Links
- https://netfuture.ch/wp-content/uploads/2018/07/held2018fightingransomware.pdf
- https://netfuture.ch/wp-content/uploads/2018/09/ransomware_detection.pdf
- https://netfuture.ch/wp-content/uploads/2018/09/2018-ransomware.odp
Abstract
Ransomware attacks are rare, yet catastrophic. On closer inspection, they differ from other malware infections: Given appropriate preparation, they do not need to be caught on first sight, but can be undone later. However, current ransomware protection follows the beaten path of anti-malware copying their fallacies. We show how the move to personal cloud storage allows for a paradigm shift in ransomware protection: exceptional attack isolation, perfect elimination of false positive alerts, and simplified recovery.
In this paper, we analyze the necessary operations for ransomware, extend existing ransomware taxonomy, and verify them against real-world malware samples. We analyze the costs and benefits of moving ransomware detection to versioned personal cloud storage. Our content, meta data, and behavior analysis paired with a `guilt by association’ capability greatly improve the false positive rate, but the guided undo make this rate all but inconsequential. Even though the user now carries a new burden, it comes with clear responsibilities and benefits, while being freed from questionable duties, resulting in a win-win situation for user experience and detection quality.
BibTeX (Download)
@inproceedings{Held2018FightingRansomware, title = {Fighting Ransomware with Guided Undo}, author = {Matthias Held and Marcel Waldvogel}, url = {https://netfuture.ch/wp-content/uploads/2018/07/held2018fightingransomware.pdf https://netfuture.ch/wp-content/uploads/2018/09/ransomware_detection.pdf https://netfuture.ch/wp-content/uploads/2018/09/2018-ransomware.odp}, year = {2018}, date = {2018-09-18}, urldate = {1000-01-01}, booktitle = {Proceedings of NISK 2018}, abstract = {Ransomware attacks are rare, yet catastrophic. On closer inspection, they differ from other malware infections: Given appropriate preparation, they do not need to be caught on first sight, but can be undone later. However, current ransomware protection follows the beaten path of anti-malware copying their fallacies. We show how the move to personal cloud storage allows for a paradigm shift in ransomware protection: exceptional attack isolation, perfect elimination of false positive alerts, and simplified recovery. In this paper, we analyze the necessary operations for ransomware, extend existing ransomware taxonomy, and verify them against real-world malware samples. We analyze the costs and benefits of moving ransomware detection to versioned personal cloud storage. Our content, meta data, and behavior analysis paired with a `guilt by association' capability greatly improve the false positive rate, but the guided undo make this rate all but inconsequential. Even though the user now carries a new burden, it comes with clear responsibilities and benefits, while being freed from questionable duties, resulting in a win-win situation for user experience and detection quality. }, keywords = {Cloud Storage, Intrusion Detection, Ransomware, Replication, Security, Usability, Web Applications}, pubstate = {published}, tppubtype = {inproceedings} }