跳到主要內容

簡易檢索 / 詳目顯示

回結果列表
研究生: 謝岳緯
Yue-Wei Xie
論文名稱: RGuard: A Light-weight Minifilter-based Solution to Ransomware
指導教授: 許富皓
Fu-Hau Hsu
口試委員:
學位類別: 碩士
Master
系所名稱: 資訊電機學院 - 資訊工程學系
Department of Computer Science & Information Engineering
論文出版年: 2016
畢業學年度: 104
語文別: 中文
論文頁數: 47
中文關鍵詞: 勒索軟體minifilterWindows 驅動
外文關鍵詞: Ransomware, minifilter, Windows driver
相關次數: 點閱:13下載:0
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報

    • 近年來勒索軟體的危害程度對於使用者越來越高,勒索軟體會想盡辦法入侵使用者的電腦去加密檔案,並勒索贖金,被攻擊的使用者只能被迫向勒索軟體作者付出高額的贖金,而且付出贖金也不一定會解鎖檔案,受害者只能被動等待作者解鎖。
    對於勒索軟體的攻擊,防毒軟體雖然有辦法偵測到電腦遭受到攻擊,但是這是在確定是勒索軟體後才能阻擋,在這病毒空窗期的期間,可能已有不少使用者遭受到勒索軟體攻擊,因此這在期間保護使用者就成為首要任務。
    為了抵禦勒索軟體的攻擊,我們提出了一個能在平時偵測疑似勒索軟體的方法,該方法是建置在 Windows 的 minifilter driver 上,因此勒索軟體很難繞過我們的偵測。
    在偵測到疑似勒索軟體後,我們的系統能讓使用者做後續的處理,像是終止目前的程式或是直接將程式加入白名單,讓使用者可以有選擇的空間。除了可以對程式進行操作外,當使用者選擇終止程式時,我們的系統還會還原被改變的檔案,減少使用者的損失。

    In recent years, ransomwares are prevalent and dangerous to users more and more. The target of ransomware is to intrude the user’s computer to encrypt files and force the user to pay money. Additionally, after paying a high ransom to the author of ransomware, the victim was not necessarily to get recovery key. Therefore, victims are to face a dilemma.
    Although antivirus software can detect the attack of ransomware, it is due to the latest virus definitions. If a new virus appears and the virus definitions are out of date, user’s computer may suffer the threat of ransomware. Thus, it is important to protect the user’s computer during virus window period.
    In order to resist the attack of ransomware, we propose a method to detect process whose actions are similar to the actions of ransomware. Because the method proposed is based on Windows minifilter driver, ransomware is hard to bypass the detection of our method.
    After catching ransomware-like process, our system would take care user’s computer, such as terminate the process, whitelist the process. Furthermore, when users choose to terminate the program, our system will restore the files changed by the process.

    目錄 摘要 i Abstract ii 目錄 iii 圖目錄 iv 表目錄 v 第 1 章 緒論 1 第 2 章 背景介紹 4 2.1 Ransomware 4 2.2 Windows Device Driver 7 2.3 Windows Minifilter Driver 10 第 3 章 相關研究 14 第 4 章 系統設計與實作 16 4.1 偵測原理 17 4.2 偵測程式 18 4.2.1 Callback Routine of Create 19 4.2.2 Callback Routine of Write 21 4.3 Backup Files 25 4.4 Protect Files 26 4.5 Recover Files 27 4.6 Whitelist Process 27 4.7 Terminate Process 28 第 5 章 效能分析 29 5.1 實驗環境 29 5.2 測試案例 30 5.3 效能評估 31 第 6 章 討論 34 6.1 準確率 34 6.2 限制 34 第 7 章 結論 36 7.1 貢獻 36 7.2 未來研究 37 參考文獻 38 圖目錄 Fig. 1‑1: 使用者遇到勒索軟體至少一次的數量 2 Fig. 1‑2: 我們針對勒索軟體提出的防禦方法 3 Fig. 2‑1: 中文的勒索訊息 6 Fig. 2‑2: 使用 driver 作為 OS 和 device 之間通訊的橋樑 7 Fig. 2‑3: 作業系統和裝置通訊透過多個 driver 8 Fig. 2‑4: 使用 software driver 通訊 9 Fig. 2‑5: 檔案的 I/O 經過 I/O Manager 及三個 minifilter driver傳送 11 Fig. 2‑6: Minifilter driver 註冊的流程 11 Fig. 3‑1: CryptoWall proxy 的地理位置 15 Fig. 4‑1: RGuard 的系統架構 16 Fig. 4‑2: Ransomware 的偵測方法 18 Fig. 4‑3: I/O operation 的註冊 19 Fig. 4‑4: Create operation 的偵測流程 20 Fig. 4‑5: Recursive I/O operation of create 21 Fig. 4‑6: Write operation 的偵測流程 22 Fig. 4‑7: Recursive I/O operation of write 24 Fig. 4‑8: 備份的時間差 24 Fig. 4‑9: 一個視窗去警告使用者 24 Fig. 4‑10: 索引的資料欄位 25 Fig. 4‑11: 拒絕訪問文件的方法 26 Fig. 4‑12: 拒絕訪問備份目錄 26 Fig. 4‑13: 還原檔案的通知訊息 27 Fig. 4‑14: 終止程式的流程 28 Fig. 5‑1: 不同性質的加密時間 31 Fig. 5‑2: 備份檔案占用的磁碟空間 32 表目錄 Table 5‑1: 系統實驗環境 29 Table 5‑2: 測試案例的訊息 30 Table 5‑3: 勒索軟體的偵測 33

    參考文獻
    [1] Kaspersky Lab. KSN Report: Ransomware in 2014-2016 [Online]. Available: https://securelist.com/analysis/publications/75145/pc-ransomware-in-2014-2016/
    [2] Wikipedia. Ransomware - Wikipedia, the free encyclopedia [Online]. Available: https://en.wikipedia.org/wiki/Ransomware
    [3] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda, "Cutting the gordian knot: a look under the hood of ransomware attacks," in Detection of Intrusions and Malware, and Vulnerability Assessment, ed: Springer, 2015, pp. 3-24.
    [4] M. M. Ahmadian, H. R. Shahriari, and S. M. Ghaffarian, "Connection-monitor & connection-breaker: A novel approach for prevention and detection of high survivable ransomwares," in Information Security and Cryptology (ISCISC), 2015 12th International Iranian Society of Cryptology Conference on, 2015, pp. 79-84
    [5] D. Kim, W. Soh, and S. Kim, "Design of Quantification Model for Prevent of Cryptolocker," Indian Journal of Science and Technology, vol. 8, 2015.
    [6] K. CABAJ, P. GAWKOWSKI, K. GROCHOWSKI, and D. OSOJCA, "Network activity analysis of CryptoWall ransomware," Przegląd Elektrotechniczny, vol. 91, pp. 201-204, 2015.
    [7] Cindy Ng. The Complete Ransomware Guide [Online]. Available: https://blog.varonis.com/the-complete-ransomware-guide/
    [8] TrendMicro. TrendLabs Security Intelligence BlogZCRYPT Crypto-ransomware Attacks Windows 7 and Later, Scraps Backward Compatibility - TrendLabs Security Intelligence Blog [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/crypto-ransomware-attacks-windows-7-later-scraps-backward-compatibility/
    [9] Joshua Cannell. A Look At Malware With Virtual Machine Detection | Malwarebytes Labs. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2014/02/a-look-at-malware-with-virtual-machine-detection/
    [10] Jeremy Kirk. CryptoWall ransomware variant has new defenses | PCWorld [Online]. Available: http://www.pcworld.com/article/2867132/cryptowall-ransomware-variant-has-new-defenses.html
    [11] Wikipedia. Shadow Copy - Wikipedia, the free encyclopedia [Online]. Available: https://en.wikipedia.org/wiki/Shadow_Copy
    [12] hasherezade. Look Into Locky Ransomware | Malwarebytes Labs [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
    [13] TrendMicro. Using the Trend Micro Ransomware File Decryptor Tool [Online]. Available: http://esupport.trendmicro.com/solution/en-us/1114221.aspx
    [14] Kaspersky. Ransomware Decryptor | Kaspersky Lab [Online]. Available: https://noransom.kaspersky.com/
    [15] Microsoft. Choosing a driver model [Online]. Available: https://msdn.microsoft.com/en-us/library/windows/hardware/ff554652%28v=vs.85%29.aspx
    [16] Microsoft. File System Filter Drivers [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/file-system-filter-drivers
    [17] Microsoft. Load Order Groups and Altitudes for Minifilter Drivers [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers
    [18] Microsoft. Allocated Altitudes [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/allocated-altitudes
    [19] L. Bridges, "The changing face of malware," Network Security, vol. 2008, pp. 17-20, 2008.
    [20] X. Luo and Q. Liao, "Awareness Education as the key to Ransomware Prevention," Information Systems Security, vol. 16, pp. 195-202, 2007.
    [21] A. Gazet, "Comparative analysis of various ransomware virii," Journal in computer virology, vol. 6, pp. 77-90, 2010.
    [22] E. Jardine, "A Continuum of Internet-Based Crime: How the Effectiveness of Cybersecurity Policies Varies across Cybercrime Types," Research Handbook on Digital Transformations, edited by F. Xavier Olleros and Majlinda Zhegu. Edward Elgar, Northampton, MA, Forthcoming, 2015.
    [23] M. Spagnuolo, F. Maggi, and S. Zanero, "Bitiodine: Extracting intelligence from the bitcoin network," in Financial Cryptography and Data Security, ed: Springer, 2014, pp. 457-468.
    [24] K. Liao, Z. Zhao, A. Doupe, and G. J. Ahn, "Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin," in 2016 APWG Symposium on Electronic Crime Research (eCrime), 2016, pp. 1-13.
    [25] Lawrence Abrams. The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You [Online]. Available: http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/
    [26] zhanghaiyang9999. Visual Studio 2013開發 mini-filter driver step by step (5) - 讀寫文件 [Online]. Available: http://blog.csdn.net/zhanghaiyang9999/article/details/39033033
    [27] utkusen. GitHub - utkusen/hidden-tear: an open source ransomware honeypot [Online]. Available: https://github.com/utkusen/hidden-tear
    [28] VirusTotal. VirusTotal - Free Online Virus, Malware and URL Scanner. Available: https://www.virustotal.com/
    [29] TrendMicro. Removing ransomware using the AntiRansomware Tool | Trend Micro. Available: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx

    QR CODE
    :::