( 您好!臺灣時間:2020/05/27 01:48
字體大小: 字級放大   字級縮小   預設字形  


研究生(外文):Yue-Wei Xie
論文名稱(外文):RGuard: A Light-weight Minifilter-based Solution to Ransomware
指導教授(外文):Fu-Hau Hsu
中文關鍵詞:勒索軟體minifilterWindows 驅動
外文關鍵詞:RansomwareminifilterWindows driver
  • 被引用被引用:0
  • 點閱點閱:118
  • 評分評分:系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔
  • 下載下載:0
  • 收藏至我的研究室書目清單書目收藏:0
為了抵禦勒索軟體的攻擊,我們提出了一個能在平時偵測疑似勒索軟體的方法,該方法是建置在 Windows 的 minifilter driver 上,因此勒索軟體很難繞過我們的偵測。
In recent years, ransomwares are prevalent and dangerous to users more and more. The target of ransomware is to intrude the user’s computer to encrypt files and force the user to pay money. Additionally, after paying a high ransom to the author of ransomware, the victim was not necessarily to get recovery key. Therefore, victims are to face a dilemma.
Although antivirus software can detect the attack of ransomware, it is due to the latest virus definitions. If a new virus appears and the virus definitions are out of date, user’s computer may suffer the threat of ransomware. Thus, it is important to protect the user’s computer during virus window period.
In order to resist the attack of ransomware, we propose a method to detect process whose actions are similar to the actions of ransomware. Because the method proposed is based on Windows minifilter driver, ransomware is hard to bypass the detection of our method.
After catching ransomware-like process, our system would take care user’s computer, such as terminate the process, whitelist the process. Furthermore, when users choose to terminate the program, our system will restore the files changed by the process.
摘要 i
Abstract ii
目錄 iii
圖目錄 iv
表目錄 v
第 1 章 緒論 1
第 2 章 背景介紹 4
2.1 Ransomware 4
2.2 Windows Device Driver 7
2.3 Windows Minifilter Driver 10
第 3 章 相關研究 14
第 4 章 系統設計與實作 16
4.1 偵測原理 17
4.2 偵測程式 18
4.2.1 Callback Routine of Create 19
4.2.2 Callback Routine of Write 21
4.3 Backup Files 25
4.4 Protect Files 26
4.5 Recover Files 27
4.6 Whitelist Process 27
4.7 Terminate Process 28
第 5 章 效能分析 29
5.1 實驗環境 29
5.2 測試案例 30
5.3 效能評估 31
第 6 章 討論 34
6.1 準確率 34
6.2 限制 34
第 7 章 結論 36
7.1 貢獻 36
7.2 未來研究 37
參考文獻 38

Fig. 1‑1: 使用者遇到勒索軟體至少一次的數量 2
Fig. 1‑2: 我們針對勒索軟體提出的防禦方法 3
Fig. 2‑1: 中文的勒索訊息 6
Fig. 2‑2: 使用 driver 作為 OS 和 device 之間通訊的橋樑 7
Fig. 2‑3: 作業系統和裝置通訊透過多個 driver 8
Fig. 2‑4: 使用 software driver 通訊 9
Fig. 2‑5: 檔案的 I/O 經過 I/O Manager 及三個 minifilter driver傳送 11
Fig. 2‑6: Minifilter driver 註冊的流程 11
Fig. 3‑1: CryptoWall proxy 的地理位置 15
Fig. 4‑1: RGuard 的系統架構 16
Fig. 4‑2: Ransomware 的偵測方法 18
Fig. 4‑3: I/O operation 的註冊 19
Fig. 4‑4: Create operation 的偵測流程 20
Fig. 4‑5: Recursive I/O operation of create 21
Fig. 4‑6: Write operation 的偵測流程 22
Fig. 4‑7: Recursive I/O operation of write 24
Fig. 4‑8: 備份的時間差 24
Fig. 4‑9: 一個視窗去警告使用者 24
Fig. 4‑10: 索引的資料欄位 25
Fig. 4‑11: 拒絕訪問文件的方法 26
Fig. 4‑12: 拒絕訪問備份目錄 26
Fig. 4‑13: 還原檔案的通知訊息 27
Fig. 4‑14: 終止程式的流程 28
Fig. 5‑1: 不同性質的加密時間 31
Fig. 5‑2: 備份檔案占用的磁碟空間 32

Table 5‑1: 系統實驗環境 29
Table 5‑2: 測試案例的訊息 30
Table 5‑3: 勒索軟體的偵測 33
[1] Kaspersky Lab. KSN Report: Ransomware in 2014-2016 [Online]. Available: https://securelist.com/analysis/publications/75145/pc-ransomware-in-2014-2016/
[2] Wikipedia. Ransomware - Wikipedia, the free encyclopedia [Online]. Available: https://en.wikipedia.org/wiki/Ransomware
[3] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda, "Cutting the gordian knot: a look under the hood of ransomware attacks," in Detection of Intrusions and Malware, and Vulnerability Assessment, ed: Springer, 2015, pp. 3-24.
[4] M. M. Ahmadian, H. R. Shahriari, and S. M. Ghaffarian, "Connection-monitor & connection-breaker: A novel approach for prevention and detection of high survivable ransomwares," in Information Security and Cryptology (ISCISC), 2015 12th International Iranian Society of Cryptology Conference on, 2015, pp. 79-84
[5] D. Kim, W. Soh, and S. Kim, "Design of Quantification Model for Prevent of Cryptolocker," Indian Journal of Science and Technology, vol. 8, 2015.
[6] K. CABAJ, P. GAWKOWSKI, K. GROCHOWSKI, and D. OSOJCA, "Network activity analysis of CryptoWall ransomware," Przegląd Elektrotechniczny, vol. 91, pp. 201-204, 2015.
[7] Cindy Ng. The Complete Ransomware Guide [Online]. Available: https://blog.varonis.com/the-complete-ransomware-guide/
[8] TrendMicro. TrendLabs Security Intelligence BlogZCRYPT Crypto-ransomware Attacks Windows 7 and Later, Scraps Backward Compatibility - TrendLabs Security Intelligence Blog [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/crypto-ransomware-attacks-windows-7-later-scraps-backward-compatibility/
[9] Joshua Cannell. A Look At Malware With Virtual Machine Detection | Malwarebytes Labs. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2014/02/a-look-at-malware-with-virtual-machine-detection/
[10] Jeremy Kirk. CryptoWall ransomware variant has new defenses | PCWorld [Online]. Available: http://www.pcworld.com/article/2867132/cryptowall-ransomware-variant-has-new-defenses.html
[11] Wikipedia. Shadow Copy - Wikipedia, the free encyclopedia [Online]. Available: https://en.wikipedia.org/wiki/Shadow_Copy
[12] hasherezade. Look Into Locky Ransomware | Malwarebytes Labs [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
[13] TrendMicro. Using the Trend Micro Ransomware File Decryptor Tool [Online]. Available: http://esupport.trendmicro.com/solution/en-us/1114221.aspx
[14] Kaspersky. Ransomware Decryptor | Kaspersky Lab [Online]. Available: https://noransom.kaspersky.com/
[15] Microsoft. Choosing a driver model [Online]. Available: https://msdn.microsoft.com/en-us/library/windows/hardware/ff554652%28v=vs.85%29.aspx
[16] Microsoft. File System Filter Drivers [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/file-system-filter-drivers
[17] Microsoft. Load Order Groups and Altitudes for Minifilter Drivers [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers
[18] Microsoft. Allocated Altitudes [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/allocated-altitudes
[19] L. Bridges, "The changing face of malware," Network Security, vol. 2008, pp. 17-20, 2008.
[20] X. Luo and Q. Liao, "Awareness Education as the key to Ransomware Prevention," Information Systems Security, vol. 16, pp. 195-202, 2007.
[21] A. Gazet, "Comparative analysis of various ransomware virii," Journal in computer virology, vol. 6, pp. 77-90, 2010.
[22] E. Jardine, "A Continuum of Internet-Based Crime: How the Effectiveness of Cybersecurity Policies Varies across Cybercrime Types," Research Handbook on Digital Transformations, edited by F. Xavier Olleros and Majlinda Zhegu. Edward Elgar, Northampton, MA, Forthcoming, 2015.
[23] M. Spagnuolo, F. Maggi, and S. Zanero, "Bitiodine: Extracting intelligence from the bitcoin network," in Financial Cryptography and Data Security, ed: Springer, 2014, pp. 457-468.
[24] K. Liao, Z. Zhao, A. Doupe, and G. J. Ahn, "Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin," in 2016 APWG Symposium on Electronic Crime Research (eCrime), 2016, pp. 1-13.
[25] Lawrence Abrams. The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You [Online]. Available: http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/
[26] zhanghaiyang9999. Visual Studio 2013開發 mini-filter driver step by step (5) - 讀寫文件 [Online]. Available: http://blog.csdn.net/zhanghaiyang9999/article/details/39033033
[27] utkusen. GitHub - utkusen/hidden-tear: an open source ransomware honeypot [Online]. Available: https://github.com/utkusen/hidden-tear
[28] VirusTotal. VirusTotal - Free Online Virus, Malware and URL Scanner. Available: https://www.virustotal.com/
[29] TrendMicro. Removing ransomware using the AntiRansomware Tool | Trend Micro. Available: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx
電子全文 電子全文(網際網路公開日期:20210630)
註: 此連結為研究生畢業學校所提供,不一定有電子全文可供下載,若連結有誤,請點選上方之〝勘誤回報〞功能,我們會盡快修正,謝謝!
第一頁 上一頁 下一頁 最後一頁 top
系統版面圖檔 系統版面圖檔