Deepware: Imaging performance counters with deep learning to detect ransomware

This paper presents“DeepWare,” a ransomware detection model inspired by deep learning and hardware performance counter (HPC). By imaging the HPC values and restructuring the conventional CNN model, DeepWare can address HPC’s nondeterminism issue by extracting the event-specific and event-wise behavioral features, which allows it to distinguish the ransomware activity from the benign one effectively. The experiment results across ransomware families show that the proposed DeepWare is effective at detecting different classes of ransomware with a 98.6% recall score, which is 84.41%, 60.93%, and 21% improvement over RATAFIA, OC-SVM, and EGB models, respectively.