Ransomware Detection Using Machine Learning in the Linux Kernel
Adrian Brodzik, Tomasz Malec-Kruszyński, Wojciech Niewolski, Mikołaj Tkaczyk, Krzysztof Bocianiak, Sok-Yen Loui
TL;DR
This work tackles the need for real-time ransomware detection in Linux-based cloud environments by enabling ML inference directly inside the kernel with eBPF. It implements two lightweight models, a decision tree and a multilayer perceptron, in eBPF to classify in-kernel process activity using system-call-derived features, while adapting computations to fixed-point arithmetic. The results show macro F1 scores above 0.95 and substantial latency reductions (up to several orders of magnitude) compared with user-space implementations, demonstrating the practicality of in-kernel ransomware detection. The approach offers a path toward low-latency, kernel-space defenses and suggests future expansion to additional algorithms to further boost effectiveness and speed.
Abstract
Linux-based cloud environments have become lucrative targets for ransomware attacks, which employ various encryption schemes at unprecedented speeds. Addressing the urgency for real-time ransomware protection, we propose leveraging the extended Berkeley Packet Filter (eBPF) to collect system call information about active processes and to run inference on that data directly at the kernel level. In this study, we implement two Machine Learning (ML) models in eBPF: a decision tree and a multilayer perceptron. We benchmark the latency and accuracy of both models against their user-space counterparts, and our findings underscore the efficacy of this approach.
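The TL;DR and abstract describe running a multilayer perceptron inside eBPF with fixed-point arithmetic, since BPF programs cannot use floating point. The following is an added example, not the authors' code: a Q16.16 fixed-point MLP forward pass in plain C, with constant loop bounds as the BPF verifier requires. The three input features (normalised per-process counts of open, write and rename/unlink calls) and all weights are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Q16.16 fixed point: 16 integer bits, 16 fractional bits. Weights and
 * activations are int32_t; products use a 64-bit intermediate so the
 * multiplication cannot overflow before shifting back. */
typedef int32_t fx_t;
#define FX_SHIFT 16
/* Constant-folded at compile time, so no FP instructions are emitted. */
#define FX(x) ((fx_t)((x) * (1 << FX_SHIFT)))

static inline fx_t fx_mul(fx_t a, fx_t b) { return (fx_t)(((int64_t)a * b) >> FX_SHIFT); }
static inline fx_t fx_relu(fx_t x) { return x > 0 ? x : 0; }
static inline double fx_to_double(fx_t x) { return (double)x / (1 << FX_SHIFT); }

/* Hypothetical features per process over a time window, pre-scaled to [0,1]
 * by the collector: open() rate, write() rate, rename()/unlink() rate. */
#define N_IN 3
#define N_HID 2

/* Constructed weights (in a real deployment these come from training and
 * are quantised offline before being loaded into the BPF program). */
static const fx_t W1[N_HID][N_IN] = { { FX(0.8), FX(1.2), FX(1.5) },
                                      { FX(-0.5), FX(0.3), FX(2.0) } };
static const fx_t B1[N_HID] = { FX(-1.0), FX(-0.8) };
static const fx_t W2[N_HID] = { FX(1.4), FX(1.6) };
static const fx_t B2 = FX(-1.2);

/* Forward pass; returns the output logit (>0 means "ransomware-like").
 * All loop bounds are compile-time constants, as the eBPF verifier demands. */
fx_t mlp_logit(const fx_t x[N_IN]) {
    fx_t h[N_HID];
    for (int j = 0; j < N_HID; j++) {
        fx_t acc = B1[j];
        for (int i = 0; i < N_IN; i++) acc += fx_mul(W1[j][i], x[i]);
        h[j] = fx_relu(acc);
    }
    fx_t out = B2;
    for (int j = 0; j < N_HID; j++) out += fx_mul(W2[j], h[j]);
    return out;
}

/* Convenience wrapper: 1 = flag the process, 0 = benign. */
int classify3(fx_t open_r, fx_t write_r, fx_t rename_r) {
    fx_t x[N_IN] = { open_r, write_r, rename_r };
    return mlp_logit(x) > 0;
}

int main(void) {
    fx_t benign[N_IN] = { FX(0.2), FX(0.1), FX(0.0) };
    fx_t noisy[N_IN]  = { FX(0.9), FX(0.9), FX(0.8) };
    printf("benign logit %.3f\n", fx_to_double(mlp_logit(benign)));
    printf("noisy  logit %.3f\n", fx_to_double(mlp_logit(noisy)));
    return 0;
}
```

Truncating each weight to 1/65536 introduces a small quantisation error (visible in the printed logits), which is why accuracy must be re-checked against the floating-point model as the paper does.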
