Related Resources
Cybersecurity

Supercharge Ransomware Detection with AI-Enhanced Cybersecurity Solutions

Sep 06, 2023
By Nir Rosen, Haim Elisha, Ahmad Saleh, Vadim Gechman and Sharon Mashhadi
Discuss (0)
Cybersecurity abstract image


Ransomware attacks have become increasingly popular, more sophisticated, and harder to detect. For example, in 2022, a destructive ransomware attack took 233 days to identify and 91 days to contain, for a total lifecycle of 324 days. Going undetected for this amount of time can cause irreversible damage. Faster and smarter detection capabilities are critical to addressing these attacks. 

Behavioral ransomware detection with NVIDIA DPUs and GPUs 

Adversaries and malware are evolving faster than defenders, making it hard for security teams to track changes and maintain signatures for known threats.  To address this, a combination of AI and advanced security monitoring is needed. Developers can build solutions for detecting ransomware attacks faster using advanced technologies including NVIDIA BlueField Data Processing Units (DPUs), the NVIDIA DOCA SDK with DOCA App Shield, and NVIDIA Morpheus cybersecurity AI framework.

Intrusion detection with BlueField DPU

BlueField DPUs are ideal for enabling best-in-class, zero-trust security, and extending that security to include host-based protection. With built-in isolation, this creates a separate trust domain from the host system, where intrusion detection system (IDS) security agents are deployed. If a host is compromised, the isolation layer between the security control agents on the DPU and the host prevents the attack from spreading throughout the data center.

DOCA App-Shield is one of the libraries provided with the NVIDIA DOCA software framework. It is a security framework for host monitoring, enabling cybersecurity vendors to create IDS solutions that can quickly identify an attack on any physical server or virtual machine.

DOCA App-Shield runs on the NVIDIA DPU as an out-of-band (OOB) device in a separate domain from the host CPU and OS and is:

  1. Resilient against attacks on a host machine.
  2. Least disruptive to the execution of host applications.

DOCA App Shield exposes an API to users developing security applications. For detecting malicious activities from the DPU Arm processor, it uses DMA without involving the host OS or CPU. In contrast, a standard agent of anti-virus or endpoint-detection-response runs on the host and can be seen or‌ compromised by an attacker or malware. 

Image of an NVIDIA BlueField-3 DPU.
Figure 1. NVIDIA BlueField-3 DPU 400 Gb/s infrastructure compute platform

Morpheus AI framework for cybersecurity 

Morpheus is part of the NVIDIA AI Enterprise software product family and is designed to build complex ML and AI-based pipelines. It provides significant acceleration of AI pipelines to deal with high data volumes, classify data, and identify anomalies, vulnerabilities, phishing, compromised machines, and many other security issues. 

Morpheus can be deployed on-premise with a GPU-accelerated server like the NVIDIA EGX Enterprise Platform, and it is also accessible through cloud deployment

A workflow showing Morpheus consisting of a GPU-accelerated server with SmartNic/DPU and software stack of RAPIDS, Cyber Logs Accelerator, NVIDIA Triton, and NVIDIA TensorRT for real-time telemetry from BlueField DPUs.
Figure 2. NVIDIA Morpheus with BlueField DPU Telemetry

Addressing ransomware with AI

One of the pretrained AI models in Morpheus is the ransomware detection pipeline that leverages NVIDIA DOCA App-Shield as a data source. This brings a new level of security for detecting ransomware attacks that were previously impossible to detect in real time.

Ransomware detection AI pipeline showing a DPU monitoring virtual machines. The Morpheus AI server receives DOCA AppShield events and alerts high anomaly processes.
Figure 3. Ransomware detection AI pipeline

Inside BlueField DPU

BlueField DPU offers the new OS-Inspector app to leverage DOCA App-Shield host monitoring capabilities and enables a constant collection of OS attributes from the monitored host or virtual machine. OS-Inspector app is now available through early access. Contact us for more information.

The collected operating system attributes include processes, threads, libraries, handles, and vads (for a complete API list, see the App-Shield programming guide).

OS-Inspector App then uses DOCA Telemetry Service to stream the attributes to the Morpheus inference server using the Kafka event streaming platform. 

Inside the Morpheus Inference Framework

The Morpheus ransomware detection AI pipeline processes the data using GPU acceleration and feeds the data to the ransomware detection AI model.

This tree-based model detects ransomware attacks based on suspicious attributes in the servers. It uses N-gram features to capture the change in attributes through time and detect any suspicious anomaly. 

When an attack is detected, Morpheus generates an inference event and triggers a real-time alert to the security team for further mitigation steps.

A ransomware detection model detects a ransomware process named sample.exe.
Figure 4. Ransomware detection model

FinSec lab use case 

NVIDIA partner FinSec Innovation Lab, a joint venture between Mastercard and Enel X, demonstrated their solution for combating ransomware attacks at NVIDIA GTC 2023.

FinSec ran a POC, which used BlueField DPUs and the Morpheus cybersecurity AI framework to train a model that detected a ransomware attack in less than 12 seconds. This real-time response enabled them to isolate a virtual machine and save 80% of the data on the infected servers. 

Learn more

BlueField DPU running DOCA App Shield enables OOB host monitoring. Together with Morpheus, developers can quickly build AI models to protect against cyber attacks, better than ever before. OS-Inspector app is now available through early access.  Contact us for more information.

Related resources

Discuss (0)

Tags

Cybersecurity | Data Science | Financial Services | Public Sector | BlueField DPU | DOCA | Morpheus | Intermediate Technical | Deep dive | featured

About the Authors

Avatar photo
About Nir Rosen
Nir Rosen is a senior security architect with 9 years of experience in cybersecurity. Nir is developing machine learning models for malicious activity detection. Nir holds a BSc in Computer Science from Haifa University and an MSc in Computer Science from Reichman University.
Avatar photo
About Haim Elisha
Haim Elisha is a senior data scientist with more than 7 years of experience in data science and cybersecurity. Haim is currently developing ML solutions for cybersecurity and networking. His work includes the development of ML models to detect malicious activities and attacks for Windows and Linux, along with supervised and unsupervised learning. Haim holds a BSc and MSc in electrical engineering from Ben Gurion University and is a Ph.D. student in the electrical engineering department at Ben Gurion University.
Avatar photo
About Ahmad Saleh
Ahmad Saleh is a solution architect at NVIDIA Networking Cybersecurity Labs with 7 years of experience. Ahmad’s primary areas of expertise are NVIDIA BlueField Data Processing Unit, K8s, Linux, and Windows cybersecurity solutions.
Avatar photo
About Vadim Gechman
Vadim Gechman is a director of Networking Cyber-AI at NVIDIA with more than 20 years of experience. Vadim is designing and leading the development of cybersecurity and networking AI/ML big data solutions, including anomaly detection, forecasting, malicious activity detection, and network monitoring. Vadim holds a BSc of engineering from Tel Aviv University and MSM in technology management from New York Polytechnic University.
Avatar photo
About Sharon Mashhadi
Sharon Mashhadi is senior manager of Networking Cybersecurity Labs at NVIDIA leading initiatives such as the development of networking cybersecurity capabilities, security networking AI/ML-based solutions, product security, and integrating third-party cybersecurity solutions. Sharon is a veteran practical engineer with more than 34 years of experience in information technologies, at global companies Digital DEC, Amdocs, and Bank Hapoalim.

Comments