Reactive redundancy for data destruction protection (R2D2)


Full description

Saved in:
Bibliographic details
Published in: Computers & Security 2018-05, Vol. 74, pp. 184-201
Main authors: Gutierrez, Christopher N., Spafford, Eugene H., Bagchi, Saurabh, Yurek, Thomas
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 201
container_issue
container_start_page 184
container_title Computers & security
container_volume 74
creator Gutierrez, Christopher N.
Spafford, Eugene H.
Bagchi, Saurabh
Yurek, Thomas
description
• We demonstrate R2D2's ability to preserve files under destruction on a Windows 7 VM.
• R2D2 protects against modern Wiper Malware and secure delete methods.
• R2D2 improves prior work by isolating analysis/preservation from the protected system.
• R2D2 shows acceptable performance, suitable for the home user or office related tasks.
Data destruction programs, such as Wiper Malware, cause substantial damage by overwriting critical digital assets on compromised machines, denying users access to computing resources. Our system, called R2D2, analyzes write buffers before they can reach a storage medium, determines if the write is destructive, and preserves the data under destruction. We interpose the inspection in the Virtual Machine Monitor (VMM) through a technique known as Virtual Machine Introspection (VMI). This has the benefit that it does not rely on the entire OS as a root of trust. We demonstrate the effectiveness of our prototype implementation by preserving data targeted for destruction by Wiper Malware such as Shamoon and Stonedrill, and a host of secure delete tools. We discover that R2D2 detects data destruction with high accuracy (99.8% true negative and true positive rates) and preserves critical data for all the Wiper Malware samples in the wild that we experimented with. While our prototype is not optimized for performance, we show that it is applicable for common user tasks in an office or home setting, with a latency increase of 1%–4% and 9%–20% to complete batch tasks and interactive tasks respectively. VMI accounts for 90.7%–98.5% of the latency overhead and thus R2D2 incurs a small cost for environments already using VMI.
doi_str_mv 10.1016/j.cose.2017.12.012
format Article
fullrecord (summary; the title, authors, abstract and subject list above are repeated in the source record and are omitted here)
publisher Amsterdam: Elsevier Ltd; Elsevier Sequoia S.A.
rights 2018 Elsevier Ltd; Copyright Elsevier Sequoia S.A. May 2018
peer_reviewed true
open_access free_for_read
orcid https://orcid.org/0000-0002-5037-4591; https://orcid.org/0000-0002-5555-8330
fulltext_link https://dx.doi.org/10.1016/j.cose.2017.12.012
tpages 18
eissn 1872-6208
fulltext fulltext
identifier ISSN: 0167-4048
ispartof Computers & security, 2018-05, Vol.74, p.184-201
issn 0167-4048
1872-6208
language eng
recordid cdi_proquest_journals_2068015705
source Access via ScienceDirect (Elsevier)
subjects Computer security
Computer viruses
Data availability
Data integrity
Data resiliency
Inspection
Malware
Network security
Operating systems security
Redundancy
Studies
Virtual Machine Introspection
Virtualization
title Reactive redundancy for data destruction protection (R2D2)
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-18T21%3A51%3A50IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Reactive%20redundancy%20for%20data%20destruction%20protection%20(R2D2)&rft.jtitle=Computers%20&%20security&rft.au=Gutierrez,%20Christopher%20N.&rft.date=2018-05&rft.volume=74&rft.spage=184&rft.epage=201&rft.pages=184-201&rft.issn=0167-4048&rft.eissn=1872-6208&rft_id=info:doi/10.1016/j.cose.2017.12.012&rft_dat=%3Cproquest_cross%3E2068015705%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2068015705&rft_id=info:pmid/&rft_els_id=S016740481730281X&rfr_iscdi=true