Guardfs: A File System for Integrated Detection and Mitigation of Linux-Based Ransomware

16 Pages Posted: 22 Feb 2024


Jan von der Assen

affiliation not provided to SSRN

Chao Feng

University of Zurich

ALBERTO HUERTAS CELDRAN

University of Zurich

Róbert Oleš

affiliation not provided to SSRN

Gérôme Bovet

Cyber-Defence Campus, armasuisse Science and Technology

Burkhard Stiller

University of Zurich

Abstract

Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored its detection using various approaches that leverage Machine and Deep Learning. While these approaches are effective at detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent ransomware rather than merely alert on it or halt its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigating the integration of ransomware detection and mitigation. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on GuardFS test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis show that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.

Keywords: Cybersecurity, Ransomware, Malware, Mitigation, Prevention, Recovery, Fingerprinting, Machine Learning

Suggested Citation

von der Assen, Jan and Feng, Chao and HUERTAS CELDRAN, ALBERTO and Oleš, Róbert and Bovet, Gérôme and Stiller, Burkhard, Guardfs: A File System for Integrated Detection and Mitigation of Linux-Based Ransomware. Available at SSRN: https://ssrn.com/abstract=4734768 or http://dx.doi.org/10.2139/ssrn.4734768

Jan Von der Assen (Contact Author)

affiliation not provided to SSRN

Chao Feng

University of Zurich

ALBERTO HUERTAS CELDRAN

University of Zurich

Róbert Oleš

affiliation not provided to SSRN

Gérôme Bovet

Cyber-Defence Campus, armasuisse Science and Technology

Burkhard Stiller

University of Zurich

Rämistrasse 71
Zürich, CH-8006
Switzerland
