Research and Implementation of Ransomware Detection Technology Based on Hardware Performance Counters

doi:10.3969/j.issn.1671-1122.2025.09.008

Abstract

Abstract:

To address the challenge posed by modern ransomware techniques—such as code obfuscation, dynamic encryption/decryption, and process splitting—which aim to evade detection by concealing behavioral features and thereby render traditional behavior-based detection methods ineffective, this paper proposed a ransomware detection approach based on Hardware Performance Counters (HPCs) and a transformer architecture. The method first collected time-series HPCs data from program executions within a KVM virtualized environment to extract microarchitectural features. Then, it applied a multi-head attention mechanism for hierarchical modeling of the HPCs sequences, combined with positional encoding to enhance the model’s ability to capture temporal dependencies, thereby overcoming the limitations of traditional dynamic behavior analysis. A dataset comprising 9,900 ransomware samples and 9,900 benign software samples was collected. After feature selection, five HPCs events strongly associated with ransomware behavior were used as inputs. Experimental results show that the proposed method achieves an accuracy of 99.36% within a 500 ms time window, offering strong support for the efficient identification and defense against ransomware.

Key words: hardware performance counters, transformer architecture, ransomware detection, time series feature extraction

CLC Number:

TP309

ZHAO Wenyu, DANG Chenxi, DU Zhenhua, ZHANG Jian. Research and Implementation of Ransomware Detection Technology Based on Hardware Performance Counters[J]. Netinfo Security, 2025, 25(9): 1397-1406.

Figures/Tables 11

References 24

[1]	360 Digital Security Group. 2024 Ransomware Trends Report[EB/OL]. (2025-01-09)[2025-05-20]. https://360.cn/n/12648.html.
[2]	Cybersecurity Ventures. 2024 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics[EB/OL]. (2024-06-24)[2025-05-20]. https://cybersecurityventures.com/cybersecurity-almanac-2024/.
[3]	KHARAZ A, ARSHAD S, MULLINER C, et al. UNVEIL:A Large-Scale, Automated Approach to Detecting Ransomware[C]// USENIX. 25th USENIX Security Symposium (USENIX Security 16). Berkeley: USENIX Association, 2016: 757-772.
[4]	SCAIFE N, CARTER H, TRAYNOR P, et al. Cryptolock (and Drop It): Stopping Ransomware Attacks on User Data[C]// IEEE. 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS). New York: IEEE, 2016: 303-312.
[5]	CHEN ZhiGuo, KANG H S, YIN Shangnan, et al. Automatic Ransomware Detection and Analysis Based on Dynamic API Calls Flow Graph[C]// ACM. The International Conference on Research in Adaptive and Convergent Systems. New York: ACM, 2017: 196-201.
[6]	LEE J, JEONG K, LEE H. Detecting Metamorphic Malwares Using Code Graphs[C]// ACM. The 2010 ACM Symposium on Applied Computing. New York: ACM, 2010: 1970-1977.
[7]	KOK S H, ABDULLAH A, JHANJHI N Z, et al. Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm[J]. Computers, 2019, 8(4): 79-94.
[8]	ALHAWI O M K, BALDWIN J, DEHGHANTANHA A. Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection[J]. Cyber Threat Intelligence, 2018: 93-106.
[9]	ZHOU Boyou, GUPTA A, JAHANSHAHI R, et al. Hardware Performance Counters can Detect Malware: Myth or Fact?[C]// ACM. The 2018 on Asia Conference on Computer and Communications Security. New York: ACM, 2018: 457-468.
[10]	ZHOU Hongwei, WU Xin, SHI Wenchang, et al. HDROP: Detecting ROP Attacks Using Performance Monitoring Counters[C]// Springer. International Conference on Information Security Practice and Experience. Heidelberg: Springer, 2014: 172-186.
[11]	HERATH N, FOGH A. CPU Hardware Performance Counters for Security[EB/OL]. (2015-08-01)[2025-08-20]. https://www.blackhat.com/us-15/briefings.html.
[12]	CARVALHO DE MELO A. The New Linux Perf Tools[J]. Slides from Linux Kongress. 2010, 18(1): 1-42.
[13]	ALAM M, BHATTACHARYA S, DUTTA S, et al. RATAFIA: Ransomware Analysis Using Time and Frequency Informed Autoencoders[C]// IEEE. 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). New York: IEEE, 2019: 218-227.
[14]	WANG Xueyang, CHAI S, ISNARDI M, et al. Hardware Performance Counter-Based Malware Identification and Detection with Adaptive Compressive Sensing[J]. ACM Transactions on Architecture and Code Optimization (TACO), 2016, 13(1): 1-23.
[15]	DEMME J, MAYCOCK M, SCHMITZ J, et al. On the Feasibility of Online Malware Detection with Performance Counters[J]. ACM SIGARCH Computer Architecture News, 2013, 41(3): 559-570.
[16]	KAZDAGLI M, REDDI V J, TIWARI M. Quantifying and Improving the Efficiency of Hardware-Based Mobile Malware Detectors[C]// IEEE. 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). New York: IEEE, 2016: 1-13.
[17]	KRISHNAMURTHY P, RAMESH K, FAARSHAD K. Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters[J]. IEEE Transactions on Information Forensics and Security, 2020, 15: 666-680.
[18]	HE Zhangying, HOUMAN H, HOSSEIN S. Beyond Conventional Defenses: Proactive and Adversarial-Resilient Hardware Malware Detection Using Deep Reinforcement Learning[C]// ACM. The 61st ACM/IEEE Design Automation Conference. New York: ACM, 2024: 1-6.
[19]	LI Congmiao, GAUDIOT J L. Detecting Spectre Attacks Using Hardware Performance Counters[J]. IEEE Transactions on Computers, 2022, 71(6): 1320-1331.
[20]	GANFURE G O, WU Chunfeng, CHANG Yuanhao, et al. Deepware: Imaging Performance Counters with Deep Learning to Detect Ransomware[J]. IEEE Transactions on Computers, 2022, 72(3): 600-613.
[21]	HOCHREITER S, SCHMIDHUBER J. Long Short-Term Memory[J]. Neural Computation, 1997, 9(8): 1735-1780. doi: 10.1162/neco.1997.9.8.1735 pmid: 9377276
[22]	GRAVES A. Supervised Sequence Labelling with Recurrent Neural Networks[M]. Heidelberg: Springer, 2012.
[23]	VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need[C]// Curran Associates Inc. Proceedings of the 31st International Conference on Neural Information Processing Systems. New York: Curran Associates Inc, 2017: 6000-6010.
[24]	AURANGZEB S, RAIS R N B, ALEEM M, et al. On the Classification of Microsoft-Windows Ransomware Using Hardware Profile[EB/OL]. (2021-02-02) [2025-08-20]. https://peerj.com/articles/cs-361/#intro.

类型	训练集/个	验证集/个
良性软件	7920	1980
勒索软件	7920	1980

模型	Accuracy	Precision	Recall	F1	MCC	FPR	FNR
LSTM	95.51%	96.79%	94.45%	95.10%	93.31%	3.09%	0.55%
BiLSTM	97.75%	97.44%	96.16%	97.80%	95.50%	2.67%	1.83%
Transformer	99.36%	99.35%	99.12%	99.38%	98.73%	0.92%	0.59%

模型	独立训练	Accuracy	Precision	Recall	F1	MCC	FPR	FNR
EGB	1	96.65%	95.33%	95.20%	96.73%	94.08%	2.67%	1.83%
	2	96.55%	96.57%	95.84%	95.18%	93.65%	3.77%	1.32%
	3	95.12%	96.74%	95.90%	95.80%	94.09%	2.98%	2.11%
	平均	96.10%	96.21%	95.64%	95.90%	93.94%	3.14%	1.75%
本文模型	1	99.28%	99.21%	99.37%	99.41%	99.11%	0.84%	0.35%
	2	99.17%	99.45%	99.45%	99.49%	98.29%	1.02%	0.78%
	3	99.63%	99.39%	98.54%	99.24%	98.79%	0.009%	0.64%
	平均	99.36%	99.35%	99.12%	99.38%	98.73%	0.92%	0.59%