Abstract
Ransomware is a malware that encrypts victim's data, where the decryption key is released after a ransom is paid by the data owner to the attacker. Many ransomware attacks were reported recently, making anti-ransomware a crucial need in security operation, and an issue for the security community to tackle. In this paper, we propose a new approach to defending against ransomware inside NAND flash-based SSDs. To realize the idea of defense-inside-SSDs, both a lightweight detection technique and a perfect recovery algorithm to be used as a part of SSDs firmware should be developed. To this end, we propose a new set of lightweight behavioral features on ran-somware's overwriting pattern, which are invariant across various ransomwares. Our features rely on observing the block I/O request headers only, and not the payload. For perfect and instant recovery, we also propose using the delayed deletion feature of SSDs, which is intrinsic to NAND flash. To demonstrate their feasibility, we implement our algorithms atop an open-channel SSD as a working prototype called SSD-Insider. In experiments using eight real-world and two in-house ransomwares with various background applications running, SSD-Insider achieved a detection accuracy 0% FRR/FAR in most scenarios, and only 5% FAR when heavy overwriting resembling ransomware's data wiping occurs. SSD-Insider detects ransomware activity within 10s, and recovers instantly an infected SSD within 1s with 0% data loss. The additional software overheads incurred by the SSD-Insider is just 147 ns and 254 ns for 4-KB reads and writes, respectively, which is negligible considering NAND chip latency (50-1000 μs).
Original language | English |
---|---|
Title of host publication | Proceedings - 2018 IEEE 38th International Conference on Distributed Computing Systems, ICDCS 2018 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 875-884 |
Number of pages | 10 |
ISBN (Electronic) | 9781538668719 |
DOIs | |
State | Published - 19 Jul 2018 |
Event | 38th IEEE International Conference on Distributed Computing Systems, ICDCS 2018 - Vienna, Austria Duration: 2 Jul 2018 → 5 Jul 2018 |
Publication series
Name | Proceedings - International Conference on Distributed Computing Systems |
---|---|
Volume | 2018-July |
Conference
Conference | 38th IEEE International Conference on Distributed Computing Systems, ICDCS 2018 |
---|---|
Country/Territory | Austria |
City | Vienna |
Period | 2/07/18 → 5/07/18 |
Bibliographical note
Publisher Copyright:© 2018 IEEE.
Keywords
- Detection
- Firmware
- Ransomware
- Recovery
- SSD