GuardFS: A file system for integrated detection and mitigation of Linux-based ransomware

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2025-06-24 DOI:10.1016/j.jisa.2025.104078

Jan von der Assen , Chao Feng , Alberto Huertas Celdrán , Róbert Oleš , Gérôme Bovet , Burkhard Stiller

{"title":"GuardFS: A file system for integrated detection and mitigation of Linux-based ransomware","authors":"Jan von der Assen , Chao Feng , Alberto Huertas Celdrán , Róbert Oleš , Gérôme Bovet , Burkhard Stiller","doi":"10.1016/j.jisa.2025.104078","DOIUrl":null,"url":null,"abstract":"<div><div>Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored their detection using various approaches leveraging Machine and Deep Learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent and not just alert or halt its execution, especially when considering Linux-based samples. This paper presents <em>GuardFS</em>, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on <em>GuardFS</em> test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis demonstrate that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104078"},"PeriodicalIF":3.7000,"publicationDate":"2025-06-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625001152","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored their detection using various approaches leveraging Machine and Deep Learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent and not just alert or halt its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on GuardFS test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis demonstrate that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.

查看原文本刊更多论文

GuardFS：用于集成检测和缓解基于linux的勒索软件的文件系统

尽管勒索软件在媒体和研究中受到广泛关注，但这种不断发展的威胁媒介仍然构成系统性威胁。相关文献探讨了利用机器和深度学习的各种方法来检测它们。虽然这些方法在检测恶意软件方面是有效的，但它们并没有回答如何使用这种情报来抵御威胁，这引起了人们对它们在敌对环境中的适用性的担忧。专注于缓解的解决方案很少探索如何预防，而不仅仅是警告或停止其执行，特别是在考虑基于linux的示例时。本文提出了GuardFS，一种基于文件系统的方法来研究勒索软件检测和缓解的集成。使用定制的覆盖文件系统，在访问文件之前提取数据。在这些数据上训练的模型被三种新的防御配置所使用，这些配置可以混淆、延迟或跟踪对文件系统的访问。GuardFS上的实验是在反应设置下测试这些配置的。结果表明，虽然不能完全防止数据丢失，但可以显著减少数据丢失。可用性和性能分析表明，配置的防御有效性与它们对资源消耗和可用性的影响有关。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.