RD-FAXID: Ransomware Detection with FPGA-Accelerated XGBoost-Reference-Cited by-同舟云学术

RD-FAXID: Ransomware Detection with FPGA-Accelerated XGBoost

Published:2024-08-12 Issue: Volume: Page:
ISSN:1936-7406
Container-title:ACM Transactions on Reconfigurable Technology and Systems
language:en
Short-container-title:ACM Trans. Reconfigurable Technol. Syst.

Author:

Gajjar Archit¹^ORCID,Kashyap Priyank²^ORCID,Aysu Aydin³^ORCID,Franzon Paul³^ORCID,Choi Yongjin⁴^ORCID,Cheng Chris⁴^ORCID,Pedretti Giacomo⁵^ORCID,Ignowski Jim⁵^ORCID

Affiliation:

1. Artificial Intelligence Research Lab (AIRL), Hewlett Packard Labs / North Carolina State University, USA

2. Hewlett Packard Enterprise / North Carolina State University, USA

3. North Carolina State University, USA

4. Hewlett Packard Enterprise, USA

5. Artificial Intelligence Research Lab (AIRL), Hewlett Packard Labs, USA

Abstract

Over the last decade, there has been a rise in cyberattacks, particularly ransomware, causing significant disruption and financial repercussions across public and private sectors. Tremendous efforts have been spent on developing techniques to detect ransomware to, ideally, protect data or have as minimum data loss as possible. Ransomware attacks are becoming more frequent and sophisticated as there is a constant tussle between attackers and cybersecurity defenders. Machine Learning (ML) approaches have proven more effective in detecting ransomware than classical signature-based detection. In particular, tree-based algorithms such as Decision Trees (DT), Random Forest (RF), and eXtreme Gradient Boosting (XGBoost) spike up interest among cybersecurity researchers. However, due to the nature of the problem, traditional CPUs and GPUs fail to keep up with the desired performance, especially for large data workloads. Thus, the problem demands a customized solution to detect the ransomware. Here, we propose an FPGA accelerated tree-based ML model for multi-dataset ransomware detection. We show the capability of the proposed prototype to address the problem from more than one set of features, reducing false positive and negative rates to have robust predictions by looking at Hardware Performance Counters (HPCs), Operating System (OS) calls, and network traffic information simultaneously. With 1000 samples per batch, the FPGA prototype has 65.8x and 4.1x lower latency over the CPU and GPU, respectively. Moreover, the FPGA design is up to 11.3x cost-effective and 643x energy-efficient compared to the CPU and 3x cost-effective and 16.8x energy-efficient over the GPU.

Publisher

Association for Computing Machinery (ACM)

Link

https://dl.acm.org/doi/pdf/10.1145/3688396

Reference92 articles.

1. HLS-based High-throughput and Work-efficient Synthesizable Graph Processing Template Pipeline

2. Bander Ali Saleh Al-rimy, Mohd Aizaini Maarof, and Syed Zainuddin Mohd Shaid. 2017. A 0-day aware crypto-ransomware early behavioral detection framework. In International Conference of Reliable Information and Communication Technology. Springer, 758–766.

3. Manaar Alam, Sayan Sinha, Sarani Bhattacharya, Swastika Dutta, Debdeep Mukhopadhyay, and Anupam Chattopadhyay. 2020. Rapper: Ransomware prevention via performance counters. arXiv preprint arXiv:2004.01712 (2020).

4. FPGA Accelerator for Gradient Boosting Decision Trees

5. Omar MK Alhawi, James Baldwin, and Ali Dehghantanha. 2018. Leveraging machine learning techniques for windows ransomware network traffic detection. In Cyber Threat Intelligence. Springer, 93–106.