LARM: Linux Anti Ransomware Monitor

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-10-10 DOI:10.1016/j.cose.2025.104700

P. Mohan Anand , P.V. Sai Charan , Hrushikesh Chunduri , Sandeep Kumar Shukla

{"title":"LARM: Linux Anti Ransomware Monitor","authors":"P. Mohan Anand , P.V. Sai Charan , Hrushikesh Chunduri , Sandeep Kumar Shukla","doi":"10.1016/j.cose.2025.104700","DOIUrl":null,"url":null,"abstract":"<div><div>As Linux becomes more prevalent across servers, desktops, and cloud infrastructures, ransomware groups increasingly focus on targeting Linux-based systems, particularly those running on widely deployed x86 architectures. However, research on real-time, lightweight ransomware detection for Linux systems remains limited. The existing approaches, based on file backups, trap or decoy files, and file I/O behavior monitoring, are found to be ineffective against multithreaded ransomware variants, often leading to delayed detection and false positives. In this work, we introduce LARM (Linux Anti-Ransomware Monitor), a lightweight, real-time detection tool tailored for Linux systems with <span>x86_64</span> architecture. LARM employs a file trap monitoring module that operates at the kernel level using eBPF (extended Berkeley Packet Filter) to detect real-time ransomware activity. LARM dynamically selects trap files for monitoring through a non-parametric clustering approach of Affinity Propagation, combined with the encryption order heuristics observed in ransomware behavior. Since sole reliance on trap file monitoring may result in false positives, LARM integrates a secondary profiling mechanism that analyzes pre-encryption ransomware activity in real-time. We evaluated LARM against 14 modern Linux ransomware families, including multithreaded versions of Avos Locker and Babuk. The evaluation results demonstrate an average detection delay of 1,240 ms and a file loss rate of 0.46%, highlighting the effectiveness of LARM in early detection and mitigation of ransomware in Linux systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104700"},"PeriodicalIF":5.4000,"publicationDate":"2025-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S016740482500389X","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

As Linux becomes more prevalent across servers, desktops, and cloud infrastructures, ransomware groups increasingly focus on targeting Linux-based systems, particularly those running on widely deployed x86 architectures. However, research on real-time, lightweight ransomware detection for Linux systems remains limited. The existing approaches, based on file backups, trap or decoy files, and file I/O behavior monitoring, are found to be ineffective against multithreaded ransomware variants, often leading to delayed detection and false positives. In this work, we introduce LARM (Linux Anti-Ransomware Monitor), a lightweight, real-time detection tool tailored for Linux systems with x86_64 architecture. LARM employs a file trap monitoring module that operates at the kernel level using eBPF (extended Berkeley Packet Filter) to detect real-time ransomware activity. LARM dynamically selects trap files for monitoring through a non-parametric clustering approach of Affinity Propagation, combined with the encryption order heuristics observed in ransomware behavior. Since sole reliance on trap file monitoring may result in false positives, LARM integrates a secondary profiling mechanism that analyzes pre-encryption ransomware activity in real-time. We evaluated LARM against 14 modern Linux ransomware families, including multithreaded versions of Avos Locker and Babuk. The evaluation results demonstrate an average detection delay of 1,240 ms and a file loss rate of 0.46%, highlighting the effectiveness of LARM in early detection and mitigation of ransomware in Linux systems.

查看原文本刊更多论文

LARM: Linux反勒索软件监控

随着Linux在服务器、桌面和云基础设施中变得越来越普遍，勒索软件组织越来越关注基于Linux的系统，特别是那些在广泛部署的x86架构上运行的系统。然而，针对Linux系统的实时、轻量级勒索软件检测的研究仍然有限。现有的基于文件备份、陷阱或诱饵文件以及文件I/O行为监控的方法被发现对多线程勒索软件变体无效，经常导致延迟检测和误报。在这项工作中，我们介绍了LARM (Linux Anti-Ransomware Monitor)，这是一个为x86_64架构的Linux系统量身定制的轻量级实时检测工具。LARM采用一个文件陷阱监控模块，该模块在内核级别使用eBPF（扩展伯克利包过滤器）来检测实时勒索软件活动。LARM通过亲和传播的非参数聚类方法，结合在勒索软件行为中观察到的加密顺序启发式，动态地选择陷阱文件进行监控。由于仅仅依赖于陷阱文件监控可能会导致误报，因此LARM集成了二级分析机制，可以实时分析加密前的勒索软件活动。我们针对14个现代Linux勒索软件家族对LARM进行了评估，其中包括Avos Locker和Babuk的多线程版本。评估结果表明，平均检测延迟为1,240 ms，文件损失率为0.46%，突出了LARM在Linux系统中早期检测和缓解勒索软件的有效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.