RanSMAP: Open dataset of Ransomware Storage and Memory Access Patterns for creating deep learning based ransomware detectors

Abstract

Ransomware attacks have become significant cyber threats to enterprises and public sectors. Our previous RanSAP dataset, which contained only low-level storage access patterns collected using a thin hypervisor, was used to create behavioral-based ransomware detectors; it provides an additional protection layer when the OS-level ransomware detection systems are compromised. The previous ransomware detector, which used only low-level storage access patterns, could not detect ransomware when Office applications and web browsers were executed simultaneously. This paper presents a new open dataset named RanSMAP, which stands for Ransomware Storage and Memory Access Patterns. It contains low-level storage and memory access patterns collected using a thin hypervisor. We provide an overview of the open RanSMAP dataset, including directory structure and file formats, to guide researchers in using the dataset. We then present our data preprocessing method and deep-learning-based ransomware detector. The RanSMAP datasets consist of storage and memory access patterns of six ransomware samples and six benign applications, seven Conti ransomware variants, and simultaneous execution of ransomware with benign applications collected on the machines with various CPUs, RAM generations, RAM frequencies, and RAM capacities. The experimental results show that low-level memory access patterns improved ransomware detection performance by 2.3% compared to detectors using only storage access patterns. We confirmed that ransomware detectors trained using the RanSMAP dataset can detect ransomware when Office and web browser programs are executed simultaneously. We presented the survey on state-of-the-art ransomware detection research and the availability of open behavioral-feature datasets to discuss the advantages and limitations of our RanSMAP dataset.