Combating Ransomware using Content Analysis and Complex File Events

May, Michael J.; Laron, Etamar

doi:10.1109/ntms.2019.8763851

Cited by 17 publications

(20 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These algorithms are trained on vast datasets to accurately distinguish between normal operations and potential ransomware threats [17], [24], [25]. In addition to machine learning, heuristic analysis has been pivotal in this area [26], [27]. This method hinges on monitoring distinctive ransomware traits, such as the rapidity of file encryption, which serves as a telltale sign of such an attack [28], [19].…”

Section: A Ransomware Detectionmentioning

confidence: 99%

“…Technically, the development of endpoint security solutions, which integrate state-of-the-art threat prevention capabilities, play an instrumental role in thwarting the execution of ransomware attacks [9], [20], [36]. These solutions are adept at identifying and neutralizing potential threats before they can inflict damage [5], [10], [27]. Email filtering technologies have also been a cornerstone in these preventive measures, effectively screening for phishing attempts, which are frequently employed as a conduit for ransomware delivery [37], [22].…”

Section: B Ransomware Preventionmentioning

confidence: 99%

See 1 more Smart Citation

NTFS+: An Enhanced NTFS File System Against Ransomware Invasions

Gu,

Kang

2023

Preprint

View full text Add to dashboard Cite

Ransomware poses a significant threat to digital security, evolving rapidly with sophisticated encryption and data exfiltration tactics. This study introduces NTFS+, an enhanced version of the New Technology File System (NTFS), designed to combat these emerging ransomware threats. NTFS+ integrates machine learning, specifically Generative Adversarial Networks, to detect abnormal file system activities indicative of ransomware attacks. The system's core architecture features minifilter drivers that analyze file access patterns in real-time, enabling proactive response to potential threats. Evaluation of NTFS+ demonstrates its efficacy in accurately distinguishing between benign and ransomware activities, with a focus on minimizing false positives and negatives. Despite its effectiveness, challenges such as zero-day ransomware attacks highlight areas for future improvement, including enhanced learning capabilities and cloud integration. NTFS+ represents a significant advancement in file system-based ransomware mitigation, offering a scalable, adaptable, and robust solution for modern cybersecurity needs.

show abstract

Section: A Ransomware Detectionmentioning

confidence: 99%

Section: B Ransomware Preventionmentioning

confidence: 99%

NTFS+: An Enhanced NTFS File System Against Ransomware Invasions

Gu,

Kang

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Features extraction is one of the most important aspects in Machine Learning. As we mentioned above, Kyungroul Lee et al [7] proposed an Entropy Based Detection Method (EBDM for short) which is one useful method of evaluating the performance of cipher text generated from cryptography. They used three different types of entropy measures: Shannon entropy (1), the most common entropy (2), Ré nyi entropy with α = 2 (collision entropy) (3) and compression estimate.…”

Section: B Features Extractionmentioning

confidence: 99%

“…[6] explain on recovering the original file from the backup system by detecting ransomware infected files. Content analysis by using complex events and consider the file lifecycle for combating ransomware is discussed [7].This paper starts from the observation of the status of the file itself and uses a variety of different formats of normal files and infected files. The files infected by the ransomware are mixed as a data set, and the machine learning model is trained through SVM to detect whether the files are maliciously encrypted so that the system has sufficient time to back up or block the service, and remediate the user's files to minimize the damage.…”

Section: Introductionmentioning

confidence: 99%

Enhancing File Entropy Analysis to Improve Machine Learning Detection Rate of Ransomware

et al. 2021

View full text Add to dashboard Cite

Cybersecurity is the biggest threat in the world. More and more people are used to storing personal data on a computer and transmitting it through the Internet. Cybersecurity will be an important issue that everyone continues to pay attention to. One of the most serious problems recently is the prevalence of ransomware, especially crypto-ransomware. Unlike ordinary attacks, crypto-ransomware does not control the victim's computer and steal important data. It focuses on encrypting all data and asking victims to provide ransom to decrypt the data. Currently, many studies focus on various aspects of ransomware, including filebased, behavior-based, and network-based ransomware detection method, and use machine learning to build detection models. In addition to the above research, we found that attackers have begun to develop a new method to encrypt data. It will not only increase the speed of data encryption but also reduce the detection rate in the existing detection system. In any case, we are still facing ransomware dangers, as it is hard to recognize and forestall ransomware executing obscure malicious programs. In other words, user data will be sabotaged as soon as the computer cannot detect the ransomware. To solve the problem, detecting files instead of detecting the executable program might be helpful to establish the backup system immediately before ransomware encrypts all of the user files. We analyze the 22 formats of the encrypted files, extract the specific features and use the Support Vector Machine to distinguish between encrypted and unencrypted files. Conducted analysis results confirm that our method has high performance and can maintain the detection rate of 85.17% (where the detection rate of SVM kernel Trick (Poly) exceeds 92%).

show abstract

“…May and Laron 12 proposed two techniques to combact ransomware by monitoring suspicious modifications on files. They considered two techniques for it, one is file lifecycle and another is use of content analysis.…”

Section: Host-basedmentioning

confidence: 99%

File integrity monitoring tools: Issues, challenges, and solutions

Peddoju

Upadhyay

Lagos

2020

Concurrency and Computation

View full text Add to dashboard Cite

Ensuring integrity of sensitive files in file systems is imperative to computer systems. The vast majority of attacks work through unapproved or unauthorized access to sensitive files to take secret data like secret keys, passwords, credit card numbers, and so on. After that, attackers generally conceal their traces by subverting critical files like system logs. File system integrity monitoring is a well-known way to deal with ensuring integrity of sensitive and critical files. The file system is at the heart of any computing system as it stores the data and executable programs. Malicious users or malwares might change the content of a sensitive data file or insert malicious payload in an executable. Hence, monitoring the integrity of the files in the file system is of utmost importance. Significant research work has been done on file integrity monitoring tools. This article presents the currently available tools for file integrity monitoring and their underlying approaches. K E Y W O R D S file integrity monitoring, malware, security, tools, virtualization 1 INTRODUCTION Every modern operating system is backed by a nonvolatile storage system which stores kernel and program executables and other data files including program logs, configurations, and user defined data. Integrity of these files is important for the seamless operation of a system or business. A malicious attacker can modify the content of a file to perform various malicious activities. For example, corrupting a database configuration could result in failure of a database server. Injecting malicious code in an executable could cause erratic behavior during execution. This kind of malicious activities has already been reported by many users. 1 Furthermore, current rapid progression of ransomwares 2 is compromising integrity of sensitive data in large scale. Many business owners, including large private/public organizations, have paid thousands of dollars as ransom. 3 A secured software solution can be useful for early detection of irregular file modification. File Integrity Monitoring (FIM) is an internal control or procedure that performs and demonstrates integrity of files related to the operating system and application software. It compares and verifies the current state and baseline of files. This examination technique regularly includes computing a known cryptographic checksum of the file's original baseline and contrasting that with the present condition of the file. There should be a check on other attributes such as file size, version, modified by, creation date, modified date, IO operations, and cache operations of file to maintain or observe integrity of file. Apart from this, we should also check credentials, privileges and security settings, hash values, and configuration values. Traditionally, file integrity tools (FITs) are used to detect unauthorized file operations in a system. FITs are some software that can monitor file access in a system and trigger appropriate warnings. Much research has been done on file monitoring tools, which di...

show abstract

Combating Ransomware using Content Analysis and Complex File Events

Cited by 17 publications

References 7 publications

NTFS+: An Enhanced NTFS File System Against Ransomware Invasions

NTFS+: An Enhanced NTFS File System Against Ransomware Invasions

Enhancing File Entropy Analysis to Improve Machine Learning Detection Rate of Ransomware

File integrity monitoring tools: Issues, challenges, and solutions

Contact Info

Product

Resources

About