Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure

Abstract : We present the Malware - O - Matic analysis platform and the Data Aware Defense ransomware countermeasure based on real time data gathering with as little impact as possible on system performance. Our solution monitors (and blocks if necessary) file system activity of all userland threads with new indicators of compromise. We successfully detect 99.37% of our 798 active ransomware samples with at most 70 MB lost per sample’s thread in 90% of cases, or less than 7 MB in 70% of cases. By a careful analysis of the few false negatives we show that some ransomware authors are specifically trying to hide ongoing encryption. We used free (as in free beer) de facto industry standard benchmarks to evaluate the impact of our solution and enable fair comparisons. In all but the most demanding tests the impact is marginal
Keywords : Ransomware
Liste complète des métadonnées

Cited literature [6 references]  Display  Hide  Download

https://hal-imt-atlantique.archives-ouvertes.fr/hal-01814009
Contributor : Hélène Le Bouder <>
Submitted on : Tuesday, June 12, 2018 - 5:27:56 PM
Last modification on : Tuesday, April 2, 2019 - 1:45:31 AM
Document(s) archivé(s) le : Friday, September 14, 2018 - 12:41:13 AM

File

palisse-nordsec.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01814009, version 1

Citation

Aurélien Palisse, Antoine Durand, Hélène Le Bouder, Colas Le Guernic, Jean-Louis Lanet. Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure. NordSec2017 - Nordic Conference on Secure IT Systems, Nov 2017, Tartu, Estonia. ⟨hal-01814009⟩

Share

Metrics

Record views

219

Files downloads

145