基于硬件性能计数器的勒索软件检测技术研究与实现

doi:10.3969/j.issn.1671-1122.2025.09.008

信息网络安全 ›› 2025, Vol. 25 ›› Issue (9): 1397-1406.doi: 10.3969/j.issn.1671-1122.2025.09.008

基于硬件性能计数器的勒索软件检测技术研究与实现

赵文宇¹, 党晨曦²^,³, 杜振华⁴, 张健²^,³()

1.天津航海仪器研究所，天津 300131
2.南开大学密码与网络空间安全学院，天津 300350
3.天津市网络与数据安全技术重点实验室，天津 300350
4.国家计算机病毒应急处理中心，天津 300392

收稿日期:2025-06-15 出版日期:2025-09-10 发布日期:2025-09-18
通讯作者: 张健 zhang.jian@nankai.edu.cn
作者简介:赵文宇（1989—），男，安徽，高级工程师，硕士，主要研究方向为数据安全、网络安全|党晨曦（2003—），男，河南，硕士研究生，主要研究方向为云安全、网络安全|杜振华（1982—），男，黑龙江，正高级工程师，硕士，主要研究方向为网络安全、恶意软件防治|张健（1968—），男，天津，教授，博士，CCF高级会员，主要研究方向为云安全、网络安全、恶意软件分析和系统安全
基金资助:
国家重点研发计划(2022YFB3103202)

Research and Implementation of Ransomware Detection Technology Based on Hardware Performance Counters

ZHAO Wenyu¹, DANG Chenxi²^,³, DU Zhenhua⁴, ZHANG Jian²^,³()

1. Tianjin Institute of Navigational Instruments, Tianjin 300131, China
2. College of Cryptology and Cyber Science, Nankai University, Tianjin 300350, China
3. Tianjin Key Laboratory of Network and Data Security Technology, Tianjin 300350, China
4. National Computer Virus Emergency Response Center, Tianjin 300392, China

Received:2025-06-15 Online:2025-09-10 Published:2025-09-18

摘要/Abstract

摘要：

针对当前勒索软件广泛采用代码混淆、动态加解密及进程拆分等对抗性技术以规避检测并隐藏自身特征，导致传统基于软件行为分析的方法难以有效识别此类复杂恶意样本、检测性能显著下降的问题，文章提出一种基于硬件性能计数器HPCs与Transformer架构的勒索软件检测方法。该方法首先在KVM虚拟化环境中采集样本运行过程中的HPCs时序数据，提取其微架构层面的运行特征；然后，利用多头注意力机制对HPCs序列进行分层建模，并结合位置嵌入机制增强时序依赖建模能力，有效克服传统方法在动态行为分析中的局限性。实验采集9900个勒索软件样本与9900个良性软件样本，经过特征筛选，最终选取5个与勒索行为高度相关的HPCs事件作为输入。实验结果表明，该方法在500 ms时间窗口内的检测准确率达到99.36%，为勒索软件的高效识别与防御提供了有力支持。

关键词: 硬件性能计数器, Transformer架构, 勒索软件检测, 时序特征提取

Abstract:

To address the challenge posed by modern ransomware techniques—such as code obfuscation, dynamic encryption/decryption, and process splitting—which aim to evade detection by concealing behavioral features and thereby render traditional behavior-based detection methods ineffective, this paper proposed a ransomware detection approach based on Hardware Performance Counters (HPCs) and a transformer architecture. The method first collected time-series HPCs data from program executions within a KVM virtualized environment to extract microarchitectural features. Then, it applied a multi-head attention mechanism for hierarchical modeling of the HPCs sequences, combined with positional encoding to enhance the model’s ability to capture temporal dependencies, thereby overcoming the limitations of traditional dynamic behavior analysis. A dataset comprising 9,900 ransomware samples and 9,900 benign software samples was collected. After feature selection, five HPCs events strongly associated with ransomware behavior were used as inputs. Experimental results show that the proposed method achieves an accuracy of 99.36% within a 500 ms time window, offering strong support for the efficient identification and defense against ransomware.

Key words: hardware performance counters, transformer architecture, ransomware detection, time series feature extraction

中图分类号:

TP309

赵文宇, 党晨曦, 杜振华, 张健. 基于硬件性能计数器的勒索软件检测技术研究与实现[J]. 信息网络安全, 2025, 25(9): 1397-1406.

ZHAO Wenyu, DANG Chenxi, DU Zhenhua, ZHANG Jian. Research and Implementation of Ransomware Detection Technology Based on Hardware Performance Counters[J]. Netinfo Security, 2025, 25(9): 1397-1406.

图/表 11

图1

图2

图3

表1

图4

图5

图6

表2

表3

图7

图8

参考文献 24

[1]	360 Digital Security Group. 2024 Ransomware Trends Report[EB/OL]. (2025-01-09)[2025-05-20]. https://360.cn/n/12648.html.
[2]	Cybersecurity Ventures. 2024 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics[EB/OL]. (2024-06-24)[2025-05-20]. https://cybersecurityventures.com/cybersecurity-almanac-2024/.
[3]	KHARAZ A, ARSHAD S, MULLINER C, et al. UNVEIL:A Large-Scale, Automated Approach to Detecting Ransomware[C]// USENIX. 25th USENIX Security Symposium (USENIX Security 16). Berkeley: USENIX Association, 2016: 757-772.
[4]	SCAIFE N, CARTER H, TRAYNOR P, et al. Cryptolock (and Drop It): Stopping Ransomware Attacks on User Data[C]// IEEE. 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS). New York: IEEE, 2016: 303-312.
[5]	CHEN ZhiGuo, KANG H S, YIN Shangnan, et al. Automatic Ransomware Detection and Analysis Based on Dynamic API Calls Flow Graph[C]// ACM. The International Conference on Research in Adaptive and Convergent Systems. New York: ACM, 2017: 196-201.
[6]	LEE J, JEONG K, LEE H. Detecting Metamorphic Malwares Using Code Graphs[C]// ACM. The 2010 ACM Symposium on Applied Computing. New York: ACM, 2010: 1970-1977.
[7]	KOK S H, ABDULLAH A, JHANJHI N Z, et al. Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm[J]. Computers, 2019, 8(4): 79-94.
[8]	ALHAWI O M K, BALDWIN J, DEHGHANTANHA A. Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection[J]. Cyber Threat Intelligence, 2018: 93-106.
[9]	ZHOU Boyou, GUPTA A, JAHANSHAHI R, et al. Hardware Performance Counters can Detect Malware: Myth or Fact?[C]// ACM. The 2018 on Asia Conference on Computer and Communications Security. New York: ACM, 2018: 457-468.
[10]	ZHOU Hongwei, WU Xin, SHI Wenchang, et al. HDROP: Detecting ROP Attacks Using Performance Monitoring Counters[C]// Springer. International Conference on Information Security Practice and Experience. Heidelberg: Springer, 2014: 172-186.
[11]	HERATH N, FOGH A. CPU Hardware Performance Counters for Security[EB/OL]. (2015-08-01)[2025-08-20]. https://www.blackhat.com/us-15/briefings.html.
[12]	CARVALHO DE MELO A. The New Linux Perf Tools[J]. Slides from Linux Kongress. 2010, 18(1): 1-42.
[13]	ALAM M, BHATTACHARYA S, DUTTA S, et al. RATAFIA: Ransomware Analysis Using Time and Frequency Informed Autoencoders[C]// IEEE. 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). New York: IEEE, 2019: 218-227.
[14]	WANG Xueyang, CHAI S, ISNARDI M, et al. Hardware Performance Counter-Based Malware Identification and Detection with Adaptive Compressive Sensing[J]. ACM Transactions on Architecture and Code Optimization (TACO), 2016, 13(1): 1-23.
[15]	DEMME J, MAYCOCK M, SCHMITZ J, et al. On the Feasibility of Online Malware Detection with Performance Counters[J]. ACM SIGARCH Computer Architecture News, 2013, 41(3): 559-570.
[16]	KAZDAGLI M, REDDI V J, TIWARI M. Quantifying and Improving the Efficiency of Hardware-Based Mobile Malware Detectors[C]// IEEE. 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). New York: IEEE, 2016: 1-13.
[17]	KRISHNAMURTHY P, RAMESH K, FAARSHAD K. Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters[J]. IEEE Transactions on Information Forensics and Security, 2020, 15: 666-680.
[18]	HE Zhangying, HOUMAN H, HOSSEIN S. Beyond Conventional Defenses: Proactive and Adversarial-Resilient Hardware Malware Detection Using Deep Reinforcement Learning[C]// ACM. The 61st ACM/IEEE Design Automation Conference. New York: ACM, 2024: 1-6.
[19]	LI Congmiao, GAUDIOT J L. Detecting Spectre Attacks Using Hardware Performance Counters[J]. IEEE Transactions on Computers, 2022, 71(6): 1320-1331.
[20]	GANFURE G O, WU Chunfeng, CHANG Yuanhao, et al. Deepware: Imaging Performance Counters with Deep Learning to Detect Ransomware[J]. IEEE Transactions on Computers, 2022, 72(3): 600-613.
[21]	HOCHREITER S, SCHMIDHUBER J. Long Short-Term Memory[J]. Neural Computation, 1997, 9(8): 1735-1780. doi: 10.1162/neco.1997.9.8.1735 pmid: 9377276
[22]	GRAVES A. Supervised Sequence Labelling with Recurrent Neural Networks[M]. Heidelberg: Springer, 2012.
[23]	VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need[C]// Curran Associates Inc. Proceedings of the 31st International Conference on Neural Information Processing Systems. New York: Curran Associates Inc, 2017: 6000-6010.
[24]	AURANGZEB S, RAIS R N B, ALEEM M, et al. On the Classification of Microsoft-Windows Ransomware Using Hardware Profile[EB/OL]. (2021-02-02) [2025-08-20]. https://peerj.com/articles/cs-361/#intro.

类型	训练集/个	验证集/个
良性软件	7920	1980
勒索软件	7920	1980

模型	Accuracy	Precision	Recall	F1	MCC	FPR	FNR
LSTM	95.51%	96.79%	94.45%	95.10%	93.31%	3.09%	0.55%
BiLSTM	97.75%	97.44%	96.16%	97.80%	95.50%	2.67%	1.83%
Transformer	99.36%	99.35%	99.12%	99.38%	98.73%	0.92%	0.59%

模型	独立训练	Accuracy	Precision	Recall	F1	MCC	FPR	FNR
EGB	1	96.65%	95.33%	95.20%	96.73%	94.08%	2.67%	1.83%
	2	96.55%	96.57%	95.84%	95.18%	93.65%	3.77%	1.32%
	3	95.12%	96.74%	95.90%	95.80%	94.09%	2.98%	2.11%
	平均	96.10%	96.21%	95.64%	95.90%	93.94%	3.14%	1.75%
本文模型	1	99.28%	99.21%	99.37%	99.41%	99.11%	0.84%	0.35%
	2	99.17%	99.45%	99.45%	99.49%	98.29%	1.02%	0.78%
	3	99.63%	99.39%	98.54%	99.24%	98.79%	0.009%	0.64%
	平均	99.36%	99.35%	99.12%	99.38%	98.73%	0.92%	0.59%

基于硬件性能计数器的勒索软件检测技术研究与实现

Research and Implementation of Ransomware Detection Technology Based on Hardware Performance Counters

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 24

相关文章 1

编辑推荐

Metrics

本文评价