AI for Ransomware Detection & Prevention Insights from Patents

1

©2021 TechIPm, LLC All Rights Reserved http://www.techipm.com/

AI for Ransomware Detection & Prevention Insights from Patents
Alex G. Lee1
Ransomware has become a major cybersecurity threat over the past few years. In 2017, a ransomware
attack known as WannaCry become of the biggest cybersecurity attacks ever to hit globally. It shut down
hospitals, impacted telecommunications companies, and spread to over 150 countries and
approximately 300,000 devices. It is estimated to have cost enterprises upwards of $5 billion in damages
annually. Ransomware is a malware that is designed to prevent users to access their computers by
locking screen or data by encrypting the data using a strong encryption algorithm known only to the
attacker. One difficulty with ransomware attack is that it is resistant to normal data recovery techniques,
such as backups. Incremental backups keep copies of the user's data, but when a file is encrypted and
then stored with the same name and extension as the original file, the encrypted file overwrites the good
file in the next incremental backup. Even a quality cloud backup solution that maintains a number of file
versions can be susceptible to this type of attack, as it can be impractical or problematic for users to find
and restore a last good version of every file in a directory structure that can have many thousands of
individual files. Furthermore, ransomware cannot be defeated by simply resetting the computer or the
operating system to a known good state. Even if the device itself can be restored to a known good state,
the user's original data or their backups may still be encrypted.

1
Alex G. Lee, Ph.D Esq., is a principal consultant and patent attorney at TechIPm, LLC.

2


Conventional attempts to solve these challenges have drawbacks. For example, a heuristic system
monitors file I/O patterns (such as read/write/delete/rename) and frequencies. The I/O patterns can be
compared to heuristic models to detect irregularities in the pattern. But ransomware can workaround to
these heuristic solutions by encrypting files without changing ransomware only at certain intervals or
once the machine is idle to make it difficult to distinguish the ransomware attack from ordinary file
activity. Static analysis-based solutions scan process memory (either before unpacking or after
unpacking) to look for known signatures. But, ransomware can avoid detection by using different
signatures. AI can provide an effective solution in detecting malware as an alternative to the use of
signatures.
Patents are a good information resource for obtaining the state of the art of AI technology innovations for
defending against the ransomware attacks. Patent information can provide many valuable insights that
can be exploited for developing and implementing new technologies. Patents can also be exploited to
identify new product/service development opportunities.

3


AI for Ransomware Detection
US20210019403 illustrates an AI application method for identifying and mitigating ransomware attacks.
The method provides an operating system and file system agnostic way of classifying a computer
program as behaving like ransomware or not. The program need not be previously known or trusted. In
other words, even a ‘zero-day’ ransomware attack that exploiting unknown vulnerability in hardware or
software can be mitigated with the method provided.
The AI application method analyzes file content, and when a file is written or newly created on the disk
by a program. A ransomware mitigation engine determines whether the file has been compromised by a
ransomware attack. The file marked as ransomware or as compromised if the ransomware mitigation
engine determines that the file has been compromised. The file analysis can be accomplished by using
a deep learning classification layer (e.g., convolutional neural network) to identify a file type of the file,
which combines with a heuristic layer to check the byte distribution in the file content for predicting
whether the file appears to be encrypted using a statistical analysis (e.g., entropy). Once the examined
file is determined as having been compromised by a ransomware attack, the ransomware mitigation
engine takes a remedial action such as creating a backup of the file and restoring the file from the
backup.

4


US20200034537 illustrates a system that detects ransomware infection in file systems. The system
detects ransomware infection in two stages. In the first stage, the system analyzes a file system's
behavior. The file system's behavior can be obtained by loading the backup data and crawling the file
system to create a file system metadata (e.g., a list of entries corresponding to data changes in the file
system) including information about file operations during a time interval. The system determines a
pattern of the file operations using the set of machine learning models trained to determine the pattern of
the file operations. The system compares the pattern to a normal patter to analyze the file system's
behavior based on features representing the file system's behavior. If the file system's behavior is
abnormal, the system proceeds to the second stage to analyze the content of the files to look for signs of
encryption in the file system. The system combines the analysis of both stages to determine whether the
file system is infected by ransomware.
It is challenging for the backup service provider to determine whether an encrypted file received by the
backup service provider from a customer for storage is encrypted only by a normal encryption process or
whether the encrypted file contains a ransomware encryption as well. US20200042703 illustrates a
system that detects ransomware detection of encrypted files. The system applies an anomaly detection
technique to the metadata for an encrypted file to compare attributes (e.g., file extension/ size/name) in
the metadata to corresponding historical baseline values for the attributes. The anomaly detection
technique comprises a machine learning model that is trained using historical time-series data for each

5


of file types. The system determines whether the encrypted file comprises a ransomware encryption
based on the comparison.

6


AI for Ransomware Prevention
Most effective defense against a ransomware attack is a detection of the malware when downloading to
the victim computer, which can prevent an attack vector from penetrating a victim’s host computer.
Following approaches can mitigate ransomware attacks: 1) backing-up data frequently to back-up
storage devices that cab be disconnected from the network before and after the back-up operation is
performed; 2) training people on risky security scenarios, such as avoiding clicking on malicious links in
phishing emails and spear-phishing campaigns; avoiding opening suspicious email attachments; avoid
clicking malicious advertisements on websites; avoid plugging in potentially infected USB s found in
untrusted locations; and 3) firewalls that can help block known suspicious IP addresses and domains
from communicating with devices in your network, that could host ransom ware command & control
servers.
US20180248896 illustrates an anti-ransomware system that has a deception component comprising a
decoy module to place and monitor decoy segments within file systems. Decoy files and folders contain
common file types that ransomware attackers target. The purposes of the decoys are i) alerting about
ransomware-like behavior, ii) alerting about “snooping” on the computer, iii) potentially storing anti-
malware components disguised as decoys, iv) slowing down the encryption process, yielding additional

7


response time, v) deterring attackers, vi) allowing additional opportunities to recover the key, or learn
how to recover files.
The anti-ransomware system includes a behavioral analysis module to analyze the behavior of a
suspected ransomware to monitor ransomware activities in real time using a machine learning module
for determining a file system baseline of the computer file structure. The machine learning module
observes the normal processes of the machine, including behavior that results in large changes at one
time to particular files, such as encrypting files within normal use of the computer, that weren't previously
encrypted or representing user content. Once a file change activity exceeds a threshold, the anti-
ransomware system takes action by notifying the response component.
The response component has a suspend/kill module to suspend the suspected ransomware, a restore
files module to restore files from an on-demand backup system, a capture encryption key module to
retrieve the encryption used by the suspected ransomware, and a quarantine module to quarantine the
suspected ransomware on the device, and to quarantine the device off the network, to prevent spread of
infection.

8


Cybersecurity & Privacy in ESG Digital Transformation Webinar
Recent ransomware cyberattack on a major oil pipeline caused gas prices to surge and gas stations in
multiple states to experience shortages due to a several-day outage resulting from the attack.
In 2020, a major cyberattack by a group backed by the Russian government caused series of data
breaches in the United States federal government. These two cases illustrate the serious harm of
cyberattacks and data breaches to society and individuals.
As the world recovers from COVID-19 pandemic, ESG (Environmental, Social, and Governance) DX
(digital transformation) will be accelerated. As ESG DX is accelerated, cybersecurity and privacy
protection will be the top ESG risk management concern for corporations and their stakeholders.
In the webinar, Alex G. Lee, Ph.D., Esq. (https://www.linkedin.com/in/alexgeunholee/) will present the
potential risks of cybersecurity & privacy in ESG DX. Specifically, Alex will present the state of the art
innovations of AI, Blockchain, IoT and their convergence for cybersecurity & privacy in ESG DX. Alex
will present specific technical details about the use cases of AI, Blockchain, IoT and their convergence
for cybersecurity & privacy in ESG DX based on related patents analysis.

9


Alex will also present demos of an innovative cybersecurity solution (Zeus) for protecting systems of
digital infrastructure and a cloud based big data/computing platform (Xanadu) for protection against
ransomware.
Place: Online Zoom meeting
Time: June 16, 2021 7 pm – 9.00 pm Eastern Time/EDT (US and Canada)
June 16, 2021 4 pm – 6.00 pm Pacific Time/PST (US and Canada)
June 17, 2021 8 am – 10.00 am GMT+9 Time Zone (S. Korea and Japan)
Registration: https://www.eventbrite.com/e/cybersecurity-privacy-in-esg-digital-transformation-webinar-
tickets-
156172081901?utm_source=eventbrite&utm_medium=email&utm_campaign=post_publish&utm_conten
t=shortLinkNewEmail

AI for Ransomware Detection & Prevention Insights from Patents

Recommended

More Related Content

What's hot (20)

Similar to AI for Ransomware Detection & Prevention Insights from Patents (20)

More from Alex G. Lee, Ph.D. Esq. CLP (20)

Recently uploaded (20)

AI for Ransomware Detection & Prevention Insights from Patents