Ransomware-Aware Filesystem for Modern Operating Systems
Publication date
Priority date
Politecnico di Milano
Department of Electronics, Information and Bioengineering
Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Federico Maggi, Stefano Zanero
The goal of the invention is to protect users' valuable files stored on a computer system from crypto-extortion attacks, also known as ransomware. The operating system continuously monitors the filesystem activity (e.g., read or write operations) of every running program (i.e., process). In parallel, every file-modifying operation is performed on a separate shadow copy of the original file, so the original stays intact. As soon as a process is deemed "benign," its shadow copies are committed and deleted, and future operations are directed to the original files transparently. Whenever a process is deemed "malicious," the operating system kills it and discards its shadow copies, so the original files are restored transparently.

The novelty of the idea lies in how a process is decided to be "benign" or "malicious." To this end, each process is monitored from two viewpoints: the filesystem and the process memory. On the filesystem side, numeric features are derived from the process's filesystem activity, and a set of supervised classifiers uses these features to tell ransomware processes apart from non-ransomware processes. On the memory side, the memory pages of the processes that the filesystem-based classifiers flagged as "malicious" are scanned as a second stage.
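To make the mechanism concrete, the following added example (not code from the invention or from ShieldFS) models the per-process shadow copy, the derivation of numeric features from an I/O trace, and the commit-or-rollback decision. The in-memory filesystem, the file contents, the feature set and the hand-written verdict rule are all constructed stand-ins: the rule replaces the trained supervised classifiers the page describes, and the memory-scanning stage is not modelled.

```python
"""Toy model of the scheme: every write lands on a per-process shadow copy,
numeric features are derived from each process's I/O trace, and the verdict
decides whether the shadow copies are committed or discarded.
Constructed example; features and thresholds are illustrative assumptions,
not the classifiers of the original work."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data; encrypted output sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class ShadowFS:
    """In-memory filesystem applying copy-on-write per process (assumed API)."""

    def __init__(self, files):
        self.files = dict(files)          # committed state: path -> bytes
        self.shadow = defaultdict(dict)   # pid -> {path: pending bytes}
        self.trace = defaultdict(list)    # pid -> [(op, path, data)]

    def listdir(self, pid):
        self.trace[pid].append(("listdir", "", b""))
        return sorted(self.files)

    def read(self, pid, path):
        self.trace[pid].append(("read", path, b""))
        # a process sees its own pending writes; everyone else sees the original
        return self.shadow[pid].get(path, self.files[path])

    def write(self, pid, path, data):
        self.trace[pid].append(("write", path, data))
        self.shadow[pid][path] = data     # the original file is never touched

    def features(self, pid):
        """Numeric features derived from the process's filesystem activity."""
        ops = self.trace[pid]
        writes = [(p, d) for op, p, d in ops if op == "write"]
        return {
            "n_ops": len(ops),
            "write_ratio": len(writes) / len(ops) if ops else 0.0,
            "n_files_written": len({p for p, _ in writes}),
            "n_listdir": sum(1 for op, _, _ in ops if op == "listdir"),
            "write_entropy": shannon_entropy(b"".join(d for _, d in writes)),
        }

    def commit(self, pid):
        """Benign verdict: pending shadow copies replace the originals."""
        self.files.update(self.shadow.pop(pid, {}))

    def rollback(self, pid):
        """Malicious verdict: drop the shadow copies; originals are intact."""
        self.shadow.pop(pid, None)


def is_malicious(f):
    """Hand-written rule standing in for the supervised classifiers (assumption)."""
    return f["write_entropy"] > 7.0 and f["n_files_written"] >= 3 and f["n_listdir"] >= 1


def keystream(seed: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes so the demo is reproducible."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def run_demo():
    # constructed sample files
    originals = {f"/home/u/doc{i}.txt": (f"report {i} " * 60).encode() for i in range(3)}
    fs = ShadowFS(originals)
    # pid 1: an editor rewriting one document with slightly changed text
    doc = fs.read(1, "/home/u/doc0.txt")
    fs.write(1, "/home/u/doc0.txt", doc.replace(b"report", b"REPORT"))
    # pid 2: ransomware-like behaviour, enumerate and overwrite every file
    for path in fs.listdir(2):
        plain = fs.read(2, path)
        ks = keystream(b"demo-key" + path.encode(), len(plain))
        fs.write(2, path, bytes(a ^ b for a, b in zip(plain, ks)))
    verdicts = {}
    for pid in (1, 2):
        if is_malicious(fs.features(pid)):
            verdicts[pid] = "malicious"
            fs.rollback(pid)          # originals were never modified
        else:
            verdicts[pid] = "benign"
            fs.commit(pid)            # shadow copy becomes the real file
    return fs, verdicts


if __name__ == "__main__":
    fs, verdicts = run_demo()
    print(verdicts)
    print({p: d[:12] for p, d in fs.files.items()})
```

Because the rollback for the encrypting process only discards its shadow copies, the originals of all three documents survive, while the editor's single low-entropy rewrite is committed. A real implementation would additionally have to handle renames, deletes and the interaction between concurrent processes, none of which this toy models.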
Field of application
In the short term, the invention can be implemented in endpoint-protection software (e.g., an antivirus). Indeed, major players in the industry are seeking ransomware protection that goes beyond the classic detection approach. In the long term, the invention could be embedded in the operating system's internals, so as to ensure transparent protection from malicious processes that surreptitiously modify, delete or encrypt users' valuable files.
ShieldFS is built on the results of an analysis of billions of low-level filesystem I/O requests generated by thousands of benign applications, which we collected over about one month from clean machines in use by real users. This is the first measurement of the filesystem activity of a large set of benign applications under real working conditions.