Core Concept
Minerva is a novel, robust approach to ransomware detection that constructs file-based behavioral profiles to identify malicious activity, and is designed to be resilient against evasion attacks.
Summary
The paper presents Minerva, a novel ransomware detection approach that leverages file-based behavioral profiling to identify malicious activity. Minerva is designed to be robust against evasion attacks, with architectural and feature selection choices informed by their resilience to adversarial manipulation.
The key insights behind Minerva are:
- Ransomware must ultimately encrypt user files to achieve its objective, so monitoring file-level behavior can detect malicious activity regardless of how tasks are distributed across processes.
- Different aspects of file-based behavioral profiles are interconnected, so attempts to alter one aspect to evade detection will trigger detectable changes in others.
Minerva employs a multi-tier architecture that monitors file activity across different time windows, using an ensemble of machine learning classifiers to detect malicious behavior. The paper conducts a comprehensive analysis of Minerva's performance against traditional, evasive multiprocess, and unseen ransomware, as well as adaptive ransomware specifically engineered to evade Minerva's detection. The results demonstrate Minerva's ability to accurately identify ransomware, generalize to unseen threats, and withstand evasion attacks, with remarkably low detection times.
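The first insight above, shown as an added illustration (this is not code from the Minerva paper): the same constructed event log is profiled per file and per process, over two time windows. The event format, the features (bytes read, bytes written, entropy of written data), the window sizes, and the threshold rule standing in for the trained classifiers are all assumptions.

```python
import math
from collections import Counter, defaultdict

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def profile(events):
    """Aggregate a group of events into one behavioural profile."""
    written = b"".join(e["data"] for e in events if e["op"] == "write")
    return {"read": sum(len(e["data"]) for e in events if e["op"] == "read"),
            "written": len(written), "entropy": entropy(written),
            "pids": len({e["pid"] for e in events})}

def suspicious(p):
    """Assumed rule in place of a classifier: content read, then overwritten with near-random data."""
    return p["read"] > 0 and p["written"] >= p["read"] and p["entropy"] > 7.5

def detect(events, key, windows=(0.5, 2.0)):
    """Flag each `key` value whose profile fires in any time-window tier (seconds, assumed)."""
    now, flagged = max(e["t"] for e in events), set()
    for w in windows:
        buckets = defaultdict(list)
        for e in events:
            if now - e["t"] <= w:
                buckets[e[key]].append(e)
        flagged |= {k for k, v in buckets.items() if suspicious(profile(v))}
    return flagged

def ev(t, pid, path, op, data=b""):
    return {"t": t, "pid": pid, "path": path, "op": op, "data": data}

# Constructed sample data, not real telemetry.
PLAIN = b"meeting notes " * 256                               # low-entropy text
CIPHER = bytes((i * 197 + 13) % 256 for i in range(4096))     # uniform bytes, 8 bits/byte
EVENTS = [
    ev(0.00, 101, "docs/budget.xlsx", "read", PLAIN),    # three processes each do
    ev(0.30, 102, "docs/budget.xlsx", "write", CIPHER),  # one step on the same file
    ev(0.40, 103, "docs/budget.xlsx", "rename"),
    ev(0.10, 200, "docs/notes.txt", "read", PLAIN),      # ordinary edit by one process
    ev(0.35, 200, "docs/notes.txt", "write", PLAIN + b"one more line\n"),
]

if __name__ == "__main__":
    print("per-file view flags:   ", detect(EVENTS, "path"))
    print("per-process view flags:", detect(EVENTS, "pid"))
```

Grouping by file reassembles the read, overwrite and rename steps that no single process performs, so the per-file view flags the file while the per-process view flags nothing.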
Statistics
"Minerva detects ransomware activity on average within 0.52 seconds of the onset of malicious activity."
"Minerva achieves over 99% true positive rate and true negative rate against traditional and evasive multiprocess ransomware."
Quotes
"Minerva is engineered to be robust by design against evasion attacks, with architectural and feature selection choices informed by their resilience to adversarial manipulation."
"Minerva effectively guards against traditional ransomware, evasive multiprocess ransomware, and adaptive ransomware engineered specifically to evade Minerva's detection."