
HARD-Lite: A Lightweight Hardware Anomaly Realtime Detection Framework Targeting Ransomware

IEEE Transactions on Circuits and Systems I: Regular Papers (2023)

Abstract
Recent years have witnessed a surge in ransomware attacks. Especially, many new variants of ransomware have continued to emerge, employing more advanced techniques to distribute the payload while avoiding detection. This renders the traditional static ransomware detection mechanism ineffective. In this paper, we present our Hardware Anomaly Realtime Detection-Lightweight (HARD-Lite) framework that employs a semi-supervised machine learning method to detect ransomware using low-level hardware information. By using an LSTM network with a weighted majority voting ensemble and exponential moving average, we are able to take into consideration the temporal aspect of hardware-level information formed as time series in order to detect deviation in system behavior, thereby increasing the detection accuracy whilst reducing the number of false positives. Testing against various ransomware families across multiple hardware platforms, HARD-Lite has demonstrated remarkable effectiveness, detecting all cases tested successfully. What’s more, by having a separate machine for the classifier while the user machine is under monitoring, it allows the classifier machine to enforce strict protection and offload the heavy-weight classification work, without impeding the functionality of the user machine. This hierarchical design enables good scalability for the proposed framework.
Keywords
Performance monitoring counters, semi-supervised learning, ransomware, anomaly detection, malware analysis
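
The abstract credits a weighted majority voting ensemble combined with an exponential moving average for reducing false positives. The sketch below is an added example, not code from the paper or its authors, and shows that decision stage on constructed data. The three detectors, their weights, `alpha`, the 0.5 threshold and the boolean per-window flags (standing in for the LSTM models' anomaly outputs) are all assumptions.

```python
# Added illustration (not the HARD-Lite authors' code). Assumed: three detectors,
# their weights, alpha and the alarm threshold; flags are constructed sample data.

def weighted_vote(flags, weights):
    """Weighted fraction (0..1) of detectors that flag one time window."""
    return sum(w for f, w in zip(flags, weights) if f) / sum(weights)

def first_alarm(scores, threshold):
    """Index of the first score at or above threshold, else None."""
    return next((i for i, s in enumerate(scores) if s >= threshold), None)

def ema(values, alpha):
    """Exponential moving average, starting from 0 (no anomaly seen yet)."""
    out, s = [], 0.0
    for v in values:
        s = alpha * v + (1 - alpha) * s
        out.append(s)
    return out

def detect(windows, weights, alpha=0.3, threshold=0.5, smooth=True):
    """Return the window index of the first alarm, or None."""
    votes = [weighted_vote(f, weights) for f in windows]
    return first_alarm(ema(votes, alpha) if smooth else votes, threshold)

WEIGHTS = [0.5, 0.3, 0.2]            # assumed per-detector trust
QUIET = (False, False, False)
ALL = (True, True, True)
# Constructed traces, one tuple of detector flags per monitoring window.
SPIKE = [QUIET] * 4 + [ALL] + [QUIET] * 5          # one-window burst
SUSTAINED = [QUIET] * 5 + [ALL] * 5                # persistent deviation
WEAK_ONLY = [(False, False, True)] * 10            # only the 0.2 detector fires

if __name__ == "__main__":
    for name, trace in [("spike", SPIKE), ("sustained", SUSTAINED),
                        ("weak-only", WEAK_ONLY)]:
        print(name, "raw:", detect(trace, WEIGHTS, smooth=False),
              "smoothed:", detect(trace, WEIGHTS))
```

With these assumed parameters, smoothing suppresses the one-window burst that a raw per-window vote would alarm on, at the cost of one window of extra latency on the sustained deviation.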