
A Study on the Ransomware Detection System Based on User Requirements Analysis for Data Restoration

  • Ko, Yong-Sun (Department of IT Policy Management, Graduate School, Soongsil University) ;
  • Park, Jae-Pyo (Department of Information Security, Graduate School of Information Sciences, Soongsil University)
  • Received : 2019.02.14
  • Accepted : 2019.04.05
  • Published : 2019.04.30

Abstract

Ransomware attacks have been increasing continuously in recent years, and new ransomware variants that are difficult to detect with basic antivirus software alone are also on the rise. Various solutions against ransomware have been developed and deployed; however, because of the disadvantages and limitations of existing solutions, the damage caused by ransomware has not been reduced. Ransomware attacks every kind of platform, including Windows, Linux, servers, IoT devices and blockchains, whereas most existing anti-ransomware solutions are difficult to apply to multiple platforms and are limited to operating only on the specific platform on which they depend. This study analyzes the problems of existing ransomware detection solutions and proposes an onboard-module-based ransomware detection system: after the functions of the necessary elements are defined by analyzing the requirements that can actually reduce ransomware damage from the users' point of view, the system supports various operating systems without pre-installation and can restore data even after infection. We checked the feasibility of each function of the proposed system through an analysis of existing technology, and verified that the proposed techniques meet users' requirements through a questionnaire survey of 264 personal and corporate PC users. Statistical analysis of the questionnaire results showed that the score for intention to introduce the system was 6.3 or higher, which is good, and the score for intention to change from an existing solution to the proposed system was 6.0, which is very high.

Ransomware attacks have been rising steadily in recent years, and new ransomware strains that basic antivirus software cannot readily detect are also increasing. Ransomware countermeasure solutions have accordingly been developed, but because of the shortcomings and limitations of existing ransomware solutions the damage has not decreased. Ransomware attacks a wide range of platforms without discrimination, including Windows, Linux, servers, IoT devices and blockchains, yet most existing countermeasure solutions are difficult to apply across platforms and are limited to operating only on the specific platform on which they depend. This study analyzes the problems of these existing ransomware detection solutions, defines the required component functions through an analysis of the requirements that can actually reduce ransomware damage from the user's point of view, and then proposes an onboard-module-based ransomware detection system that supports various operating systems without prior installation and can restore data even after infection. Whether each function of the proposed system can be implemented was confirmed by analyzing existing technology, and whether the proposed techniques actually meet users' security requirements was verified through a survey of 264 personal and corporate PC users. Statistical analysis of the survey results showed that the score for intention to adopt the proposed system was 6.3 or higher out of 7, which is very favorable, and the score for intention to switch from an existing solution to the proposed system was also 6.0 or higher, which is very high.

Fig. 1. Structure diagram for disk access[8]

Fig. 2. Structure diagram for disk access

Fig. 3. Delayed deletion behavior of SSD

Fig. 4. Data recovery method with garbage collection delay

Table 1. Statistics on PC environment and company size

Table 2. Security empirical statistics of the sample

References

  1. N. Scaife, H. Carter, P. Traynor, and K. Butler, "CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data", Proceedings of the IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303-312, June 2016. DOI: https://doi.org/10.1109/ICDCS.2016.46
  2. Joon-young Paik, Keun-tae Shin, and Eun-sun Cho, "Self-Defensible Storage Devices based on Flash Memory against Ransomware", IEEE Symposium on Security and Privacy, May 2016.
  3. C. Everette, "Ransomware: to pay or not to pay?", Computer Fraud & Security, Vol. 16, No. 4, pp. 8-12, April 2016. DOI: https://doi.org/10.1016/S1361-3723(16)30036-7
  4. Y. Qin, W. Tong, J. Liu, and Z. Zhu, "SmSD: A Smart Secure Deletion Scheme for SSDs", Journal of Convergence, Vol. 4, No. 4, pp. 8-12, Dec. 2013.
  5. N. Hampton, Z. Baig, and S. Zeadally, "Ransomware Behavioural Analysis on Windows Platforms", Journal of Information Security and Applications, Vol. 40, pp. 44-51, June 2018. DOI: http://dx.doi.org/10.1016/j.jisa.2018.02.008
  6. J. S. Aidan, H. K. Verma, and L. K. Awasthi, "Comprehensive Survey on Petya Ransomware Attack", Proceedings of the International Conference on Next Generation Computing and Information Systems (ICNGCIS), pp. 11-12, Dec. 2017. DOI: https://doi.org/10.1109/ICNGCIS.2017.30
  7. F. Chen, D. A. Koufaty, and X. Zhang, "Understanding Intrinsic Characteristics and System Implications of Flash Memory Based Solid State Drives", Proceedings of the International Joint Conference on Measurement and Modeling of Computer Systems, pp. 181-192, June 2009. DOI: https://doi.org/10.1145/1555349.1555371
  8. Yu-Ji Lee, "Internet Nayana, Ransomware Infection by APT Attack, Security Management", Byline Network, 2017. Available from: https://byline.network/2017/06/1-792/ (accessed Dec. 20, 2018)
  9. C. Moore, "Detecting Ransomware with Honeypot Techniques", Proceedings of the Cybersecurity and Cyberforensics Conference (CCC), pp. 2-4, Aug. 2016. DOI: https://doi.org/10.1109/CCC.2016.14
  10. H. Orman, "Evil Offspring - Ransomware and Crypto Technology", IEEE Internet Computing, Vol. 20, No. 5, pp. 89-94, Oct. 2016. DOI: https://doi.org/10.1109/MIC.2016.90
  11. E. Kirda, "UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware", Proceedings of the IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 20-24, Feb. 2017. DOI: https://doi.org/10.1109/SANER.2017.7884603