SHIELD: Secure Host-Independent Extensible Logging for SATA/Network Storage Towards Ransomware Detection
| Field | Value |
|---|---|
| Title | SHIELD: Secure Host-Independent Extensible Logging for SATA/Network Storage Towards Ransomware Detection |
| Authors | Raz, Md; Charan, P. V. Sai; Krishnamurthy, Prashanth; Khorrami, Farshad; Karri, Ramesh |
| Year of publication | 2025 |
| Collection | Computer Science |
| Subject terms | Computer Science - Cryptography and Security; Electrical Engineering and Systems Science - Systems and Control |
| Description | As malware such as ransomware becomes more sophisticated, finding and neutralizing it requires more robust and tamper-resistant solutions. Current methods rely on data from the (possibly compromised) host, lack hardware isolation, and cannot detect emerging threats. To address these limitations, we introduce SHIELD, a detection architecture that leverages FPGA-based open-source SATA and Network Block Device (NBD) technology to provide off-host, tamper-proof measurements for continuous observation of the disk activity of software executing on a target device. SHIELD makes three distinct contributions: it (1) develops a framework to obtain and analyze multi-level hardware metrics at the NBD, FPGA, and SATA storage levels, and shows their ability to differentiate between harmless and malicious software; (2) broadens the functionality of an open-source FPGA-driven SATA Host Bus Adapter (HBA) to offer complete data storage capabilities through NBD without relying on the host system; and (3) provides a foundation for using the methodology and metrics in automated, machine-learning-assisted detection and in ASIC integration for advanced mitigation capabilities in data storage devices. SHIELD analyzes 10 benign programs and 10 modern ransomware families to illustrate its capacity for real-time monitoring and its use in distinguishing ransomware from benign software. Experimental evidence shows that SHIELD's host-independent, hardware-assisted metrics are a basis for detection, allowing one to observe program execution and detect malicious activity at the storage level. Comment: 7 pages, 4 figures |
| Document type | Working Paper |
| Access URL | http://arxiv.org/abs/2501.16619 |
| Accession number | edsarx.2501.16619 |
| Database | arXiv |
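The abstract describes observing disk activity from a vantage point the host cannot tamper with: an NBD server or SATA HBA sees write requests (timing, logical block address, payload bytes) but no process names, file paths or user context, because those exist only on the host. The following is an added illustration of that storage-level view, written for this page and not taken from the SHIELD paper or its code. It simulates an off-host observer that receives raw block writes, aggregates per-window metrics, and applies a simple rule over them. The metrics (write count, bytes, fraction of near-random payloads, fraction of writes that overwrite already-allocated sectors), the thresholds, the 512-byte sector size, and both traces are assumptions constructed for the example; the paper's own metric set and detection model are not reproduced here.

```python
"""Off-host block-write observer: illustrative example, not SHIELD's implementation."""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SECTOR = 512          # assumed logical block size (typical SATA value)
HIGH_ENTROPY = 7.0    # assumed bits/byte threshold: random bytes approach 8.0, text sits near 4-5


@dataclass(frozen=True)
class WriteReq:
    """One write as seen below the host: arrival time, byte offset on the device, payload.
    No PID, file name or user is available at this layer."""
    t_ms: int
    offset: int
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Entropy of a payload in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sectors_of(req: WriteReq) -> range:
    first = req.offset // SECTOR
    last = (req.offset + len(req.data) - 1) // SECTOR
    return range(first, last + 1)


def window_metrics(writes: Iterable[WriteReq], allocated: Set[int],
                   window_ms: int = 1000) -> List[Dict[str, float]]:
    """Aggregate block-level metrics per time window.
    `allocated` holds sectors already carrying data when observation starts
    (learned from earlier traffic); it is updated as writes arrive, so a write
    that lands on an allocated sector counts as an in-place overwrite."""
    buckets: Dict[int, List[WriteReq]] = {}
    for w in sorted(writes, key=lambda r: r.t_ms):
        buckets.setdefault(w.t_ms // window_ms, []).append(w)
    out = []
    for idx in sorted(buckets):
        reqs = buckets[idx]
        high = overwrite = nbytes = 0
        for r in reqs:
            nbytes += len(r.data)
            if shannon_entropy(r.data) >= HIGH_ENTROPY:
                high += 1
            secs = set(sectors_of(r))
            if secs & allocated:
                overwrite += 1
            allocated |= secs
        out.append({"window": idx, "writes": len(reqs), "bytes": nbytes,
                    "high_entropy_frac": high / len(reqs),
                    "overwrite_frac": overwrite / len(reqs)})
    return out


def is_suspicious(m: Dict[str, float], min_writes: int = 20) -> bool:
    """Assumed rule: a burst that mostly overwrites existing sectors with near-random
    bytes resembles in-place file encryption."""
    return (m["writes"] >= min_writes
            and m["high_entropy_frac"] >= 0.8
            and m["overwrite_frac"] >= 0.5)


def classify(writes: Iterable[WriteReq], allocated: Iterable[int]) -> List[bool]:
    """One verdict per time window."""
    return [is_suspicious(m) for m in window_metrics(writes, set(allocated))]


def benign_trace(n: int = 40) -> List[WriteReq]:
    """Constructed trace: a build job appending 4 KiB of compiler output to fresh
    sectors every 50 ms (low-entropy ASCII, no overwrites)."""
    writes = []
    for i in range(n):
        line = ("line %05d: compiler output, warnings: 0, errors: 0\n" % i).encode()
        data = (line * (4096 // len(line) + 1))[:4096]
        writes.append(WriteReq(t_ms=i * 50, offset=(1000 + i) * 4096, data=data))
    return writes


def ransomware_trace(n: int = 40, seed: int = 7) -> List[WriteReq]:
    """Constructed trace: n pre-existing 4 KiB blocks rewritten in place with
    random bytes every 5 ms, as an encryptor that overwrites files would do."""
    rng = random.Random(seed)
    return [WriteReq(t_ms=i * 5, offset=i * 4096,
                     data=bytes(rng.getrandbits(8) for _ in range(4096)))
            for i in range(n)]


if __name__ == "__main__":
    existing = range(0, 40 * 4096 // SECTOR)   # sectors holding the victim files
    print("benign windows flagged:    ", classify(benign_trace(), existing))
    print("ransomware windows flagged:", classify(ransomware_trace(), existing))
```

The point of the example is where the measurement is taken, not the rule: because the observer sits on the storage side, malware that has disabled host logging or tampered with the kernel still cannot hide the bytes it commits to disk. The rule itself is deliberately naive and is easy to evade (throttling writes below the rate threshold, encoding ciphertext to lower its byte entropy, or writing to fresh sectors and deleting the originals afterwards), which is one reason the abstract points toward multi-level metrics and machine-learning-assisted detection rather than fixed thresholds.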