Skip to main content
News Releases

New Approach Allows for Faster Ransomware Detection

computer screen showing a pirate flag
Photo credit: Michael Geiger

For Immediate Release

Paul Franzon
Archit Gajjar

Engineering researchers have developed a new approach for implementing ransomware detection techniques, allowing them to detect a broad range of ransomware far more quickly than previous systems.

Ransomware is a type of malware. When a system is infiltrated by ransomware, the ransomware encrypts that system’s data – making the data inaccessible to users. The people responsible for the ransomware then extort the affected system’s operators, demanding money from the users in exchange for granting them access to their own data.

Ransomware extortion is hugely expensive, and instances of ransomware extortion are on the rise. The FBI reports receiving 3,729 ransomware complaints in 2021, with costs of more than $49 million. What’s more, 649 of those complaints were from organizations classified as critical infrastructure.

“Computing systems already make use of a variety of security tools that monitor incoming traffic to detect potential malware and prevent it from compromising the system,” says Paul Franzon, co-author of a paper on the new ransomware detection approach. “However, the big challenge here is detecting ransomware quickly enough to prevent it from getting a foothold in the system. Because as soon as ransomware enters the system, it begins encrypting files.” Franzon is Cirrus Logic Distinguished Professor of Electrical and Computer Engineering at North Carolina State University.

“There’s a machine-learning algorithm called XGBoost that is very good at detecting ransomware,” says Archit Gajjar, first author of the paper and a Ph.D. student at NC State. “However, when systems run XGBoost as software through a CPU or GPU, it’s very slow. And attempts to incorporate XGBoost into hardware systems have been hampered by a lack of flexibility – they focus on very specific challenges, and that specificity makes it difficult or impossible for them to monitor for the full array of ransomware attacks.

“We’ve developed a hardware-based approach that allows XGBoost to monitor for a wide range of ransomware attacks, but is much faster than any of the software approaches,” Gajjar says.

The new approach is called FAXID, and in proof-of-concept testing, the researchers found it was just as accurate as software-based approaches at detecting ransomware. The big difference was speed. FAXID was up to 65.8 times faster than software running XGBoost on a CPU and up to 5.3 times faster than software running XGBoost on a GPU.

“Another advantage of FAXID is that it allows us to run problems in parallel,” Gajjar says. “You could devote all of the dedicated security hardware’s resources to ransomware detection, and detect ransomware more quickly. But you could also allocate the security hardware’s computing power to separate problems. For example, you could devote a certain percentage of the hardware to ransomware detection and another percentage of the hardware to another challenge – such as fraud detection.”

“Our work on FAXID was funded by the Center for Advanced Electronics through Machine Learning (CAEML), which is a public-private partnership,” Franzon says. “The technology is already being made available to members of the center, and we know of at least one company that is making plans to implement it in their systems.”

The paper, “FAXID: FPGA-Accelerated XGBoost Inference for Data Centers using HLS,” is being presented at the 30th IEEE International Symposium on Field-Programmable Custom Computing Machines (FCCM), being held in New York City from May 15-18. The paper was co-authored by Priyank Kashyap, a Ph.D. student at NC State; Aydin Aysu, an assistant professor of electrical and computer engineering at NC State; and Sumon Dey and Chris Cheng of Hewlett Packard Enterprise.

The work was supported by CAEML, through National Science Foundation grant number CNS #16-244770, and CAEML member companies.

-shipman-

Note to Editors: The study abstract follows.

“FAXID: FPGA-Accelerated XGBoost Inference for Data Centers using HLS”

Authors: Archit Gajjar, Priyank Kashyap, Aydin Aysu and Paul Franzon, North Carolina State University; and Sumon Dey and Chris Cheng, Hewlett Packard Enterprise

Presented: May 15-18, 30th IEEE International Symposium on Field-Programmable Custom Computing Machines (FCCM)

Abstract: Advanced ensemble trees have proven quite effective in providing real-time predictions against ransomware detection, medical diagnosis, recommendation engines, fraud detection, failure predictions, crime risk, to name a few. Especially, XGBoost, one of the most prominent and widely used decision trees, has gained popularity due to various optimizations on gradient boosting framework that provides increased accuracy for classification and regression problems. XGBoost’s ability to train relatively faster, handling missing values, flexibility and parallel processing make it a better candidate to handle data center workload. Today’s data centers with enormous Input/Output Operations per Second (IOPS) demand a real-time accelerated inference with low latency and high throughput because of significant data processing due to applications such as ransomware detection or fraud detection. This paper showcases an FPGA-based XGBoost accelerator designed with High-Level Synthesis (HLS) tools and design flow accelerating binary classification inference.We employ Alveo U50 and U200 to demonstrate the performance of the proposed design and compare it with existing state-of-the-art CPU (Intel Xeon E5-2686 v4) and GPU (Nvidia Tensor Core T4) implementations with relevant datasets. We show a latency speedup of our proposed design over state-of-art CPU and GPU implementations, including energy efficiency and cost-effectiveness. The proposed accelerator is up to 65.8x and 5.3x faster, in terms of latency than CPU and GPU, respectively. The Alveo U50 is a more cost-effective device, and the Alveo U200 stands out as more energy-efficient.