A Comparison of One-class and Two-class Models for Ransomware Detection via Low-level Hardware Information

2023 ASIAN HARDWARE ORIENTED SECURITY AND TRUST SYMPOSIUM, ASIANHOST(2023)

Abstract
Recent years have witnessed a dramatic growth in ransomware attacks. Even though many tools have been developed to help combat these attacks, new varieties of ransomware keep emerging and hence are difficult to keep track of with the traditional signature detection method. On the other hand, neural networks have been a popular technique that can be used to help enhance ransomware detection accuracy. The Long Short-Term Memory (LSTM) network, in particular, is able to learn the temporal aspect of time-series data, which makes it suitable for online behavioral analysis. In this paper, we compared the anomaly detection models trained with the LSTM semi-supervised learning method against the LSTM model trained with the supervised learning method for ransomware detection, utilizing low-level hardware information. Overall, we are able to detect ransomware attacks with a detection accuracy of 98.60% for the supervised learning two-class model and 89.65% for the semi-supervised one-class model. Both models achieve a very high detection rate across multiple ransomware families, with recall rates of 99.70% and 93.00% for the two-class and one-class models, respectively. The supervised learning model demonstrates exceptional capability in detecting unseen ransomware attacks, which demonstrates the ability to overcome the limitation of static signature detection by performing live analysis of the system behavior. The model is able to retain a recall rate of 99.52% on average when facing ransomware varieties it has not seen during training. We hope the proposed methods shed light on our fight against ransomware.
Keywords
Performance Monitoring Counters, Semisupervised Learning, Supervised Learning, Ransomware, Anomaly Detection