TY - JOUR
T1 - RansomSOC
T2 - A More Effective Security Operations Center to Detect and Respond to Ransomware Attacks
AU - Lai, Anthony Cheuk Tung
AU - Ke, Ping Fan
AU - Chan, Kelvin
AU - Yiu, Siu Ming
AU - Kim, Dongsun
AU - Wong, Wai Kin
AU - Wang, Shuai
AU - Muppala, Joseph
AU - Ho, Alan
N1 - Publisher Copyright:
© 2022, Innovative Information Science and Technology Research Group. All rights reserved.
PY - 2022/8
Y1 - 2022/8
AB - Ransomware remains a major threat for organizations. Despite a lot of research done, existing solutions still have at least two shortcomings. (I) Slow detection time: by the time we realize that the system is under ransomware attack, almost all files have been encrypted. (II) No ransomware-aware backup scheme: most existing systems, in particular those in SMEs (small and medium enterprises), do not have a proper backup system. Even if they have one, either it is not a remote-site backup (i.e., files in the backup system may also be encrypted) or it is not designed for ransomware attacks. In this paper, based on the analysis of four popular ransomware families, we propose the design of a more effective Security Operations Center (SOC) framework specific to ransomware attack detection and response, called RansomSOC. The core ideas behind RansomSOC are the following. (a) A novel real-time emergency local data backup scheme: we exploit a design flaw of ransomware and come up with a scheme that enables a real-time emergency data backup of critical files even after the attack starts, to keep the number of encrypted files as small as possible. (b) Easy-to-detect ransomware honey files: based on the change in entropy values, we identified a set of file types to create honey files (in a honeypot), which allow our detection module to quickly detect the existence of a ransomware attack. Our experiments show that RansomSOC is able to detect an attack within about 5-10 seconds after the attack starts. For a 1GB folder, RansomSOC is able to back up more than 91% of the data even after the attack starts, and over 95% of this data can be restored.
KW - Malware
KW - Ransomware
KW - Virus
UR - http://www.scopus.com/inward/record.url?scp=85138160598&partnerID=8YFLogxK
U2 - 10.22667/JISIS.2022.08.31.063
DO - 10.22667/JISIS.2022.08.31.063
M3 - Article
AN - SCOPUS:85138160598
SN - 2182-2069
VL - 12
SP - 63
EP - 75
JO - Journal of Internet Services and Information Security
JF - Journal of Internet Services and Information Security
IS - 3
ER -
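The abstract's honey-file idea rests on one observation: encryption turns a low-entropy decoy (plain text, for instance) into near-uniform ciphertext, so a jump in a decoy's byte entropy is a cheap early signal. The following is an added illustration of that mechanism, not code from the RansomSOC paper or its authors; the decoy contents, the 2.0 bits/byte alert threshold, the decoy names and the SHA-256 counter-mode stand-in for a ransomware encryptor are all assumptions made for this example, and the paper's actual file-type selection and detection logic are not reproduced here.

```python
"""Honey-file entropy monitor (added example; not the RansomSOC authors' code).

Ransomware rewrites victim files as ciphertext, so a low-entropy decoy jumps
to close to 8 bits/byte once it is encrypted. Watching a few decoys for that
jump (or for the decoy disappearing, since many families rename files) gives
an early detection signal. Threshold and decoy contents are assumptions.
"""
import hashlib
import math
from collections import Counter

# Assumed alert threshold (bits/byte). Plain text sits around 4-5 bits/byte,
# ciphertext near 8, so a rise of more than 2 is a clear jump. Tune per type.
ENTROPY_JUMP_THRESHOLD = 2.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_honey_file() -> bytes:
    """Constructed low-entropy decoy content: repetitive English-like text."""
    line = b"Quarterly report: revenue figures pending review.\n"
    return line * 40


def encrypt_like_ransomware(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for a ransomware encryptor, used only to produce ciphertext-like
    bytes for the demo: XOR with a SHA-256 counter-mode keystream (assumption,
    not a real cipher design and not any family's actual scheme)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


class HoneyFileMonitor:
    """Record each decoy's baseline entropy, then flag decoys whose entropy
    rises by more than ENTROPY_JUMP_THRESHOLD or which have gone missing."""

    def __init__(self, decoys: dict[str, bytes]):
        self.baseline = {name: shannon_entropy(data) for name, data in decoys.items()}

    def check(self, current: dict[str, bytes]) -> list[str]:
        """Return the names of decoys that look encrypted or deleted/renamed."""
        alerts = []
        for name, base in self.baseline.items():
            if name not in current:
                alerts.append(name)  # decoy vanished: rename or delete is also suspicious
                continue
            if shannon_entropy(current[name]) - base > ENTROPY_JUMP_THRESHOLD:
                alerts.append(name)
        return alerts


if __name__ == "__main__":
    # Constructed scenario: two decoys, one gets encrypted, one gets renamed away.
    plain = make_honey_file()
    monitor = HoneyFileMonitor({"decoy.txt": plain, "notes.txt": plain})
    encrypted = encrypt_like_ransomware(plain, b"\x01" * 32)
    print("plain  entropy:", round(shannon_entropy(plain), 2))
    print("cipher entropy:", round(shannon_entropy(encrypted), 2))
    print("alerts:", monitor.check({"decoy.txt": encrypted}))
```

In a deployment the `check` call would be driven by a file-system watcher on the decoy directory rather than polled, and the entropy delta would be one input alongside the rename/delete signal, since some families compress before encrypting or only encrypt file headers and then produce a smaller jump than this demo.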