
Using Process Mining to Identify File System Metrics Impacted by Ransomware Execution

  • Conference paper
  • Published in: Mobile, Secure, and Programmable Networking (MSPN 2020)

Abstract

Malware authors leverage strong cryptographic primitives to hold user files hostage on the victims' own devices until a ransom is paid. Victims not protected against ransomware are forced either to pay the ransom or to lose their files if they ignore the extortion. No class of device is immune from ransomware attacks. The reality is that there are few studies on how to protect end-user devices against ransomware, and hardly any protection is available. Ransomware uses legitimate operating system processes, so even state-of-the-art anti-malware products are ineffective against it. The results of our static and dynamic analysis illustrate that the local file system plays a critical role in the operation of every ransomware engine. This study therefore investigates the correlation between file system operations in order to identify metrics, such as the absolute occurrence frequency of a system file, that reveal a ransomware attack from within the kernel. We employ business process mining techniques to analyze log files collected from samples of seven recent live ransomware families, and use the Naive discovery algorithm to study the absolute occurrence frequency of system files. The findings are visualized as state charts and sequence diagrams. Finally, the study identifies eight common system files that ransomware calls on in order to encrypt a victim's files on their device.
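As an added illustration (not code from the paper), the core of the method the abstract describes, run over a constructed event log: absolute occurrence frequency per system file, the directly-follows counts that a naive discovery algorithm turns into a state chart, and the files touched in every sample run. The case ids and file names (SYS_CRYPTO, SYS_FS, ...) are placeholders, not the paper's eight system files.

```python
from collections import Counter, defaultdict

# Constructed event log, not the paper's data. One event per file-system
# access: (case_id, system_file). A case is one sandbox run of one sample;
# events within a case are in the order the monitor recorded them.
SAMPLE_LOG = [
    ("sample1", "SYS_CRYPTO"), ("sample1", "SYS_FS"),
    ("sample1", "USER_DOC"),   ("sample1", "SYS_CRYPTO"),
    ("sample2", "SYS_CRYPTO"), ("sample2", "SYS_FS"), ("sample2", "SYS_NET"),
    ("sample3", "SYS_FS"),     ("sample3", "SYS_CRYPTO"), ("sample3", "USER_DOC"),
]


def traces(log):
    """Group the flat log into one ordered trace per case."""
    per_case = defaultdict(list)
    for case_id, system_file in log:
        per_case[case_id].append(system_file)
    return per_case


def occurrence_frequency(log):
    """Absolute occurrence frequency of each system file over the whole log."""
    return Counter(system_file for _, system_file in log)


def directly_follows(log):
    """Naive discovery step: count how often file a is accessed immediately
    before file b inside the same case. The result is the edge-weighted
    directly-follows graph a state chart is drawn from."""
    dfg = Counter()
    for trace in traces(log).values():
        for a, b in zip(trace, trace[1:]):
            dfg[(a, b)] += 1
    return dfg


def common_files(log):
    """Files present in every case: candidates for a kernel-level indicator,
    because a detector keyed on them fires for all observed samples."""
    per_case = [set(t) for t in traces(log).values()]
    return set.intersection(*per_case) if per_case else set()


if __name__ == "__main__":
    print("frequency:", occurrence_frequency(SAMPLE_LOG).most_common())
    print("directly-follows:", directly_follows(SAMPLE_LOG).most_common(3))
    print("common to all cases:", sorted(common_files(SAMPLE_LOG)))
```

Frequency alone is not a detector: a benign backup tool also hits the file-system libraries, so the directly-follows edges and the per-case intersection are what distinguish the ransomware sequence from ordinary use.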



Author information

Correspondence to Arash Mahboubi , Keyvan Ansari or Seyit Camtepe .

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Mahboubi, A., Ansari, K., Camtepe, S. (2021). Using Process Mining to Identify File System Metrics Impacted by Ransomware Execution. In: Bouzefrane, S., Laurent, M., Boumerdassi, S., Renault, E. (eds) Mobile, Secure, and Programmable Networking. MSPN 2020. Lecture Notes in Computer Science(), vol 12605. Springer, Cham. https://doi.org/10.1007/978-3-030-67550-9_5

  • DOI: https://doi.org/10.1007/978-3-030-67550-9_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-67549-3

  • Online ISBN: 978-3-030-67550-9

  • eBook Packages: Computer Science (R0)
