shieldfs the last word in ransomware resilient filesystems
play

ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea - PowerPoint PPT Presentation

Nov 16, 2023 •162 likes •976 views

ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea Continella , Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi * US patent pending 2016-17 the "years of

  1. ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea Continella , Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi * US patent pending

  2. 2016-17 the "years of extortion"

  3. Do you WannaCry?

  4. Do you WannaCry?

  5. ShieldFS vs WannaCry ShieldFS detected WannaCry after it encrypted >=200 files Files lost: zero , all were recovered automatically

  6. It’s not just WannaCry... ➢ Detected: 1436/1483, 96.9% ➢ Files lost: always 0%

  7. Why ShieldFS is different?

  8. ShieldFS: Key Takeaways The way ransomware interacts with the filesystem is significantly different than benign applications

  9. ShieldFS: Key Takeaways The way ransomware interacts with the filesystem is significantly different than benign applications DETECTION. Monitor filesystem activity Usage of crypto primitives

  10. ShieldFS: Key Takeaways The way ransomware interacts with the filesystem is significantly different than benign applications DETECTION. Monitor filesystem activity Usage of crypto primitives PROTECTION. Mere detection is insufficient ➢ Stopping a suspicious process may be too late ➢ We need to protect users’ data , reverting the effects of ransomware attacks.

  11. What does ShieldFS observe?

  12. FS Activity Monitor Process User mode User mode Kernel mode I/O Manager ➢ Windows Kernel module to monitor and log the Filter Manager file system activity ○ Windows Minifilter Driver File System ○ Log IRPs (I/O Request Packets) Storage Driver Hardware

  13. Filter Manager API CONST FLT_OPERATION_REGISTRATION Callbacks[] = { { IRP_MJ_CREATE, 0, PreCreateOperationCallback, PostCreateOperationCallback }, { IRP_MJ_CLOSE, 0, PreCloseOperationCallback, PostCloseOperationCallback }, { IRP_MJ_READ, 0, PreReadOperationCallback, PostReadOperationCallback }, { IRP_MJ_WRITE, 0, PreWriteOperationCallback, PostWriteOperationCallback }, } FltRegisterFilter(DriverObject, &FilterRegistration, &Filter);

  14. IRP Log Example

  15. Where do we start from?

  16. Background/Clean FS Activity Benign User mode ➢ IRP logger on 11 clean machines Kernel mode ➢ FS activity under "typical" usage I/O Manager ○ ~1 month worth of data IRPLogger File System IRPs IRPs Storage Driver IRPs Disk drive IRPs

  17. Collected FS Activity

  18. Collected FS Activity

  19. Analysis Environment Windows 7 VM 383 samples of 5 distinct families Ransomware User mode Kernel mode I/O Manager IRPLogger File System Disk drive VirtualBox Cuckoo Sandbox

  20. Environment Preparation ● Trigger ransomware activity ● Avoid anti-sandbox tricks

  21. Ransomware vs Benign apps ? ? ? Benign Ransomware User mode Kernel mode I/O Manager IRPLogger File System Storage Driver Disk drive

  22. ShieldFS Self-healing Ransomware-aware Filesystem

  23. Ransomware vs Benign apps

  24. Ransomware vs Benign apps MANY PROGRAMS MANY PROGRAMS exhibit exhibit LOW VALUE HIGH VALUE FEW PROGRAMS FEW PROGRAMS exhibit exhibit LOW VALUE HIGH VALUE

  25. Ransomware vs Benign apps Ransomware Benign (1) #Folder-listing

  26. Ransomware vs Benign apps Ransomware Benign (2) #Files-Read

  27. Ransomware vs Benign apps Ransomware Benign (3) #Files-Written

  28. Ransomware vs Benign apps Ransomware Benign (4) #Files-Renamed

  29. Ransomware vs Benign apps Ransomware Benign (5) File type coverage

  30. Ransomware vs Benign apps Ransomware Benign (6) Write-Entropy

  31. Ransomware vs Benign apps

  32. Machine Learning Learned classification model

  33. ShieldFS Self-healing Ransomware-aware Filesystem

  34. ShieldFS: Healing Approach

  35. ShieldFS: Healing Approach

  36. THIS SLIDE IS TO PROVE THAT WE CAN CREATE COMPLEX ANIMATION FLOWS

  37. THIS SLIDE IS TO PROVE THAT WE CAN CREATE COMPLEX ANIMATION FLOWS

  38. Detection Models Process #1 Process #n Process-centric Models K System-centric Model Disk drive

  39. Multi-tier Incremental Models K Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 log (% accessed files)

  40. Multi-tier Incremental Models tick #0 Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  41. Multi-tier Incremental Models tick #1 Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  42. Multi-tier Incremental Models tick #2 Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  43. Multi-tier Incremental Models tick #3 Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  44. Multi-tier Incremental Models tick #4 Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  45. Multi-tier Incremental Models tick #5 Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  46. Multi-tier Incremental Models Malicious Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  47. Multi-tier Incremental Models Benign Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  48. Multi-tier Incremental Models ? ? ? Suspicious Long-term horizon Global Model Model 3 Model 3 tiers Model 2 Model 2 Model 2 Short-term horizon Model 1 Model 1 Model 1 Model 1 Model 1 Model 1 #0 #1 #2 #3 log (% accessed files)

  49. I’m Confused.. Suspicious Process #1 Process #n Process-centric Models System-centric Model

  50. I’m Confused.. Suspicious Process #1 Process #n Process-centric Models LOOK FOR TRACES OF CRYPTO FUNCTIONS System-centric Model

  51. Block Ciphers: Key Schedule

  52. Traces of Crypto Primitives Key schedules Encryption Rounds 77 3f 9d 50 2a 91 d5 86 Round 1 a0 89 42 b2 f3 de b8 d3 32 f2 16 b0 88 e3 7e b4 Round 2 1d 2d f4 b2 fa 6f 51 64 bd ce c7 e5 16 1b e1 dc Round 3 8f db 81 e5 50 8b c0 1a 7b 93 8f f4 64 c9 bf f3 Round N a5 f8 25 be f5 9a 48 c8

  53. Traces of Crypto Primitives Key schedules Encryption Rounds 77 3f 9d 50 2a 91 d5 86 Round 1 a0 89 42 b2 f3 de b8 d3 32 f2 16 b0 88 e3 7e b4 Round 2 1d 2d f4 b2 fa 6f 51 64 False Positives for AES: 2 -1344 bd ce c7 e5 16 1b e1 dc Round 3 8f db 81 e5 50 8b c0 1a 7b 93 8f f4 64 c9 bf f3 Round N a5 f8 25 be f5 9a 48 c8

  54. ShieldFS: Architecture Process 1 Process 2 . . . Virtual memory address space address space Process 1 Process 2 ... open("file.txt") read(fp1) ... User space Kernel space I/O Manager (minifilter driver interface)

  55. ShieldFS: Architecture Process 1 Process 2 . . . Virtual memory address space address space Process 1 Process 2 ... open("file.txt") read(fp1) ... User space Kernel space I/O Manager (minifilter driver interface) I/O Request Packets (IRPs) Process centric Process centric ... model 1 model 2 Feature values " process 1 is suspicious" Detector System centric model

  56. ShieldFS: Architecture Process 1 Process 2 . . . Virtual memory address space address space Process 1 Process 2 ... open("file.txt") read(fp1) ... User space " search for crypto key schedule" Kernel space I/O Manager (minifilter driver interface) I/O Request Packets (IRPs) Process centric Process centric ... CryptoFinder model 1 model 2 Feature values " process 1 is suspicious" Detector System centric model

  57. ShieldFS: Architecture Process 1 Process 2 . . . Virtual memory address space address space Process 1 Process 2 ... open("file.txt") read(fp1) ... User space " search for crypto key schedule" Kernel space I/O Manager (minifilter driver interface) I/O Request Packets (IRPs) Process centric Process centric ... CryptoFinder model 1 model 2 Feature values " process 1 is suspicious" Detector System centric model " process 2 is benign", " process 1 is malicious: kill it and restore files" Shielder “delete process 2 file copies” “restore process 1 files copies” Disk drive Shadow drive

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing

Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing

Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing History 1989 AIDS TROJAN DISK distributed/infected via floppy disk developer was caught and put into jail 2005 first internet attack

748 views • 54 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are

This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are

Linux System Administration SSU: Disks and Filesystems 1 This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are the traditional places to put filesystems. Then we'll take a look at logical

711 views • 58 slides
Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Moreno Baricevic Gilberto Daz Axel Kohlmeyer Stefano Cozzini ULA ICTP CNR-IOM DEMOCRITOS Merida, VENEZUELA Trieste, ITALY Trieste, ITALY Introduction Introduction to storage and to storage and filesystems filesystems Introduction

1.19k views • 51 slides
Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

798 views • 54 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

772 views • 75 slides
Hyperplasia & Cancer Risk Hyperplasia & Cancer Risk Jim Lacey, Ph.D. City of Hope

Hyperplasia & Cancer Risk Hyperplasia & Cancer Risk Jim Lacey, Ph.D. City of Hope

Hyperplasia & Cancer Risk Hyperplasia & Cancer Risk Jim Lacey, Ph.D. City of Hope Duarte, CA NCI-Designated Comprehensive Cancer Center When EH is Diagnosed When EH is Diagnosed What is the risk of concurrent cancer?

572 views • 36 slides
Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING

Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING

5/25/2017 Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING UROLOGIC PATHOLOGY CASES bradley.stohr@ucsf.edu Bradley Stohr, MD, PhD Assistant Professor, UCSF Pathology Outline Bladder The

894 views • 30 slides
Ontology-based Diagnostic Decision Support for Radiology Charles E. Kahn, Jr., MD, MS Medical

Ontology-based Diagnostic Decision Support for Radiology Charles E. Kahn, Jr., MD, MS Medical

MIE 2014 Ontology-based Diagnostic Decision Support for Radiology Charles E. Kahn, Jr., MD, MS Medical College of Wisconsin Milwaukee, Wisconsin, USA Goals Apply an ontology of disorders and associated imaging findings for differential

347 views • 23 slides
Viscous Flow, Reynolds Number & Boundary Layers Athul Viswam Aerospace Engineering

Viscous Flow, Reynolds Number & Boundary Layers Athul Viswam Aerospace Engineering

AE-705: Introduction to Flight Viscous Flow, Reynolds Number & Boundary Layers Athul Viswam Aerospace Engineering Department IIT Bombay AE-705 Introduction to Flight Lecture-05 Chapter-03 CONTENTS Introduction to Viscous Flow

1.68k views • 54 slides
AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie

AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie

AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie Joint Work w/ David Yang, Sihan Li (Illinois) Xusheng Xiao, Benjamin Andow, Rahul Pandita, William Enck (NCSU) Mobile App Markets Google Play

567 views • 46 slides
Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of Computer Science Virginia Tech May 21, 2015 Problem and Motivation Malware

139 views • 13 slides
Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu David Evans Yanjun Qi University of Virginia Machine Learning is Solving Our Problems Fake Fake Spam IDS

1.07k views • 34 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides

More recommend