ShieldFS: a self-healing, ransomware-aware filesystem

Proceedings of the 32nd Annual Conference on Computer Security Applications Pub Date : 2016-12-05 DOI:10.1145/2991079.2991110

Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, S. Zanero, F. Maggi

{"title":"ShieldFS: a self-healing, ransomware-aware filesystem","authors":"Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, S. Zanero, F. Maggi","doi":"10.1145/2991079.2991110","DOIUrl":null,"url":null,"abstract":"Preventive and reactive security measures can only partially mitigate the damage caused by modern ransomware attacks. Indeed, the remarkable amount of illicit profit and the cyber-criminals' increasing interest in ransomware schemes suggest that a fair number of users are actually paying the ransoms. Unfortunately, pure-detection approaches (e.g., based on analysis sandboxes or pipelines) are not sufficient nowadays, because often we do not have the luxury of being able to isolate a sample to analyze, and when this happens it is already too late for several users! We believe that a forward-looking solution is to equip modern operating systems with practical self-healing capabilities against this serious threat. Towards such a vision, we propose ShieldFS, an add-on driver that makes the Windows native filesystem immune to ransomware attacks. For each running process, ShieldFS dynamically toggles a protection layer that acts as a copy-on-write mechanism, according to the outcome of its detection component. Internally, ShieldFS monitors the low-level filesystem activity to update a set of adaptive models that profile the system activity over time. Whenever one or more processes violate these models, their operations are deemed malicious and the side effects on the filesystem are transparently rolled back. We designed ShieldFS after an analysis of billions of low-level, I/O filesystem requests generated by thousands of benign applications, which we collected from clean machines in use by real users for about one month. This is the first measurement on the filesystem activity of a large set of benign applications in real working conditions. We evaluated ShieldFS in real-world working conditions on real, personal machines, against samples from state of the art ransomware families. ShieldFS was able to detect the malicious activity at runtime and transparently recover all the original files. Although the models can be tuned to fit various filesystem usage profiles, our results show that our initial tuning yields high accuracy even on unseen samples and variants.","PeriodicalId":419419,"journal":{"name":"Proceedings of the 32nd Annual Conference on Computer Security Applications","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"228","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 32nd Annual Conference on Computer Security Applications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2991079.2991110","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 228

Abstract

Preventive and reactive security measures can only partially mitigate the damage caused by modern ransomware attacks. Indeed, the remarkable amount of illicit profit and the cyber-criminals' increasing interest in ransomware schemes suggest that a fair number of users are actually paying the ransoms. Unfortunately, pure-detection approaches (e.g., based on analysis sandboxes or pipelines) are not sufficient nowadays, because often we do not have the luxury of being able to isolate a sample to analyze, and when this happens it is already too late for several users! We believe that a forward-looking solution is to equip modern operating systems with practical self-healing capabilities against this serious threat. Towards such a vision, we propose ShieldFS, an add-on driver that makes the Windows native filesystem immune to ransomware attacks. For each running process, ShieldFS dynamically toggles a protection layer that acts as a copy-on-write mechanism, according to the outcome of its detection component. Internally, ShieldFS monitors the low-level filesystem activity to update a set of adaptive models that profile the system activity over time. Whenever one or more processes violate these models, their operations are deemed malicious and the side effects on the filesystem are transparently rolled back. We designed ShieldFS after an analysis of billions of low-level, I/O filesystem requests generated by thousands of benign applications, which we collected from clean machines in use by real users for about one month. This is the first measurement on the filesystem activity of a large set of benign applications in real working conditions. We evaluated ShieldFS in real-world working conditions on real, personal machines, against samples from state of the art ransomware families. ShieldFS was able to detect the malicious activity at runtime and transparently recover all the original files. Although the models can be tuned to fit various filesystem usage profiles, our results show that our initial tuning yields high accuracy even on unseen samples and variants.

查看原文本刊更多论文

ShieldFS:一个自我修复的、能感知勒索软件的文件系统

预防性和反应性安全措施只能部分减轻现代勒索软件攻击造成的损害。事实上，数额惊人的非法利润和网络犯罪分子对勒索软件的兴趣日益浓厚表明，有相当数量的用户实际上支付了赎金。不幸的是，纯粹的检测方法(例如，基于分析沙箱或管道)现在是不够的，因为我们经常没有能够分离样本进行分析的奢侈，当这种情况发生时，对几个用户来说已经太晚了!我们认为，一个前瞻性的解决办法是为现代操作系统配备针对这一严重威胁的实际自我修复能力。为了实现这样的愿景，我们提出了ShieldFS，这是一个附加驱动程序，可以使Windows本地文件系统免受勒索软件攻击。对于每个正在运行的进程，ShieldFS根据其检测组件的结果动态地切换充当写时复制机制的保护层。在内部，ShieldFS监视低级文件系统活动，以更新一组自适应模型，这些模型随时间对系统活动进行分析。每当一个或多个进程违反这些模型时，它们的操作就被认为是恶意的，对文件系统的副作用就会被透明地回滚。在对数千个良性应用程序生成的数十亿个低级I/O文件系统请求进行分析之后，我们设计了ShieldFS，这些请求是我们从真实用户使用了大约一个月的干净机器中收集的。这是在实际工作条件下对大量良性应用程序的文件系统活动进行的第一次测量。我们在真实的个人机器上对真实的工作条件下的ShieldFS进行了评估，对比了来自最先进勒索软件家族的样本。ShieldFS能够在运行时检测到恶意活动，并透明地恢复所有原始文件。尽管可以对模型进行调优以适应不同的文件系统使用配置文件，但我们的结果表明，即使在未见过的样本和变体上，我们的初始调优也会产生很高的准确性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 32nd Annual Conference on Computer Security Applications

自引率

0.00%

发文量