ROFBS$α$: Real Time Backup System Decoupled from ML Based Ransomware Detection

• URL: http://arxiv.org/abs/2504.14162v1
• Date: Sat, 19 Apr 2025 03:36:01 GMT
• Title: ROFBS$α$: Real Time Backup System Decoupled from ML Based Ransomware Detection
• Authors: Kosuke Higuchi, Ryotaro Kobayashi,
• Abstract summary: This study introduces ROFBS$alpha$, a new defense architecture that addresses delays in detection in ransomware detectors based on machine learning.<n>It builds on our earlier Real Time Open File Backup System, ROFBS, by adopting an asynchronous design that separates backup operations from detection tasks.
• Score: 0.0
• License: http://creativecommons.org/licenses/by-nc-nd/4.0/
• Abstract: This study introduces ROFBS$\alpha$, a new defense architecture that addresses delays in detection in ransomware detectors based on machine learning. It builds on our earlier Real Time Open File Backup System, ROFBS, by adopting an asynchronous design that separates backup operations from detection tasks. By using eBPF to monitor file open events and running the backup process independently, the system avoids performance limitations when detection and protection contend for resources. We evaluated ROFBS$\alpha$ against three ransomware strains, AvosLocker, Conti, and IceFire. The evaluation measured the number of files encrypted, the number of files successfully backed up, the ratio of backups to encrypted files, and the overall detection latency. The results show that ROFBS$\alpha$ achieves high backup success rates and faster detection while adding minimal extra load to the system. However, defending against ransomware that encrypts files extremely quickly remains an open challenge that will require further enhancements.

Related papers

• SHIELD: Secure Host-Independent Extensible Logging for Tamper-Proof Detection and Real-Time Mitigation of Ransomware Threats [17.861324495723487]
  We introduce SHIELD: a metric acquisition framework leveraging low-level monitoring and Network Block Device (NBD) technology to provide off-host, tamper-proof measurements for continuous observation of disk activity.<n>We employ deep features along with simplified metrics aggregated based on frequency of disk actions, making the metrics impervious to obfuscation while avoiding reliance on vulnerable host-based logs.<n>In a proof-of-concept deployment, we demonstrate real-time mitigation using models trained on these metrics by halting malicious disk operations after ransomware detection with minimum file loss and memory corruption.
  arXiv  Detail & Related papers  (2025-01-28T01:33:03Z)
• A Comprehensive Analysis of Machine Learning Based File Trap Selection Methods to Detect Crypto Ransomware [0.6597195879147557]
  To minimize file loss during the ransomware attack, detecting file modifications at the earliest execution stage is considered very important. This paper evaluates various machine learning-based trap selection methods for reducing file loss, detection delay, and endpoint overhead.
  arXiv  Detail & Related papers  (2024-09-13T13:31:24Z)
• Ransomware Detection Using Machine Learning in the Linux Kernel [0.0]
  Linux-based cloud environments have become lucrative targets for ransomware attacks. We propose leveraging the extended Berkeley Packet Filter (eBPF) to collect system call information regarding active processes and infer about the data directly at the kernel level.
  arXiv  Detail & Related papers  (2024-09-10T12:17:23Z)
• EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
  Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data. While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated. We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
  arXiv  Detail & Related papers  (2024-05-21T06:14:49Z)
• Understanding crypter-as-a-service in a popular underground marketplace [51.328567400947435]
  Crypters are pieces of software whose main goal is to transform a target binary so it can avoid detection from Anti Viruses (AVs) applications. The crypter-as-a-service model has gained popularity, in response to the increased sophistication of detection mechanisms. This paper provides the first study on an online underground market dedicated to crypter-as-a-service.
  arXiv  Detail & Related papers  (2024-05-20T08:35:39Z)
• GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware [8.576433180938004]
  GuardFS is a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system.
  arXiv  Detail & Related papers  (2024-01-31T15:33:29Z)
• Ransomware Detection Using Federated Learning with Imbalanced Datasets [0.0]
  This paper presents a weighted cross-entropy loss function approach to mitigate dataset imbalance. A detailed performance evaluation study is then presented for the case of static analysis using the latest Windows-based ransomware families.
  arXiv  Detail & Related papers  (2023-11-13T21:21:39Z)
• DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
  We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection. Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables. We are the first to offer certified robustness in the realm of static detection of malware executables.
  arXiv  Detail & Related papers  (2023-03-20T17:25:22Z)
• Minerva: A File-Based Ransomware Detector [2.139756658997758]
  This paper presents Minerva, a novel, robust approach to ransomware detection.<n> Minerva is engineered to be robust by design against evasion attacks, with architectural and feature selection choices informed by their resilience to adversarial manipulation.<n>Over 99% of detected ransomware are identified within 0.52sec of activity, enabling the adoption of data loss prevention techniques with near-zero overhead.
  arXiv  Detail & Related papers  (2023-01-26T11:47:10Z)
• Mate! Are You Really Aware? An Explainability-Guided Testing Framework for Robustness of Malware Detectors [49.34155921877441]
  We propose an explainability-guided and model-agnostic testing framework for robustness of malware detectors. We then use this framework to test several state-of-the-art malware detectors' abilities to detect manipulated malware. Our findings shed light on the limitations of current malware detectors, as well as how they can be improved.
  arXiv  Detail & Related papers  (2021-11-19T08:02:38Z)
• Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
  adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes. We develop a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks. These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
  arXiv  Detail & Related papers  (2020-08-17T07:16:57Z)
• Detecting malicious PDF using CNN [46.86114958340962]
  Malicious PDF files represent one of the biggest threats to computer security. We propose a novel algorithm that uses an ensemble of Convolutional Neural Network (CNN) on the byte level of the file. We show, using a data set of 90000 files downloadable online, that our approach maintains a high detection rate (94%) of PDF malware.
  arXiv  Detail & Related papers  (2020-07-24T18:27:45Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.