Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure

Palisse, Aurélien; Durand, Antoine; Bouder, Hélène Le; Guernic, Colas Le; Lanet, Jean‐Louis

doi:10.1007/978-3-319-70290-2_12

Cited by 33 publications

(47 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In order to achieve detection, some Data Source is required along with the Processing of this data. The data source used for a given detection technique may require access to Kernel Space (such as in Data Aware Defense [22]), User Space (such as in RAPPER [23]) or both (such as in UNVEIL [20]). Additionally, any results from the raw data sources or the data processing steps could optionally be fed into Machine Learning algorithms in order to detect subtle patterns in the data to build models to distinguish between benign and malicious behaviour (as in ShieldFS [19]).…”

Section: Related Workmentioning

confidence: 99%

A Roadmap for Improving the Impact of Anti-ransomware Research

Pont

Oun

Brierley

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Section: Related Workmentioning

confidence: 99%

A Roadmap for Improving the Impact of Anti-ransomware Research

Pont

Oun

Brierley

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…This paper improves our first countermeasure presented in [1], which targets crypto-ransomware. The main idea is that encrypted data is indistinguishable from perfectly random data.…”

Section: Introductionmentioning

confidence: 73%

Discriminating Unknown Software Using Distance Model

Bouder¹,

Lanet²

2019

2019 International Conference on Advanced Computer Science and Information Systems (ICACSIS)

Self Cite

View full text Add to dashboard Cite

Crypto-ransomware is a class of malware that encrypt their victim's data and only return the decryption key in exchange for a ransom. In a previous work, we have yet designed a solution able to detect any ciphering of files using statistical estimator. Once detected, a pop up requests the user to verify if that operation is allowed on not. To improve our tool, automation is needed. In this paper, an anomaly detection mechanism to determine if a suspected group of threads is an authorized cryptographic software or a malicious code is presented. The effectiveness of our solution to correctly distinguish between valid programs and ransomware is evaluated using a string analysis. The tf-idf metric is used to choose the most pertinent features. The distance of a candidate software with a vector representing the allowed cryptographic software is measured. If the distance exceeds a threshold, the suspected process is flagged as a ransomware. We have evaluated our approach with the samples provided by open databases and executed on our bare metal platform.

show abstract

“…A high detection rate was achieved by their solution: 99.95%. A similar approach is used by Palisse et al, however, using the goodness-of-fit test to distinguish between encrypted and non encrypted files achieving 99.3% true positive rate [30].…”

Section: Host Based Ransomware Detectionmentioning

confidence: 99%

Ransomware Network Traffic Analysis for Pre-encryption Alert

Moussaileb

Cuppens

Lanet³

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Cyber Security researchers are in an ongoing battle against ransomware attacks. Some exploits begin with social engineering methods to install payloads on victims' computers, followed by a communication with command and control servers for data exchange. To scale down these attacks, scientists should shed light on the danger of those rising intrusions to prevent permanent data loss. To join this arm race against malware, we propose in this paper an analysis of various ransomware families based on the collected system and network logs from a computer. We delve into malicious network traffic generated by these samples to perform a packet level detection. Our goal is to reconstruct ransomware's full activity to check if its network communication is distinguishable from benign traffic. Then, we examine if the first packet sent occurs before data's encryption to alert the administrators or afterwards. We aim to define the first occurrence of the alert raised by malicious network traffic and where it takes place in a ransomware workflow. Logs collected are available at http://serveur2.seres.rennes.telecom-bretagne.eu/data/RansomwareData/.

show abstract

Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure

Cited by 33 publications

References 9 publications

A Roadmap for Improving the Impact of Anti-ransomware Research

A Roadmap for Improving the Impact of Anti-ransomware Research

Discriminating Unknown Software Using Distance Model

Ransomware Network Traffic Analysis for Pre-encryption Alert

Contact Info

Product

Resources

About