SSD-Assisted Ransomware Detection and Data Recovery Techniques

Sungha Baek; Youngdon Jung; David Mohaisen; Sungjin Lee; Dae Hun Nyang

doi:10.1109/TC.2020.3011214

SSD-Assisted Ransomware Detection and Data Recovery Techniques

Sungha Baek, Youngdon Jung, David Mohaisen, Sungjin Lee, Dae Hun Nyang

Cyber Security

Research output: Contribution to journal › Article › peer-review

14 Scopus citations

Abstract

As ransomware attacks have been prevalent, it becomes crucial to make anti-ransomware solutions that defend against ransomwares. In this article, we propose a new ransomware defense system, called SSD-Insider++, which prevents users' files from being damaged by ransomware attacks. SSD-Insider++ is embedded into an SSD controller as a form of firmware. By being separated from a host machine, it not only provides more robust data protection than software-based ones which are vulnerable to evasion attacks, but also offers interoperability with various platforms. SSD-Insider++ is composed of two novel features, ransomware detection and perfect data recovery, which are tightly integrated with each other. The detection algorithm observes I/O patterns of a host system and decides whether the host is being attacked by ransomwares in an early stage. Once an encryption attack is detected, the recovery algorithm is triggered to recover original files by leveraging a delayed deletion feature of an SSD at a low cost. Our experimental results show that SSD-Insider++ achieves high accuracy of detecting ransomwares with 0 percent FRR/FAR in most cases and provides an instant data recovery with 0 percent data loss. The overhead of running SSD-Insider++ is negligible - only 80 nns and 226 nns are spent more for handling 4-KB reads and writes, respectively.

Original language	English
Article number	9146350
Pages (from-to)	1762-1776
Number of pages	15
Journal	IEEE Transactions on Computers
Volume	70
Issue number	10
DOIs	https://doi.org/10.1109/TC.2020.3011214
State	Published - 1 Oct 2021

Bibliographical note

Funding Information:
An earlier version of this article was presented at the IEEE International Conference on Distributed Computing Systems, July 2-5, 2018 [6]. This work was supported in part by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) under Grant NRF-2017R1E1A1A01077410, in part by Global Research Laboratory (GRL) Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science and ICT under Grant NRF-2016K1A1A2912757, and in part by Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) under Grant 20180003910012003, Behavior-Based Ransom-ware Detection Technology Using I/O Distribution. Sungha Baek and Youngdon Jung contributed equally to this work.

Publisher Copyright:
© 1968-2012 IEEE.

Keywords

Ransomware
data recovery
flash-based SSDs
malware detection

Access to Document

10.1109/TC.2020.3011214

Cite this

@article{f79bb39b38464e38a24d55869c63797c,

title = "SSD-Assisted Ransomware Detection and Data Recovery Techniques",

abstract = "As ransomware attacks have been prevalent, it becomes crucial to make anti-ransomware solutions that defend against ransomwares. In this article, we propose a new ransomware defense system, called SSD-Insider++, which prevents users' files from being damaged by ransomware attacks. SSD-Insider++ is embedded into an SSD controller as a form of firmware. By being separated from a host machine, it not only provides more robust data protection than software-based ones which are vulnerable to evasion attacks, but also offers interoperability with various platforms. SSD-Insider++ is composed of two novel features, ransomware detection and perfect data recovery, which are tightly integrated with each other. The detection algorithm observes I/O patterns of a host system and decides whether the host is being attacked by ransomwares in an early stage. Once an encryption attack is detected, the recovery algorithm is triggered to recover original files by leveraging a delayed deletion feature of an SSD at a low cost. Our experimental results show that SSD-Insider++ achieves high accuracy of detecting ransomwares with 0 percent FRR/FAR in most cases and provides an instant data recovery with 0 percent data loss. The overhead of running SSD-Insider++ is negligible - only 80 nns and 226 nns are spent more for handling 4-KB reads and writes, respectively. ",

keywords = "Ransomware, data recovery, flash-based SSDs, malware detection",

author = "Sungha Baek and Youngdon Jung and David Mohaisen and Sungjin Lee and Nyang, {Dae Hun}",

note = "Funding Information: An earlier version of this article was presented at the IEEE International Conference on Distributed Computing Systems, July 2-5, 2018 [6]. This work was supported in part by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) under Grant NRF-2017R1E1A1A01077410, in part by Global Research Laboratory (GRL) Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science and ICT under Grant NRF-2016K1A1A2912757, and in part by Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) under Grant 20180003910012003, Behavior-Based Ransom-ware Detection Technology Using I/O Distribution. Sungha Baek and Youngdon Jung contributed equally to this work. Publisher Copyright: {\textcopyright} 1968-2012 IEEE.",

year = "2021",

month = oct,

day = "1",

doi = "10.1109/TC.2020.3011214",

language = "English",

volume = "70",

pages = "1762--1776",

journal = "IEEE Transactions on Computers",

issn = "0018-9340",

publisher = "IEEE Computer Society",

number = "10",

}

TY - JOUR

T1 - SSD-Assisted Ransomware Detection and Data Recovery Techniques

AU - Baek, Sungha

AU - Jung, Youngdon

AU - Mohaisen, David

AU - Lee, Sungjin

AU - Nyang, Dae Hun

N1 - Funding Information: An earlier version of this article was presented at the IEEE International Conference on Distributed Computing Systems, July 2-5, 2018 [6]. This work was supported in part by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) under Grant NRF-2017R1E1A1A01077410, in part by Global Research Laboratory (GRL) Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science and ICT under Grant NRF-2016K1A1A2912757, and in part by Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) under Grant 20180003910012003, Behavior-Based Ransom-ware Detection Technology Using I/O Distribution. Sungha Baek and Youngdon Jung contributed equally to this work. Publisher Copyright: © 1968-2012 IEEE.

PY - 2021/10/1

Y1 - 2021/10/1

N2 - As ransomware attacks have been prevalent, it becomes crucial to make anti-ransomware solutions that defend against ransomwares. In this article, we propose a new ransomware defense system, called SSD-Insider++, which prevents users' files from being damaged by ransomware attacks. SSD-Insider++ is embedded into an SSD controller as a form of firmware. By being separated from a host machine, it not only provides more robust data protection than software-based ones which are vulnerable to evasion attacks, but also offers interoperability with various platforms. SSD-Insider++ is composed of two novel features, ransomware detection and perfect data recovery, which are tightly integrated with each other. The detection algorithm observes I/O patterns of a host system and decides whether the host is being attacked by ransomwares in an early stage. Once an encryption attack is detected, the recovery algorithm is triggered to recover original files by leveraging a delayed deletion feature of an SSD at a low cost. Our experimental results show that SSD-Insider++ achieves high accuracy of detecting ransomwares with 0 percent FRR/FAR in most cases and provides an instant data recovery with 0 percent data loss. The overhead of running SSD-Insider++ is negligible - only 80 nns and 226 nns are spent more for handling 4-KB reads and writes, respectively.

AB - As ransomware attacks have been prevalent, it becomes crucial to make anti-ransomware solutions that defend against ransomwares. In this article, we propose a new ransomware defense system, called SSD-Insider++, which prevents users' files from being damaged by ransomware attacks. SSD-Insider++ is embedded into an SSD controller as a form of firmware. By being separated from a host machine, it not only provides more robust data protection than software-based ones which are vulnerable to evasion attacks, but also offers interoperability with various platforms. SSD-Insider++ is composed of two novel features, ransomware detection and perfect data recovery, which are tightly integrated with each other. The detection algorithm observes I/O patterns of a host system and decides whether the host is being attacked by ransomwares in an early stage. Once an encryption attack is detected, the recovery algorithm is triggered to recover original files by leveraging a delayed deletion feature of an SSD at a low cost. Our experimental results show that SSD-Insider++ achieves high accuracy of detecting ransomwares with 0 percent FRR/FAR in most cases and provides an instant data recovery with 0 percent data loss. The overhead of running SSD-Insider++ is negligible - only 80 nns and 226 nns are spent more for handling 4-KB reads and writes, respectively.

KW - Ransomware

KW - data recovery

KW - flash-based SSDs

KW - malware detection

UR - http://www.scopus.com/inward/record.url?scp=85114804909&partnerID=8YFLogxK

U2 - 10.1109/TC.2020.3011214

DO - 10.1109/TC.2020.3011214

M3 - Article

AN - SCOPUS:85114804909

SN - 0018-9340

VL - 70

SP - 1762

EP - 1776

JO - IEEE Transactions on Computers

JF - IEEE Transactions on Computers

IS - 10

M1 - 9146350

ER -

SSD-Assisted Ransomware Detection and Data Recovery Techniques

Abstract

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this