How do you distinguish between benign user actions, like compressing and encrypting files, and ransomware attacks?

Modified on Thu, 4 Jul at 12:35 PM

Server Defender distinguishes benign user actions from malicious activity through behavioral analysis and monitoring of specific parameters. When a user legitimately compresses and encrypts files, the operation follows a typical sequence of events. If an anomaly occurs, such as an unusual file access pattern or an unauthorized process ID change, the system flags it as a potential ransomware attack. Legitimate users perform a different set of operations to encrypt files than unauthorized actors do, and their entry points differ significantly from those of an attacker. Our AI identifies these distinctions by examining, among other things, the encrypted data and the process IDs involved.

As another example, a user with access to an ABC account may zip files, which produces specific activities such as archiving and file permission accesses; this differs from the actions of a ransomware attacker. The AI evaluates both the network layer and the application level to understand each user's access level. This differentiation helps identify the purpose behind a given activity, such as compressing files into a zip archive.

For ransomware detection, the AI has been trained on over 31,000 parameters, including system directory access, NT open file entries, create process execution, file access, system information retrieval, and more. Ransomware attacks modify these parameters in characteristic ways, which is how they are identified. The AI's ability to distinguish normal user flows from ransomware attacks is highly accurate: because ransomware attacks entail specific parameter changes, the probability of classifying a generic user flow as a ransomware attack is less than 8-10%.



Example: When a user compresses and encrypts files, the system observes typical system processes and file access activities. However, if ransomware infects the system, it may exhibit erratic behavior, such as accessing critical system files or modifying processes without authorization. Server Defender’s AI model is trained to detect these irregularities and respond accordingly. 
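The contrast drawn above, as an added illustrative example rather than Server Defender's trained model: a small hand-written scorer over two constructed event flows (an archiver launched from the desktop versus a process that rewrites and renames files across directories and reads from a system directory). The system-directory prefix, the trusted-launcher set, the weights and the threshold are all assumptions chosen for the demonstration.

```python
# Hand-written behavioral scorer, added here to illustrate the article's points.
# Not Server Defender's model; events, weights and threshold are constructed.
from collections import defaultdict
import ntpath

SYSTEM_DIRS = ("C:\\Windows\\",)       # assumption: what counts as a system directory
TRUSTED_LAUNCHERS = {"explorer.exe"}    # assumption: expected entry point for user tools

# Constructed events as (parent_image, operation, path). A real sensor also records
# PIDs, timestamps and users; they are omitted to keep the example short.
BENIGN_FLOW = [
    ("explorer.exe", "CreateProcess", r"C:\Program Files\7-Zip\7z.exe"),
    ("explorer.exe", "Read", r"C:\Users\alice\Docs\q1.xlsx"),
    ("explorer.exe", "Read", r"C:\Users\alice\Docs\q2.xlsx"),
    ("explorer.exe", "Write", r"C:\Users\alice\Docs\reports.7z"),
]
RANSOMWARE_FLOW = [
    ("winword.exe", "CreateProcess", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ("winword.exe", "Read", r"C:\Users\alice\Docs\q1.xlsx"),
    ("winword.exe", "Write", r"C:\Users\alice\Docs\q1.xlsx"),
    ("winword.exe", "Rename", r"C:\Users\alice\Docs\q1.xlsx.locked"),
    ("winword.exe", "Read", r"C:\Users\alice\Pictures\cat.jpg"),
    ("winword.exe", "Write", r"C:\Users\alice\Pictures\cat.jpg"),
    ("winword.exe", "Rename", r"C:\Users\alice\Pictures\cat.jpg.locked"),
    ("winword.exe", "Read", r"C:\Windows\System32\example.dll"),  # placeholder path
]

def extract_features(events):
    ops = defaultdict(set)                 # path -> set of operations seen on it
    for _, op, path in events:
        ops[path].add(op)
    write_dirs = {ntpath.dirname(p) for p, o in ops.items() if o & {"Write", "Rename"}}
    return {
        # originals rewritten in place: an archiver reads sources and writes one new file
        "in_place_rewrites": sum(1 for o in ops.values() if {"Read", "Write"} <= o),
        "renames": sum(1 for o in ops.values() if "Rename" in o),
        "write_dirs": len(write_dirs),     # spread of modifications across directories
        "system_dir_access": int(any(p.startswith(SYSTEM_DIRS) for p in ops)),
        # entry point: was the child spawned by a normal interactive launcher?
        "untrusted_parent": int(any(par not in TRUSTED_LAUNCHERS
                                    for par, op, _ in events if op == "CreateProcess")),
    }

WEIGHTS = {"in_place_rewrites": 2, "renames": 2, "write_dirs": 1,
           "system_dir_access": 3, "untrusted_parent": 3}
THRESHOLD = 6                              # constructed cut-off for the verdict

def score_flow(events):
    features = extract_features(events)
    total = sum(WEIGHTS[k] * v for k, v in features.items())
    return total, ("ransomware-like" if total >= THRESHOLD else "benign")
```

Running `score_flow` on the two flows returns `(1, "benign")` for the archiver and `(16, "ransomware-like")` for the rewriting process; the features, not the file encryption itself, carry the signal.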
