使用基于缓冲区的签名验证方法保护共享文件,防止未经授权的加密

IF 3.8 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Arash Mahboubi , Seyit Camtepe , Keyvan Ansari , Marcin Pawłowski , Paweł Morawiecki , Hamed Aboutorab , Josef Pieprzyk , Jarek Duda
{"title":"使用基于缓冲区的签名验证方法保护共享文件,防止未经授权的加密","authors":"Arash Mahboubi ,&nbsp;Seyit Camtepe ,&nbsp;Keyvan Ansari ,&nbsp;Marcin Pawłowski ,&nbsp;Paweł Morawiecki ,&nbsp;Hamed Aboutorab ,&nbsp;Josef Pieprzyk ,&nbsp;Jarek Duda","doi":"10.1016/j.jisa.2024.103873","DOIUrl":null,"url":null,"abstract":"<div><p>Understanding the attributes of critical data and implementing suitable security measures help organisations bolster their data-protection strategies and diminish the potential impacts of ransomware incidents. Unauthorised extraction and acquisition of data are the principal objectives of most cyber invasions. We underscore the severity of this issue using a recent attack by the Clop ransomware group, which exploited the MOVEit Transfer vulnerability and bypassed network-detection mechanisms to exfiltrate data via a Command and Control server. As a countermeasure, we propose a method called Buffer-Based Signature Verification (BBSV). This approach involves embedding 32-byte tags into files prior to their storage in the cloud, thus offering enhanced data protection. The BBSV method can be integrated into software like MOVEit Secure Managed File Transfer, thereby thwarting attempts by ransomware to exfiltrate data. Empirically tested using a BBSV prototype, our approach was able to successfully halt the encryption process for 80 ransomware instances from 70 ransomware families. BBSV not only stops the encryption but also prevents data exfiltration when data are moved or written from the original location by adversaries. We further develop a hypothetical exploit scenario in which an adversary manages to bypass the BBSV, illicitly transmits data to a Command and Control server, and then removes files from the original location. We construct an extended state space, in which each state represents a tuple that integrates user authentication and system components at the filesystem level.</p></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"86 ","pages":"Article 103873"},"PeriodicalIF":3.8000,"publicationDate":"2024-09-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2214212624001753/pdfft?md5=68d74f2ecd64919a7bca1979c6adbfbd&pid=1-s2.0-S2214212624001753-main.pdf","citationCount":"0","resultStr":"{\"title\":\"Shared file protection against unauthorised encryption using a Buffer-Based Signature Verification Method\",\"authors\":\"Arash Mahboubi ,&nbsp;Seyit Camtepe ,&nbsp;Keyvan Ansari ,&nbsp;Marcin Pawłowski ,&nbsp;Paweł Morawiecki ,&nbsp;Hamed Aboutorab ,&nbsp;Josef Pieprzyk ,&nbsp;Jarek Duda\",\"doi\":\"10.1016/j.jisa.2024.103873\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>Understanding the attributes of critical data and implementing suitable security measures help organisations bolster their data-protection strategies and diminish the potential impacts of ransomware incidents. Unauthorised extraction and acquisition of data are the principal objectives of most cyber invasions. We underscore the severity of this issue using a recent attack by the Clop ransomware group, which exploited the MOVEit Transfer vulnerability and bypassed network-detection mechanisms to exfiltrate data via a Command and Control server. As a countermeasure, we propose a method called Buffer-Based Signature Verification (BBSV). This approach involves embedding 32-byte tags into files prior to their storage in the cloud, thus offering enhanced data protection. The BBSV method can be integrated into software like MOVEit Secure Managed File Transfer, thereby thwarting attempts by ransomware to exfiltrate data. Empirically tested using a BBSV prototype, our approach was able to successfully halt the encryption process for 80 ransomware instances from 70 ransomware families. BBSV not only stops the encryption but also prevents data exfiltration when data are moved or written from the original location by adversaries. We further develop a hypothetical exploit scenario in which an adversary manages to bypass the BBSV, illicitly transmits data to a Command and Control server, and then removes files from the original location. We construct an extended state space, in which each state represents a tuple that integrates user authentication and system components at the filesystem level.</p></div>\",\"PeriodicalId\":48638,\"journal\":{\"name\":\"Journal of Information Security and Applications\",\"volume\":\"86 \",\"pages\":\"Article 103873\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2024-09-09\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://www.sciencedirect.com/science/article/pii/S2214212624001753/pdfft?md5=68d74f2ecd64919a7bca1979c6adbfbd&pid=1-s2.0-S2214212624001753-main.pdf\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information Security and Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2214212624001753\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624001753","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

了解关键数据的属性并实施适当的安全措施,有助于组织加强数据保护战略,降低勒索软件事件的潜在影响。未经授权提取和获取数据是大多数网络入侵的主要目的。我们通过 Clop 勒索软件组织最近的一次攻击强调了这一问题的严重性,该组织利用 MOVEit Transfer 漏洞,绕过网络检测机制,通过指挥和控制服务器外泄数据。作为对策,我们提出了一种名为 "基于缓冲区的签名验证"(BBSV)的方法。这种方法是在文件存储到云之前将 32 字节标签嵌入文件,从而提供更强的数据保护。BBSV 方法可以集成到 MOVEit 安全托管文件传输等软件中,从而挫败勒索软件外泄数据的企图。通过使用 BBSV 原型进行经验测试,我们的方法能够成功阻止来自 70 个勒索软件家族的 80 个勒索软件实例的加密过程。BBSV 不仅能阻止加密,还能在数据被对手从原始位置移动或写入时防止数据外泄。我们进一步开发了一种假想的利用场景,即对手设法绕过 BBSV,非法将数据传输到指挥与控制服务器,然后从原始位置删除文件。我们构建了一个扩展的状态空间,其中每个状态都代表一个元组,在文件系统层面集成了用户验证和系统组件。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Shared file protection against unauthorised encryption using a Buffer-Based Signature Verification Method

Understanding the attributes of critical data and implementing suitable security measures help organisations bolster their data-protection strategies and diminish the potential impacts of ransomware incidents. Unauthorised extraction and acquisition of data are the principal objectives of most cyber invasions. We underscore the severity of this issue using a recent attack by the Clop ransomware group, which exploited the MOVEit Transfer vulnerability and bypassed network-detection mechanisms to exfiltrate data via a Command and Control server. As a countermeasure, we propose a method called Buffer-Based Signature Verification (BBSV). This approach involves embedding 32-byte tags into files prior to their storage in the cloud, thus offering enhanced data protection. The BBSV method can be integrated into software like MOVEit Secure Managed File Transfer, thereby thwarting attempts by ransomware to exfiltrate data. Empirically tested using a BBSV prototype, our approach was able to successfully halt the encryption process for 80 ransomware instances from 70 ransomware families. BBSV not only stops the encryption but also prevents data exfiltration when data are moved or written from the original location by adversaries. We further develop a hypothetical exploit scenario in which an adversary manages to bypass the BBSV, illicitly transmits data to a Command and Control server, and then removes files from the original location. We construct an extended state space, in which each state represents a tuple that integrates user authentication and system components at the filesystem level.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Journal of Information Security and Applications
Journal of Information Security and Applications Computer Science-Computer Networks and Communications
CiteScore
10.90
自引率
5.40%
发文量
206
审稿时长
56 days
期刊介绍: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信