In this work, we propose a two-phased approach for real-time detection and deterrence of ransomware. To achieve this, we leverage the capabilities of eBPF (Extended Berkeley Packet Filter) and artificial intelligence to develop both proactive and reactive methods. In the first phase, we use signature-based detection: custom eBPF programs trace the execution of new processes and perform hash-based analysis against a dataset of known ransomware. In the second phase, we use a behavior-based technique: a custom eBPF program monitors process activity, and Natural Language Processing (NLP) detects the creation of ransom notes, a prominent indicator of ransomware activity. By combining the low-level tracing capabilities of eBPF with NLP-based machine learning algorithms, our solution achieves 99.76% accuracy in identifying ransomware incidents within a few seconds of the onset of zero-day attacks.
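As an added illustration (not code from the paper), the two phases run over a constructed event stream in Python. The eBPF exec and file-write hooks are replaced by constructed events, and the paper's NLP classifier by a keyword scorer; both are assumptions made so the example runs offline.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of a known-bad executable. Its hash stands in for the
# paper's known-ransomware dataset (assumption; a deployment loads real hashes).
KNOWN_BAD_PAYLOAD = b"constructed-sample-ransomware-binary"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}

# Terms whose co-occurrence is typical of ransom notes. A lightweight stand-in
# for the paper's NLP model (assumption), kept so the pipeline is testable.
RANSOM_TERMS = ["encrypted", "bitcoin", "decrypt", "payment", "wallet",
                "deadline", "private key"]
NOTE_THRESHOLD = 3

@dataclass
class ExecEvent:          # what an eBPF execve tracepoint would report
    pid: int
    path: str
    image_bytes: bytes    # executable content resolved from `path`

@dataclass
class FileWriteEvent:     # what an eBPF file-write hook would report
    pid: int
    path: str
    content: str

def phase1_signature(event: ExecEvent) -> bool:
    """Phase 1: hash the new process image and compare it to known ransomware."""
    digest = hashlib.sha256(event.image_bytes).hexdigest()
    return digest in KNOWN_BAD_HASHES

def ransom_note_score(text: str) -> int:
    """Count distinct ransom-note terms present in the text (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for term in RANSOM_TERMS if term in lowered)

def phase2_behavior(event: FileWriteEvent) -> bool:
    """Phase 2: flag a newly written text file whose contents read like a ransom note."""
    is_note_like = event.path.lower().endswith((".txt", ".html"))
    return is_note_like and ransom_note_score(event.content) >= NOTE_THRESHOLD

def detect(events) -> list:
    """Run both phases over an event stream; return (pid, phase) for each hit.
    A deterrence step (e.g. terminating the pid) would act on these hits."""
    hits = []
    for ev in events:
        if isinstance(ev, ExecEvent) and phase1_signature(ev):
            hits.append((ev.pid, "signature"))
        elif isinstance(ev, FileWriteEvent) and phase2_behavior(ev):
            hits.append((ev.pid, "ransom-note"))
    return hits
```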