Abstract
Malware authors leverage strong cryptographic primitives to hold user files as a hostage in their own devices until a ransom is paid. Indeed, victims not protected against ransomware are forced to pay the ransom or lose the files if ignoring the extortion. Devices are by no means immune from ransomware attacks. The reality is that there is a limited study on how to protect end-user devices against ransomware while there is hardly any protection available. Ransomware uses legitimate operating system processes that even state-of-the-art and advanced anti-malware products are ineffective against them. The results of our static and dynamic analysis illustrate that a local file system plays a critical role in the operation of all ransomware engines. Therefore, this study investigates the correlation existed between the file system operations to identify metrics such as the absolute occurrence frequency of a system file to identify a ransomware attack from within the kernel. We employ business process mining techniques to analyze collected log files from samples of seven recent live ransomware families and use the Naive discovery algorithm to study the absolute occurrence frequency of system files. The findings are visualized by state charts and sequence diagrams. Finally, the study identifies eight common system files that ransomware calls on in order to encrypt a victim’s files on their device.
| Original language | English |
|---|---|
| Title of host publication | Mobile, secure, and programmable networking |
| Subtitle of host publication | 6th International Conference, MSPN 2020, Paris, France, October 28-29, 2020, Revised Selected Papers |
| Editors | Samia Bouzefrane, Maryline Laurent, Selma Boumerdassi, Eric Renault |
| Publisher | Springer Science and Business Media Deutschland GmbH |
| Pages | 57-71 |
| Number of pages | 15 |
| ISBN (Electronic) | 9783030675509 |
| ISBN (Print) | 9783030675493 |
| DOIs | |
| Publication status | Published - 20 Jan 2021 |
| Event | 6th International Conference on Mobile, Secure and Programmable Networking: MSPN 2020 - Virtual, Paris, France Duration: 28 Oct 2020 → 29 Oct 2020 https://mspn2020.roc.cnam.fr/#:~:text=MSPN%202020%20is%20the%206th,Mobile%2C%20Secure%20and%20Programmable%20Networking.&text=MSPN%202020%20will%20be%20held,virtual%20because%20of%20covid%20situation. (Conference website) https://mspn2020.roc.cnam.fr/wp-content/uploads/2020/11/mspn2020_program.pdf (Conference program) |
Publication series
| Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
|---|---|
| Volume | 12605 LNCS |
| ISSN (Print) | 0302-9743 |
| ISSN (Electronic) | 1611-3349 |
Conference
| Conference | 6th International Conference on Mobile, Secure and Programmable Networking |
|---|---|
| Country/Territory | France |
| City | Paris |
| Period | 28/10/20 → 29/10/20 |
| Other | MSPN 2020 is the 6th edition of the successful International Conference on Mobile, Secure and Programmable Networking. It aims at providing an elicited forum for researchers and industrial practitioners to present and discuss emerging trends in networking infrastructures, distributed yet intelligent protocols, security, services and applications while focusing manifold vertical tools on machine leaning and artificial intelligence, network programming and Cloud computing, Industrial Internet of things, Digital Twins, etc. Position papers are also appreciated and solicited. It should be clearly marked as such. MSPN 2020 will be held from October 28 to October 29, 2020 in Paris, France. The conference will be fully virtual because of covid situation. |
| Internet address |
|
