Ransomware-Aware Filesystem for Modern Operating Systems

Publication date

27-03-2017

Code

DEIB.16.068.A

Status

Available

Priority date

12-02-2016

Phase

US

Owner

Politecnico di Milano

Department

DIPARTIMENTO DI ELETTRONICA, INFORMAZIONE E BIOINGEGNERIA

Authors

Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Federico Maggi, Stefano Zanero

Description

The goal of the invention is to protect users’ valuable files stored on a computer system from crypto-extortion attacks, also known as ransomware. The idea is that the operating system continuously monitors the filesystem activity (e.g., read or write operations) originating from any running program (i.e., process). In parallel, any file-modifying operation is performed on a separate, shadow copy of the original file, preserving the original file intact. As soon as a process is deemed “benign,” the shadow copy is deleted and future operations are directed to the original file, transparently. Whenever a process is deemed “malicious,” the operating system kills it and replaces the original files, transparently. The novelty of the idea lies in how a process is decided to be “benign” or “malicious.” To this end, each process is monitored from two viewpoints: filesystem and memory. For the filesystem part, numeric features are derived from the filesystem activity so that a set of supervised classifiers can tell ransomware and non-ransomware processes apart. For the process memory part, the memory pages of processes classified as “malicious” (according to the filesystem activity features) are scanned.
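The following in-memory model, added here as an illustration and not code from the patent or from the ShieldFS project, shows how the filesystem part of the scheme fits together: undecided processes write to per-process shadow copies, the originals stay untouched, per-process numeric features are derived from the observed I/O, a small supervised classifier (a nearest-centroid rule trained on a constructed labelled set) issues a verdict, and the shadow copies are either folded back (benign) or discarded with the process killed (malicious). The three features (share of the volume written, share of writes with near-maximal byte entropy, share of written files that were read first), the entropy threshold, the training vectors and the "commit on benign" interpretation of deleting the shadow copy are all assumptions of this example; the memory-scanning stage is not modelled.

```python
"""Toy model of a ransomware-aware filesystem layer (constructed example):
per-process shadow copies, I/O-derived features and a small supervised classifier."""
import math
import random
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.0  # bits per byte; assumed threshold, close to the 8.0 reached by ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class NearestCentroid:
    """Minimal supervised classifier: the label whose mean feature vector is closest wins."""

    def fit(self, samples):
        by_label = defaultdict(list)          # samples: list of (feature_tuple, label)
        for x, label in samples:
            by_label[label].append(x)
        self.centroids = {label: tuple(sum(col) / len(col) for col in zip(*xs))
                          for label, xs in by_label.items()}
        return self

    def predict(self, x):
        return min(self.centroids, key=lambda label: math.dist(x, self.centroids[label]))


# Constructed training set: (coverage, high_entropy_fraction, read_then_overwrite_fraction)
TRAINING = [
    ((0.05, 0.0, 1.0), "benign"),     # editor saving one document it had opened
    ((0.10, 0.6, 0.0), "benign"),     # archiver creating new compressed files
    ((0.02, 0.0, 0.5), "benign"),     # small utility touching a couple of files
    ((0.90, 1.0, 1.0), "malicious"),  # bulk read-then-overwrite with ciphertext-like data
    ((0.70, 0.95, 0.9), "malicious"),
    ((1.00, 1.0, 1.0), "malicious"),
]


class ShadowFS:
    """In-memory volume on which undecided processes only ever write to shadow copies."""

    def __init__(self, files):
        self.files = dict(files)          # originals: untouched until a process is deemed benign
        self.shadow = defaultdict(dict)   # pid -> {path: content} written by that process
        self.reads = defaultdict(set)     # pid -> paths read
        self.writes = defaultdict(list)   # pid -> [(path, entropy of written data)]
        self.verdicts = {}                # pid -> "benign" | "malicious"
        self.killed = set()

    def read(self, pid, path):
        self.reads[pid].add(path)
        return self.shadow[pid].get(path, self.files[path])  # a process sees its own pending writes

    def write(self, pid, path, data):
        if pid in self.killed:
            raise PermissionError(f"process {pid} was killed as malicious")
        self.writes[pid].append((path, shannon_entropy(data)))
        if self.verdicts.get(pid) == "benign":
            self.files[path] = data       # trusted process: operate on the original directly
        else:
            self.shadow[pid][path] = data  # undecided process: redirect to the shadow copy

    def features(self, pid):
        """Assumed per-process features; the page names none explicitly."""
        written = {path for path, _ in self.writes[pid]}
        if not written:
            return (0.0, 0.0, 0.0)
        coverage = min(1.0, len(written) / len(self.files))
        high_entropy = sum(e > HIGH_ENTROPY for _, e in self.writes[pid]) / len(self.writes[pid])
        read_then_overwrite = len(written & self.reads[pid]) / len(written)
        return (coverage, high_entropy, read_then_overwrite)

    def decide(self, pid, classifier):
        """Classify pid; fold its shadow copies into the originals if benign, else discard them and kill it."""
        label = classifier.predict(self.features(pid))
        self.verdicts[pid] = label
        pending = self.shadow.pop(pid, {})
        if label == "benign":
            self.files.update(pending)    # shadow copy retired, later writes go to the original
        else:
            self.killed.add(pid)          # originals were never modified, so nothing to restore
        return label


def demo():
    """Run one benign editor and one ransomware-like process over a constructed volume."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext (constructed data)
    volume = {f"/home/user/doc{i}.txt": f"quarterly report {i}\n".encode() * 200 for i in range(10)}
    fs = ShadowFS(volume)
    clf = NearestCentroid().fit(TRAINING)
    editor, ransom = 1, 2

    # pid 1: reads one document and saves an edited plain-text version of it
    text = fs.read(editor, "/home/user/doc0.txt") + b"added a paragraph\n"
    fs.write(editor, "/home/user/doc0.txt", text)

    # pid 2: reads and overwrites eight of the ten documents with random bytes
    for i in range(1, 9):
        path = f"/home/user/doc{i}.txt"
        fs.read(ransom, path)
        fs.write(ransom, path, bytes(rng.getrandbits(8) for _ in range(4096)))

    verdicts = {pid: fs.decide(pid, clf) for pid in (editor, ransom)}
    return fs, verdicts


if __name__ == "__main__":
    fs, verdicts = demo()
    print(verdicts, "killed:", sorted(fs.killed))
```

In the demo the editor's single low-entropy save lands close to the benign centroid and is committed, while the bulk read-then-overwrite pattern with near-8-bit entropy is classified malicious before any original byte changed; the same structure is what lets a production implementation restore "transparently", since the originals never left their place.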

Field of application

In the short term, the invention can be implemented in endpoint-protection software (e.g., antivirus). As a matter of fact, major players in the industry are seeking to implement ransomware protection solutions that go beyond the classic detection approach. In the long term, the invention could be embedded in the operating system’s internals, so as to ensure transparent protection from malicious processes that surreptitiously modify, delete or encrypt users’ valuable files.

Advantages

ShieldFS is built around the results of an analysis of billions of low-level, I/O filesystem requests generated by thousands of benign applications, which we collected from clean machines in use by real users for about one month. This is the first measurement on the filesystem activity of a large set of benign applications in real working conditions.

Contact

licensing.tto@polimi.it
