http://dx.doi.org/10.13089/JKIISC.2018.28.2.357

Ransomware Detection and Recovery System Based on Cloud Storage through File System Monitoring  

Kim, Juhwan (Sejong University)
Choi, Min-Jun (Sejong University)
Yun, Joobeom (Sejong University)
Abstract
As the information technology of modern society develops, malicious code aimed at seizing or destroying important system information is developing alongside it. Among such code, ransomware is a typical example: it blocks the user's access to their own resources. Although much research on detecting ransomware that performs encryption has been conducted in recent years, no additional methods have been proposed for recovering damaged files after an attack. Moreover, because the similarity-comparison technique was applied without taking repeated encryption into account, a repeated encryption is highly likely to be recognized as normal behavior. Therefore, this paper implements a filter driver to control the file system and applies a similarity-comparison method that is verified against the analyzed encryption patterns of ransomware. We propose a system that detects malicious behavior in the process accessing a file and recovers the damaged file based on cloud storage.
Keywords
ransomware; data similarity; filter driver; file system; cloud storage;
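As an added illustration (not the paper's implementation, whose similarity measure, thresholds and driver code are not given on this page), the Python below shows the repeated-encryption pitfall the abstract describes: a write judged only against the version it overwrites looks normal when that version was already encrypted, while judging it against the backed-up original still flags it. The entropy and histogram thresholds and the SHA-256 keystream used as a stand-in for ransomware output are constructed assumptions for this demo.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is roughly 4-5, ciphertext close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def histogram_similarity(a: bytes, b: bytes) -> float:
    """Cosine similarity of the two byte-frequency histograms, in [0, 1]."""
    ha, hb = Counter(a), Counter(b)
    dot = sum(ha[k] * hb[k] for k in ha)
    norm = math.sqrt(sum(v * v for v in ha.values()) * sum(v * v for v in hb.values()))
    return dot / norm if norm else 0.0

def looks_like_encryption(reference: bytes, written: bytes,
                          entropy_jump: float = 2.0, max_similarity: float = 0.5) -> bool:
    """Flag a write that is both much higher in entropy than the reference copy
    and dissimilar to it. Thresholds are assumed for this demo, not the paper's."""
    jump = shannon_entropy(written) - shannon_entropy(reference)
    return jump >= entropy_jump and histogram_similarity(reference, written) < max_similarity

def simulated_ransomware_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for ransomware output: XOR with a SHA-256 counter
    keystream. Deterministic so the demo is reproducible; only its entropy matters."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[offset:offset + 32], keystream))
    return bytes(out)

# Constructed sample: a user document, its first encryption, and a second pass
# over the already-encrypted file (the repeated-encryption case).
ORIGINAL = b"The quick brown fox jumps over the lazy dog. " * 100
FIRST_PASS = simulated_ransomware_encrypt(ORIGINAL, b"demo-key-1")
SECOND_PASS = simulated_ransomware_encrypt(FIRST_PASS, b"demo-key-2")

def verdicts() -> dict:
    """Judge each write against the overwritten version (naive) and against the backup copy (baseline)."""
    return {
        "first_pass_vs_previous": looks_like_encryption(ORIGINAL, FIRST_PASS),     # True
        "second_pass_vs_previous": looks_like_encryption(FIRST_PASS, SECOND_PASS),  # False: missed
        "second_pass_vs_backup": looks_like_encryption(ORIGINAL, SECOND_PASS),     # True
    }
```

The missed second pass is why a monitor needs a known-good reference such as the cloud-stored copy, which also serves as the recovery source.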