Early mitigation of CPU-optimized ransomware using monitoring encryption instructions

IF 2.4 4区 计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS International Journal of Information Security Pub Date : 2024-07-30 DOI:10.1007/s10207-024-00892-2
Shuhei Enomoto, Hiroki Kuzuno, Hiroshi Yamada, Yoshiaki Shiraishi, Masakatu Morii
{"title":"Early mitigation of CPU-optimized ransomware using monitoring encryption instructions","authors":"Shuhei Enomoto, Hiroki Kuzuno, Hiroshi Yamada, Yoshiaki Shiraishi, Masakatu Morii","doi":"10.1007/s10207-024-00892-2","DOIUrl":null,"url":null,"abstract":"<p>Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure as a service, are prime targets for ransomware developers. To address this, security mechanisms, such as antivirus software, have proven effective. Moreover, research on ransomware detection advocates for behavior-based finding mechanisms while ransomware is in operation. In response to evolving detections, ransomware developers are now adapting an optimized design tailored for CPU architecture (CPU-optimized ransomware). This variant can rapidly encrypt files, potentially evading detection by traditional antivirus methods that rely on fixed time intervals for file scans. In ransomware detection research, numerous files can be encrypted by CPU-optimized ransomware until malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, which is designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer focuses on the misuse of CPU architecture-specific encryption instructions for swift file encryption by CPU-optimized ransomware. This can be achieved by capturing the ciphertext in user processes and thwarting file encryption by scrutinizing the content intended for writing. To demonstrate the efficacy of CryptoSniffer, the mechanism was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, and the performance overhead is well-suited for practical applications.</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"2 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-07-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00892-2","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure as a service, are prime targets for ransomware developers. To address this, security mechanisms, such as antivirus software, have proven effective. Moreover, research on ransomware detection advocates for behavior-based finding mechanisms while ransomware is in operation. In response to evolving detections, ransomware developers are now adapting an optimized design tailored for CPU architecture (CPU-optimized ransomware). This variant can rapidly encrypt files, potentially evading detection by traditional antivirus methods that rely on fixed time intervals for file scans. In ransomware detection research, numerous files can be encrypted by CPU-optimized ransomware until malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, which is designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer focuses on the misuse of CPU architecture-specific encryption instructions for swift file encryption by CPU-optimized ransomware. This can be achieved by capturing the ciphertext in user processes and thwarting file encryption by scrutinizing the content intended for writing. To demonstrate the efficacy of CryptoSniffer, the mechanism was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, and the performance overhead is well-suited for practical applications.

Abstract Image

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
利用监控加密指令及早缓解 CPU 优化的勒索软件
勒索软件攻击对信息系统构成重大威胁。包括云基础设施即服务在内的服务器主机是勒索软件开发者的主要目标。为解决这一问题,杀毒软件等安全机制已被证明是有效的。此外,有关勒索软件检测的研究主张在勒索软件运行时采用基于行为的查找机制。为了应对不断发展的检测,勒索软件开发者现在正在调整一种针对 CPU 架构的优化设计(CPU 优化勒索软件)。这种变种可以快速加密文件,有可能躲过依赖固定时间间隔扫描文件的传统防病毒方法的检测。在勒索软件检测研究中,CPU 优化勒索软件可能会加密大量文件,直到检测到恶意活动。本研究提出了一种名为 "CryptoSniffer "的早期缓解机制,该机制专门用于对抗针对服务器主机的CPU优化勒索软件攻击。CryptoSniffer 主要针对 CPU 优化勒索软件滥用 CPU 架构特定加密指令进行快速文件加密的问题。这可以通过捕获用户进程中的密文来实现,并通过仔细检查打算写入的内容来挫败文件加密。为了证明 CryptoSniffer 的功效,我们在最新的 Linux 内核中实现了该机制,并对其安全性和性能进行了系统评估。实验结果表明,CryptoSniffer 能成功阻止现实世界中经过 CPU 优化的勒索软件,其性能开销也非常适合实际应用。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
International Journal of Information Security
International Journal of Information Security 工程技术-计算机:理论方法
CiteScore
6.30
自引率
3.10%
发文量
52
审稿时长
12 months
期刊介绍: The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation. Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.
期刊最新文献
“Animation” URL in NFT marketplaces considered harmful for privacy An overview of proposals towards the privacy-preserving publication of trajectory data Enhancing privacy protections in national identification systems: an examination of stakeholders’ knowledge, attitudes, and practices of privacy by design An enhanced and verifiable lightweight authentication protocol for securing the Internet of Medical Things (IoMT) based on CP-ABE encryption Secure multi-party computation with legally-enforceable fairness
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1