Ransomware-aware Filesystem
Politecnico di Milano
2016 the "year of extortion"
How to Deal With Ransomware?
[1] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, E. Kirda, Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, DIMVA 2015
[2] A. Kharraz, S. Arshad, W. Robertson, E. Kirda, UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware, USENIX Security 2016
[3] N. Scaife, H. Carter, P. Traynor, K. Butler, CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data, ICDCS 2016
FS Activity Monitor
Filter Manager APIs
#include <fltKernel.h>

// Minifilter callback table: one entry per IRP major function to intercept.
// Each entry: { major function, flags, pre-operation callback, post-operation callback }.
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE, 0, PreCreateOperationCallback, PostCreateOperationCallback },
    { IRP_MJ_CLOSE,  0, PreCloseOperationCallback,  PostCloseOperationCallback },
    { IRP_MJ_READ,   0, PreReadOperationCallback,   PostReadOperationCallback },
    { IRP_MJ_WRITE,  0, PreWriteOperationCallback,  PostWriteOperationCallback },
    { IRP_MJ_OPERATION_END }                // required terminator of the table
};

// Registration structure handed to the Filter Manager; it points at the
// callback table above. Trailing fields not listed here are zero (NULL).
CONST FLT_REGISTRATION FilterRegistration = {
    sizeof(FLT_REGISTRATION),               // Size
    FLT_REGISTRATION_VERSION,               // Version
    0,                                      // Flags
    NULL,                                   // ContextRegistration
    Callbacks,                              // OperationRegistration
    NULL                                    // FilterUnloadCallback (NULL: filter cannot be unloaded)
};

// Register the minifilter from DriverEntry; on success Filter receives the opaque filter handle.
PFLT_FILTER Filter = NULL;
NTSTATUS status = FltRegisterFilter( DriverObject,
                                     &FilterRegistration,
                                     &Filter );
if (!NT_SUCCESS(status)) {
    return status;                          // registration failed: do not proceed
}
Statistics of the collected data
Analysis Environment
[Figure: analysis environment. A Windows 7 VM runs the ransomware sample in user mode; in kernel mode, IRPs flow from the I/O Manager through IRPLogger to the File System. The VM runs on virtualized hardware under VirtualBox, driven by Cuckoo Sandbox.]
Training Dataset
Ransomware vs Benign Programs
[Figure: cumulative distribution functions, benign programs vs ransomware.]
ShieldFS: Approach
Detection Models
Multi-tier Incremental Models
[Figure: multi-tier incremental models; tiers, model horizon, long-term global model.]
CryptoFinder
ShieldFS Architecture
[Figure, built up over four slides: ShieldFS architecture. Virtual memory: Process 1, Process 2, ... each with its own address space. Kernel space: per-process models (model 1, model 2) produce feature values; a Detector with a system-centric model reports "process 1 is suspicious"; the Shielder component.]
Automatic File Recovery Workflow
[Figure: automatic file recovery workflow: Start -> Unknown -> Monitor & COW on first write.]
Experimental Results
Detection Accuracy
False Positive Evaluation
Detection and Recovery Capabilities
System Overhead
Perceived Overhead
Storage Overhead
Limitations & Future work
Conclusions
Ransomware significantly differs from benign software from the filesystem's viewpoint: first large-scale data collection of IRPs generated by benign applications.
ShieldFS creates generic models to identify ransomware behaviors: filesystem activity, and use of symmetric crypto primitives.
Pure detection is not enough: ShieldFS applies detection in a self-healing virtual FS able to transparently revert the effects of ransomware attacks, once detected.
Thank you!
Questions?
andrea.continella@polimi.it
@_conand
http://shieldfs.necst.it/