Machine learning-based determination of program code characteristics
US-10917415-B2 · Feb 9, 2021 · US
US12169563B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12169563-B2 |
| Application number | US-202217864303-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 13, 2022 |
| Priority date | Feb 14, 2022 |
| Publication date | Dec 17, 2024 |
| Grant date | Dec 17, 2024 |
Official abstract text for this publication.
Apparatuses, systems, and techniques for classifying one or more computer programs executed by a host device as being ransomware using a machine learning (ML) detection system. An integrated circuit is coupled to physical memory of a host device via a host interface. The integrated circuit hosts a hardware-accelerated security service to protect one or more computer programs executed by the host device. The security service obtains a series of snapshots of data stored in the physical memory and extracts a set of features from each snapshot of the series of snapshots, each snapshot representing the data at a point in time. The security service classifies a process of the one or more computer programs as ransomware or non-ransomware using the set of features and outputs an indication of ransomware responsive to the process being classified as ransomware.
Opening claim text (preview).
What is claimed is:
1. A method comprising: obtaining, using a data processing unit (DPU) operatively coupled to a host device, a series of snapshots of data stored in physical memory of the host device, the data being associated with one or more computer programs executed by the host device, wherein the series of snapshots of data are obtained by the DPU without detection by the one or more computer programs; extracting, using a machine learning (ML) detection system, a set of features from each snapshot of the series of snapshots, each snapshot representing the data at a point in time; classifying, using the set of features and the ML detection system, a process of the one or more computer programs as ransomware or non-ransomware; and outputting an indication of ransomware responsive to the process being classified as ransomware.
2. The method of claim 1, wherein the ML detection system comprises a random-forest classification model, wherein the random-forest classification model is a time-series-based model trained to classify a process as ransomware or non-ransomware using cascading of different numbers of snapshots in the series of snapshots.
3. The method of claim 2, wherein the cascading of different numbers of snapshots in the series of snapshots comprises: a first number of snapshots obtained over a first amount of time; a second number of snapshots obtained over a second amount of time greater than the first amount of time, the second number of snapshots comprising the first number of snapshots; and a third number of snapshots obtained over a third amount of time greater than the second amount of time, the third number of snapshots comprising the second number of snapshots.
4. The method of claim 1, wherein the ML detection system comprises a time-based classification model trained to a process as ransomware or non-ransomware using different feature sets over different amounts of time.
5. The method of claim 4, wherein the different feature sets comprises: a first set of features extracted from a first set of snapshots, representing the data stored in the physical memory over a first period; and a second set of features extracted from a second set of snapshots, representing the data stored in the physical memory over a second period greater than the first period.
6. The method of claim 5, wherein the different feature sets further comprises a third set of features extracted from a third set of snapshots, representing the data stored in the physical memory over a third period greater than the second period.
7. The method of claim 1, wherein the data comprises information about each process of a list of processes of the one or more computer programs, wherein the set of features further comprises at least one of: information about one or more threads used by one or more processes in the list of processes; information about one or more modules used by one or more processes in the list of processes; information about handles used by one or more processes in the list of processes; information about virtual address descriptors (VADs); or information about environment variables.
8. The method of claim 7, wherein extracting the set of features comprises extracting the set of features from different memory plugins from each snapshot of the series of snapshots, wherein the different memory plugins comprises at least one of a LdrModules plugin, a VadInfo plugin, a Handles plugin, a ThreadList plugin, or an Envars plugin.
9. An integrated circuit comprising: a host interface operatively coupled to physical memory associated with a host device; a central processing unit (CPU) operatively coupled to the host interface; and an acceleration hardware engine operatively coupled to the host interface and the CPU, wherein the CPU and the acceleration hardware engine are to host a hardware-accelerated security service to protect one or more computer programs executed by the host device, wherein the hardware-accelerated security service is to: obtain a series of snapshots of data stored in the physical memory of the host device, the data being associated with the one or more computer programs, wherein the series of snapshots of data are obtained by the hardware-accelerated security service without detection by the one or more computer programs; extract, using a machine learning (ML) detection system, a set of features from each snapshot of the series of snapshots, each snapshot representing the data at a point in time; classify, using the ML detection system, a process of the one or more computer programs as ransomware or non-ransomware using the set of features; and output an indication of ransomware responsive to the process being classified as ransomware.
10. The integrated circuit of claim 9, wherein the integrated circuit is a data processing unit (DPU), wherein the DPU is a programmable data center infrastructure on a chip.
11. The integrated circuit of claim 9, further comprising a network interface operatively coupled to the CPU to handle network data path processing, wherein the CPU is to control path initialization and exception processing.
12. The integrated circuit of claim 9, wherein the one or more computer programs comprises at least one a host operating system (OS), an application, a guest operating system, or a guest application.
13. The integrated circuit of claim 9, wherein: the hardware-accelerated security service is to obtain a series of snapshots of the data stored in the physical memory, each snapshot representing the data at a point in time; the ML detection system comprises: feature extraction logic to extract a set of features from different memory plugins from each snapshot of the series of snapshots; and a random-forest classification model, wherein the random-forest classification model is a time-series-based model trained to classify a process as ransomware or non-ransomware using cascading of different numbers of snapshots in the series of snapshots.
14. The integrated circuit of claim 13, wherein the cascading of different numbers of snapshots in the series of snapshots comprises: a first number of snapshots obtained over a first amount of time; a second number of snapshots obtained over a second amount of time greater than the first amount of time, the second number of snapshots comprising the first number of snapshots; and a third number of snapshots obtained over a third amount of time greater than the second amount of time, the third number of snapshots comprising the second number of snapshots.
15. The integrated circuit of claim 9, wherein the one or more computer programs reside in a first computing domain, wherein the hardware-accelerated security service and the ML detection system reside in a second computing domain different than the first computing domain.
16. The integrated circuit of claim 9, wherein the hardware-accelerated security service is out-of-band security software in a trusted domain that is different and isolated from the ransomware.
17. The integrated circuit of claim 9, further comprising a direct memory access (DMA) controller coupled to the host interface, wherein the DMA controller is to read the data from the physical memory via the host interface.
18. The integrated circuit of claim 17, wherein the host interface is a Peripheral Component Interconnect Express (PCIe) interface.
19. A computing system comprising: a data processing unit (DPU) comprising a host interface, a central processing unit (CPU), and an acceleration hardware engin
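The cascading of snapshots recited in claims 3 and 14, sketched as an added example (not code from the patent or its assignee): nested windows are cut from one process's snapshot series and each is flattened into a feature vector for a per-stage classifier. The window sizes (3, 5, 10), the use of per-plugin object counts, and the mean/change features are assumptions; the claims state only that each larger window contains the smaller one and name the plugins.

```python
from statistics import mean

# Plugin names from claim 8, lower-cased; one count per plugin per snapshot (assumed).
PLUGINS = ("ldrmodules", "vadinfo", "handles", "threadlist", "envars")
# Assumed cascade sizes; the claims only require nested, growing windows.
CASCADE = (3, 5, 10)

def cascade_windows(snapshots, sizes=CASCADE):
    """Return nested prefixes of the series, one per stage that already has
    enough snapshots, so every larger window contains the smaller ones."""
    if list(sizes) != sorted(set(sizes)):
        raise ValueError("cascade sizes must be strictly increasing")
    return [snapshots[:n] for n in sizes if len(snapshots) >= n]

def window_features(window):
    """Flatten one window into a fixed-order vector: for each plugin,
    the mean count and the last-minus-first change across the window."""
    vec = []
    for plugin in PLUGINS:
        counts = [snap[plugin] for snap in window]
        vec += [mean(counts), counts[-1] - counts[0]]
    return vec

def cascade_features(snapshots, sizes=CASCADE):
    """Map window size -> feature vector, one entry per available stage.
    An early stage can be scored before the later windows have filled."""
    return {len(w): window_features(w) for w in cascade_windows(snapshots, sizes)}

# Constructed sample: six snapshots of one process whose handle and thread
# counts grow steadily (illustrative values, not measurements).
SAMPLE = [
    {"ldrmodules": 40, "vadinfo": 120, "handles": 300 + 50 * i,
     "threadlist": 8 + i, "envars": 30}
    for i in range(6)
]

if __name__ == "__main__":
    for size, vec in cascade_features(SAMPLE).items():
        print(size, vec)
```

With six snapshots only the 3- and 5-snapshot stages are produced; the 10-snapshot stage appears once the series is long enough.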
Ensemble learning · CPC title
Test or assess a computer or a system · CPC title
Convolutional networks [CNN, ConvNet] · CPC title
characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU] · CPC title
Virus type analysis · CPC title