Detecting Ransomware on the Linux Desktop: A behavioral approach to Host-based Intrusion Detection
Bachelor's Thesis by David Zeugner, serving as the foundational paper for TiamatAV - a free and open-source antivirus engine for the Linux Desktop.
- tags
- #Antivirus #Linux #Ransomware #TiamatAV #Ebpf
- categories
- Cybersecurity
- published
- reading time
- 2 minutes
Abstract
Despite the steadily increasing popularity of the Linux desktop in recent years and its resulting attractiveness as a target for cyberattacks, the current landscape of open source antivirus solutions - which effectively consists solely of the signature-based scanner ClamAV - remains highly inadequate. To meaningfully complement the existing solution landscape, an eBPF-based solution for the behavioral detection of ransomware on the Linux desktop was developed in the course of this work. This system is designed to detect malicious processes in real time by analyzing system events from the kernel against specific patterns using predefined, deterministic rules.
In tests using real ransomware from online repositories, the developed solution - hereinafter referred to as TiamatAV - was able to detect over 90% of all executable, malicious samples, whereas the current industry standard ClamAV failed to identify a single sample (0%) as malicious in this test group. At the same time, TiamatAV’s susceptibility to false positives was assessed through the simulation of synthetic workloads, such as compiling the Linux kernel, with TiamatAV producing no false positives in this series of experiments. These same workloads were also used to measure the impact of real-time analysis on system performance. In its current state of development, TiamatAV exhibited significantly higher resource consumption compared to a reference system running no antivirus solution or ClamAV.
Although further research and optimization are necessary regarding the solution’s performance, this work successfully demonstrated that behavior-based malware detection on Linux via eBPF is fundamentally possible and highly effective in detecting ransomware. Further development of TiamatAV could represent a valuable addition to the existing landscape of signature-based scanners on Linux, particularly in the context of detecting zero-day malware.