diff --git a/models/README.md b/models/README.md index 13af809486..1e25eaa3e7 100644 --- a/models/README.md +++ b/models/README.md 
@@ -148,3 +148,20 @@ An anomalous score of transactions indicates a probability score of being a frau - https://stellargraph.readthedocs.io/en/stable/hinsage.html?highlight=hinsage - https://github.com/rapidsai/clx/blob/branch-0.20/examples/forest_inference/xgboost_training.ipynb - Rafaël Van Belle, Charles Van Damme, Hendrik Tytgat, Jochen De Weerdt,Inductive Graph Representation Learning for fraud detection (https://www.sciencedirect.com/science/article/abs/pii/S0957417421017449) + +## Ransomware Detection via AppShield +### Model Overview +This model shows an application of DOCA AppShield to use data from volatile memory to classify processes as ransomware or bengin. This model uses a sliding window over time and feeds derived data into a random forest classifiers of various lengths depending on the amount of data collected. +### Model Architecture +The model uses input from Volatility plugins in DOCA AppShield to aggregate and derive features over snapshots in time. The features are used as input into three random forest binary classifiers. +### Training +Training data consists of 87968 labeled AppShield processes from 32 snapshots collected from 256 unique benign and ransomware activities. +### How To Use This Model +Combined with host data from DOCA AppShield, this model can be used to detect ransomware. A training notebook is also included so that users can update the model as more labeled data is collected. +#### Input +Snapshots collected from DOCA AppShield +#### Output +For each process_id and snapshot there is a probablity score between 1 and 0, where 1 is ransomware and 0 is benign. +### References +- Cohen, A,. & Nissim, N. (2018). Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. In Expert Systems With Applications. (https://www.sciencedirect.com/science/article/abs/pii/S0957417418301283) +- https://developer.nvidia.com/networking/doca 
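Review bot: the new README section says the features feed "three random forest binary classifiers", but this patch adds only one model file (models/ransomware-models/ransomw-model-short-rf-20220126.sav) and the training notebook fits a single classifier with its default `window=3`; either add the other two models or state which window length "short" covers and that the longer variants are not included in this change. In the same section fix "bengin" -> "benign" and "probablity" -> "probability", reword "feeds derived data into a random forest classifiers of various lengths" to "feeds the derived features into random forest classifiers trained on windows of different lengths", and make the Output line read "between 0 and 1" rather than "between 1 and 0".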
diff --git a/models/datasets/training-data/ransomware-training-data.csv b/models/datasets/training-data/ransomware-training-data.csv new file mode 100644 index 0000000000..bb11b6b8c9 --- /dev/null +++ b/models/datasets/training-data/ransomware-training-data.csv @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:61243c983ea9ee0b07da25c1ba72db08d2ef73a2f7553624193817de1b8a613c +size 346662095 diff --git a/models/model-information.csv b/models/model-information.csv index a14ba4eb62..2a4815c29b 100644 --- a/models/model-information.csv +++ b/models/model-information.csv 
@@ -4,4 +4,5 @@ phishing-bert-20211006.onnx,phishing-detection,Gorkem Batmaz,0.1.0,Phishing emai sid-minibert-20211021.onnx,sensitive-information-detection,Rachel Allen,0.2.0,"SID is a classifier, designed to detect sensitive information (e.g., AWS credentials, GitHub credentials) in unencrypted data. This example model classifies text containing these 10 categories of sensitive information- address, bank account, credit card number, email address, government id number, full name, password, phone number, secret keys, and usernames.",Compact BERT-mini transformer model,Training consisted of fine-tuning the original pretrained [model from google](https://huggingface.co/google/bert_uncased_L-4_H-256_A-4). The labeled training dataset is 2 million synthetic pcap payloads generated using the [faker package](https://github.com/joke2k/faker) to mimic sensitive and benign data found in nested jsons from web APIs and environmental variables.,This model is an example of customized transformer-based sensitive information detection. It can be further fine-tuned for specific detection needs or retrained for alternative categorizations using the fine-tuning scripts in the repo.,English text from PCAP payloads,Multi-label sequence classification for 10 sensitive information categories,This model version is designed for english language text data. It may not perform well on other languages.,N/A,"Well-Read Students Learn Better: On the Importance of Pre-training Compact Models, 2019,Ê https://arxiv.org/abs/1908.08962",1,32,V100,0.96,0.96,0.9875,43MB,N/A,bert-base-uncased,256,64,TRUE,FALSE,11,1.8,3.8.10,18.04.5 LTS,4.5 hammah-user123-20211017.pkl and hammah-role-g-20211017.pkl,digital-fingerprinting/ humans-as-machines,Gorkem Batmaz,0.1.0,This model is one example of an Autoencoder trained from a baseline for benign activity from synthetic `user-123` and `role-g`. This model combined with validation data from Morpheus examples can be used to test the HAMMAH Morpheus pipeline. 
It has little utility outside of testing.,"The model is an ensemble of an Autoencoder and a fast Fourier transform reconstruction. The reconstruction loss of new log data through the trained Autoencoder is used as an anomaly score. Concurrently, the timestamps of user/entity activity are used for a time series analysis to flag activity with poor reconstruction after a fast Fourier transform.",,This model is one example of an Autoencoder trained from a baseline for benign activity from synthetic `user-123` and `role-g`. This model combined with validation data from Morpheus examples can be used to test the HAMMAH Morpheus pipeline. It has little utility outside of testing.,aws-cloudtrail logs,"Anomalous score of Autoencoder, Binary classification of time series anomaly detection",This particular model is an example based on a synthetic users baseline behavior. Use on other datasets will require retraining.,N/A,https://github.com/AlliedToasters/dfencoder/blob/master/dfencoder/autoencoder.py https://github.com/rapidsai/clx/blob/branch-22.04/notebooks/anomaly_detection/FFT_Outlier_Detection.ipynb Rasheed Peng Alhajj Rokne Jon: Fourier Transform Based Spatial Outlier Mining 2009 - https://link.springer.com/chapter/10.1007/978-3-642-04394-9_39,25,,V100,1,1,1,3MB and 9MB,"ae=4, ts=4",N/A,N/A,N/A,N/A,N/A,11,1.7.1,3.8.10,18.04.5 LTS,N/A hinsage-model.pt and xgb.pth,fraud-detection,Tad Zemicheal,0.1.0,"This model shows an application of a graph neural network for fraud detection in a credit card transaction graph. A transaction dataset that includes three types of nodes, transaction, client, and merchant nodes is used for modeling. A combination of `GraphSAGE` along `XGBoost` is used to identify frauds in the transaction networks.","It uses a bipartite heterogeneous graph representation as input for `GraphSAGE` for feature learning and `XGBoost` as a classifier. 
Since the input graph is heterogenous, a heterogeneous implementation of `GraphSAGE` (HinSAGE) is used for feature embedding.",This model is an example of a fraud detection pipeline using a graph neural network and gradient boosting trees. This can be further retrained or fine-tuned to be used for similar types of transaction networks with similar graph structures.,This model is an example of a fraud detection pipeline using a graph neural network and gradient boosting trees. This can be further retrained or fine-tuned to be used for similar types of transaction networks with similar graph structures.,"Transaction data with nodes including transaction, client, and merchant.",An anomalous score of transactions indicates a probability score of being a fraud.,These particular model files are based on a synthetic transaction graph. Use with other datasets will require retraining.,N/A," https://stellargraph.readthedocs.io/en/stable/hinsage.html?highlight=hinsage https://github.com/rapidsai/clx/blob/branch-0.20/examples/forest_inference/xgboost_training.ipynb [Rafa‘l Van Belle, Charles Van Damme, Hendrik Tytgat, Jochen De Weerdt,Inductive Graph Representation Learning for fraud detection] (https:/www.sciencedirect.com/science/article/abs/pii/S0957417421017449)",30,5,V100, NA,0.96, NA, 756KB,N/A and 0.5,N/A,N/A,N/A,N/A,N/A,11.0/11.4,1.9.1,3.8.10,18.04.5 LTS,N/A -log-parsing-20220418.onnx,log-parsing,Rachel Allen,0.1.0,"This model is an example of using Named Entity Recognition (NER) for log parsing, specifically apache web logs.",bert-base-cased transformer model,Training consisted of fine-tuning the original pretrained [model from google](https://huggingface.co/bert-base-cased). The labeled training dataset is 1000 parsed apache web logs from a public dataset [logpai](https://github.com/logpai/loghub),This model is one example of a BERT-model trained to parse raw logs. It can be used to parse apache web logs or retrained to parse other types of logs as well. 
The model file has a corresponding config.json file with the names of the fields it parses.,raw apache web logs,parsed apache web log as jsonlines,This model version is designed for english language text data. It may not perform well on other languages.,N/A,[1](https://arxiv.org/abs/1810.04805) [2](https://medium.com/rapids-ai/cybert-28b35a4c81c4) [3](https://www.splunk.com/en_us/blog/it/how-splunk-is-parsing-machine-logs-with-machine-learning-on-nvidia-s-triton-and-morpheus.html),2,32,V100,0.99,0.99,0.999,431MB,N/A,bert-base-cased,256,64,FALSE,FALSE,11,1.9.1,3.8.10,18.04.5 LTS,4.18 \ No newline at end of file +log-parsing-20220418.onnx,log-parsing,Rachel Allen,0.1.0,"This model is an example of using Named Entity Recognition (NER) for log parsing, specifically apache web logs.",bert-base-cased transformer model,Training consisted of fine-tuning the original pretrained [model from google](https://huggingface.co/bert-base-cased). The labeled training dataset is 1000 parsed apache web logs from a public dataset [logpai](https://github.com/logpai/loghub),This model is one example of a BERT-model trained to parse raw logs. It can be used to parse apache web logs or retrained to parse other types of logs as well. The model file has a corresponding config.json file with the names of the fields it parses.,raw apache web logs,parsed apache web log as jsonlines,This model version is designed for english language text data. 
It may not perform well on other languages.,N/A,[1](https://arxiv.org/abs/1810.04805) [2](https://medium.com/rapids-ai/cybert-28b35a4c81c4) [3](https://www.splunk.com/en_us/blog/it/how-splunk-is-parsing-machine-logs-with-machine-learning-on-nvidia-s-triton-and-morpheus.html),2,32,V100,0.99,0.99,0.999,431MB,N/A,bert-base-cased,256,64,FALSE,FALSE,11,1.9.1,3.8.10,18.04.5 LTS,4.18 +ransomw-model-short-rf-20220126.sav,ransomware-detection,Haim Elisha,0.1.0,This model detects ransomware from host volitile memory features collected from DOCA AppShield,Binary random forest classifier ,Training data consists of 87968 labeled AppShield processes from 32 snapshots collected from 256 unique benign and ransomware activities.,"Combined with host data from DOCA AppShield, this model can be used to detect ransomware. A training notebook is also included so that users can update the model as more labeled data is collected.",Snapshots collected from DOCA AppShield,"For each process_id and snapshot there is a probablity score between 1 and 0, where 1 is ransomware and 0 is benign.",This model was trained in the lab on windows machines,N/A,"ohen, A,. & Nissim, N. (2018). Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. In Expert Systems With Applications. (https://www.sciencedirect.com/science/article/abs/pii/S0957417418301283)",,,V100,recall= 0.9,,,946KB,N/A,,,,,,,,,, \ No newline at end of file diff --git a/models/ransomware-models/ransomw-model-short-rf-20220126.sav b/models/ransomware-models/ransomw-model-short-rf-20220126.sav new file mode 100644 index 0000000000..3a85e16ea4 Binary files /dev/null and b/models/ransomware-models/ransomw-model-short-rf-20220126.sav differ diff --git a/models/training-tuning-scripts/ransomware-models/ransomware-appshield-training.ipynb b/models/training-tuning-scripts/ransomware-models/ransomware-appshield-training.ipynb new file mode 100644 index 0000000000..0a2c4b5e7b 
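Review bot: the model-information.csv row for ransomw-model-short-rf-20220126.sav leaves the framework and Python version columns empty, and the model is a pickle (the notebook saves it with `pickle.dump`); a pickle only loads under a compatible scikit-learn version and `pickle.load` executes whatever the file contains, so fill in the scikit-learn and Python versions the other rows record and consider publishing the SHA-256 of the .sav so pipeline users can verify the file before unpickling it. Smaller fixes in the same row: the reference is truncated to "ohen, A,." (should be "Cohen, A., & Nissim, N."), "volitile" -> "volatile", "probablity" -> "probability", the first metric column holds "recall= 0.9" where every other row puts a bare number, and the run of trailing empty columns should be "N/A" like the other entries so the file stays uniformly parseable. The training CSV is a 346 MB Git LFS pointer; the README should say that `git lfs pull` is required before the notebook's `pd.read_csv(TRAINING_DATA_PATH)` will read anything other than the pointer text.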
--- /dev/null +++ b/models/training-tuning-scripts/ransomware-models/ransomware-appshield-training.ipynb 
@@ -0,0 +1,2044 @@ +{ + "cells": [ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Ransomware detection model- Windows OS" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Table of Contents\n", + "* Introduction\n", + "* Dataset & Volatility Plugins\n", + "* Data Preprocessing\n", + "* Model Training\n", + "* Model Evaluation\n", + "* Conclusions\n", + "* References" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Introduction\n", + "\n", + "Ransomware attacks are growing in volume and sophistication. Many attackers evade detection from traditional file scanning techniques. Here we use data sampled from volatile memory (RAM) to detect the presence of ransomware in Windows OS. We engineer several features from a dataset containing artifacts from running both benign and ransomware processses and train a random forest classifier. We can create multiple models based on the number of samples or snapshots available." + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Dataset" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "We ran hundreds of ransomwares in our lab environment and have recorded the generated process features using the [Volatility framework](https://github.com/volatilityfoundation/volatility3) to create a labeled dataset.\n", + "\n", + "The csv file contains 530 columns- a combination of features from 5 different Volatility Plugins. This data collection is part of [DOCA AppShield](https://developer.nvidia.com/networking/doca)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Volatility Plugin Features\n", + "\n", + "#### Envars Plugin\n", + "Displays a process's environment variables. 
Typically this will show the number of CPUs installed and the hardware architecture, the process's current directory, temporary directory, session name, computer name, user name, and various other interesting artifacts.\n", + "\n", + "#### Threadlist Plugin\n", + "Displays the threads that are used by a process.\n", + "\n", + "#### VadInfo Plugin\n", + "Displays extended information about a process's VAD nodes.\n", + "- The address of the MMVAD structure in kernel memory\n", + "- The starting and ending virtual addresses in process memory that the MMVAD structure pertains to\n", + "- The VAD Tag\n", + "- The VAD flags, control flags, etc\n", + "- The name of the memory mapped file (if one exists)\n", + "- The memory protection constant (permissions)\n", + "\n", + "#### Handles Plugin\n", + "Displays the open handles in a process, use the handles command. This applies to files, registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of securable executive objects\n", + "\n", + "#### LdrModules Plugin\n", + "Displays a process's loaded DLLs. LdrModules detects a dll-hiding or injection kind of activities in a process memory." 
+ ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### Imports" + ] + }, + { + "cell_type": "code", + "execution_count": 1, + "metadata": {}, + "outputs": [], + "source": [ + "import pandas as pd\n", + "import numpy as np\n", + "import matplotlib.pyplot as plt\n", + "import seaborn as sns\n", + "import pickle\n", + "import random\n", + "\n", + "from sklearn.ensemble import RandomForestClassifier" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Data Preprocessing" + ] + }, + { + "cell_type": "code", + "execution_count": 2, + "metadata": {}, + "outputs": [], + "source": [ + "TRAINING_DATA_PATH = \"../../datasets/training-data/ransomware-training-data.csv\"\n", + "\n", + "# Read CSV of Data from Plugins with Ransomware labels\n", + "ransom_df = pd.read_csv(TRAINING_DATA_PATH)" + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "metadata": {}, + "outputs": [], + "source": [ + "# Sorting the dataframe by ransomware_name, PID_Process and snapshot to make the dataframe for time series\n", + "sortby_cols = ['ransomware_name', 'PID_Process', 'snapshot']\n", + "ransom_df = ransom_df.sort_values(by=sortby_cols)\n", + "ransom_df = ransom_df.reset_index(drop=True)" + ] + }, + { + "cell_type": "code", + "execution_count": 4, + "metadata": {}, + "outputs": [], + "source": [ + "# Using only 99 of the 530 features based on prior experimentation \n", + "# In the prior experiment that we did, we select the best 99 features of Random-Forest model based on single snapshot\n", + "\n", + "# Information and defenitions about the important features:\n", + "# Defenitions:\n", + " # Commit charged - the total amount of virtual memory of all processes that must be backed by either physical memory or the page file\n", + " # vad - virtual address descriptor\n", + " # vads - virtual address descriptor short\n", + " # private memory - this field refers to committed regions that cannot be shared with other processes.\n", + "# In the 
features engineering stage we are using several memory plugins as raw data:\n", + "# Environment variables plugin feature engineering:\n", + " # Check if the extended PATHEXT environment variable is exists\n", + " # Claculating the amount of environment variables for each process\n", + "# Threadlist plugin feature engineering:\n", + " # Count amount of unique states and wait reasons and thread with staten - '2'-'Running' and wait reason - '9'-'WrPageIn', '13'-'WrUserRequest', '31'-'WrDispatchInt'\n", + " # Calculate the amount of unique states\n", + " # Calculate the amount of unique wait reasons\n", + "# Vadinfo plugin feature engineering:\n", + " # Calculate the amount of vad, vads and private memory\n", + " # Calculate the ratio of vad, vads and private memory in vadinfo df\n", + " # Calculate the mean, max, sum and len of commit charged\n", + " # Calculate the mean, max, sum of vad commit charged\n", + " # Calculate the min of vads commit charged\n", + " # Calculate for each page protection: 'PAGE_EXECUTE_READWRITE ','PAGE_EXECUTE_WRITECOPY ','PAGE_NOACCESS ' min commit charged\n", + " # Calculate min commit charged for vad with 'PAGE_NOACCESS' protection\n", + " # Calculate for each page protection: 'PAGE_EXECUTE_READWRITE ','PAGE_NOACCESS ','PAGE_READONLY ' mean commit charged\n", + " # Calculate mean commit charged for vad with 'PAGE_NOACCESS' protection\n", + " # Calculate for each page protection: 'PAGE_EXECUTE_READWRITE ','PAGE_NOACCESS ' max commit charged\n", + " # Calculate for each page protection: 'PAGE_EXECUTE_READWRITE ','PAGE_NOACCESS ','PAGE_EXECUTE_WRITECOPY ' sum commit charged\n", + " # Calculate the std of commit charge with 'PAGE_EXECUTE_READWRITE' protection\n", + " # Calculate the amount of entire memory commit charged of vads\n", + " # Count the amount and ratio of each page protection: 'PAGE_READONLY ','PAGE_NOACCESS ','PAGE_EXECUTE_READWRITE ','PAGE_EXECUTE_WRITECOPY '\n", + " # Count the amount and ratio of vads with each page 
protection: 'PAGE_READONLY ','PAGE_NOACCESS ','PAGE_EXECUTE_READWRITE ','PAGE_READWRITE ','PAGE_EXECUTE_READWRITE '\n", + " # Count the amount and ratio of vad with each page protection: 'PAGE_READONLY ','PAGE_NOACCESS ','PAGE_EXECUTE_WRITECOPY ','PAGE_READWRITE '\n", + " # Count vadinfo unique paths\n", + " # Calculate the ratio between vads amount and amount pages with PAGE_EXECUTE_WRITECOPY access + 1\n", + " # Count amount of unique extensions\n", + "# Handles plugin feature engineering:\n", + " # Count double extensions file handles\n", + " # Count amount of files with common file extension\n", + " # Count amount of directories with personal user directory\n", + " # Count amount of directories with windows directory\n", + " # Count amount of unique directories\n", + " # Count unique file extension\n", + " # Count amount of handles\n", + " # Count amount and ration of unique handles names\n", + " # Count amount and ration of unique handles type\n", + " # Count amount and ratio of handles type\n", + "# LdrModules plugin feature engineering:\n", + " # Extract process size and path\n", + "REQ_FEATURES = ['envirs_pathext', 'count_double_extension_count_handles', 'page_readonly_vads_count', 'double_extension_len_handles', 'get_commit_charge_max_vad', 'count_entire_commit_charge_vads', 'get_commit_charge_min_vad_page_noaccess', 'check_doc_file_handle_count', 'envars_df_count', 'page_noaccess_vad_count', 'get_commit_charge_min_vads', 'get_commit_charge_mean_vad_page_noaccess', 'page_noaccess_vad_ratio', 'handles_df_directory_count', 'threadlist_df_wait_reason_9', 'page_noaccess_count', 'get_commit_charge_mean_page_noaccess', 'ldrmodules_df_size_int', 'get_commit_charge_max_page_execute_readwrite', 'ratio_private_memory', 'get_commit_charge_max_page_noaccess', 'page_readwrite_ratio', 'get_commit_charge_mean_page_execute_readwrite', 'handles_df_section_ratio', 'vad_ratio', 'page_noaccess_ratio', 'page_execute_writecopy_vad_ratio', 'handles_df_section_count', 
'handles_df_tpworkerfactory_count', 'page_readonly_count', 'handles_df_waitcompletionpacket_count', 'get_commit_charge_mean_page_readonly', 'page_readonly_vad_ratio', 'handles_df_event_ratio', 'handles_df_semaphore_ratio', 'get_commit_charge_sum_page_execute_readwrite', 'threadlist_df_state_2', 'handles_df_iocompletionreserve_count', 'handles_df_directory_ratio', 'handles_df_iocompletionreserve_ratio', 'get_commit_charge_mean_vad', 'get_commit_charge_sum_page_execute_writecopy', 'page_execute_readwrite_ratio', 'get_commit_charge_min_page_execute_readwrite', 'threadlist_df_wait_reason_31', 'get_commit_charge_sum_page_noaccess', 'page_readwrite_vads_ratio', 'handles_df_mutant_ratio', 'get_commit_charge_sum_vad', 'get_commit_charge_max', 'handles_df_type_unique', 'handles_df_iocompletion_ratio', 'handles_df_waitcompletionpacket_ratio', 'handles_df_tpworkerfactory_ratio', 'vadinfo_df_path_unique', 'vad_count', 'page_readonly_ratio', 'count_private_memory', 'page_execute_readwrite_vads_ratio', 'vads_page_execute_writecopy_ratio', 'handles_df_file_ratio', 'handles_df_etwregistration_ratio', 'handles_df_key_ratio', 'get_commit_charge_min_page_noaccess', 'page_readonly_vads_ratio', 'handles_df_thread_ratio', 'handles_df_file_count', 'handles_df_thread_count', 'threadlist_df_count', 'get_commit_charge_len', 'get_commit_charge_min_page_execute_writecopy', 'handles_df_alpc port_ratio', 'file_users_exists', 'file_windows_count', 'handles_df_key_count', 'threadlist_df_wait_reason_13', 'threadlist_df_wait_reason_unique', 'handles_df_semaphore_count', 'handles_df_name_unique_ratio', 'threadlist_df_state_unique', 'get_count_unique_extensions', 'handles_df_name_unique', 'page_noaccess_vads_ratio', 'handles_df_event_count', 'page_readwrite_vad_ratio', 'handles_df_alpc port_count', 'get_commit_charge_std_page_execute_readwrite', 'count_directories_handles_uniques', 'count_extension_handles_uniques', 'page_readwrite_vad_count', 'get_commit_charge_sum', 'get_commit_charge_mean', 
'handles_df_desktop_ratio', 'handles_df_count', 'handles_df_mutant_count', 'handles_df_windowstation_ratio', 'page_execute_readwrite_vads_count', 'handles_df_type_unique_ratio', 'page_execute_readwrite_count']" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### Split Dataset Into Training and Validation" + ] + }, + { + "cell_type": "code", + "execution_count": 5, + "metadata": {}, + "outputs": [], + "source": [ + "# Spliting into training and validation sets by ransomware name\n", + "files = ransom_df.ransomware_name.unique()\n", + "files_count = len(files)\n", + "\n", + "# We randomize the files to remove biases related to recording process\n", + "random.shuffle(files)\n", + "\n", + "train_files = files[:int(files_count*0.8)]\n", + "test_files = files[int(files_count*0.8):]" + ] + }, + { + "cell_type": "code", + "execution_count": 6, + "metadata": {}, + "outputs": [], + "source": [ + "train_df = ransom_df[ransom_df.ransomware_name.isin(train_files)]\n", + "val_df = ransom_df[ransom_df.ransomware_name.isin(test_files)]" + ] + }, + { + "cell_type": "code", + "execution_count": 7, + "metadata": {}, + "outputs": [], + "source": [ + "class FeaturesData():\n", + " \n", + " def __init__(self, df, labels, rw_names, pid_processes, snapshot_ids):\n", + " self._df = df\n", + " self._labels = labels\n", + " self._rw_names = rw_names\n", + " self._pid_processes = pid_processes\n", + " self._snapshot_ids = snapshot_ids\n", + " \n", + " @property\n", + " def df(self):\n", + " return self._df\n", + " \n", + " @property\n", + " def labels(self):\n", + " return self._labels\n", + " \n", + " @property\n", + " def rw_names(self):\n", + " return self._rw_names\n", + " \n", + " @property\n", + " def pid_processes(self):\n", + " return self._pid_processes\n", + " \n", + " @property\n", + " def snapshot_ids(self):\n", + " return self._snapshot_ids" + ] + }, + { + "cell_type": "code", + "execution_count": 8, + "metadata": {}, + "outputs": [], + "source": [ + 
"def sort_entries(df, columns):\n", + " df = df.sort_values(by=columns).reset_index(drop=True)\n", + " return df\n", + "\n", + "\n", + "def sliding_window_offsets(ids, window):\n", + " \"\"\"\n", + " Create snapshot_id's sliding sequence for a given window\n", + " \"\"\"\n", + " ids_len = len(ids)\n", + "\n", + " sliding_window_offsets = []\n", + "\n", + " for start in range(ids_len - (window - 1)):\n", + " stop = start + window\n", + " sequence = ids[start:stop]\n", + " consecutive = sorted(sequence) == list(range(min(sequence), max(sequence) + 1))\n", + " if consecutive:\n", + " sliding_window_offsets.append((start, stop))\n", + "\n", + " return sliding_window_offsets\n", + "\n", + "\n", + "def generate_sequences(df, window=3):\n", + " \"\"\"\n", + " Generate time series sequences.\n", + " \"\"\"\n", + " features_data = []\n", + " labels = []\n", + " snapshots = []\n", + " rw_names = []\n", + " pid_processes = []\n", + " \n", + " pid_processes_unique = list(df.PID_Process.unique())\n", + "\n", + " for pid_process in pid_processes_unique:\n", + "\n", + " pid_process_df = df[df.PID_Process==pid_process]\n", + " pid_process_df.index = pid_process_df.snapshot\n", + " pid_process_df = pid_process_df[~pid_process_df.index.duplicated(keep='last')]\n", + " pid_process_labels = pid_process_df.label.values\n", + " pid_process_rwname = pid_process_df.ransomware_name.values\n", + " pid_process_df = pid_process_df[REQ_FEATURES]\n", + " \n", + " if len(pid_process_df) >= window:\n", + " snapshot_ids = pid_process_df.index.values\n", + " offsets = sliding_window_offsets(snapshot_ids, window)\n", + " for start, stop in offsets:\n", + " features_data.append(list(pid_process_df[start:stop].values.ravel()))\n", + " labels.append(pid_process_labels[start])\n", + " snapshots.append(snapshot_ids[start])\n", + " rw_names.append(pid_process_rwname[start])\n", + " pid_processes.append(pid_process)\n", + "\n", + " features_df = pd.DataFrame(np.array(features_data))\n", + " \n", + " sd = 
FeaturesData(features_df, labels, rw_names, pid_processes, snapshots)\n", + " \n", + " return sd\n", + " " + ] + }, + { + "cell_type": "code", + "execution_count": 9, + "metadata": {}, + "outputs": [], + "source": [ + "columns = [\"PID_Process\", \"snapshot\", \"ransomware_name\"]\n", + "# sort the entries by [\"PID_Process\", \"snapshot\", \"ransomware_name\"] to create time series data.\n", + "train_df = sort_entries(train_df, columns)\n", + "val_df = sort_entries(val_df, columns)" + ] + }, + { + "cell_type": "code", + "execution_count": 10, + "metadata": {}, + "outputs": [], + "source": [ + "train_data = generate_sequences(train_df)\n", + "val_data = generate_sequences(val_df)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Model Training" + ] + }, + { + "cell_type": "code", + "execution_count": 11, + "metadata": {}, + "outputs": [], + "source": [ + "X_df_train = train_data.df\n", + "Y_train = train_data.labels" + ] + }, + { + "cell_type": "code", + "execution_count": 12, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "RandomForestClassifier(max_depth=10, min_samples_split=10, n_estimators=250)" + ] + }, + "execution_count": 12, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "# RandomForest model parameters\n", + "MAX_DEPTH=10\n", + "MIN_SAMPLES_SPLIT=10\n", + "N_ESTIMATORS=250\n", + "\n", + "# For our model we select RandomForest to avoid overfitting\n", + "model = RandomForestClassifier(max_depth=MAX_DEPTH, \n", + " min_samples_split=MIN_SAMPLES_SPLIT, \n", + " n_estimators=N_ESTIMATORS)\n", + "model.fit(X_df_train, Y_train)" + ] + }, + { + "cell_type": "code", + "execution_count": 13, + "metadata": {}, + "outputs": [], + "source": [ + "# Save model\n", + "def save_model(model, output_file='ransomware_model_new.sav'):\n", + " pickle.dump(model, open(output_file, 'wb'))" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Model Evaluation" + ] + }, + { + 
"cell_type": "code", + "execution_count": 14, + "metadata": {}, + "outputs": [], + "source": [ + "# Evaluate model\n", + "def model_eval(model, val_data):\n", + " df_val = val_data.df\n", + " Y_pred = model.predict_proba(df_val)\n", + " df_val['pred'] = Y_pred[:, 1]\n", + "\n", + " Pre = []\n", + " Rec = []\n", + " \n", + " df_val['label'] = val_data.labels\n", + " df_val['PID_Process'] = val_data.pid_processes\n", + " df_val['ransomware_name'] = val_data.rw_names\n", + " \n", + " x = df_val[df_val.label == 0]\n", + " y = df_val[df_val.label == 1]\n", + " \n", + " tp_fn_len = len(x)\n", + " \n", + " # Changing the threshold to calculate precision and recall and plot them\n", + " for thr in np.arange(0, 1, 0.01):\n", + " print(f\"thr: {thr}\")\n", + "\n", + " fp_df = x[x.pred > thr]\n", + " tp_df = y[y.pred > thr]\n", + " fn_df = y[y.pred < thr]\n", + "\n", + " tp_len = len(tp_df)\n", + " fp_len = len(fp_df)\n", + "\n", + " # Calculating the Recall = TP/(TP+FN)\n", + " recall_val = tp_len / tp_fn_len\n", + " # Calculating the precision = TP/(TP+FP)\n", + " precision_val = tp_len / (tp_len + fp_len)\n", + "\n", + " Rec.append(recall_val)\n", + " Pre.append(precision_val)\n", + "\n", + " print(f\"Recall val: \\n{recall_val}\")\n", + " print(f\"Precision val: \\n{precision_val}\")\n", + "\n", + " include_cols = ['ransomware_name', 'PID_Process']\n", + "\n", + " # Printing the TPs, FNs and FPs by name recording to see which ransomware we detected or missed and which\n", + " # legitimate software we detected as ransomware (FP)\n", + " if precision_val > 0.85:\n", + " print(f\"TPs: \\n{tp_df[include_cols].value_counts()}\")\n", + " print(f\"FNs: \\n{fn_df[include_cols].value_counts()}\")\n", + " print(f\"FPs: \\n{fp_df[include_cols].value_counts()}\")\n" + ] + }, + { + "cell_type": "code", + "execution_count": 15, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "thr: 0.0\n", + "Recall val: \n", + "0.03128321943811693\n", + 
"Precision val: \n", + "0.030334265940214992\n", + "thr: 0.01\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.2881118881118881\n", + "thr: 0.02\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.3249211356466877\n", + "thr: 0.03\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.34563758389261745\n", + "thr: 0.04\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.36589698046181174\n", + "thr: 0.05\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.37522768670309653\n", + "thr: 0.06\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.3850467289719626\n", + "thr: 0.07\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.39768339768339767\n", + "thr: 0.08\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.40234375\n", + "thr: 0.09\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.41282565130260523\n", + "thr: 0.1\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.4256198347107438\n", + "thr: 0.11\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.4345991561181435\n", + "thr: 0.12\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.4355179704016913\n", + "thr: 0.13\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.43736730360934184\n", + "thr: 0.14\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.43829787234042555\n", + "thr: 0.15\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.43829787234042555\n", + "thr: 0.16\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.4458874458874459\n", + "thr: 0.17\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.44782608695652176\n", + "thr: 0.18\n", + "Recall 
val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.45374449339207046\n", + "thr: 0.19\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.45374449339207046\n", + "thr: 0.2\n", + "Recall val: \n", + "0.03128321943811693\n", + "Precision val: \n", + "0.4577777777777778\n", + "thr: 0.21\n", + "Recall val: \n", + "0.031131359149582385\n", + "Precision val: \n", + "0.47344110854503463\n", + "thr: 0.22\n", + "Recall val: \n", + "0.031131359149582385\n", + "Precision val: \n", + "0.5049261083743842\n", + "thr: 0.23\n", + "Recall val: \n", + "0.031131359149582385\n", + "Precision val: \n", + "0.5256410256410257\n", + "thr: 0.24\n", + "Recall val: \n", + "0.030827638572513288\n", + "Precision val: \n", + "0.5328083989501312\n", + "thr: 0.25\n", + "Recall val: \n", + "0.03067577828397874\n", + "Precision val: \n", + "0.5358090185676393\n", + "thr: 0.26\n", + "Recall val: \n", + "0.03067577828397874\n", + "Precision val: \n", + "0.5386666666666666\n", + "thr: 0.27\n", + "Recall val: \n", + "0.03052391799544419\n", + "Precision val: \n", + "0.5374331550802139\n", + "thr: 0.28\n", + "Recall val: \n", + "0.030372057706909643\n", + "Precision val: \n", + "0.5449591280653951\n", + "thr: 0.29\n", + "Recall val: \n", + "0.030220197418375096\n", + "Precision val: \n", + "0.5497237569060773\n", + "thr: 0.3\n", + "Recall val: \n", + "0.030220197418375096\n", + "Precision val: \n", + "0.5558659217877095\n", + "thr: 0.31\n", + "Recall val: \n", + "0.030220197418375096\n", + "Precision val: \n", + "0.5574229691876751\n", + "thr: 0.32\n", + "Recall val: \n", + "0.030220197418375096\n", + "Precision val: \n", + "0.5835777126099707\n", + "thr: 0.33\n", + "Recall val: \n", + "0.030220197418375096\n", + "Precision val: \n", + "0.5852941176470589\n", + "thr: 0.34\n", + "Recall val: \n", + "0.030068337129840545\n", + "Precision val: \n", + "0.5875370919881305\n", + "thr: 0.35000000000000003\n", + "Recall val: \n", + "0.02976461655277145\n", + "Precision 
val: \n", + "0.6125\n", + "thr: 0.36\n", + "Recall val: \n", + "0.029612756264236904\n", + "Precision val: \n", + "0.6587837837837838\n", + "thr: 0.37\n", + "Recall val: \n", + "0.029612756264236904\n", + "Precision val: \n", + "0.6610169491525424\n", + "thr: 0.38\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.39\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.4\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.41000000000000003\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.42\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.43\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.44\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.45\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.46\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.47000000000000003\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.48\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6736111111111112\n", + "thr: 0.49\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6830985915492958\n", + "thr: 0.5\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6879432624113475\n", + "thr: 0.51\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6928571428571428\n", + "thr: 0.52\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6928571428571428\n", + "thr: 
0.53\n", + "Recall val: \n", + "0.029460895975702353\n", + "Precision val: \n", + "0.6928571428571428\n", + "thr: 0.54\n", + "Recall val: \n", + "0.028549734244495063\n", + "Precision val: \n", + "0.6861313868613139\n", + "thr: 0.55\n", + "Recall val: \n", + "0.028549734244495063\n", + "Precision val: \n", + "0.6861313868613139\n", + "thr: 0.56\n", + "Recall val: \n", + "0.028549734244495063\n", + "Precision val: \n", + "0.6861313868613139\n", + "thr: 0.5700000000000001\n", + "Recall val: \n", + "0.028549734244495063\n", + "Precision val: \n", + "0.6861313868613139\n", + "thr: 0.58\n", + "Recall val: \n", + "0.028549734244495063\n", + "Precision val: \n", + "0.6861313868613139\n", + "thr: 0.59\n", + "Recall val: \n", + "0.028397873955960516\n", + "Precision val: \n", + "0.684981684981685\n", + "thr: 0.6\n", + "Recall val: \n", + "0.028397873955960516\n", + "Precision val: \n", + "0.700374531835206\n", + "thr: 0.61\n", + "Recall val: \n", + "0.028397873955960516\n", + "Precision val: \n", + "0.7540322580645161\n", + "thr: 0.62\n", + "Recall val: \n", + "0.028397873955960516\n", + "Precision val: \n", + "0.7601626016260162\n", + "thr: 0.63\n", + "Recall val: \n", + "0.02824601366742597\n", + "Precision val: \n", + "0.768595041322314\n", + "thr: 0.64\n", + "Recall val: \n", + "0.02794229309035687\n", + "Precision val: \n", + "0.7829787234042553\n", + "thr: 0.65\n", + "Recall val: \n", + "0.027790432801822324\n", + "Precision val: \n", + "0.7956521739130434\n", + "thr: 0.66\n", + "Recall val: \n", + "0.027790432801822324\n", + "Precision val: \n", + "0.7991266375545851\n", + "thr: 0.67\n", + "Recall val: \n", + "0.027790432801822324\n", + "Precision val: \n", + "0.8026315789473685\n", + "thr: 0.68\n", + "Recall val: \n", + "0.027790432801822324\n", + "Precision val: \n", + "0.8026315789473685\n", + "thr: 0.6900000000000001\n", + "Recall val: \n", + "0.02733485193621868\n", + "Precision val: \n", + "0.8\n", + "thr: 0.7000000000000001\n", + "Recall val: \n", + 
"0.02733485193621868\n", + "Precision val: \n", + "0.8\n", + "thr: 0.71\n", + "Recall val: \n", + "0.02703113135914958\n", + "Precision val: \n", + "0.8240740740740741\n", + "thr: 0.72\n", + "Recall val: \n", + "0.02703113135914958\n", + "Precision val: \n", + "0.8557692307692307\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Prilux 1696_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Trash 3996_sample.exe 4\n", + "Ragnar 3532_sample.exe 3\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 14\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "dtype: int64\n", + "FPs: \n", + "ransomware_name PID_Process \n", + "Avemaria_Rat_Trojan_Stealer 4776_images.exe 18\n", + "benign_dap10 4200_sample.exe 6\n", + "benign_setup_x86_x64_install 6088_odbcconf.exe 4\n", + "Avemaria_Rat_Trojan_Stealer 6132_sample.exe 2\n", + "dtype: int64\n", + "thr: 0.73\n", + "Recall val: \n", + "0.02703113135914958\n", + "Precision val: \n", + "0.8640776699029126\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + 
"Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Prilux 1696_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Trash 3996_sample.exe 4\n", + "Ragnar 3532_sample.exe 3\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 14\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "dtype: int64\n", + "FPs: \n", + "ransomware_name PID_Process \n", + "Avemaria_Rat_Trojan_Stealer 4776_images.exe 18\n", + "benign_dap10 4200_sample.exe 6\n", + "Avemaria_Rat_Trojan_Stealer 6132_sample.exe 2\n", + "benign_setup_x86_x64_install 6088_odbcconf.exe 2\n", + "dtype: int64\n", + "thr: 0.74\n", + "Recall val: \n", + "0.026879271070615034\n", + "Precision val: \n", + "0.9267015706806283\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Prilux 1696_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Trash 3996_sample.exe 4\n", + "Ragnar 3532_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 14\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "Ragnar 3532_sample.exe 1\n", + 
"dtype: int64\n", + "FPs: \n", + "ransomware_name PID_Process \n", + "benign_dap10 4200_sample.exe 6\n", + "Avemaria_Rat_Trojan_Stealer 4776_images.exe 4\n", + " 6132_sample.exe 2\n", + "benign_setup_x86_x64_install 6088_odbcconf.exe 2\n", + "dtype: int64\n", + "thr: 0.75\n", + "Recall val: \n", + "0.026727410782080487\n", + "Precision val: \n", + "0.9263157894736842\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Prilux 1696_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Trash 3996_sample.exe 3\n", + "Ragnar 3532_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 15\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "Ragnar 3532_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "ransomware_name PID_Process \n", + "benign_dap10 4200_sample.exe 6\n", + "Avemaria_Rat_Trojan_Stealer 4776_images.exe 4\n", + " 6132_sample.exe 2\n", + "benign_setup_x86_x64_install 6088_odbcconf.exe 2\n", + "dtype: int64\n", + "thr: 0.76\n", + "Recall val: \n", + "0.026271829916476842\n", + "Precision val: \n", + "0.9611111111111111\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Nread 5852_sample.exe 12\n", + 
"WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "DearCry 1084_sample.exe 9\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "Prilux 1696_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Ragnar 3532_sample.exe 2\n", + "Trash 3996_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 16\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "DearCry 1084_sample.exe 1\n", + "Prilux 1696_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "ransomware_name PID_Process \n", + "Avemaria_Rat_Trojan_Stealer 4776_images.exe 3\n", + " 6132_sample.exe 2\n", + "benign_setup_x86_x64_install 6088_odbcconf.exe 2\n", + "dtype: int64\n", + "thr: 0.77\n", + "Recall val: \n", + "0.026271829916476842\n", + "Precision val: \n", + "0.9774011299435028\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "DearCry 1084_sample.exe 9\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "Prilux 1696_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Ragnar 3532_sample.exe 2\n", + "Trash 3996_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 16\n", + "Exedat_long 
2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "DearCry 1084_sample.exe 1\n", + "Prilux 1696_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "ransomware_name PID_Process \n", + "Avemaria_Rat_Trojan_Stealer 4776_images.exe 2\n", + " 6132_sample.exe 2\n", + "dtype: int64\n", + "thr: 0.78\n", + "Recall val: \n", + "0.025968109339407745\n", + "Precision val: \n", + "0.9941860465116279\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Medusa_long 6052_sample.exe 8\n", + "DearCry 1084_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Prilux 1696_sample.exe 4\n", + "Ragnar 3532_sample.exe 2\n", + "Trash 3996_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 16\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "DearCry 1084_sample.exe 2\n", + "Prilux 1696_sample.exe 2\n", + "Ragnar 3532_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "ransomware_name PID_Process \n", + "Avemaria_Rat_Trojan_Stealer 4776_images.exe 1\n", + "dtype: int64\n", + "thr: 0.79\n", + "Recall val: \n", + "0.025208807896735005\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "WastedLocker 1680_Property 12\n", + "Nread 5852_sample.exe 12\n", + "SystemXTBL 
3256_systems.exe 12\n", + "Kitty 5060_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 11\n", + "Beaf 1088_sample.exe 9\n", + "Medusa_long 6052_sample.exe 8\n", + "DearCry 1084_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Prilux 1696_sample.exe 4\n", + "Btcware 5436_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "Ku_long 5876_sample.exe 1\n", + "Trash 3996_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 17\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Beaf 1088_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "DearCry 1084_sample.exe 2\n", + "Prilux 1696_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.8\n", + "Recall val: \n", + "0.024145785876993165\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Nread 5852_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "DearCry 1084_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "Beaf 1088_sample.exe 5\n", + "Prilux 1696_sample.exe 4\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 7\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "DearCry 1084_sample.exe 4\n", + "Atten_long 5064_sample.exe 2\n", + 
"Prilux 1696_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.81\n", + "Recall val: \n", + "0.023386484434320426\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Nread 5852_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "Prilux 1696_sample.exe 4\n", + "DearCry 1084_sample.exe 4\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Beaf 1088_sample.exe 3\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 9\n", + "DearCry 1084_sample.exe 6\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "Prilux 1696_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "SunCrypt 1816_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.8200000000000001\n", + "Recall val: \n", + "0.02293090356871678\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Nread 5852_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "Prilux 1696_sample.exe 4\n", + 
"CMD_Ransom 2884_sample.exe 4\n", + "Beaf 1088_sample.exe 3\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "DearCry 1084_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 9\n", + "DearCry 1084_sample.exe 9\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "Prilux 1696_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "SunCrypt 1816_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.8300000000000001\n", + "Recall val: \n", + "0.02217160212604404\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "Nread 5852_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 10\n", + "SystemXTBL 3256_systems.exe 9\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "Prilux 1696_sample.exe 4\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Beaf 1088_sample.exe 2\n", + "Ragnar 3532_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "Ku_long 5876_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 10\n", + "DearCry 1084_sample.exe 10\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "SystemXTBL 3256_systems.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Prilux 1696_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "SunCrypt 1816_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.84\n", + "Recall val: \n", + "0.02050113895216401\n", + "Precision val: \n", + "1.0\n", + 
"TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 12\n", + "Nread 5852_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "WastedLocker 1680_Property 7\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "SystemXTBL 3256_systems.exe 5\n", + "Ransom6_long 3320_sample.exe 5\n", + "Prilux 1696_sample.exe 4\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Ragnar 3532_sample.exe 1\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "DearCry 1084_sample.exe 10\n", + "SystemXTBL 3256_systems.exe 7\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "WastedLocker 1680_Property 5\n", + "Atten_long 5064_sample.exe 2\n", + "Prilux 1696_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "SunCrypt 1816_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.85\n", + "Recall val: \n", + "0.019438116932422173\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 12\n", + "Nread 5852_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 9\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "WastedLocker 1680_Property 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Prilux 1696_sample.exe 4\n", + "Ku_long 5876_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "SystemXTBL 3256_systems.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + 
"SystemXTBL 3256_systems.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Exedat_long 2400_sample.exe 6\n", + "WastedLocker 1680_Property 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Atten_long 5064_sample.exe 2\n", + "Prilux 1696_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "SunCrypt 1816_sample.exe 2\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.86\n", + "Recall val: \n", + "0.018830675778283977\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 12\n", + "Nread 5852_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 9\n", + "Medusa_long 6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "WastedLocker 1680_Property 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Prilux 1696_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "DearCry 1084_sample.exe 10\n", + "WastedLocker 1680_Property 7\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Prilux 1696_sample.exe 4\n", + "Atten_long 5064_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "SunCrypt 1816_sample.exe 2\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.87\n", + "Recall val: \n", + "0.017160212604403948\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 12\n", + "Nread 5852_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + 
"Medusa_long 6052_sample.exe 7\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "SunCrypt 1816_sample.exe 4\n", + "Prilux 1696_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Ragnar 3532_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "WastedLocker 1680_Property 12\n", + "DearCry 1084_sample.exe 10\n", + "SunCrypt 1816_sample.exe 7\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Prilux 1696_sample.exe 4\n", + "Atten_long 5064_sample.exe 2\n", + "Ragnar 3532_sample.exe 2\n", + "Btcware 5436_sample.exe 1\n", + "Medusa_long 6052_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.88\n", + "Recall val: \n", + "0.016552771450265756\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 12\n", + "Nread 5852_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "Medusa_long 6052_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "SunCrypt 1816_sample.exe 3\n", + "Ku_long 5876_sample.exe 1\n", + "Prilux 1696_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "WastedLocker 1680_Property 12\n", + "DearCry 1084_sample.exe 10\n", + "SunCrypt 1816_sample.exe 8\n", + "Exedat_long 2400_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Prilux 1696_sample.exe 5\n", + "Ragnar 3532_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Medusa_long 6052_sample.exe 2\n", + "Btcware 5436_sample.exe 1\n", + 
"dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.89\n", + "Recall val: \n", + "0.01624905087319666\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 12\n", + "Nread 5852_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Medusa_long 6052_sample.exe 6\n", + "Sodinokibi_long 6020_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "SunCrypt 1816_sample.exe 3\n", + "Ku_long 5876_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "WastedLocker 1680_Property 12\n", + "DearCry 1084_sample.exe 10\n", + "SunCrypt 1816_sample.exe 8\n", + "Exedat_long 2400_sample.exe 6\n", + "Prilux 1696_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Ragnar 3532_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Medusa_long 6052_sample.exe 2\n", + "Btcware 5436_sample.exe 1\n", + "Sodinokibi_long 6020_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.9\n", + "Recall val: \n", + "0.015641609719058466\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Nread 5852_sample.exe 10\n", + "Sodinokibi_long 6020_sample.exe 6\n", + "Medusa_long 6052_sample.exe 5\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "SunCrypt 1816_sample.exe 3\n", + "Ku_long 5876_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 
12\n", + "WastedLocker 1680_Property 12\n", + "DearCry 1084_sample.exe 10\n", + "SunCrypt 1816_sample.exe 8\n", + "Exedat_long 2400_sample.exe 6\n", + "Prilux 1696_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Medusa_long 6052_sample.exe 3\n", + "Ragnar 3532_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Nread 5852_sample.exe 2\n", + "Btcware 5436_sample.exe 1\n", + "Kitty 5060_sample.exe 1\n", + "Sodinokibi_long 6020_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.91\n", + "Recall val: \n", + "0.015489749430523917\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Nread 5852_sample.exe 10\n", + "Sodinokibi_long 6020_sample.exe 6\n", + "Medusa_long 6052_sample.exe 5\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "SunCrypt 1816_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "WastedLocker 1680_Property 12\n", + "DearCry 1084_sample.exe 10\n", + "SunCrypt 1816_sample.exe 9\n", + "Exedat_long 2400_sample.exe 6\n", + "Prilux 1696_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Medusa_long 6052_sample.exe 3\n", + "Ragnar 3532_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Nread 5852_sample.exe 2\n", + "Btcware 5436_sample.exe 1\n", + "Kitty 5060_sample.exe 1\n", + "Sodinokibi_long 6020_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.92\n", + "Recall val: \n", + "0.01457858769931663\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", 
+ "Minjal 6128_sample.exe 13\n", + "Kitty 5060_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Nread 5852_sample.exe 6\n", + "Sodinokibi_long 6020_sample.exe 6\n", + "Medusa_long 6052_sample.exe 5\n", + "Ransom6_long 3320_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Ku_long 5876_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "WastedLocker 1680_Property 12\n", + "SunCrypt 1816_sample.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Exedat_long 2400_sample.exe 6\n", + "Nread 5852_sample.exe 6\n", + "Prilux 1696_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Medusa_long 6052_sample.exe 3\n", + "Ragnar 3532_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Btcware 5436_sample.exe 1\n", + "Kitty 5060_sample.exe 1\n", + "Sodinokibi_long 6020_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.93\n", + "Recall val: \n", + "0.013211845102505695\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Kitty 5060_sample.exe 9\n", + "Sodinokibi_long 6020_sample.exe 6\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Medusa_long 6052_sample.exe 4\n", + "Nread 5852_sample.exe 4\n", + "Ransom6_long 3320_sample.exe 2\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "WastedLocker 1680_Property 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Beaf 1088_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Nread 5852_sample.exe 8\n", + "Prilux 1696_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Exedat_long 2400_sample.exe 6\n", + "Medusa_long 6052_sample.exe 4\n", + "Ragnar 3532_sample.exe 3\n", 
+ "Ransom6_long 3320_sample.exe 3\n", + "Kitty 5060_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Sodinokibi_long 6020_sample.exe 1\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.9400000000000001\n", + "Recall val: \n", + "0.011996962794229309\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Minjal 6128_sample.exe 13\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "Sodinokibi_long 6020_sample.exe 6\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Medusa_long 6052_sample.exe 4\n", + "Kitty 5060_sample.exe 3\n", + "Nread 5852_sample.exe 2\n", + "Ransom6_long 3320_sample.exe 2\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Nread 5852_sample.exe 10\n", + "Kitty 5060_sample.exe 9\n", + "Prilux 1696_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Exedat_long 2400_sample.exe 6\n", + "Medusa_long 6052_sample.exe 4\n", + "Ragnar 3532_sample.exe 3\n", + "Ransom6_long 3320_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Sodinokibi_long 6020_sample.exe 1\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.9500000000000001\n", + "Recall val: \n", + "0.010174639331814731\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Green 5092_sample.exe 14\n", + "Minjal 6128_sample.exe 13\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 9\n", + "Sodinokibi_long 6020_sample.exe 6\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Kitty 5060_sample.exe 1\n", + "Medusa_long 6052_sample.exe 
1\n", + "Nread 5852_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Kitty 5060_sample.exe 11\n", + "SunCrypt 1816_sample.exe 11\n", + "Nread 5852_sample.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 6052_sample.exe 7\n", + "Prilux 1696_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Exedat_long 2400_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "Ragnar 3532_sample.exe 3\n", + "Green 5092_sample.exe 2\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 2\n", + "Atten_long 5064_sample.exe 2\n", + "Sodinokibi_long 6020_sample.exe 1\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.96\n", + "Recall val: \n", + "0.009111617312072893\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Minjal 6128_sample.exe 13\n", + "Green 5092_sample.exe 11\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 9\n", + "Sodinokibi_long 6020_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 4\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Beaf 1088_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Kitty 5060_sample.exe 12\n", + "Nread 5852_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Prilux 1696_sample.exe 6\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Exedat_long 2400_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "Green 5092_sample.exe 5\n", + "Ragnar 3532_sample.exe 3\n", + "Sodinokibi_long 6020_sample.exe 2\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 2\n", + "Atten_long 5064_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 
5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.97\n", + "Recall val: \n", + "0.006074411541381929\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Minjal 6128_sample.exe 11\n", + "CMD_Ransom 2884_sample.exe 4\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 4\n", + "Sodinokibi_long 6020_sample.exe 2\n", + "Green 5092_sample.exe 1\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Green 5092_sample.exe 15\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Beaf 1088_sample.exe 12\n", + "SunCrypt 1816_sample.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 7\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Prilux 1696_sample.exe 6\n", + "Exedat_long 2400_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "Sodinokibi_long 6020_sample.exe 5\n", + "Ragnar 3532_sample.exe 3\n", + "Minjal 6128_sample.exe 2\n", + "Atten_long 5064_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.98\n", + "Recall val: \n", + "0.004555808656036446\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Minjal 6128_sample.exe 8\n", + "CMD_Ransom 2884_sample.exe 4\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Beaf 1088_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 
6052_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Prilux 1696_sample.exe 6\n", + "Exedat_long 2400_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "Minjal 6128_sample.exe 5\n", + "Ragnar 3532_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n", + "thr: 0.99\n", + "Recall val: \n", + "0.003948367501898253\n", + "Precision val: \n", + "1.0\n", + "TPs: \n", + "ransomware_name PID_Process \n", + "Shacker 2212_sample.exe 18\n", + "Minjal 6128_sample.exe 5\n", + "CMD_Ransom 2884_sample.exe 3\n", + "dtype: int64\n", + "FNs: \n", + "ransomware_name PID_Process \n", + "Trash 3996_sample.exe 18\n", + "Green 5092_sample.exe 16\n", + "Nread 5852_sample.exe 12\n", + "WastedLocker 1680_Property 12\n", + "Kitty 5060_sample.exe 12\n", + "SystemXTBL 3256_systems.exe 12\n", + "Beaf 1088_sample.exe 12\n", + "Teslacrypt2 1744_uyavudaiwoyc.e 11\n", + "SunCrypt 1816_sample.exe 11\n", + "DearCry 1084_sample.exe 10\n", + "Medusa_long 6052_sample.exe 8\n", + "Minjal 6128_sample.exe 8\n", + "Sodinokibi_long 6020_sample.exe 7\n", + "WindowsUpdate 1272_sample.exe 6\n", + "Prilux 1696_sample.exe 6\n", + "Exedat_long 2400_sample.exe 6\n", + "Ransom6_long 3320_sample.exe 5\n", + "Ragnar 3532_sample.exe 3\n", + "Atten_long 5064_sample.exe 2\n", + "Ku_long 5876_sample.exe 1\n", + "CMD_Ransom 2884_sample.exe 1\n", + "Btcware 5436_sample.exe 1\n", + "dtype: int64\n", + "FPs: \n", + "Series([], dtype: int64)\n" + ] + } + ], + "source": [ + "model_eval(model, val_data)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Save Model" + ] + }, + { + "cell_type": "code", + "execution_count": 16, + "metadata": {}, + "outputs": [], + "source": [ + "save_model(model)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Conclusions\n", + "Here we show an example of 
how to train a single-model for a time window of 3 snapshots. If we extened this training to create three cascading models with time windows of 3, 5, and 10 snapshots our precision is 90% and our recall is also 90%. Our model based on AppShield - BlueField which is an agentless system. By using AppShield we succeeded to detect ransomware without the ransomware is knowing that we are monitoring. " + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## References\n", + "##### https://github.com/volatilityfoundation/volatility3\n", + "##### https://developer.nvidia.com/networking/doca" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python 3", + "language": "python", + "name": "python3" + }, + "language_info": { + "codemirror_mode": { + "name": "ipython", + "version": 3 + }, + "file_extension": ".py", + "mimetype": "text/x-python", + "name": "python", + "nbconvert_exporter": "python", + "pygments_lexer": "ipython3", + "version": "3.8.10" + } + }, + "nbformat": 4, + "nbformat_minor": 4 +}
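Review bot: The "Conclusions" markdown cell claims 90% precision and 90% recall for a three-model cascade (3, 5 and 10 snapshot windows), but nothing in this notebook evaluates such a cascade; the `model_eval(model, val_data)` output right above it shows the single 3-snapshot model at thresholds 0.93 through 0.99 with precision 1.0, an empty FP series, and recall falling from 0.0132 to 0.0039, with the same families (Trash, Beaf, WastedLocker, SystemXTBL, SunCrypt, DearCry) listed under FNs at every threshold. Either add the cascade training and evaluation cells that produce the quoted numbers, or reword the conclusion to describe only what this notebook demonstrates and state where the 90%/90% figure comes from. Smaller points on the same cells: the threshold values print as `0.9400000000000001` and `0.9500000000000001`, so the sweep is accumulating float error (round `thr` or generate the grid with a fixed number of steps); the committed output is a very long per-threshold dump of `ransomware_name`/`PID_Process` counts, which will churn on every re-run and would be easier to review as one precision/recall-per-threshold table (or with outputs cleared before commit); the conclusion text has typos and broken grammar ("extened", "Our model based on AppShield - BlueField which is an agentless system", "without the ransomware is knowing that we are monitoring"); and the two reference URLs are written as `#####` headings where a bulleted list, matching the `## References` style used in `models/README.md`, is the expected form.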