Zhuravchak D. Improvement of real time ransomware detection methods

Українська версія

Thesis for the degree of Doctor of Philosophy (PhD)

State registration number

0824U002923

Thesis Registration Form

0824U002923.pdf

Applicant for

Danyil Zhuravchak

Specialization

125 - Кібербезпека та захист інформації

Date of defense

13-08-2024

Specialized Academic Board

ID 5936

Lviv Polytechnic National University

Essay

The dissertation solved an important scientific and practical problem of increasing the effectiveness of detecting ransomware in the infrastructure of information systems by using machine learning models and eBPF technology. For the first time, a model of an integrated data collection system for the detection of ransomware viruses has been developed, combining the use of eBPF for monitoring system calls, file and cryptographic activity, network traffic and process analysis. This system provides a unique set of data (features) that are used to effectively identify potential threats in real time. For the first time, a complex model for classification of ransomware viruses using an ensemble of decision trees and a random forest is proposed, which allows to distinguish "safe" and "dangerous" programs with high accuracy based on the analysis of complex behavioral patterns and cryptographic activity. For the first time, a methodology for applying deep neural networks is proposed to identify complex patterns in data collected by eBPF modules representing the behavior of ransomware viruses, providing a new level of accuracy in detecting unknown or evolved threats. The methods of detecting cyber threats by analyzing network traffic using eBPF have been further developed, which significantly increases the speed and accuracy of identifying potential ransomware attacks compared to traditional approaches. The method of simulating cyberattacks with the help of a fraudster's action emulation model has been improved to test and evaluate the effectiveness of the developed models, simultaneously, including the launch of ransomware viruses in a controlled laboratory environment. This made it possible to analyze in detail the response of models to various attack scenarios and optimize them for maximum efficiency. Received further development: methods of comparative analysis and evaluation of the effectiveness of mathematical devices for detecting and countering ransomware programs, using the MCC metric (Matthew's correlation coefficient), which proved to be more effective for evaluating models that work with unbalanced data, typical of cyber threat scenarios such as ransomware viruses.

Thesis supervisor

Valeriy B. Dudykevych

Official opponents

Alexsey A. Smirnov
Volodymyr Y. Sokolov

Reviewers

Andriy I. Partyka
Sovyn Yaroslav R.

Research papers

1. Zhuravchak, D. "Створення системи запобігання поширення вірусів вимагачів за допомогою мови програмування Python та утиліти Auditd на базі операційної системи Linux". Електронне фахове наукове видання "Кібербезпека: освіта, наука, техніка", вип. 4, вип. 12, Червень 2021, – С. 108-16.

2. Zhuravchak Danyil, Opanovych Maksym, Dudykevych Valerii, Piskozub Andrian. Detection Method Of Credential Dumping Method Through Exploiting Vulnerable Windows Error Reporting Service In Windows Operating Systems. Сучасна спеціальна техніка, – 2022. № 2 (69), С. 38-52.

3. Zhuravchak, D. ., V. Dudykevych, A. Tolkachova. "Дослідження структури системи виявлення та протидії атакам вірусів вимагачів на базі Endpoint detection and response". Електронне фахове наукове видання "Кібербезпека: освіта, наука, техніка", вип. 3, вип. 19, Березень 2023, – С. 69-82.

4. Zhuravchak, D., Tolkachova, A., Piskozub, A., Dudykevych, V., Korshun, N. Monitoring ransomware with Berkeley packet filter // CEUR Workshop Proceedings, vol. 3550, Cybersecurity Providing in Information and Telecommunication Systems II 2023. Proceedings of the Cybersecurity Providing in Information and Telecommunication Systems II co-located with the International Conference on Problems of Infocommunications. Science and Technology (PICST 2023), Kyiv, Ukraine, October 26, 2023 (online), 2023, pp. 95-106.

5. Піскозуб А.З., Журавчак Д.Ю., Толкачова А.Ю. Дослідження вразливостей у чатботах з використанням великих мовних моделей / Безпека Інформації, – 2023, № 3, том 29. С. 111-117.

6. Д.Журавчак, П.Глущенко, М.Опанович, В.Дудикевич, А.Піскозуб. Концепція нульової довіри для захисту active directory для виявлення програм-вимагачів // Електронне фахове наукове видання "Кібербезпека: освіта, наука, техніка", вип. 2, вип. 22, Грудень 2023, с. 179-90.

7. Журавчак Даниїл, Едуард Кійко, Валерій Дудикевич. Використання EBPF для ідентифікації вірусів-вимагачів, що використовують DNS-запити DGA // Information Technology and Security, vol. 11, no. 2 (21), 2023, pp. 166-174.

8. Журавчак Д. Ю. Моніторинг вірусів-вимагачів за допомогою розширеного Берклійського пакетного фільтра (eBPF) та машинного навчання // Наукоємні технології, том 60, № 4, – 2023, С. 352-363.

0824U002612

Kyrylo O. Bondarenko

Mathematical models and computational methods for detecting anomalies in security systems

0824U002050

Dzianyi Nazarii R

SPEECH INFORMATION PROTECTION FROM LASER SYSTEMS OF ACOUSTIC INTELLIGENCE

0824U001826

Heorhiy A. Zemlynko

Methods and means to ensure cybersecurity of multi-functional fleets of UAV under conditions of combined cyber attacks

0824U001716

Roman Chernenko

Models and Methods of Ensuring the Protection of Information Transmitted Through Open Channels in Internet of Things Networks.

0824U001628

Viktoriia Polutsyhanova

A method of risk assessment based on the analysis of the structure of threat connections and vulnerabilities in cyber systems