Wednesday, August 9th
3:30-4:35 PM
DSEC-203-1: Cyber Resiliency and Systems - What You Don't Know Will Hurt You (Data Security and Protection Track)
Chairperson + Speaker: Krista Macomber, Senior Analyst, Evaluator Group

Organizer: Camberley Bates, VP and Practice Lead, Futurum Group

Paper Title: Efficient ransomware detection with machine learning in storage systems

Paper Abstract: For several years, ransomware has been the top malware attack type affecting businesses, organizations and individuals. Research activities on the detection of ransomware have mainly focused on various methods at the OS, file-system, and network level, while little is known about approaches running in the storage stack. Is the information that can be extracted on IO operations sufficient for an efficient detection? We demonstrate how storage access patterns can be used to train highly efficient machine learning models and how the feature extraction and inference can be performed without user impact directly in a storage system. To do so, the presented architecture for ransomware detection leverages the capabilities at the controller level in computational storage devices. We further look into various aspects including the feature extraction process executed in computational storage devices and the aggregation of the extracted features to train machine learning models, the integration of the detection mechanism into the storage system stack, the capabilities of ML models to detect unseen ransomware, and the generalizability of the models to different data storage setups.

Paper Author: Roman Pletka, Research Staff Member, IBM Research

Author Bio: Roman Pletka is a senior research scientist and master inventor for storage and AI systems at the IBM Zurich Research Laboratory, where he focuses on non-volatile memory technologies in storage systems. He is a frequent speaker at international conferences, has published over 20 articles and obtained more than 120 patents in managing non-volatile memories, security, scalability, and availability of distributed storage systems as well as quality-of-service in high-speed networks, active networks, and network processors. He has made presentations at many international conferences including the ACM International Conference on Systems and Storage (SYSTOR) and the Nonvolatile Memory Workshop. He has over 18 years of experience in storage systems research. He earned a PhD in computer networking from ETH Zurich, Switzerland, and an MS in the same subject from EPFL (Swiss Federal Institute of Technology of Lausanne).