Lingbo Zhao (Institute of Information Engineering, Chinese Academy of Sciences), Yuhui Zhang (Institute of Information Engineering, Chinese Academy of Sciences), Zhilu Wang (Institute of Information Engineering, Chinese Academy of Sciences), Fengkai Yuan (Institute of Information Engineering, CAS), Rui Hou (Institute of Information Engineering, Chinese Academy of Sciences)

To evade existing antivirus software and detection systems, ransomware authors tend to obscure behavior differences with benign programs by imitating them or by weakening malicious behaviors during encryption. Existing defense solutions have limited effects on defending against evasive ransomware. Fortunately, through extensive observation, we find I/O behaviors of evasive ransomware exhibit a unique repetitiveness during encryption. This is rarely observed in benign programs. Besides, the $chi^2$ test and the probability distribution of byte streams can effectively distinguish encrypted files from benignly modified files. Inspired by these, we first propose ERW-Radar, a detection system, to detect evasive ransomware accurately and efficiently. We make three breakthroughs: 1) a contextual emph{Correlation} mechanism to detect malicious behaviors; 2) a fine-grained content emph{Analysis} mechanism to identify encrypted files; and 3) adaptive mechanisms to achieve a better trade-off between accuracy and efficiency. Experiments show that ERW-Radar detects evasive ransomware with an accuracy of 96.18% while maintaining a FPR of 5.36%. The average overhead of ERW-Radar is 5.09% in CPU utilization and 3.80% in memory utilization.

View More Papers

URVFL: Undetectable Data Reconstruction Attack on Vertical Federated Learning

Duanyi Yao (Hong Kong University of Science and Technology), Songze Li (Southeast University), Xueluan Gong (Wuhan University), Sizai Hou (Hong Kong University of Science and Technology), Gaoning Pan (Hangzhou Dianzi University)

Read More

NodeMedic-FINE: Automatic Detection and Exploit Synthesis for Node.js Vulnerabilities

Darion Cassel (Carnegie Mellon University), Nuno Sabino (IST & CMU), Min-Chien Hsu (Carnegie Mellon University), Ruben Martins (Carnegie Mellon University), Limin Jia (Carnegie Mellon University)

Read More

Heimdall: Towards Risk-Aware Network Management Outsourcing

Yuejie Wang (Peking University), Qiutong Men (New York University), Yongting Chen (New York University Shanghai), Jiajin Liu (New York University Shanghai), Gengyu Chen (Carnegie Mellon University), Ying Zhang (Meta), Guyue Liu (Peking University), Vyas Sekar (Carnegie Mellon University)

Read More