RansomSOC: A more effective security operations center to detect and respond to ransomware attacks

Ransomware remains a major threat to organizations. Despite a lot of research, existing solutions still have at least two shortcomings. (I) Slow detection time: by the time we realize that the system is under ransomware attack, almost all files have been encrypted. (II) No ransomware-aware backup scheme: most existing systems, in particular those in SMEs (small and medium enterprises), do not have a proper backup system. Even if they have one, either it is not a remote-site backup (i.e., files in the backup system may also be encrypted) or it is not designed for ransomware attacks. In this paper, based on the analysis of four popular ransomware families, we propose the design of a more effective Security Operations Center (SOC) framework specific to ransomware attack detection and response, called RansomSOC. The core ideas behind RansomSOC are the following. (a) A novel real-time emergency local data backup scheme: we exploit a design flaw of ransomware and come up with a scheme that enables a real-time emergency backup of critical files even after the attack starts, to keep the number of encrypted files as small as possible. (b) Easy-to-detect ransomware honey files: based on the change in entropy values, we identified a set of file types to create honey files (in a honeypot), which let our detection module quickly detect the existence of a ransomware attack. Our experiments show that RansomSOC is able to detect an attack within about 5 to 10 seconds after the attack starts. For a 1 GB folder, RansomSOC is able to back up more than 91% of the data even after the attack starts, and over 95% of this data can be restored.

Bibliographic Details
Main Authors: LAI, Anthony Cheuk Tung, KE, Ping Fan, CHAN, Kelvin, YIU, Siu Ming, KIM, Dongsun, WONG, Wai Kin, WANG, Shuai, MUPPALA, Joseph, HO, Alan
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2022
Subjects:
Online Access:https://ink.library.smu.edu.sg/sis_research/7272
Institution: Singapore Management University
id sg-smu-ink.sis_research-8275
record_format dspace
spelling sg-smu-ink.sis_research-82752022-09-15T07:06:03Z RansomSOC: A more effective security operations center to detect and respond to ransomware attacks LAI, Anthony Cheuk Tung KE, Ping Fan CHAN, Kelvin YIU, Siu Ming KIM, Dongsun WONG, Wai Kin WANG, Shuai MUPPALA, Joseph HO, Alan Ransomware remains a major threat for organizations. Despite a lot of research done, existing solutions still have at least two shortcomings. (I) Slow detection time: by the time we realize that the system is under ransomware attack, almost all files have been encrypted. (II) Without a ransomwareaware backup scheme: Most existing systems, in particular those in SMEs (small and medium enterprises), do not have a proper backup system. Even they have it, either it is not a remote-site backup (i.e., files in the backup system may also be encrypted) or it is not designed for ransomware attacks. In this paper, based on the analysis of four popular ransomware families, we propose the design of a more effective Security Operations Center (SOC) framework specific to ransomware attack detection and response, called RansomSOC. The core ideas behind RansomSOC are the followings. (a) A novel real-time emergency local data backup scheme: we exploit a design flaw of ransomware and come up with a scheme to enable a real-time emergency data backup of critical files even after the attack starts, to keep the number of encrypted files as few as possible. (b) Easy-to-detect ransomware honey files: Based on the change of entropy values, we identified a set of file types to create honey files (in a honeypot), which facilitate our detection module to quickly detect the existence of a ransomware attack. Our experiments show that RansomSOC is able to detect an attack within about 5 - 10 seconds after the attack starts. For a 1GB folder, RansomSOC is able to backup more than 91% of the data even after the attack starts. And over 95% of this data can be restored. 
2022-08-31T07:00:00Z text https://ink.library.smu.edu.sg/sis_research/7272 info:doi/10.22667/JISIS.2022.08.31.063 Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Ransomware Virus Malware Databases and Information Systems Information Security
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Ransomware
Virus
Malware
Databases and Information Systems
Information Security
format text
author LAI, Anthony Cheuk Tung
KE, Ping Fan
CHAN, Kelvin
YIU, Siu Ming
KIM, Dongsun
WONG, Wai Kin
WANG, Shuai
MUPPALA, Joseph
HO, Alan
author_sort LAI, Anthony Cheuk Tung
title RansomSOC: A more effective security operations center to detect and respond to ransomware attacks
publisher Institutional Knowledge at Singapore Management University
publishDate 2022
url https://ink.library.smu.edu.sg/sis_research/7272