Detecting Ransomware

File: Held_2-jp86thc6u67s4.pdf (size: 913.78 KB, downloads: 2102)
Date: 2018
Publication type: Master's thesis / Diploma thesis
Publication status: Published
Abstract

Ransomware attacks, in contrast to other cyber attacks, need not be detected, and especially not blocked or recovered, on first sight. This relaxation is supported by the rareness of ransomware attacks. Admittedly, the rise of ransomware families that are able to circumvent detection mechanisms integrated into the local machine prevents such approaches from taking advantage of the relaxation. Justified by the attack isolation, moving to the personal cloud storage is the reasonable way to gain as much as possible of the relaxation, perfect protection against false positives and simplified recovery. In this paper we investigate different ransomware families, with the help of real-world malware samples, to formulate a taxonomy of requirements for operation classes and indicator categories. Additionally, we propose an approach that moves ransomware detection from the local system to the personal cloud storage. Utilizing the file versioning of the cloud storage, we can delay the recovery and reliably perform our content-based, metadata-based and behaviour-based analysis in combination with the 'guilt by association' assumption to improve the false positive rate. The new burden for the end user is the responsibility of supervising the recovery; but this responsibility is supported by the simplified recovery, which offers the classification information, allowing the user to make a qualified decision and releasing the user from fighting with falsely classified operations. In summary, this leads to an improvement in detection quality, usability and reliable recovery.

Subject (DDC): 004 Computer science
Keywords: ransomware, security, malware, cloud-storage
Cite
ISO 690: HELD, Matthias, 2018. Detecting Ransomware [Master thesis]. Konstanz: Universität Konstanz
BibTeX
@mastersthesis{Held2018Detec-43396,
  year={2018},
  title={Detecting Ransomware},
  address={Konstanz},
  school={Universität Konstanz},
  author={Held, Matthias}
}
RDF
<rdf:RDF
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:bibo="http://purl.org/ontology/bibo/"
    xmlns:dspace="http://digital-repositories.org/ontologies/dspace/0.1.0#"
    xmlns:foaf="http://xmlns.com/foaf/0.1/"
    xmlns:void="http://rdfs.org/ns/void#"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema#" > 
  <rdf:Description rdf:about="https://kops.uni-konstanz.de/server/rdf/resource/123456789/43396">
    <dcterms:isPartOf rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/36"/>
    <dcterms:issued>2018</dcterms:issued>
    <dcterms:rights rdf:resource="http://creativecommons.org/licenses/by-nc-nd/4.0/"/>
    <dc:contributor>Held, Matthias</dc:contributor>
    <bibo:uri rdf:resource="https://kops.uni-konstanz.de/handle/123456789/43396"/>
    <dspace:hasBitstream rdf:resource="https://kops.uni-konstanz.de/bitstream/123456789/43396/3/Held_2-jp86thc6u67s4.pdf"/>
    <dcterms:available rdf:datatype="http://www.w3.org/2001/XMLSchema#dateTime">2018-09-28T06:16:52Z</dcterms:available>
    <foaf:homepage rdf:resource="http://localhost:8080/"/>
    <dcterms:abstract xml:lang="eng">Ransomware attacks -- in contrast to other cyber attacks -- must not be detected and especially not blocked or recovered on first sight. This relaxation is supported by the rareness of ransomware attacks. Certainly, the uprising of ransomware families, which are able to circumvent the detection mechanism, integrated into the local machine, prevents the approaches from taking advantage of the relaxation. Justified by the attack isolation, the move to the personal cloud storage is the reasonable way to gain as much as possible of the relaxation, the perfect protection of false positives and the simplified recovery. In this paper we investigate different ransomware families -- with the help of real-world malware samples -- to formulate a taxonomy of requirements for operation classes and indicator categories. Additionally, we propose an approach which moves the ransomware detection from the local system to the personal cloud storage. Utilizing the file versioning of the cloud storage, we can delay the recovery and reliably perform our content-based, metadata-based and behaviour-based analysis in combination with the `guilt by association' assumption to improve the false positive rate. The new burden for the end-user is the responsibility of supervising the recovery; but the responsibilities are supported by the simplified recovery -- offering the classification information -- allowing the user to make a qualified decision and release the user from fighting with false classified operations. In summary, this leads to an improvement in the aspects of detection quality, usability and reliable recovery.</dcterms:abstract>
    <dc:rights>Attribution-NonCommercial-NoDerivatives 4.0 International</dc:rights>
    <dc:date rdf:datatype="http://www.w3.org/2001/XMLSchema#dateTime">2018-09-28T06:16:52Z</dc:date>
    <void:sparqlEndpoint rdf:resource="http://localhost/fuseki/dspace/sparql"/>
    <dcterms:title>Detecting Ransomware</dcterms:title>
    <dspace:isPartOfCollection rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/36"/>
    <dc:creator>Held, Matthias</dc:creator>
    <dc:language>eng</dc:language>
    <dcterms:hasPart rdf:resource="https://kops.uni-konstanz.de/bitstream/123456789/43396/3/Held_2-jp86thc6u67s4.pdf"/>
  </rdf:Description>
</rdf:RDF>
Thesis note: Konstanz, Universität Konstanz, Master's thesis / Diploma thesis, 2018