RGuard: A Light-weight Minifilter-based Solution to Ransomware

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：77

、訪客IP：18.188.59.124

姓名

謝岳緯(Yue-Wei Xie) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

(RGuard: A Light-weight Minifilter-based Solution to Ransomware)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

近年來勒索軟體的危害程度對於使用者越來越高，勒索軟體會想盡辦法入侵使用者的電腦去加密檔案，並勒索贖金，被攻擊的使用者只能被迫向勒索軟體作者付出高額的贖金，而且付出贖金也不一定會解鎖檔案，受害者只能被動等待作者解鎖。
對於勒索軟體的攻擊，防毒軟體雖然有辦法偵測到電腦遭受到攻擊，但是這是在確定是勒索軟體後才能阻擋，在這病毒空窗期的期間，可能已有不少使用者遭受到勒索軟體攻擊，因此這在期間保護使用者就成為首要任務。
為了抵禦勒索軟體的攻擊，我們提出了一個能在平時偵測疑似勒索軟體的方法，該方法是建置在 Windows 的 minifilter driver 上，因此勒索軟體很難繞過我們的偵測。
在偵測到疑似勒索軟體後，我們的系統能讓使用者做後續的處理，像是終止目前的程式或是直接將程式加入白名單，讓使用者可以有選擇的空間。除了可以對程式進行操作外，當使用者選擇終止程式時，我們的系統還會還原被改變的檔案，減少使用者的損失。

摘要(英)

In recent years, ransomwares are prevalent and dangerous to users more and more. The target of ransomware is to intrude the user’s computer to encrypt files and force the user to pay money. Additionally, after paying a high ransom to the author of ransomware, the victim was not necessarily to get recovery key. Therefore, victims are to face a dilemma.
Although antivirus software can detect the attack of ransomware, it is due to the latest virus definitions. If a new virus appears and the virus definitions are out of date, user’s computer may suffer the threat of ransomware. Thus, it is important to protect the user’s computer during virus window period.
In order to resist the attack of ransomware, we propose a method to detect process whose actions are similar to the actions of ransomware. Because the method proposed is based on Windows minifilter driver, ransomware is hard to bypass the detection of our method.
After catching ransomware-like process, our system would take care user’s computer, such as terminate the process, whitelist the process. Furthermore, when users choose to terminate the program, our system will restore the files changed by the process.

關鍵字(中)

★ 勒索軟體
★ minifilter
★ Windows 驅動

關鍵字(英)

★ Ransomware
★ minifilter
★ Windows driver

論文目次

目錄
摘要 i
Abstract ii
目錄 iii
圖目錄 iv
表目錄 v
第 1 章緒論 1
第 2 章背景介紹 4
2.1 Ransomware 4
2.2 Windows Device Driver 7
2.3 Windows Minifilter Driver 10
第 3 章相關研究 14
第 4 章系統設計與實作 16
4.1 偵測原理 17
4.2 偵測程式 18
4.2.1 Callback Routine of Create 19
4.2.2 Callback Routine of Write 21
4.3 Backup Files 25
4.4 Protect Files 26
4.5 Recover Files 27
4.6 Whitelist Process 27
4.7 Terminate Process 28
第 5 章效能分析 29
5.1 實驗環境 29
5.2 測試案例 30
5.3 效能評估 31
第 6 章討論 34
6.1 準確率 34
6.2 限制 34
第 7 章結論 36
7.1 貢獻 36
7.2 未來研究 37
參考文獻 38

圖目錄
Fig. 1‑1: 使用者遇到勒索軟體至少一次的數量 2
Fig. 1‑2: 我們針對勒索軟體提出的防禦方法 3
Fig. 2‑1: 中文的勒索訊息 6
Fig. 2‑2: 使用 driver 作為 OS 和 device 之間通訊的橋樑 7
Fig. 2‑3: 作業系統和裝置通訊透過多個 driver 8
Fig. 2‑4: 使用 software driver 通訊 9
Fig. 2‑5: 檔案的 I/O 經過 I/O Manager 及三個 minifilter driver傳送 11
Fig. 2‑6: Minifilter driver 註冊的流程 11
Fig. 3‑1: CryptoWall proxy 的地理位置 15
Fig. 4‑1: RGuard 的系統架構 16
Fig. 4‑2: Ransomware 的偵測方法 18
Fig. 4‑3: I/O operation 的註冊 19
Fig. 4‑4: Create operation 的偵測流程 20
Fig. 4‑5: Recursive I/O operation of create 21
Fig. 4‑6: Write operation 的偵測流程 22
Fig. 4‑7: Recursive I/O operation of write 24
Fig. 4‑8: 備份的時間差 24
Fig. 4‑9: 一個視窗去警告使用者 24
Fig. 4‑10: 索引的資料欄位 25
Fig. 4‑11: 拒絕訪問文件的方法 26
Fig. 4‑12: 拒絕訪問備份目錄 26
Fig. 4‑13: 還原檔案的通知訊息 27
Fig. 4‑14: 終止程式的流程 28
Fig. 5‑1: 不同性質的加密時間 31
Fig. 5‑2: 備份檔案占用的磁碟空間 32

表目錄
Table 5‑1: 系統實驗環境 29
Table 5‑2: 測試案例的訊息 30
Table 5‑3: 勒索軟體的偵測 33

參考文獻

參考文獻
[1] Kaspersky Lab. KSN Report: Ransomware in 2014-2016 [Online]. Available: https://securelist.com/analysis/publications/75145/pc-ransomware-in-2014-2016/
[2] Wikipedia. Ransomware - Wikipedia, the free encyclopedia [Online]. Available: https://en.wikipedia.org/wiki/Ransomware
[3] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda, "Cutting the gordian knot: a look under the hood of ransomware attacks," in Detection of Intrusions and Malware, and Vulnerability Assessment, ed: Springer, 2015, pp. 3-24.
[4] M. M. Ahmadian, H. R. Shahriari, and S. M. Ghaffarian, "Connection-monitor & connection-breaker: A novel approach for prevention and detection of high survivable ransomwares," in Information Security and Cryptology (ISCISC), 2015 12th International Iranian Society of Cryptology Conference on, 2015, pp. 79-84
[5] D. Kim, W. Soh, and S. Kim, "Design of Quantification Model for Prevent of Cryptolocker," Indian Journal of Science and Technology, vol. 8, 2015.
[6] K. CABAJ, P. GAWKOWSKI, K. GROCHOWSKI, and D. OSOJCA, "Network activity analysis of CryptoWall ransomware," Przegląd Elektrotechniczny, vol. 91, pp. 201-204, 2015.
[7] Cindy Ng. The Complete Ransomware Guide [Online]. Available: https://blog.varonis.com/the-complete-ransomware-guide/
[8] TrendMicro. TrendLabs Security Intelligence BlogZCRYPT Crypto-ransomware Attacks Windows 7 and Later, Scraps Backward Compatibility - TrendLabs Security Intelligence Blog [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/crypto-ransomware-attacks-windows-7-later-scraps-backward-compatibility/
[9] Joshua Cannell. A Look At Malware With Virtual Machine Detection | Malwarebytes Labs. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2014/02/a-look-at-malware-with-virtual-machine-detection/
[10] Jeremy Kirk. CryptoWall ransomware variant has new defenses | PCWorld [Online]. Available: http://www.pcworld.com/article/2867132/cryptowall-ransomware-variant-has-new-defenses.html
[11] Wikipedia. Shadow Copy - Wikipedia, the free encyclopedia [Online]. Available: https://en.wikipedia.org/wiki/Shadow_Copy
[12] hasherezade. Look Into Locky Ransomware | Malwarebytes Labs [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
[13] TrendMicro. Using the Trend Micro Ransomware File Decryptor Tool [Online]. Available: http://esupport.trendmicro.com/solution/en-us/1114221.aspx
[14] Kaspersky. Ransomware Decryptor | Kaspersky Lab [Online]. Available: https://noransom.kaspersky.com/
[15] Microsoft. Choosing a driver model [Online]. Available: https://msdn.microsoft.com/en-us/library/windows/hardware/ff554652%28v=vs.85%29.aspx
[16] Microsoft. File System Filter Drivers [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/file-system-filter-drivers
[17] Microsoft. Load Order Groups and Altitudes for Minifilter Drivers [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers
[18] Microsoft. Allocated Altitudes [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/allocated-altitudes
[19] L. Bridges, "The changing face of malware," Network Security, vol. 2008, pp. 17-20, 2008.
[20] X. Luo and Q. Liao, "Awareness Education as the key to Ransomware Prevention," Information Systems Security, vol. 16, pp. 195-202, 2007.
[21] A. Gazet, "Comparative analysis of various ransomware virii," Journal in computer virology, vol. 6, pp. 77-90, 2010.
[22] E. Jardine, "A Continuum of Internet-Based Crime: How the Effectiveness of Cybersecurity Policies Varies across Cybercrime Types," Research Handbook on Digital Transformations, edited by F. Xavier Olleros and Majlinda Zhegu. Edward Elgar, Northampton, MA, Forthcoming, 2015.
[23] M. Spagnuolo, F. Maggi, and S. Zanero, "Bitiodine: Extracting intelligence from the bitcoin network," in Financial Cryptography and Data Security, ed: Springer, 2014, pp. 457-468.
[24] K. Liao, Z. Zhao, A. Doupe, and G. J. Ahn, "Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin," in 2016 APWG Symposium on Electronic Crime Research (eCrime), 2016, pp. 1-13.
[25] Lawrence Abrams. The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You [Online]. Available: http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/
[26] zhanghaiyang9999. Visual Studio 2013開發 mini-filter driver step by step (5) - 讀寫文件 [Online]. Available: http://blog.csdn.net/zhanghaiyang9999/article/details/39033033
[27] utkusen. GitHub - utkusen/hidden-tear: an open source ransomware honeypot [Online]. Available: https://github.com/utkusen/hidden-tear
[28] VirusTotal. VirusTotal - Free Online Virus, Malware and URL Scanner. Available: https://www.virustotal.com/
[29] TrendMicro. Removing ransomware using the AntiRansomware Tool | Trend Micro. Available: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx

指導教授

許富皓(Fu-Hau Hsu)

審核日期

2016-7-18

推文