memory (either before unpacking or after unpacking) to look for known signatures. But ransomware can avoid detection by using different signatures. AI can provide an effective solution for detecting malware as an alternative to the use of signatures.

Patents are a good information resource for obtaining the state of the art of AI technology innovations for defending against ransomware attacks. Patent information can provide many valuable insights that can be exploited for developing and implementing new technologies. Patents can also be exploited to identify new product/service development opportunities.
AI for Ransomware Detection
US20210019403 illustrates an AI application method for identifying and mitigating ransomware attacks. The method provides an operating system and file system agnostic way of classifying a computer program as behaving like ransomware or not. The program need not be previously known or trusted. In other words, even a ‘zero-day’ ransomware attack that exploits an unknown vulnerability in hardware or software can be mitigated with the method provided.

The AI application method analyzes file content when a file is written or newly created on the disk by a program. A ransomware mitigation engine determines whether the file has been compromised by a ransomware attack. The file is marked as ransomware or as compromised if the ransomware mitigation engine determines that the file has been compromised. The file analysis can be accomplished by using a deep learning classification layer (e.g., a convolutional neural network) to identify the file type of the file, combined with a heuristic layer that checks the byte distribution in the file content to predict, using a statistical analysis (e.g., entropy), whether the file appears to be encrypted. Once the examined file is determined to have been compromised by a ransomware attack, the ransomware mitigation engine takes a remedial action such as creating a backup of the file and restoring the file from the backup.
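The file-type layer and the byte-distribution layer described above can be combined as in the following added example, which is not code from the patent or from this page. It assumes a magic-byte lookup as a simple stand-in for the deep learning classifier, an entropy cut-off of 7.5 bits per byte, and constructed sample data.

```python
import gzip
import hashlib
import math
from collections import Counter
from pathlib import PurePath

# Magic-byte lookup: a simple stand-in for the learned file-type classifier.
MAGIC = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"\xff\xd8\xff", "jpeg"), (b"\x1f\x8b", "gzip")]
# Content type each extension is expected to carry (docx/xlsx are zip containers).
EXPECTED = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".zip": "zip", ".png": "png",
            ".jpg": "jpeg", ".gz": "gzip", ".txt": "text", ".csv": "text"}
ENTROPY_LIMIT = 7.5  # bits per byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution, from 0.0 up to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_type(data: bytes) -> str:
    """File-type layer: a known header, mostly printable text, or unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:4096]
    printable = sum(32 <= b <= 126 or b in (9, 10, 13) for b in head)
    return "text" if head and printable / len(head) > 0.95 else "unknown"


def assess_write(name: str, data: bytes) -> dict:
    """Combine both layers for a file that was just written or created."""
    expected = EXPECTED.get(PurePath(name).suffix.lower())
    detected = identify_type(data)
    entropy = shannon_entropy(data)
    high = entropy >= ENTROPY_LIMIT
    if high and expected is not None and detected != expected:
        verdict = "compromised"   # content no longer matches its type and looks encrypted
    elif high and detected == "unknown":
        verdict = "suspicious"    # looks encrypted, but no expectation to compare against
    else:
        verdict = "ok"            # includes compressed formats with a valid header
    return {"file": name, "detected": detected,
            "entropy": round(entropy, 2), "verdict": verdict}


# Constructed sample data: repetitive text, and SHAKE-256 output standing in
# for ciphertext (uniform byte distribution).
TEXT = b"Quarterly report: revenue, cost, margin\n" * 400
CIPHERTEXT = hashlib.shake_256(b"constructed sample").digest(65536)
SAMPLES = [
    ("notes.txt", TEXT),                      # ordinary text file
    ("archive.gz", gzip.compress(CIPHERTEXT)),  # high entropy, but a valid gzip file
    ("budget.docx", CIPHERTEXT),              # same name and extension, content replaced
    ("data.bin", CIPHERTEXT),                 # unknown extension, high entropy
]


def run_samples() -> dict:
    return {name: assess_write(name, data)["verdict"] for name, data in SAMPLES}


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(assess_write(name, data))
```

The `archive.gz` case shows why entropy alone is not enough: compressed files are also high-entropy, so the verdict depends on whether the content still matches the type the file is supposed to have.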
US20200034537 illustrates a system that detects ransomware infection in file systems. The system detects ransomware infection in two stages. In the first stage, the system analyzes the file system's behavior. The file system's behavior can be obtained by loading the backup data and crawling the file system to create file system metadata (e.g., a list of entries corresponding to data changes in the file system), including information about file operations during a time interval. The system determines a pattern of the file operations using a set of machine learning models trained to determine the pattern of the file operations. The system compares the pattern to a normal pattern to analyze the file system's behavior based on features representing that behavior. If the file system's behavior is abnormal, the system proceeds to the second stage and analyzes the content of the files to look for signs of encryption in the file system. The system combines the analysis of both stages to determine whether the file system is infected by ransomware.
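The two-stage flow described above, sketched as an added example that is not code from the patent or from this page. It assumes snapshots are given as path-to-content dictionaries, uses a per-feature z-score against constructed history as a stand-in for the trained machine learning models, and uses byte entropy as the sign of encryption in the second stage.

```python
import hashlib
import math
import statistics
from collections import Counter


def diff_snapshots(prev: dict, curr: dict) -> dict:
    """Stage 1 input: file operations between two backup snapshots (path -> bytes)."""
    return {
        "created": sorted(p for p in curr if p not in prev),
        "deleted": sorted(p for p in prev if p not in curr),
        "modified": sorted(p for p in curr if p in prev and curr[p] != prev[p]),
    }


def operation_features(prev: dict, ops: dict) -> dict:
    """Share of the previous snapshot touched by each kind of operation."""
    total = max(len(prev), 1)
    return {kind: len(paths) / total for kind, paths in ops.items()}


def behaviour_abnormal(feat: dict, history: list, z_limit=3.0, min_spread=0.01) -> bool:
    """Stand-in for the trained models: flag any feature far above its baseline."""
    for name, value in feat.items():
        past = [h[name] for h in history]
        spread = max(statistics.pstdev(past), min_spread)  # avoid a zero divisor
        if (value - statistics.mean(past)) / spread > z_limit:
            return True
    return False


def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def encrypted_ratio(curr: dict, paths: list, threshold=7.5) -> float:
    """Stage 2: share of changed files whose content looks encrypted."""
    if not paths:
        return 0.0
    return sum(entropy(curr[p]) >= threshold for p in paths) / len(paths)


def detect(prev: dict, curr: dict, history: list, min_encrypted=0.5) -> dict:
    """Run stage 2 only when stage 1 is abnormal, then combine both results."""
    ops = diff_snapshots(prev, curr)
    abnormal = behaviour_abnormal(operation_features(prev, ops), history)
    ratio = encrypted_ratio(curr, ops["created"] + ops["modified"]) if abnormal else 0.0
    return {"abnormal_behaviour": abnormal, "encrypted_ratio": ratio,
            "infected": abnormal and ratio >= min_encrypted}


# Constructed baseline: operation features of six earlier backup intervals.
HISTORY = [{"created": c, "deleted": 0.0, "modified": m}
           for c, m in [(0.05, 0.05), (0.0, 0.10), (0.05, 0.05),
                        (0.05, 0.0), (0.0, 0.10), (0.05, 0.05)]]

# Constructed snapshots: 20 text files, then three possible follow-up snapshots.
BASE = {f"docs/report{i:02d}.txt": (f"Report {i} for fiscal year 2020\n" * 150).encode()
        for i in range(20)}

NORMAL = dict(BASE)                       # one edit and one new file
NORMAL["docs/report03.txt"] += b"Addendum\n"
NORMAL["docs/new.txt"] = b"Draft\n" * 100

# Legitimate bulk edit: every file changes, but the content stays plain text.
BULK_EDIT = {p: c.replace(b"2020", b"2021") for p, c in BASE.items()}

# Every file replaced under the same name by SHAKE-256 output, a constructed
# stand-in for ciphertext.
ATTACK = {p: hashlib.shake_256(p.encode()).digest(4096) for p in BASE}

if __name__ == "__main__":
    for label, snap in [("normal", NORMAL), ("bulk edit", BULK_EDIT), ("attack", ATTACK)]:
        print(label, detect(BASE, snap, HISTORY))
```

The bulk-edit snapshot trips the first stage but not the second, which is the case the combination of both stages is meant to separate from an infection.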
It is challenging for a backup service provider to determine whether an encrypted file received from a customer for storage is encrypted only by a normal encryption process or whether the encrypted file contains a ransomware encryption as well. US20200042703 illustrates a system for ransomware detection in encrypted files. The system applies an anomaly detection technique to the metadata for an encrypted file to compare attributes (e.g., file extension/size/name) in the metadata to corresponding historical baseline values for the attributes. The anomaly detection technique comprises a machine learning model that is trained using historical time-series data for each of the file types. The system determines whether the encrypted file comprises a ransomware encryption based on the comparison.
AI for Ransomware Prevention
The most effective defense against a ransomware attack is detection of the malware as it is downloaded to the victim computer, which can prevent an attack vector from penetrating the victim’s host computer. The following approaches can mitigate ransomware attacks: 1) backing up data frequently to backup storage devices that can be disconnected from the network before and after the backup operation is performed; 2) training people on risky security scenarios, such as avoiding clicking on malicious links in phishing emails and spear-phishing campaigns, avoiding opening suspicious email attachments, avoiding clicking malicious advertisements on websites, and avoiding plugging in potentially infected USB devices found in untrusted locations; and 3) firewalls that can help block known suspicious IP addresses and domains, which could host ransomware command & control servers, from communicating with devices in your network.
US20180248896 illustrates an anti-ransomware system that has a deception component comprising a decoy module to place and monitor decoy segments within file systems. Decoy files and folders contain common file types that ransomware attackers target. The purposes of the decoys are i) alerting about ransomware-like behavior, ii) alerting about “snooping” on the computer, iii) potentially storing anti-malware components disguised as decoys, iv) slowing down the encryption process, yielding additional response time, v) deterring attackers, and vi) allowing additional opportunities to recover the key, or learn how to recover files.
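A decoy module of the kind described above can be sketched as follows. This is an added example, not code from the patent or from this page; the decoy file names, the hash manifest and the polling check are assumptions, and the tampering in `demo()` is a constructed stand-in run inside a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical decoy names using file types that ransomware commonly targets.
DECOY_NAMES = ["~budget_2021.xlsx", "~contracts.docx", "~photos_backup.jpg"]


def place_decoys(root: Path) -> dict:
    """Write decoys into root and every sub-directory; return path -> SHA-256."""
    manifest = {}
    directories = [root] + [p for p in root.rglob("*") if p.is_dir()]
    for directory in directories:
        for name in DECOY_NAMES:
            path = directory / name
            content = f"decoy file, do not edit: {name}\n".encode() * 64
            path.write_bytes(content)
            manifest[str(path)] = hashlib.sha256(content).hexdigest()
    return manifest


def check_decoys(manifest: dict) -> list:
    """Return (path, reason) alerts for decoys that were changed or are gone."""
    alerts = []
    for path, digest in manifest.items():
        decoy = Path(path)
        if not decoy.exists():
            # Deleted, or renamed (for example to a new extension).
            alerts.append((path, "missing"))
        elif hashlib.sha256(decoy.read_bytes()).hexdigest() != digest:
            # Content rewritten in place under the same name.
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Place decoys in a temporary tree, tamper with two of them, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents" / "Finance").mkdir(parents=True)
        manifest = place_decoys(root)
        clean = check_decoys(manifest)

        # Constructed stand-in for ransomware-like activity on two decoys.
        overwritten = root / "Documents" / DECOY_NAMES[0]
        overwritten.write_bytes(os.urandom(256))
        renamed = root / "Documents" / "Finance" / DECOY_NAMES[1]
        renamed.rename(renamed.with_name(renamed.name + ".locked"))

        return len(manifest), clean, check_decoys(manifest)


if __name__ == "__main__":
    count, clean, alerts = demo()
    print(f"{count} decoys placed, {len(clean)} alerts before tampering")
    for path, reason in alerts:
        print(reason, path)
```

Because no legitimate program has a reason to touch a decoy, any alert from `check_decoys` is a high-confidence signal.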
The anti-ransomware system includes a behavioral analysis module that analyzes the behavior of suspected ransomware and monitors ransomware activities in real time, using a machine learning module to determine a file system baseline of the computer file structure. The machine learning module observes the normal processes of the machine, including behavior that results in large changes at one time to particular files, such as encrypting, within normal use of the computer, files that weren't previously encrypted or that represent user content. Once file change activity exceeds a threshold, the anti-ransomware system takes action by notifying the response component.

The response component has a suspend/kill module to suspend the suspected ransomware, a restore files module to restore files from an on-demand backup system, a capture encryption key module to retrieve the encryption key used by the suspected ransomware, and a quarantine module to quarantine the suspected ransomware on the device, and to quarantine the device off the network, to prevent spread of infection.
Cybersecurity & Privacy in ESG Digital Transformation Webinar
A recent ransomware cyberattack on a major oil pipeline caused gas prices to surge and gas stations in multiple states to experience shortages due to a several-day outage resulting from the attack. In 2020, a major cyberattack by a group backed by the Russian government caused a series of data breaches in the United States federal government. These two cases illustrate the serious harm of cyberattacks and data breaches to society and individuals.

As the world recovers from the COVID-19 pandemic, ESG (Environmental, Social, and Governance) DX (digital transformation) will be accelerated. As ESG DX is accelerated, cybersecurity and privacy protection will be the top ESG risk management concern for corporations and their stakeholders.

In the webinar, Alex G. Lee, Ph.D., Esq. (https://www.linkedin.com/in/alexgeunholee/) will present the potential risks of cybersecurity & privacy in ESG DX. Specifically, Alex will present the state-of-the-art innovations of AI, Blockchain, IoT and their convergence for cybersecurity & privacy in ESG DX. Alex will present specific technical details about the use cases of AI, Blockchain, IoT and their convergence for cybersecurity & privacy in ESG DX based on related patents analysis. Alex will also present demos of an innovative cybersecurity solution (Zeus) for protecting systems of digital infrastructure and a cloud-based big data/computing platform (Xanadu) for protection against ransomware.
Place: Online Zoom meeting
Time: June 16, 2021 7 pm – 9.00 pm Eastern Time/EDT (US and Canada)
June 16, 2021 4 pm – 6.00 pm Pacific Time/PST (US and Canada)
June 17, 2021 8 am – 10.00 am GMT+9 Time Zone (S. Korea and Japan)
Registration: https://www.eventbrite.com/e/cybersecurity-privacy-in-esg-digital-transformation-webinar-tickets-156172081901?utm_source=eventbrite&utm_medium=email&utm_campaign=post_publish&utm_content=shortLinkNewEmail
