Abstract
Malware authors leverage strong cryptographic primitives to hold user files hostage on the victims' own devices until a ransom is paid. Victims without protection against ransomware must either pay the ransom or, if they ignore the extortion, lose their files. No class of device is immune to ransomware attacks. There is little research on how to protect end-user devices against ransomware, and hardly any protection is available. Ransomware uses legitimate operating system processes, so even state-of-the-art and advanced anti-malware products are ineffective against it. The results of our static and dynamic analysis show that the local file system plays a critical role in the operation of every ransomware engine. This study therefore investigates the correlation between file system operations in order to derive metrics, such as the absolute occurrence frequency of a system file, that identify a ransomware attack from within the kernel. We apply business process mining techniques to log files collected from samples of seven recent live ransomware families and use the Naive discovery algorithm to study the absolute occurrence frequency of system files. The findings are visualized as state charts and sequence diagrams. Finally, the study identifies eight common system files that ransomware calls in order to encrypt a victim's files on their device.
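The abstract describes two process-mining measures taken over file-system event logs: the absolute occurrence frequency of each activity, and the ordering of activities within a case, which the Naive discovery algorithm turns into a directly-follows model. The following is an added example, not code from the paper or its authors: it builds a small constructed event log (case id, activity, timestamp; the activity names and the two process cases are assumptions for illustration, not the paper's data or its eight system files), computes the absolute frequencies and the directly-follows relation, and renders the result as Graphviz DOT so it can be drawn like the paper's state charts.

```python
from collections import Counter, defaultdict

# Constructed event log, one tuple per file-system operation recorded for a
# monitored process: (case id, activity, timestamp). A case is one process.
# "editor-1" edits a single file; "bulk-1" touches three files in a row.
# These are illustrative values, not measurements from the paper.
EVENT_LOG = [
    ("editor-1", "open", 1), ("editor-1", "read", 2),
    ("editor-1", "write", 3), ("editor-1", "close", 4),
]
for file_index in range(3):
    base = 10 + 5 * file_index
    EVENT_LOG += [
        ("bulk-1", "open", base), ("bulk-1", "read", base + 1),
        ("bulk-1", "write", base + 2), ("bulk-1", "rename", base + 3),
        ("bulk-1", "close", base + 4),
    ]


def activity_frequencies(log):
    """Absolute occurrence frequency of each activity over the whole log."""
    return Counter(activity for _, activity, _ in log)


def case_profile(log, case_id):
    """Absolute occurrence frequency of each activity within one case."""
    return Counter(activity for case, activity, _ in log if case == case_id)


def directly_follows(log):
    """Count how often activity a is immediately followed by b inside a case.

    Events are ordered by timestamp per case; this is the directly-follows
    relation that naive discovery algorithms build their model from.
    """
    by_case = defaultdict(list)
    for case, activity, ts in log:
        by_case[case].append((ts, activity))
    dfg = Counter()
    for events in by_case.values():
        events.sort()  # chronological order within the case
        for (_, a), (_, b) in zip(events, events[1:]):
            dfg[(a, b)] += 1
    return dfg


def to_dot(log):
    """Render the directly-follows graph as Graphviz DOT text.

    Node labels carry the absolute frequency, edge labels the transition count.
    """
    freq = activity_frequencies(log)
    dfg = directly_follows(log)
    lines = ["digraph dfg {"]
    for activity, count in sorted(freq.items()):
        lines.append(f'  "{activity}" [label="{activity}\\n{count}"];')
    for (a, b), count in sorted(dfg.items()):
        lines.append(f'  "{a}" -> "{b}" [label="{count}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("absolute frequencies:", dict(activity_frequencies(EVENT_LOG)))
    print("directly-follows:", dict(directly_follows(EVENT_LOG)))
    print(to_dot(EVENT_LOG))
```

Pipe the DOT output into `dot -Tpng` to get the graph; the per-case profiles are the natural unit of comparison when looking for a process whose frequency vector deviates from the benign cases in the same log.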
© 2021 Springer Nature Switzerland AG
Cite this paper
Mahboubi, A., Ansari, K., Camtepe, S. (2021). Using Process Mining to Identify File System Metrics Impacted by Ransomware Execution. In: Bouzefrane, S., Laurent, M., Boumerdassi, S., Renault, E. (eds) Mobile, Secure, and Programmable Networking. MSPN 2020. Lecture Notes in Computer Science(), vol 12605. Springer, Cham. https://doi.org/10.1007/978-3-030-67550-9_5
DOI: https://doi.org/10.1007/978-3-030-67550-9_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-67549-3
Online ISBN: 978-3-030-67550-9