English

Peeler: Profiling Kernel-Level Events to Detect Ransomware

Cryptography and Security 2021-02-01 v1

Abstract

Ransomware is a growing threat that typically operates by either encrypting a victim's files or locking a victim's computer until the victim pays a ransom. However, it is still challenging to detect such malware timely with existing traditional malware detection techniques. In this paper, we present a novel ransomware detection system, called "Peeler" (Profiling kErnEl -Level Events to detect Ransomware). Peeler deviates from signatures for individual ransomware samples and relies on common and generic characteristics of ransomware depicted at the kernel-level. Analyzing diverse ransomware families, we observed ransomware's inherent behavioral characteristics such as stealth operations performed before the attack, file I/O request patterns, process spawning, and correlations among kernel-level events. Based on those characteristics, we develop Peeler that continuously monitors a target system's kernel events and detects ransomware attacks on the system. Our experimental results show that Peeler achieves more than 99\% detection rate with 0.58\% false-positive rate against 43 distinct ransomware families, containing samples from both crypto and screen-locker types of ransomware. For crypto ransomware, Peeler detects them promptly after only one file is lost (within 115 milliseconds on average). Peeler utilizes around 4.9\% of CPU time with only 9.8 MB memory under the normal workload condition. Our analysis demonstrates that Peeler can efficiently detect diverse malware families by monitoring their kernel-level events.

Keywords

Cite

@article{arxiv.2101.12434,
  title  = {Peeler: Profiling Kernel-Level Events to Detect Ransomware},
  author = {Muhammad Ejaz Ahmed and Hyoungshick Kim and Seyit Camtepe and Surya Nepal},
  journal= {arXiv preprint arXiv:2101.12434},
  year   = {2021}
}

Comments

15 pages, 10 figures

R2 v1 2026-06-23T22:38:51.834Z