real time protection against
play

Real-time Protection Against Ransomware at End-Hosts Written By - PowerPoint PPT Presentation

Oct 18, 2023 •47 likes •527 views

Redemption: Real-time Protection Against Ransomware at End-Hosts Written By Amin Kharraz and Engin Kirda RAJSHAKHAR PAUL Outlines Introduction Existing works Contribution Threat Model Design Overview Evaluation

  1. Redemption: Real-time Protection Against Ransomware at End-Hosts Written By Amin Kharraz and Engin Kirda RAJSHAKHAR PAUL

  2. Outlines  Introduction  Existing works  Contribution  Threat Model  Design Overview  Evaluation  Limitations

  3. Outlines  Introduction  Existing works  Contribution  Threat Model  Design Overview  Evaluation  Limitations

  4. Introduction Ransomware  What is Ransomware? - A type of malware that prevents users from accessing their data by encrypting those and demands ransom payment in order to regain access. - The earliest versions of ransomware were developed in the late 1980s - Attackers generally order the payment via cryptocurrency

  5. Ransomware  One of the biggest security threats of current era  Hospitals and healthcare industries are mainly affected

  6. Data Retrieval How can I get back my data?

  7. Data Retrieval How can I get back my data?  Easiest solution: creating back up of important data  If system is compromised by ransomware, retrieve data from back up

  8. Data Retrieval I don’t have any back up of my data  How can I retrieve??

  9. Data Retrieval  Law enforcement agencies and security firms have launched program to assist ransomware victim in retrieving their data without paying ransom  Used reverse analysis of the cryptosystems used by malware to extract secret keys  Tried to find design flaws of encryption system  Work for weak cryptography But the attackers are smart and use strong cryptography

  10. Prevention How can I prevent this?

  11. Prevention How can I prevent this?  The authors introduce Redemption  An endpoint approach to defend against unknown ransomware attack and recover lost data  Two main approaches: ◦ An abstract characterization of the behavior of the ransomware attacks ◦ Employs a high-performance mechanism to protect and restore all attacked files

  12. Outlines  Introduction  Existing works  Contribution  Threat Model  Design Overview  Evaluation  Limitations

  13. Existing Works UNVEIL  Proposed by Kharraz et al. at 2016  A dynamic analysis system  Specifically designed to assist reverse engineers to analyze the intrinsic behavior of an arbitrary ransomware sample  Not an end-point solution  No real end-user interaction was involved in their test

  14. Existing Works CryptoDrop  Proposed by Scaife et al. at 2016  The approach is able to detect a ransomware attack after a median of ten file losses  Main limitation: the tool does not provide any recovery or minimal data loss guarantees

  15. Existing Works ShieldFS  Proposed by Continella et al. at 2016  Similar goal to Redemption  The authors look into file system layer to find typical ransomware activity  Rely on cryptographic primitive identification  Limitation: not resistant to unknown cryptographic function  Relying on cryptographic primitive identification can result false positive.

  16. Existing Works PayBreak  Proposed by Kolodenker et al. at 2017  Securely stores cryptographic encryption keys in a key vault that is used to decrypt affected files after a ransomware attack  Intercepts calls to functions that provide cryptographic operations, encrypts symmetric encryption keys, and stores the results in the key vault  After a ransomware attack, the user can decrypt the key vault with his private key and decrypt the files without making any payment  Pros: imposes negligible overhead  Cons: like ShieldFS, it depends on identifying functions that implement cryptographic primitives

  17. Outlines  Introduction  Existing works  Contribution  Threat Model  Design Overview  Evaluation  Limitations

  18. Contribution  Presents a general approach to defend unknown ransomware attacks in a transperant manner.  Shows that efficient ransomware protection with zero data loss is possible  Presents a prototype implementation for Windows, and evaluate it with real users to show that the system is able to protect user files during an unknown ransomware attack imposing no observable overhead

  19. Outlines  Introduction  Existing works  Contribution  Threat Model  Design Overview  Evaluation  Limitations

  20. Threat Model Assumptions:  Ransomware can employ any standard, popular techniques to attack machines like other types of malware.  The malicious process can employ any techniques to generate the encryption key, use arbitrary encryption key lengths, or utilize any customized or standard cryptosystems to lock the files  A user can install and run programs from arbitrary untrusted sources, and therefore, that malicious code can execute with the privileges of the user  Trusted components: Display module, OS kernel, and underlying software and hardware

  21. Outlines  Introduction  Existing works  Contribution  Threat Model  Design Overview  Evaluation  Limitations

  22. Design Overview Redemption has two main components 1. A lightweight kernel module - intercepts process interactions and stores the event - manages the changes in a protected area 2. Behavioral monitor and notification module - assigns a malice score to a process - notify the user about the potential malicious behavior of a process

  23. Design Overview

  24. Design Overview  In standard system, the request would succeed if the corresponding file exists, and as long as the process holds the permission  Redemption introduces some changes

  25. Design Overview 1. Redemption receives the request A from the application X to access the file F at the time t

  26. Design Overview 2. If the requests access with write or delete privilege to the file F , and the file F resides in a user defined path, the Redemption’s monitor is called

  27. Design Overview 3. Redemption creates a corresponding file in the protected area, called reflected file, and handles the write requests. These changes are periodically flushed to the storage to ensure that they are physically available on the disk

  28. Design Overview 4. The malice score of the process is updated, and is compared to a pre-configured threshold α

  29. Design Overview 5. The Redemption monitor sends a notification to the display monitor to alert the user depending on the calculated malice score

  30. Design Overview 6. A success/failure notification is generated, and is sent to the system service manager

  31. Detection Approach Malice Score  The malice score of a process represents the risk that the process exhibits ransomware behavior  It determines whether the Redemption monitor should allow the process to access the file, or notify the user

  32. Malice Score Calculation Two features to be considered 1. Content-based features - i.e., changes in the content of each file 2. Behavior-based features - i.e., cross-file behavior of a process

  33. Content-based Features Entropy Ratio of Data Blocks  For every read and write request to a file, Redemption computes the entropy of the corresponding data buffer.  Comparing the entropy of read and write request serves an excellent indicator of ransomware behavior because of the popular strategy of reading in the original file data, encrypting it, and writing the encrypted version

  34. Content-based Features File Content Overwrite  Malicious process overwrites the content of the user files with random data  The system increases the malice score of a process if the process requests write access to different parts of a file  A process is assigned a higher malice score if it overwrites all the content of the files

  35. Content-based Features Delete Operation  Generally ransomware generate an encrypted version of the file, and delete the original file  If a process requests to delete a file that belongs to the enduser, it receives a higher malice score

  36. Behavior-based Features Directory Traversal  During an attack, the malicious process often arbitrarily lists user files, and starts encrypting the files with an encryption key  A process receives a higher malice score if it is iterating over files in a given directory

  37. Behavior-based Features Converting to a Specific File Type  A process receives a higher malice score if it converts files of differing types and extensions to a single known or unknown file type

  38. Behavior-based Features Access Frequency  If a process frequently generates write requests to user files, the process would be given a higher malice score

  39. Malice Score Calculation  Recursive Feature Elimination (RFE) approach to determine the significance of each feature  In each step, a feature with the minimum weight was removed  The FP and TP rates were calculated by performing 10 fold cross-validation to quantify the contribution of each feature  The assigned weights are then used in the formula

  40. Implementation  The authors implemented the system for the Windows environment as Windows OS is the main target of current ransomware attacks

  41. Outlines  Introduction  Existing works  Contribution  Threat Model  Design Overview  Evaluation  Limitations

  42. Evaluation Data Collection - Collect 9432 ransomware samples from public repository - Collect benign applications from normal activities on Windows 7 machine

  43. Results The threshold value α = 0 . 12 gives the best detection and false positive rates (FP = 0.5%)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Real- Real -Time Systems Time Systems Real- -Time Systems Time Systems Real

Real- Real -Time Systems Time Systems Real- -Time Systems Time Systems Real

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #15 Updated 2009-03-03 Dependable Distributed Dependable Distributed Real- Real -Time Systems Time Systems Real- -Time Systems Time Systems Real Aircraft/automotive

501 views • 9 slides
RTOS Real-Time Operating Systems Chenyang Lu OS Support for Real-Time Real-Time OS

RTOS Real-Time Operating Systems Chenyang Lu OS Support for Real-Time Real-Time OS

RTOS Real-Time Operating Systems Chenyang Lu OS Support for Real-Time Real-Time OS Real-time extensions to general-purpose OS Chenyang Lu 2 RTOS: Features for Efficiency Small Minimal set of functionality Fast context switch

504 views • 16 slides
Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time

Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #10 Updated 2009-02-15 Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time system Logical function What should be done &

500 views • 8 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Real-time raise alerts Real-Time Real-time with historical Dashboard Correlate

Real-time raise alerts Real-Time Real-time with historical Dashboard Correlate

Real-time raise alerts Real-Time Real-time with historical Dashboard Correlate Engine + Fabric Offline Develop initial monitoring query Back-test Progressive Non-temporal analysis Interactive Query Authoring

383 views • 15 slides
A PRACTICAL GUIDE FOR USE OF REAL TIME DETECTION SYSTEMS FOR WORKER PROTECTION AND COMPLIANCE

A PRACTICAL GUIDE FOR USE OF REAL TIME DETECTION SYSTEMS FOR WORKER PROTECTION AND COMPLIANCE

A PRACTICAL GUIDE FOR USE OF REAL TIME DETECTION SYSTEMS FOR WORKER PROTECTION AND COMPLIANCE WITH OCCUPATIONAL EXPOSURE LIMITS DOE and DOE Contractors Industrial Hygiene Meeting In conjunction with the 2019 American Industrial Hygiene

726 views • 39 slides
Real-Time Operating system (RTOS) Real-time Embedded systems often have real-time computing

Real-Time Operating system (RTOS) Real-time Embedded systems often have real-time computing

Real-Time Operating system (RTOS) Real-time Embedded systems often have real-time computing constraints (Temporal) Determinism Correctness of system depends not only on the logical result of the computation, but also on the time at which

531 views • 13 slides
Real- Real -time systems time systems Real- Real -time programming time programming

Real- Real -time systems time systems Real- Real -time programming time programming

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #2 Updated 2009-01-18 Real- Real -time systems time systems Real- Real -time programming time programming Recommended programming method: Recommended programming method:

251 views • 8 slides
Real-Time Performance of Linux Among others: A Measurement-Based Analysis of the Real-Time

Real-Time Performance of Linux Among others: A Measurement-Based Analysis of the Real-Time

CPSC-663: Real-Time Systems Linux, Preemption, and Real-Time Real-Time Performance of Linux Among others: A Measurement-Based Analysis of the Real-Time Performance of Linux (L. Abeni , A. Goel, C. Krasic, J. Snow, J. Walpole) [RTAS

472 views • 9 slides
Real- -Time Systems Time Systems Real Specification Implementation Task model

Real- -Time Systems Time Systems Real Specification Implementation Task model

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #10 Updated 2009-02-15 Real- -Time Systems Time Systems Real Specification Implementation Task model Execution-time analysis Verification Designing a real-

487 views • 15 slides
Real-time KVM from the ground up LinuxCon NA 2016 Rik van Riel Red Hat Real-time KVM What

Real-time KVM from the ground up LinuxCon NA 2016 Rik van Riel Red Hat Real-time KVM What

Real-time KVM from the ground up LinuxCon NA 2016 Rik van Riel Red Hat Real-time KVM What is real time? Hardware pitfalls Realtime preempt Linux kernel patch set KVM & qemu pitfalls KVM configuration Scheduling

400 views • 21 slides
Real Time Operating Systems from Fundamentals of Real Time Systems Mukul Shirvaikar &

Real Time Operating Systems from Fundamentals of Real Time Systems Mukul Shirvaikar &

Real Time Operating Systems from Fundamentals of Real Time Systems Mukul Shirvaikar & Theodore Elbert Chapter 4 1 Real Time Systems Design Various design approaches implemented by system designers to meet real-time requirements

718 views • 36 slides
RAP Tight integration with the physical world Location aware Communication patterns:

RAP Tight integration with the physical world Location aware Communication patterns:

Real-time Systems Speed/RAP/CODA Speed/RAP/CODA Many wireless sensor network applications require real-time support Surveillance and tracking Border patrol Fire fighting Real-time systems: Hard real-time: guarantee

476 views • 9 slides
Real- -Time Systems Time Systems Real Ada 95 Specification Clocks, time, delay Task

Real- -Time Systems Time Systems Real Ada 95 Specification Clocks, time, delay Task

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #4 Updated 2009-01-25 Real- -Time Systems Time Systems Real Ada 95 Specification Clocks, time, delay Task priorities Implementation Verification Ada 95

157 views • 13 slides
Real Time Operating Systems Shirvaikar Chapter 4 REAL TIME SYSTEMS SHIRVAIKAR 1 Real Time

Real Time Operating Systems Shirvaikar Chapter 4 REAL TIME SYSTEMS SHIRVAIKAR 1 Real Time

Real Time Operating Systems Shirvaikar Chapter 4 REAL TIME SYSTEMS SHIRVAIKAR 1 Real Time Systems Design Various design approaches implemented by system designers to meet real-time requirements Three general approaches to task

557 views • 37 slides
Real Real- -Time Systems Time Systems Example: scheduling using EDF Example: scheduling using

Real Real- -Time Systems Time Systems Example: scheduling using EDF Example: scheduling using

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #14 Updated 2009-03-01 Real Real- -Time Systems Time Systems Example: scheduling using EDF Example: scheduling using EDF Problem: Assume a system with tasks according to the

593 views • 5 slides
What does random mean? Random - Something or a group of things that follow no criteria

What does random mean? Random - Something or a group of things that follow no criteria

What does random mean? Random - Something or a group of things that follow no criteria or pattern. A word often misused by morons who dont know very many other words. -- supaDISC What does random mean? Please

677 views • 32 slides
LEEN : Locality/Fairness- Aware Key Partitioning for MapReduce in the Cloud i # Shadi Ibr ahim,

LEEN : Locality/Fairness- Aware Key Partitioning for MapReduce in the Cloud i # Shadi Ibr ahim,

LEEN : Locality/Fairness- Aware Key Partitioning for MapReduce in the Cloud i # Shadi Ibr ahim, Hai Jin, L u L u, Song Wu, Bingshe ng He *, Qi L Huazho ng Unive r sity o f Sc ie nc e and T e c hno lo gy *Nanyang T e c hno lo gic al Unive

609 views • 19 slides
Creative Audio Programming for the Web with Tone.js Anna Xamb anna.xambo@dmu.ac.uk Music,

Creative Audio Programming for the Web with Tone.js Anna Xamb anna.xambo@dmu.ac.uk Music,

Creative Audio Programming for the Web with Tone.js Anna Xamb anna.xambo@dmu.ac.uk Music, Technology and Innovation - Institute for Sonic Creativity (MTI^2) De Montfort University Women Who Code, School of Media Arts, Columbia College

411 views • 14 slides
Organizational Culture Chris May: Vitae Consulting LLC 630-608-7072 cmayconsulting@gmail.com

Organizational Culture Chris May: Vitae Consulting LLC 630-608-7072 cmayconsulting@gmail.com

Keys to Establishing Healthy Organizational Culture Chris May: Vitae Consulting LLC 630-608-7072 cmayconsulting@gmail.com About the Presenter S u c c e s s f u l c a r e e r f o r 2 f o r t u n e 5 0 0 c o m p a n i e s R e c e i v e d

498 views • 22 slides
Diet monitoring is a big issue in many health- related topics, so there has been many

Diet monitoring is a big issue in many health- related topics, so there has been many

Hamid Hassannejad, Guido Matrella, Monica Mordonini, and Stefano Cagnoni 14 th Conference of the Italian Association for Artificial Intelligence September 2015 Diet monitoring is a big issue in many health- related topics, so there has been

262 views • 13 slides
DAY-2 PRACTICE (ORALLY)

DAY-2 PRACTICE (ORALLY)

DAY-2 PRACTICE (ORALLY) PRACTICE (ORALLY) WRITE IN HINDI 1.Ghaak 2.Kaak

715 views • 23 slides
Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 CNRS and ENS Lyon, France 2 Nanyang Technological University, Singapore CRYPTO 2018, 20 August 2018 Zero-Knowledge

422 views • 30 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides

More recommend