Abstract
This study introduces the Digital Immunity Module (DIM), a novel pass-through file system gateway, positioned strategically between storage and endpoints to enhance the security of files accessed via network protocols such as NFS and SMB on SharePoint. DIM serves as a protective layer against ransomware, designed with dual objectives: (1) detecting statistical anomalies that may indicate potential encryption within the network file system, and (2) proactively expanding under-attack files using a reverse source-coding algorithm to deprive ransomware of the resources it needs to operate. For practical deployment, we have developed a proxy gateway that connects endpoints to Azure storage using the SMB protocol. This setup effectively differentiates between benign and malicious activities without needing to identify specific processes at the endpoints, a critical advantage in combating fileless ransomware, which often eludes conventional security mechanisms such as behavioral analysis. Upon detecting malicious encryption, DIM reacts by expanding the size of buffer blocks, preventing ransomware from accessing subsequent files and frequently causing the ransomware to self-terminate. Our comprehensive evaluation, involving a benign dataset of 11,928 files against 75 ransomware families, including fileless types, demonstrates that DIM significantly impedes and often terminates ransomware operations early in the attack life cycle. This confirms the practicality and effectiveness of this pass-through defence strategy.
Original language | English |
---|---|
Title of host publication | Advances in Information and Computer Security |
Subtitle of host publication | 19th International Workshop on Security, IWSEC 2024, Proceedings |
Editors | Kazuhiko Minematsu, Mamoru Mimura |
Publisher | Springer Science and Business Media Deutschland GmbH |
Pages | 213-233 |
Number of pages | 21 |
Volume | 14977 |
ISBN (Electronic) | 9789819777372 |
ISBN (Print) | 9789819777365 |
Publication status | Published - 2024 |
Event | 19th International Workshop on Security, IWSEC 2024 - Kyoto International Conference Center, Kyoto, Japan. Duration: 17 Sept 2024 → 19 Sept 2024. https://link-springer-com.ezproxy.csu.edu.au/book/10.1007/978-981-97-7737-2 (Proceedings); https://www.iwsec.org/2024/ (Conference website); https://www.iwsec.org/2024/program.html (Program) |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 14977 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 19th International Workshop on Security, IWSEC 2024 |
---|---|
Country/Territory | Japan |
City | Kyoto |
Period | 17/09/24 → 19/09/24 |
Other | The 19th International Workshop on Security (IWSEC 2024) will be held at Kyoto International Conference Center, Kyoto, Japan between September 17-19, 2024. IWSEC 2024 is co-organized by ISEC in ESS of IEICE (Technical Committee on Information Security in Engineering Sciences Society of the Institute of Electronics, Information and Communication Engineers) and CSEC of IPSJ (Special Interest Group on Computer Security of Information Processing Society of Japan). Original papers on the research and development of various security topics, as well as case studies and implementation experiences, are solicited for submission to IWSEC 2024. IWSEC is an annual international workshop in Japan, co-organized by ISEC in ESS of IEICE and CSEC of IPSJ. Previous IWSEC have been held in Kyoto (2006), Nara (2007), Kagawa (2008), Toyama (2009), Kobe (2010), Tokyo (2011), Fukuoka (2012), Naha (2013), Hirosaki (2014), Nara (2015), Tokyo (2016), Hiroshima (2017), Sendai (2018), Tokyo (2019), Fukui/Online (2020), Tokyo/Online (2021), Tokyo/Online (2022), Yokohama/Online (2023). |