More Like this

1. On the Effectiveness of Behavior-Based Ransomware Detection

   https://doi.org/10.1007/978-3-030-63095-9_7  

   Han, Jaehyun ; Lin, Zhiqiang ; Porter, Donald E ( December 2020 , International Conference on Security and Privacy in Communication Systems)

   null (Ed.)

   Ransomware has been a growing threat to end-users in the past few years. In response, there is also a burgeoning market for anti-ransomware defense products, as well as research prototypes that explore more advanced, behavioral analyses. Intuitively, ransomware should be amenable to identification through behavioral analysis, since ransomware recursively walks a user’s files and encrypts them, overwriting or deleting the plaintext. This paper contributes a study of the effectiveness of these behavior-based ransomware defenses, from both commercial products and academic proposals. We drive the study with a dead simple ransomware, augmented with a number of both straightforward and new evasion techniques. Surprisingly, our results indicate that most commercial products are strikingly ineffective. Ten out of 15 commercial products could not detect our simple ransomware without any evasive techniques; most of the rest were evaded and able to ransom user data with some combination of simple techniques. Only one tool appears to correctly identify our ransomware, but suffers from staggering false positives, including flagging Windows Explorer, Firefox, and Notepad as ransomware during routine operation. Our paper identifies a number of techniques to manipulate entropy to match the original file. The paper further shows that partial encryption, of as little as 3–5% of a file’s data is sufficient to ransom most file formats. Finally, we show that a combination of these techniques can render an aggregate malice score that is well below that of a Linux kernel compile. In summary, these results indicate that it is highly likely that ransomware will be able to adapt its behavior to fit within the range of expected benign behaviors, avoiding detection even by future generations of behavioral ransomware detectors. 

   more » « less
2. Breaking and Fixing Virtual Channels: Domino Attack and Donner

   Aumayr, Lukas ; Moreno-Sanchez, Pedro ; Kate, Aniket ; Maffei, Matteo. ( January 2023 , Network and Distributed System Security (NDSS) Symposium)

   Payment channel networks (PCNs) mitigate the scalability issues of current decentralized cryptocurrencies. They allow for arbitrarily many payments between users connected through a path of intermediate payment channels, while requiring interacting with the blockchain only to open and close the channels. Unfortunately, PCNs are (i) tailored to payments, excluding more complex smart contract functionalities, such as the oracle-enabling Discreet Log Contracts and (ii) their need for active participation from intermediaries may make payments unreliable, slower, expensive, and privacy-invasive. Virtual channels are among the most promising techniques to mitigate these issues, allowing two endpoints of a path to create a direct channel over the intermediaries without any interaction with the blockchain. After such a virtual channel is constructed, (i) the endpoints can use this direct channel for applications other than payments and (ii) the intermediaries are no longer involved in updates. In this work, we first introduce the Domino attack, a new DoS/griefing style attack that leverages virtual channels to destruct the PCN itself and is inherent to the design adopted by the existing Bitcoin-compatible virtual channels. We then demonstrate its severity by a quantitative analysis on a snapshot of the Lightning Network (LN), the most widely deployed PCN at present. We finally discuss other serious drawbacks of existing virtual channel designs, such as the support for only a single intermediary, a latency and blockchain overhead linear in the path length, or a non-constant storage overhead per user. We then present Donner, the first virtual channel construction that overcomes the shortcomings above, by relying on a novel design paradigm. We formally define and prove security and privacy properties in the Universal Composability framework. Our evaluation shows that Donner is efficient, reduces the on-chain number of transactions for disputes from linear in the path length to a single one, which is the key to prevent Domino attacks, and reduces the storage overhead from logarithmic in the path length to constant. Donner is Bitcoin-compatible and can be easily integrated in the LN. 

   more » « less
3. Digital Payment and Its Discontents: Street Shops and the Indian Government's Push for Cashless Transactions

   https://doi.org/10.1145/3173574.3173803  

   Pal, Joyojeet ; Chandra, Priyank ; Kameswaran, Vaishnav ; Parameshwar, Aakanksha ; Joshi, Sneha ; Johri, Aditya ( January 2018 , Proceedings of CHI 2018)

   In November 2016, the Government of India banned the vast majority of the nation’s banknotes in a move referred to as ‘demonetization’, with the stated goals of fighting corruption, terrorism, and eventually expanding digital transactions. In this study of 200 shop-keepers in Mumbai and Bengaluru, we found that cash shortage increased digital payment adoption but that digital payments fell after new banknotes became available. Digital payment adoption depended on the nature and scope of transactions, type of product sold, as well as personal factors specific to business owners such as comfort and familiarity with other digital technologies and online transactions. Using theoretical work on market and information behavior, we examined environmental pushes for technology adoption against prevalent transactional practices, trust, and control. We propose that the move toward digital payments must be framed within a larger undertaking of technology-driven modernity that drives these initiatives, rather than just the efficiency or productivity gains digital payments present. 

   more » « less
4. Touch-Based Magnetic Communication through Your Hand

   https://doi.org/10.1109/ICIOT.2018.00009  

   Allawadi, Arvind ; Liu, Kaikai ( July 2018 , 2018 IEEE International Congress on Internet of Things (ICIOT))

   Near field communication (NFC), which emerged only a decade ago, has been rapidly adopted in business services including point-of-sale (POS) systems, payments, identification, ticketing, and various other types of services. NFC offers great and varied promise in providing secure and implicit paired communication capability in smartphones. As a short-range wireless communication technology, the level of "secure" is contributed by the short-range nature. Compared with other competitive technologies, NFC achieves physical-level security but sacrifices convenience. For example, NFC cannot achieve device-free or hands-free payment transactions like the service provided by PayPal called PayPal beacon which utilizes Bluetooth-low-energy (BLE) technology. In this paper, we propose a low-cost wearable device that can achieve better physical-level security than NFC provides. This system is compatible with existing NFC-based POS systems and can help users realize a convenient hands-free payment transaction. Specifically, a custom NFC wristband was designed to channel its magnetic field through the human arm. By confining the magnetic field in NFC to the area around the body, we could minimize energy radiation, reduce the possibility of communication sniffing and hijackings, and improve security. To evaluate this approach, we conducted various experiments via different configurations. The results showed that the communication range for the human body channel was greater than that of the air and water channels. In addition, through this study we demonstrated that the human body is a naturally secure channel, and hacking and nearby interference are minimized during such communication. Our system also defines a new way of communication, for example, people can share confidential information with a simple handshake without pulling out and touching, or tapping smartphones. 

   more » « less
5. SSD-Insider: Internal Defense of Solid-State Drive against Ransomware with Perfect Data Recovery

   https://doi.org/10.1109/ICDCS.2018.00089  

   Baek, SungHa ; Jung, Youngdon ; Mohaisen, Aziz ; Lee, Sungjin ; Nyang, DaeHun ( July 2018 , 38th IEEE International Conference on Distributed Computing Systems, ICDCS 2018)

   Ransomware is a malware that encrypts victim's data, where the decryption key is released after a ransom is paid by the data owner to the attacker. Many ransomware attacks were reported recently, making anti-ransomware a crucial need in security operation, and an issue for the security community to tackle. In this paper, we propose a new approach to defending against ransomware inside NAND flash-based SSDs. To realize the idea of defense-inside-SSDs, both a lightweight detection technique and a perfect recovery algorithm to be used as a part of SSDs firmware should be developed. To this end, we propose a new set of lightweight behavioral features on ran-somware's overwriting pattern, which are invariant across various ransomwares. Our features rely on observing the block I/O request headers only, and not the payload. For perfect and instant recovery, we also propose using the delayed deletion feature of SSDs, which is intrinsic to NAND flash. To demonstrate their feasibility, we implement our algorithms atop an open-channel SSD as a working prototype called SSD-Insider. In experiments using eight real-world and two in-house ransomwares with various background applications running, SSD-Insider achieved a detection accuracy 0% FRR/FAR in most scenarios, and only 5% FAR when heavy overwriting resembling ransomware's data wiping occurs. SSD-Insider detects ransomware activity within 10s, and recovers instantly an infected SSD within 1s with 0% data loss. The additional software overheads incurred by the SSD-Insider is just 147 ns and 254 ns for 4-KB reads and writes, respectively, which is negligible considering NAND chip latency (50-1000 μs). 

   more » « less