Using process mining to identify file system metrics impacted by ransomware execution

Arash Mahboubi, Keyvan Ansari, Seyit Camtepe

Research output: Book chapter/Published conference paperConference paperpeer-review

1 Citation (Scopus)


Malware authors leverage strong cryptographic primitives to hold user files as a hostage in their own devices until a ransom is paid. Indeed, victims not protected against ransomware are forced to pay the ransom or lose the files if ignoring the extortion. Devices are by no means immune from ransomware attacks. The reality is that there is a limited study on how to protect end-user devices against ransomware while there is hardly any protection available. Ransomware uses legitimate operating system processes that even state-of-the-art and advanced anti-malware products are ineffective against them. The results of our static and dynamic analysis illustrate that a local file system plays a critical role in the operation of all ransomware engines. Therefore, this study investigates the correlation existed between the file system operations to identify metrics such as the absolute occurrence frequency of a system file to identify a ransomware attack from within the kernel. We employ business process mining techniques to analyze collected log files from samples of seven recent live ransomware families and use the Naive discovery algorithm to study the absolute occurrence frequency of system files. The findings are visualized by state charts and sequence diagrams. Finally, the study identifies eight common system files that ransomware calls on in order to encrypt a victim’s files on their device.

Original languageEnglish
Title of host publicationMobile, secure, and programmable networking
Subtitle of host publication6th International Conference, MSPN 2020, Paris, France, October 28-29, 2020, Revised Selected Papers
EditorsSamia Bouzefrane, Maryline Laurent, Selma Boumerdassi, Eric Renault
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages15
ISBN (Electronic)9783030675509
ISBN (Print)9783030675493
Publication statusPublished - 20 Jan 2021
Event6th International Conference on Mobile, Secure and Programmable Networking: MSPN 2020 - Virtual, Paris, France
Duration: 28 Oct 202029 Oct 2020,Mobile%2C%20Secure%20and%20Programmable%20Networking.&text=MSPN%202020%20will%20be%20held,virtual%20because%20of%20covid%20situation. (Conference website) (Conference program)

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume12605 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference6th International Conference on Mobile, Secure and Programmable Networking
OtherMSPN 2020 is the 6th edition of the successful International Conference on Mobile, Secure and Programmable Networking. It aims at providing an elicited forum for researchers and industrial practitioners to present and discuss emerging trends in networking infrastructures, distributed yet intelligent protocols, security, services and applications while focusing manifold vertical tools on machine leaning and artificial intelligence, network programming and Cloud computing, Industrial Internet of things, Digital Twins, etc. Position papers are also appreciated and solicited. It should be clearly marked as such.
MSPN 2020 will be held from October 28 to October 29, 2020 in Paris, France. The conference will be fully virtual because of covid situation.
Internet address


Dive into the research topics of 'Using process mining to identify file system metrics impacted by ransomware execution'. Together they form a unique fingerprint.

Cite this