
Research On Detection And Prevention Of Ransomware

Posted on: 2019-09-01
Degree: Master
Type: Thesis
Country: China
Candidate: J P Su
Full Text: PDF
GTID: 2428330572951624
Subject: Engineering
Abstract/Summary:
In the last few years, ransomware has been spreading around the world and poses a serious security threat to users. Ransomware makes a victim's machine unusable by encrypting user files or locking the screen, and then uses this as leverage to extort money from the user. It has caused great harm and heavy economic losses to enterprises, governments, organizations and individuals, which makes it one of the most serious threats to Internet security. Researchers have proposed several techniques for detecting and preventing ransomware, but current approaches share two limitations. First, the detection system runs inside the same operating system as the ransomware, so ransomware that gains system-level privilege can attack and bypass it. Second, most existing detection systems rely only on the characteristics of the ransomware's file activity, and since the file system activity of ransomware resembles that of some benign applications, they readily produce false positives.

To address these limitations, this thesis proposes a large-scale ransomware defense system based on virtual machine introspection (VMI). The system uses VMI to intercept the system calls related to file and network operations in the virtual machine, parses the system call parameters, and obtains the context of the current process, which allows it to monitor each process's interactions with the file system and the network. Using this monitoring information, the system detects and blocks ransomware according to file and network I/O access patterns and a detection policy. This design overcomes both limitations of existing systems. First, because the VMI-based defense system resides in the hypervisor, outside the virtual machine, ransomware inside the virtual machine cannot attack the prototype even after escalating its privileges. Second, experiments showed that most ransomware samples exhibit both file and network activity, so using the combination of file and network activity as the detection basis lets the system detect ransomware with high accuracy.

The thesis first analyzes several recently active ransomware samples and summarizes three file I/O access patterns and two network I/O access patterns; it then designs and implements the prototype on the KVM hypervisor. To evaluate the effectiveness and performance of the prototype, 2767 unlabeled malware samples were collected and a large-scale experiment was conducted. The results show that the prototype successfully detected 534 ransomware samples among the 2767 malware samples and blocked them with no false positives. The performance evaluation indicates that the overhead introduced by the system is low (< 6% on average).
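The detection step the abstract describes, as an added illustration that is not the thesis's own code: per-process file and network syscall events from a VMI monitor are fed to a policy that blocks a process only when it shows both kinds of activity. The abstract does not spell out its three file and two network patterns, so the read-overwrite-rename/delete rule and the any-outbound-connect rule here are assumptions, and the trace is constructed.

```python
from collections import defaultdict

# Constructed trace of guest syscalls as a VMI monitor might report them:
# (pid, process name, syscall, primary argument). Not real captured data.
SAMPLE_TRACE = [
    (1001, "cryptor.exe", "read",    r"C:\Users\a\report.docx"),
    (1001, "cryptor.exe", "write",   r"C:\Users\a\report.docx"),
    (1001, "cryptor.exe", "rename",  r"C:\Users\a\report.docx"),
    (1001, "cryptor.exe", "read",    r"C:\Users\a\photo.jpg"),
    (1001, "cryptor.exe", "write",   r"C:\Users\a\photo.jpg"),
    (1001, "cryptor.exe", "rename",  r"C:\Users\a\photo.jpg"),
    (1001, "cryptor.exe", "read",    r"C:\Users\a\notes.txt"),
    (1001, "cryptor.exe", "write",   r"C:\Users\a\notes.txt"),
    (1001, "cryptor.exe", "unlink",  r"C:\Users\a\notes.txt"),
    (1001, "cryptor.exe", "connect", "203.0.113.7:443"),
    # Benign look-alike: a backup tool reads originals and writes copies
    # elsewhere; file activity only, no in-place overwrite, no network.
    (2002, "backup.exe",  "read",    r"C:\Users\a\report.docx"),
    (2002, "backup.exe",  "write",   r"D:\backup\report.docx"),
    (2002, "backup.exe",  "read",    r"C:\Users\a\photo.jpg"),
    (2002, "backup.exe",  "write",   r"D:\backup\photo.jpg"),
    # Benign look-alike: a browser with network activity but no overwrite pattern.
    (3003, "browser.exe", "connect", "198.51.100.20:443"),
    (3003, "browser.exe", "write",   r"C:\Users\a\cache\x.bin"),
]

def evaluate(trace, min_files=3):
    """Apply the illustrative (hypothetical) policy to a syscall trace.

    Returns {pid: "block" | "allow"}. A pid is blocked only when it shows
    BOTH the file pattern (at least min_files distinct files read, then
    overwritten in place, then renamed or deleted) AND the network pattern
    (any outbound connect). Requiring both keeps the backup tool and the
    browser, which each show only one kind of activity, from being flagged.
    """
    read = defaultdict(set)         # pid -> files it has read
    overwritten = defaultdict(set)  # pid -> read files it then wrote in place
    destroyed = defaultdict(set)    # pid -> overwritten files then renamed/unlinked
    connected = set()               # pids that issued an outbound connect
    for pid, _name, call, arg in trace:
        if call == "read":
            read[pid].add(arg)
        elif call == "write" and arg in read[pid]:
            overwritten[pid].add(arg)
        elif call in ("rename", "unlink") and arg in overwritten[pid]:
            destroyed[pid].add(arg)
        elif call == "connect":
            connected.add(pid)
    pids = {pid for pid, *_ in trace}
    return {pid: "block" if len(destroyed[pid]) >= min_files and pid in connected
            else "allow" for pid in pids}
```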
Keywords/Search Tags: Ransomware, Virtual Machine Introspection, System Call, Hypervisor