DOI: 10.1145/3689938.3694780
Research article

Time Machine: An Efficient and Backend-Migratable Architecture for Defending Against Ransomware in the Hypervisor

Published: 19 November 2024

Abstract

Ransomware has caused escalating financial losses for individuals and companies, increasing annually. To combat this, we present Time Machine, a real-time, fine-grained sector-level live view navigation solution designed to safeguard filesystems from ransomware attacks at the hypervisor level. Time Machine offers several key advancements over existing solutions. Operating at the hypervisor level minimizes the risk of bypassing via privilege escalation and eliminates reliance on hardware-based solutions. Time Machine redirects I/O operations without altering the original storage disk. Utilizing local or cloud-based key-value store backends, it offers flexible storage spaces for live view navigation and the capability of backend migration. This approach ensures comprehensive filesystem protection without data loss, allowing users to browse and recover data to any specific timestamp. Time Machine is designed to operate independently of detection algorithms but can also integrate with them for enhanced protection. Evaluation results demonstrate that our prototype effectively safeguards the filesystem with minimal overhead. With a 256MB memory cache and affordable storage, Time Machine successfully defends against 12 ransomware variants on Windows and Linux platforms, incurring an average runtime overhead of less than 5%.
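The following is an added toy model of the abstract's central idea, not code from the paper or its prototype: guest writes are redirected into an append-only key-value log while the original disk image stays untouched, so any past timestamp can be reconstructed and the log can be exported to another backend. Sector size, the dict-based backend and the integer timestamps are assumptions made for the illustration.

```python
"""Sector-level live view navigation, modelled in miniature (added
illustration, not the paper's implementation). Every write lands in the
log; the original image is never modified, so an encrypting process only
adds newer versions on top of the data it tried to destroy."""
import bisect
from collections import defaultdict
from typing import Dict, List, Tuple

SECTOR = 4  # bytes per sector in this toy; real disks use 512 B or 4 KiB


class TimeMachineStore:
    def __init__(self, original: Dict[int, bytes]) -> None:
        # Original disk contents; treated as read-only by design.
        self._original = dict(original)
        # Stand-in for a local or cloud key-value backend (assumed):
        # sector -> [(timestamp, data), ...] in arrival order.
        self._log: Dict[int, List[Tuple[int, bytes]]] = defaultdict(list)

    def write(self, sector: int, data: bytes, ts: int) -> None:
        """Redirect a guest write into the log instead of the disk."""
        if len(data) != SECTOR:
            raise ValueError("data must be exactly one sector")
        versions = self._log[sector]
        if versions and ts < versions[-1][0]:
            raise ValueError("timestamps must be non-decreasing")
        versions.append((ts, data))

    def read_at(self, sector: int, ts: float) -> bytes:
        """Live view: newest version written at or before ts, else original."""
        versions = self._log.get(sector, [])
        idx = bisect.bisect_right([t for t, _ in versions], ts)
        if idx == 0:
            return self._original.get(sector, b"\x00" * SECTOR)
        return versions[idx - 1][1]

    def read(self, sector: int) -> bytes:
        """Current view, i.e. what the guest observes after all writes."""
        return self.read_at(sector, float("inf"))

    def snapshot(self, ts: int) -> Dict[int, bytes]:
        """Reconstruct every sector as of ts, the recovery primitive."""
        sectors = set(self._original) | set(self._log)
        return {s: self.read_at(s, ts) for s in sorted(sectors)}

    def export_log(self) -> List[Tuple[int, int, bytes]]:
        """Flatten the log to (sector, ts, data) records for backend migration."""
        return [(s, t, d) for s, vs in sorted(self._log.items()) for t, d in vs]
```

Recovery after an overwrite is `snapshot(ts)` for any timestamp before the damage; the records from `export_log()` can be replayed through `write()` into a store backed by a different key-value service.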


Published In

CCSW '24: Proceedings of the 2024 on Cloud Computing Security Workshop
November 2024
85 pages
ISBN:9798400712340
DOI:10.1145/3689938
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cloud outsourcing
  2. filesystem protection
  3. hypervisor
  4. ransomware
  5. time machine

Qualifiers

  • Research-article

Conference

CCS '24

Acceptance Rates

Overall Acceptance Rate 37 of 108 submissions, 34%
