Detecting Ransomware

Files in this item

Checksum: MD5: fcb795f39a5074e63c74b76c8137da6a

HELD, Matthias, 2018. Detecting Ransomware [Master thesis]. Konstanz: Universität Konstanz

@mastersthesis{Held2018Detec-43396, title={Detecting Ransomware}, year={2018}, address={Konstanz}, school={Universität Konstanz}, author={Held, Matthias} }

Abstract

Ransomware attacks, in contrast to other cyber attacks, need not be detected, and in particular need not be blocked or recovered from, on first sight. This relaxation is supported by the rareness of ransomware attacks. However, the rise of ransomware families that are able to circumvent the detection mechanism integrated into the local machine prevents existing approaches from taking advantage of this relaxation. Because the personal cloud storage is isolated from the attacked machine, moving detection to the personal cloud storage is the reasonable way to gain as much as possible from the relaxation, to obtain complete protection against false positives, and to simplify recovery. In this paper we investigate different ransomware families, with the help of real-world malware samples, to formulate a taxonomy of requirements for operation classes and indicator categories. Additionally, we propose an approach which moves ransomware detection from the local system to the personal cloud storage. Utilizing the file versioning of the cloud storage, we can delay the recovery and reliably perform our content-based, metadata-based and behaviour-based analysis, in combination with the 'guilt by association' assumption, to improve the false positive rate. The new burden for the end user is the responsibility of supervising the recovery; but this responsibility is supported by the simplified recovery, which offers the classification information, allowing the user to make a qualified decision and relieving the user from fighting with falsely classified operations. In summary, this leads to an improvement in the aspects of detection quality, usability and reliable recovery.

Held_2-jp86thc6u67s4.pdf: 628 downloads since Sep 28, 2018

License: Attribution-NonCommercial-NoDerivatives 4.0 International (except where otherwise noted)
