Rcryptect: Real-time detection of cryptographic function in the user-space filesystem

Rcryptect: Real-time detection of cryptographic function in the user-space filesystem

The existing methods of ransomware detection have limitations. To be specific, static analysis is not effective to obfuscated binaries, while dynamic analysis is usually restricted to a certain platform and often takes tens of minutes. In this paper, we propose a block-level monitoring system to det...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Computers & security 2022-01, Vol.112, p.102512, Article 102512
Hauptverfasser: Lee, Seungkwang, Jho, Nam-su, Chung, Doyoung, Kang, Yousung, Kim, Myungchul
Format: Artikel
Sprache:eng
Schlagworte:
Cryptographic function detection
Cryptography
Cybersecurity
Device security
Entropy
FUSE
Heuristic
Ransomware
Real time
Statistical analysis
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:The existing methods of ransomware detection have limitations. To be specific, static analysis is not effective to obfuscated binaries, while dynamic analysis is usually restricted to a certain platform and often takes tens of minutes. In this paper, we propose a block-level monitoring system to detect potentially malicious cryptographic operations. We carry out statistical analysis to find heuristic rules to distinguish between normal and encrypted blocks. In order to apply the heuristic rule to the filesystem without kernel modification, we adopt Filesystem in Userspace (FUSE) and define our filesystem Rcryptect for real-time detection of cryptographic function. We demonstrate the protection of well-known ransomware and show that various cryptographic functions can be detected with about 13% overhead.
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2021.102512