The document proposes a ransomware protection method called "Hiding in the Crowd" that protects critical files from ransomware attacks by applying a camouflage and hiding strategy. The method hides files in directories that ransomware typically avoids encrypting and uses link files to allow convenient access to hidden files. The authors enhance the security of the method by implementing an encrypted database and linker to avoid exposing information about hidden files. Experiments show the method successfully protects files against real-world ransomware samples in a cost-effective manner.
Optimised Malware Detection in Digital Forensics (IJNSA Journal)
On the Internet, malware is one of the most serious threats to system security. Many of the most complex problems on any system are caused by malware and spam. Networks and systems can be accessed and compromised by malware known as botnets, which compromise other systems through coordinated attacks. Such malware uses anti-forensic techniques to avoid detection and investigation. To protect systems from the malicious activity of this malware, a new framework is required that aims to develop an optimised technique for malware detection. Hence, this paper demonstrates new approaches to performing malware analysis in forensic investigations and discusses how such a framework may be developed.
Integrating Threat Modeling in Secure Agent-Oriented Software Development (Waqas Tariq)
The main objective of this paper is to integrate threat modeling into the development of a software application that follows the Secure Tropos methodology. Secure Tropos is an agent-oriented software development methodology that integrates "security extensions" into all development phases. Threat modeling is used to identify, document, and mitigate security risks; therefore, applying threat modeling when defining the security extensions should lead to better modeling and an increased level of security. After integrating threat modeling into the methodology, security attack scenarios are applied to the models to discuss how the security level of the system has been affected. Security attack scenarios have been used to test different enhancements made to the Secure Tropos methodology and to the Tropos methodology itself. The system modeled with this methodology is an e-commerce application for selling handmade products made in Ecuador over the web. The .NET Model-View-Controller framework is used to develop the case study application. Results show that by integrating threat modeling into the development process, the security level of the modeled application increased. The actors, goals, tasks, and security constraints introduced through the proposed integration help mitigate different risks and vulnerabilities.
Vulnerability Scanners: A Proactive Approach to Assess Web Application Security (ijcsa)
With the increasing concern for network security, many approaches have been laid out to protect networks from unauthorised access, and new methods have been adopted to find the potential flaws that may damage them. The most commonly used approach is vulnerability assessment. By vulnerability we mean a potential flaw in the system that makes it prone to attack. Assessing these vulnerabilities provides a means to identify and develop new strategies that protect the system from the risk of being damaged. This paper focuses on the use of various vulnerability scanners, and their related methodology, to detect vulnerabilities in web applications or in remote hosts across the network, and tries to identify new mechanisms that can be deployed to secure the network.
Network Threat Characterization in Multiple Intrusion Perspectives using Data... (IJNSA Journal)
For effective security incident response on a network, a reputable approach must be in place in both the protected and the unprotected regions of the network, because a compromise in the demilitarized zone can be the precursor to a threat inside the network. The increased complexity of present-day attacks and the vulnerability of systems motivate this work. Past and present approaches to intrusion detection and prevention have neglected victim and attacker properties, despite the fact that an intrusion requires an overt act by an attacker and a manifestation, observable by the intended victim, that results from that act. Therefore, this paper presents a threat characterization model for attacks from both the victim and the attacker perspective of intrusion, using a data mining technique that combines Frequent Temporal Sequence Association Mining and Fuzzy Logic. The Apriori association mining algorithm was used to mine temporal rule patterns from alert sequences, while a fuzzy control system was used to rate exploits. The experimental results show that accurate threat characterization in multiple intrusion perspectives can be achieved with fuzzy association mining. The results also show that sequences of exploits can be used to rate threats and are motivated by victim properties and attacker objectives.
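The two building blocks named in this abstract, Apriori-style frequent temporal sequence mining over alert sequences and a fuzzy rating of the resulting exploit chains, can be shown end to end in a few dozen lines. The following is an added example, not code from the paper: the alert sequences, the severity table and the four fuzzy rules are constructed for illustration, and the mining uses the level-wise (candidate generation plus pruning) structure of Apriori applied to ordered subsequences.

```python
"""Apriori-style frequent sequence mining over IDS alert sequences, followed by
a fuzzy threat rating of each mined pattern. Added illustration: the alert
sequences, severities and rule base below are constructed, not from the paper."""

# Constructed alert sequences: one time-ordered list per (attacker, victim) pair.
ALERT_SEQUENCES = [
    ["PORT_SCAN", "SSH_BRUTE", "PRIV_ESC", "DATA_EXFIL"],
    ["PORT_SCAN", "SSH_BRUTE", "PRIV_ESC"],
    ["PORT_SCAN", "WEB_SQLI", "DATA_EXFIL"],
    ["PORT_SCAN", "SSH_BRUTE", "DATA_EXFIL"],
    ["WEB_SQLI", "PRIV_ESC", "DATA_EXFIL"],
]

# Assumed per-alert severity on a 0..10 scale (hypothetical values).
SEVERITY = {"PORT_SCAN": 2, "SSH_BRUTE": 5, "WEB_SQLI": 7, "PRIV_ESC": 8, "DATA_EXFIL": 9}


def is_subsequence(pattern, seq):
    """True if every alert of pattern appears in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(alert in it for alert in pattern)


def support(pattern, sequences):
    """Fraction of sequences that contain the pattern as an ordered subsequence."""
    return sum(is_subsequence(pattern, s) for s in sequences) / len(sequences)


def frequent_sequences(sequences, min_support):
    """Level-wise (Apriori) search. Length-k candidates are built only from
    frequent length-(k-1) patterns: a pattern can never be more frequent than
    any of its own subsequences, so infrequent prefixes are pruned early."""
    alerts = sorted({a for s in sequences for a in s})
    level = [(a,) for a in alerts if support((a,), sequences) >= min_support]
    result = {p: support(p, sequences) for p in level}
    while level:
        frequent_set = set(level)
        candidates = set()
        for p in level:
            for q in level:
                if p[1:] == q[:-1]:          # join when p's suffix equals q's prefix
                    candidates.add(p + q[-1:])
        # prune: every (k-1)-subsequence of a candidate must itself be frequent
        candidates = {c for c in candidates
                      if all(c[:i] + c[i + 1:] in frequent_set for i in range(len(c)))}
        level = [c for c in sorted(candidates) if support(c, sequences) >= min_support]
        result.update({c: support(c, sequences) for c in level})
    return result


def tri(x, a, b, c):
    """Triangular membership function rising from a, peaking at b, falling to c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzy_threat_rating(pattern, supp):
    """Rate a mined exploit chain on a 0..10 scale from its support and its peak
    severity, using four constructed rules and weighted-average defuzzification."""
    sev = max(SEVERITY[a] for a in pattern) / 10.0
    low = lambda x: tri(x, -1.0, 0.0, 1.0)   # membership 1 at 0, falling to 0 at 1
    high = lambda x: tri(x, 0.0, 1.0, 2.0)   # membership 0 at 0, rising to 1 at 1
    rules = [  # (firing strength, crisp consequent)
        (min(high(supp), high(sev)), 9.0),   # frequent and severe -> critical
        (min(low(supp), high(sev)), 6.0),    # rare but severe -> elevated
        (min(high(supp), low(sev)), 4.0),    # frequent but low severity -> noise-like
        (min(low(supp), low(sev)), 1.0),     # rare and benign -> negligible
    ]
    total = sum(w for w, _ in rules)
    return sum(w * z for w, z in rules) / total if total else 0.0


def rated_patterns(sequences, min_support):
    """Mine frequent chains and attach a threat rating to each, highest first."""
    freq = frequent_sequences(sequences, min_support)
    return sorted(((fuzzy_threat_rating(p, s), p, s) for p, s in freq.items()), reverse=True)


if __name__ == "__main__":
    for rating, pattern, supp in rated_patterns(ALERT_SEQUENCES, 0.4):
        print(f"{rating:4.1f}  support={supp:.2f}  {' -> '.join(pattern)}")
```

With a minimum support of 0.4 the three-step chain PORT_SCAN -> SSH_BRUTE -> PRIV_ESC survives while PORT_SCAN -> WEB_SQLI does not, and the fuzzy stage ranks the chain above the ubiquitous but low-severity PORT_SCAN alone, which is the "sequence of exploits rates the threat" point the abstract makes.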
Malware Risk Analysis on the Campus Network with Bayesian Belief Network (IJNSA Journal)
A security network management system provides clear guidelines on risk evaluation and assessment for enterprise networks. Threat and risk assessment is conducted to safeguard enterprise network services and to maintain system confidentiality, integrity, and availability through effective control strategies. In this paper, building on our previous work on integrated information security management and on mathematical modelling of malware propagation on the campus network, we propose a Bayesian Belief Network with an inference level indicator that enables the decision maker to understand the risks posed and to choose appropriate mitigation. We experimentally placed monitoring sensors on the campus network that report threat alert priority levels and their magnitude on the vulnerable information assets. These methods give a direction on the belief inferred from malware prevalence on the information security assets, for better understanding.
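A Bayesian belief network of this kind is small enough to evaluate by exact enumeration, which makes the "inference level indicator" concrete: the posterior probability that an asset is infected, given sensor evidence, is mapped to a mitigation level. The example below is added here and is not the paper's model; the four-node structure, the conditional probability tables and the level thresholds are constructed assumptions.

```python
"""Tiny Bayesian belief network for campus malware risk, with exact inference by
enumeration and a posterior-to-level indicator. Added illustration: the node
structure, CPT values and thresholds are constructed assumptions."""
from itertools import product

# node -> (parents, CPT). The CPT maps a tuple of parent values to P(node = True).
BBN = {
    "Prevalence": ((), {(): 0.30}),      # malware currently prevalent on the campus network
    "Vulnerable": ((), {(): 0.40}),      # the asset is unpatched / exposed
    "Infected": (("Prevalence", "Vulnerable"), {
        (True, True): 0.70, (True, False): 0.20,
        (False, True): 0.15, (False, False): 0.02}),
    "Alert": (("Infected",), {(True,): 0.90, (False,): 0.10}),  # monitoring sensor fires
}


def local_prob(node, value, assignment):
    """P(node = value | parents) read from the CPT for a full assignment."""
    parents, cpt = BBN[node]
    p_true = cpt[tuple(assignment[p] for p in parents)]
    return p_true if value else 1.0 - p_true


def joint(assignment):
    """Joint probability of a complete assignment: product of the local CPT entries."""
    result = 1.0
    for node, value in assignment.items():
        result *= local_prob(node, value, assignment)
    return result


def posterior(query, evidence):
    """P(query = True | evidence), summing the joint over all hidden variables.
    Exponential in the number of hidden nodes, which is fine for a network this size."""
    hidden = [n for n in BBN if n != query and n not in evidence]
    weight = {}
    for qv in (True, False):
        total = 0.0
        for hv in product((True, False), repeat=len(hidden)):
            a = dict(evidence)
            a[query] = qv
            a.update(zip(hidden, hv))
            total += joint(a)
        weight[qv] = total
    return weight[True] / (weight[True] + weight[False])


def inference_level(p):
    """Map a posterior to the indicator a decision maker acts on (assumed thresholds)."""
    if p >= 0.7:
        return "high"
    if p >= 0.3:
        return "medium"
    return "low"


def assess(evidence):
    """Return (posterior infection probability, indicator level) for given sensor evidence."""
    p = posterior("Infected", evidence)
    return p, inference_level(p)


if __name__ == "__main__":
    for ev in ({}, {"Vulnerable": True}, {"Alert": True, "Vulnerable": True}, {"Alert": False, "Vulnerable": True}):
        p, level = assess(ev)
        print(f"evidence={ev!s:45} P(Infected)={p:.3f} -> {level}")
```

With no evidence the prior infection probability is about 0.17 ("low"); a sensor alert on a known-vulnerable asset lifts it to about 0.81 ("high"), while a silent sensor on the same asset drops it below 0.05. Replacing the constructed CPTs with rates measured from the deployed sensors is what turns the indicator into a usable one.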
With the development and rapid growth of IT infrastructure, malicious code attacks are considered the main threat to cybersecurity. Malicious JavaScript that attackers intentionally craft inside web pages is an emerging security issue affecting millions of users. In the past few years, a number of studies based on machine learning for the detection of malicious JavaScript code attacks have shown poor detection accuracy and increased performance overhead. In this paper, an effective interceptor approach for the detection of multivariate and novel malicious JavaScript based on deep learning is proposed and evaluated. A hybrid feature set based on static and dynamic analysis was used. The dataset used in this study consists of 32,000 benign web pages and 12,900 malicious pages. The experimental results show that this approach was able to detect 99.01% of new malicious code variants.
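The static half of a hybrid feature set is the part a practitioner can reproduce offline: lexical signals such as obfuscation-style escape sequences, suspicious call names and string entropy, extracted into a vector that a classifier would consume. The following is an added example, not the paper's feature set or model; the feature names, the two sample scripts and the transparent heuristic score (which stands in for the trained deep-learning model) are constructed, and the paper's dynamic, execution-time features are out of scope here.

```python
"""Static feature extraction from JavaScript source, the kind of vector a
malicious-script classifier consumes. Added illustration: the feature set, the
sample scripts and the heuristic score are constructed; dynamic (runtime)
features are not covered."""
import math
import re
from collections import Counter

# Call names commonly associated with obfuscated or dropper-style scripts (assumed list).
SUSPICIOUS_CALLS = ("eval", "unescape", "String.fromCharCode", "document.write",
                    "setTimeout", "atob", "Function")
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}')


def shannon_entropy(text):
    """Bits per character; obfuscated or packed code tends to score higher."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(js):
    """Return a dict of static lexical features for one script."""
    strings = STRING_RE.findall(js)
    return {
        "length": len(js),
        "entropy": round(shannon_entropy(js), 3),
        "num_strings": len(strings),
        "longest_string": max((len(s) for s in strings), default=0),
        "escape_seqs": len(ESCAPE_RE.findall(js)),        # \xNN, \uNNNN, %NN
        "suspicious_calls": sum(js.count(c) for c in SUSPICIOUS_CALLS),
        "whitespace_ratio": round(sum(ch.isspace() for ch in js) / max(len(js), 1), 3),
    }


def heuristic_score(feats):
    """Not a trained model: a transparent stand-in showing how the features combine.
    In the paper's setting this is where the deep-learning classifier sits."""
    score = 2 * min(feats["suspicious_calls"], 3)
    score += 2 if feats["escape_seqs"] >= 8 else 0
    score += 1 if feats["longest_string"] > 200 else 0
    score += 1 if feats["entropy"] > 5.0 else 0
    return score


# Constructed samples: a plain page script and an obfuscated one that
# reassembles 'eval' and 'document' from escapes and char codes.
BENIGN = """function greet(name) {
  var msg = 'Hello, ' + name;
  document.getElementById('out').textContent = msg;
}
greet('visitor');
"""
MALICIOUS = ("var _0x1f=\"\\x65\\x76\\x61\\x6c\";"
             "var p=unescape('%75%6e%65%73%63%61%70%65');"
             "eval(String.fromCharCode(100,111,99,117,109,101,110,116)+'.write(\"<iframe src=x>\")');")


def classify(js, threshold=4):
    """Label a script from its static features; threshold is an assumption."""
    feats = extract_features(js)
    return ("malicious" if heuristic_score(feats) >= threshold else "benign"), feats


if __name__ == "__main__":
    for name, js in (("benign", BENIGN), ("malicious", MALICIOUS)):
        label, feats = classify(js)
        print(f"{name:10} -> {label:10} {feats}")
```

The point of keeping the scoring transparent is that each feature remains auditable: when a classifier flags a page, the analyst can see which static signals fired, and the same extractor feeds the trained model in production.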
International Journal of Computer Science and Information Security (IJCSIS), ISSN 1947-5500, Pittsburgh, PA, USA
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE... (IJNSA Journal)
End users are increasingly vulnerable to attacks directed at web browsers, which exploit the popularity of today's web services. While organizations deploy several layers of security to protect their systems and data against unauthorised access, surveys reveal that a large fraction of end users do not use, or are not familiar with, any security tools. End users' hesitation and unfamiliarity with security products contribute greatly to the number of online DDoS attacks and to malware and spam distribution. This work-in-progress paper proposes a design focused on increased participation of internet service providers in protecting end users. The proposed design uses three different detection tools to identify malicious website content and alerts users, via the Internet Content Adaptation Protocol (ICAP), through an in-browser cross-platform messaging system. The system also incorporates analysis of users' online behaviour to minimize the scanning intervals of the malicious-website database by client honeypots. Findings from our proof-of-concept design and other research indicate that such a design can provide a reliable hybrid detection mechanism while introducing low delay into the user's browsing experience.
McAfee Labs explores top threats expected in the coming year.
Welcome to the McAfee Labs 2017 Threats Predictions report. We have split this year's report into two sections. The first section digs into three very important topics, looking at each through a long lens. The second section makes specific predictions about threat activity in 2017. Our predictions for next year cover a wide range of threats, including ransomware, vulnerabilities of all kinds, the use of threat intelligence to improve defenses, and attacks on mobile devices.
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co... (Editor IJCATR)
Network Intrusion detection and Countermeasure Selection in virtual network systems (NICE) is used to establish a defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection process. Note that the design of NICE does not intend to improve any existing intrusion detection algorithm; rather, NICE employs a reconfigurable virtual networking approach to detect and counter attempts to compromise VMs, thus preventing zombie VMs. NICE has two main phases. First, a lightweight mirroring-based network intrusion detection agent (NICE-A) is deployed on each cloud server to capture and analyze cloud traffic; NICE-A periodically scans the virtual system vulnerabilities within a cloud server to establish Scenario Attack Graphs (SAGs). Second, based on the severity of the identified vulnerabilities toward the collaborative attack goals, NICE decides whether or not to put a VM in network inspection state. Once a VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the inspected VM to make the potential attack behaviours prominent.
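The decision step described above, scoring each VM by how severely its vulnerabilities lead toward the attack goal and moving it into inspection state when that score crosses a threshold, can be shown on a small scenario attack graph. The example below is added here and is not NICE's code: the VM topology, the vulnerability identifiers and severities, the severity-to-probability mapping and the inspection threshold are constructed assumptions; it also scores the path into the VM from the entry point, which generalises the "severity toward the goal" idea to the whole attack chain through that VM.

```python
"""Scenario attack graph over cloud VMs: edges are exploitable vulnerabilities
weighted by severity. A VM is moved into network inspection state when the most
likely attack chain through it toward the goal crosses a threshold.
Added illustration: topology, vulnerability ids, severities and threshold are
constructed assumptions, not from NICE."""

# (source_vm, target_vm, vulnerability_id, severity on a 0..10 scale) -- constructed
VULNS = [
    ("internet", "vm_web", "web-rce", 9.8),
    ("vm_web", "vm_app", "app-deserialize", 8.1),
    ("vm_web", "vm_db", "db-weak-creds", 5.3),
    ("vm_app", "vm_db", "db-priv-esc", 7.5),
    ("vm_app", "vm_admin", "ssh-key-reuse", 6.5),
    ("vm_admin", "vm_db", "admin-to-db", 9.0),
]
ENTRY = "internet"
GOAL = "vm_db"                 # the collaborative attack goal
INSPECT_THRESHOLD = 0.5        # assumed cut-off for entering inspection state


def severity_to_prob(sev):
    """Assumed mapping: treat severity/10 as probability the exploit succeeds."""
    return sev / 10.0


def build_graph(vulns):
    """Adjacency list: vm -> [(next_vm, vuln_id, success_probability)]."""
    graph = {}
    for src, dst, vid, sev in vulns:
        graph.setdefault(src, []).append((dst, vid, severity_to_prob(sev)))
    return graph


def best_path_probability(graph, start, goal):
    """Max-product path from start to goal by DFS (visited set guards cycles).
    Returns (probability, [vulnerabilities exploited along the path])."""
    best = (0.0, [])

    def dfs(node, prob, path, visited):
        nonlocal best
        if node == goal:
            if prob > best[0]:
                best = (prob, list(path))
            return
        for dst, vid, q in graph.get(node, []):
            if dst not in visited:
                dfs(dst, prob * q, path + [vid], visited | {dst})

    dfs(start, 1.0, [], {start})
    return best


def vms_to_inspect(vulns, entry=ENTRY, goal=GOAL, threshold=INSPECT_THRESHOLD):
    """For each VM, take the most likely chain entry -> vm -> goal; flag the VM for
    inspection (DPI / network reconfiguration) when that chain's probability >= threshold."""
    graph = build_graph(vulns)
    vms = {v for edge in vulns for v in edge[:2]} - {entry}
    decisions = {}
    for vm in sorted(vms):
        p_in, path_in = best_path_probability(graph, entry, vm)
        p_out, path_out = best_path_probability(graph, vm, goal)
        p = p_in * p_out
        decisions[vm] = {"goal_prob": round(p, 4), "path": path_in + path_out,
                         "inspect": p >= threshold}
    return decisions


if __name__ == "__main__":
    for vm, d in vms_to_inspect(VULNS).items():
        state = "INSPECT" if d["inspect"] else "normal "
        print(f"{state} {vm:9} p={d['goal_prob']:.4f} via {' > '.join(d['path']) or '(goal)'}")
```

On this graph vm_web, vm_app and the goal itself cross the threshold through the chain web-rce > app-deserialize > db-priv-esc, while vm_admin stays below it: its route to the database is severe but sits behind a weaker key-reuse step. Lowering the threshold or re-scanning after a patch changes the set of VMs under inspection, which is the reconfiguration loop the abstract describes.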
INFORMATION AND COMMUNICATION SECURITY MECHANISMS FOR MICROSERVICES-BASED SYS... (IJNSA Journal)
Security has become paramount in modern software services as more and more security breaches emerge, impacting end users and organizations alike. Trends like the Microservice Architecture bring new security challenges related to communication, system design, development, and operation. The literature presents a plethora of security-related solutions for microservices-based systems, but the spread of this information makes it difficult for practitioners to adopt novel security solutions. In this study, we present a catalogue and discussion of security solutions based on algorithms, protocols, standards, or implementations that support principles or characteristics of information security, considering the three possible states of data according to the McCumber Cube. Our research follows a Systematic Literature Review, synthesizing the results with a meta-aggregation process. We identified a total of 30 primary studies, yielding 75 security solutions for the communication of microservices.
Exploring network security threats through text mining techniques: a comprehe... (CSITiaesprime)
In response to the escalating cybersecurity threats, this research focuses on leveraging text mining techniques to analyze network security data effectively. The study utilizes user-generated reports detailing attacks on server networks. Employing clustering algorithms, these reports are grouped based on threat levels. Additionally, a classification algorithm discerns whether network activities pose security risks. The research achieves a noteworthy 93% accuracy in text classification, showcasing the efficacy of these techniques. The novelty lies in classifying security threat report logs according to their threat levels. Prioritizing high-risk threats, this approach aids network management in strategic focus. By enabling swift identification and categorization of network security threats, this research equips organizations to take prompt, targeted actions, enhancing overall network security.
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES (IJNSA Journal)
Network infrastructures play an important part in most daily communications for business, social networking, government sectors and more. Despite the advantages of such functionality, security threats have become a daily struggle, and one major security threat is hacking. Consequently, security experts and researchers have suggested security solutions such as firewalls, Intrusion Detection Systems (IDS), Intrusion Detection and Prevention Systems (IDP) and honeynets. Yet none of these solutions has proven able to completely address hacking, in part because few studies examine the behaviour of hackers. This paper formally and practically examines in detail the behaviour of hackers and their targeted environments. Moreover, it formally examines the properties of one essential pre-hacking step, scanning, and highlights its importance in developing hacking strategies. It also illustrates the properties of hacking that are common to most hacking strategies, to assist security experts and researchers in minimizing the risk of being hacked.
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT (ijesajournal)
Diverse types of software are used in almost all sectors of business in the modern world. They provide mechanisms that enable buyers and sellers to interact virtually, reduce manual work in businesses and institutions, and make work a lot easier. Increased demand for software has led to increased investment, which has in turn attracted numerous security attacks. Millions of resources are held in software worldwide, and cyber criminals have made a career of breaching software security for selfish gain, which necessitates the development and establishment of secure software. Through a literature review, this work introduces the concepts and terms used in secure software development, presents best practices and reviews the models that could be used. Confidentiality, integrity, availability, and non-repudiation are the secure software terms meaning that it should be secret, safe and accessible, and that it keeps a record of every activity undertaken. The work advocates several best practices, among them the creation of a secure perimeter that limits access to key segments of the system and the reduction of the attack surface, that is, of the opportunities available for cyber attack. On the engineering of software, the paper recommends that system requirements be established before the software is created, and that additional engineering be done after the system has been evaluated, just before the official launch. Moreover, the paper recommends adopting strategies used by renowned models such as the Microsoft Security Development Lifecycle, among others. Those models apply secure software strategies throughout the software development life cycle; they recognize the need for secure engineering during the design and use of the software because new methods of breaching software security appear every day.
The paper concludes by noting that continued collaborative effort to guarantee more secure software is still a pressing need. Adherence to basic secure software development and usage practices is essential, in addition to developing further engineering that maintains the integrity, confidentiality and accessibility of the software.
Beyond Prevention: Cisco's Next Generation Endpoint Security
The only way to defeat today’s security threats is to address them holistically across the full attack continuum—before, during, and after an attack. Cisco’s approach of continuous endpoint analysis in combination with an integrated, architectural approach to security is foundational to this model
In cyber security, the synergy between different processes plays a very important role. One process, or framework, that is currently in the spotlight and drawing wide attention is Detection Engineering. Detection Engineering aims to bring more structure and organisation to the creation of detection use cases or rules in a Security Operations Center (SOC). Detection Engineering is still relatively new in cyber security, so there are many opportunities to improve the overall process. One thing that is still overlooked is the integration of Detection Engineering with Threat Modeling. Typically, Threat Modeling focuses on prevention and direct risk mitigation and neglects the detection component that is needed when those preventive and mitigating controls fail. In this paper, we introduce a new paradigm that integrates Detection Engineering into the Threat Modeling process. This approach makes detection an additional proactive step, one that serves as an extra layer of defence when preventive and mitigating controls ultimately fail against a real threat.
The possibilities provided by the internet today are almost limitless, fuelled by the presence of global networks, the ever larger volume of operations performed daily, and the people around the world who enjoy these benefits. However, the internet is not used only for peaceful purposes, as one might assume. Developments in technology and substantive upgrades to programming systems have led to frequent attacks by threat actors, which have become a real problem for large companies. One of the most famous hacking cases in the world was the breach of important information in the database of eBay, an online shopping store. This case study focuses on that attack.
Vulnerabilities detection using attack recognition technique in multi-factor ... (TELKOMNIKA JOURNAL)
Authentication is one of the essential components of information security and has become one of the most basic security requirements for network communication. Today there is a need for a strong level of authentication to guarantee that a significant level of security is delivered to the application, which raises challenging issues of security and efficiency. Security issues such as privacy and data integrity emerge because of the absence of control and authority. In addition, the bigger issue for multi-factor authentication is its high execution time, which leads to overall performance degradation. Most existing studies of multi-factor authentication schemes do not detect weaknesses based on user behaviour, and most recent research does not look at the efficiency of the system, focusing only on improving the security aspect of authentication. Hence, this research proposes a new multi-factor authentication scheme that can withstand attacks based on user behaviour while maintaining optimum efficiency. Experiments have been conducted to evaluate this scheme. The results show that the processing time of the proposed scheme is lower than that of other schemes, which is particularly important after additional security features have been added to the scheme.
Building a Distributed Secure System on Multi-Agent Platform Depending on the... (CSCJournals)
Today, applications in mobile multi-agent systems require a high degree of confidence that code running inside the system will not be malicious, and any malicious agents must be identified and contained. Since the inception of mobile agents, the intruder problem has been addressed with a multitude of techniques, but many of these implementations have only addressed concerns from the position of either the platform or the agents; very few approaches have tackled mobile agent security from both perspectives simultaneously. Furthermore, no middleware exists to facilitate provisioning of the required security qualities of mobile agent software while also focusing on easing the software development burden. The aim is to build a distributed secure system using multi-agents by applying the principles of software engineering. The objectives of this paper are to introduce multi-agent systems that enforce security rules through access rights, to build a distributed secure system integrated with the principles of the software engineering system life cycle, and to satisfy the security access rights of both platform and agents so as to improve the three characteristics of agents: adaptivity, mobility and flexibility. This project is based on PHP and MySQL and can be presented as a website. Implementation and testing were carried out on both Linux and Windows platforms, including Linux Red Hat 8, Linux Ubuntu 6.06 LTS and Microsoft Windows XP Professional. Since PHP and MySQL are available on almost all operating systems, the result can be tested on any platform where PHP and MySQL are configured. PHP5 and the MySQL database software are used to build a secure website. Multiple security and authentication techniques have been used by the multi-agent system, and the database is secured using MD5. The system also satisfies the characteristics required for security: confidentiality (protection from disclosure to unauthorized persons), integrity (maintaining data consistency) and authentication (assurance of the identity of a person or of the originator of data).
defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into
the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion
detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to
compromise VMs, thus preventing zombie VMs. NICE includes two main phases: deploy a lightweight mirroring-based network
intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual
system vulnerabilities within a cloud server to establish Scenario Attack Graph (SAGs), and then based on the severity of identified
vulnerability toward the collaborative attack goals, NICE will decide whether or not to put a VM in network inspection state. Once a
VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the
inspecting VM to make the potential attack behaviors prominent.
INFORMATION AND COMMUNICATION SECURITY MECHANISMS FOR MICROSERVICES-BASED SYS...IJNSA Journal
Security has become paramount in modern software services as more and more security breaches emerge, impacting final users and organizations alike. Trends like the Microservice Architecture bring new security challenges related to communication, system design, development, and operation. The literature presents a plethora of security-related solutions for microservices-based systems, but the spread of information difficult practitioners' adoption of novel security related solutions. In this study, we aim to present a catalogue and discussion of security solutions based on algorithms, protocols, standards, or implementations; supporting principles or characteristics of information security, considering the three possible states of data, according to the McCumber Cube. Our research follows a Systematic Literature Review, synthesizing the results with a meta-aggregation process. We identified a total of 30 primary studies, yielding 75 security solutions for the communication of microservices.
Exploring network security threats through text mining techniques: a comprehe...CSITiaesprime
In response to the escalating cybersecurity threats, this research focuses on leveraging text mining techniques to analyze network security data effectively. The study utilizes user-generated reports detailing attacks on server networks. Employing clustering algorithms, these reports are grouped based on threat levels. Additionally, a classification algorithm discerns whether network activities pose security risks. The research achieves a noteworthy 93% accuracy in text classification, showcasing the efficacy of these techniques. The novelty lies in classifying security threat report logs according to their threat levels. Prioritizing high-risk threats, this approach aids network management in strategic focus. By enabling swift identification and categorization of network security threats, this research equips organizations to take prompt, targeted actions, enhancing overall network security.
Network infrastructures have played important part in most daily communications for business industries,
social networking, government sectors and etc. Despites the advantages that came from such
functionalities, security threats have become a daily struggle. One major security threat is hacking.
Consequently, security experts and researchers have suggested possible security solutions such as
Firewalls, Intrusion Detection Systems (IDS), Intrusion Detection and Prevention Systems (IDP) and
Honeynet. Yet, none of these solutions have proven their ability to completely address hacking. The reason
behind that, there is a few researches that examine the behavior of hackers. This paper formally and
practically examines in details the behavior of hackers and their targeted environments. Moreover, this
paper formally examines the properties of one essential pre-hacking step called scanning and highlights its
importance in developing hacking strategies. Also, it illustrates the properties of hacking that is common in
most hacking strategies to assist security experts and researchers towards minimizing the risk of hack.
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIESIJNSA Journal
Network infrastructures have played important part in most daily communications for business industries, social networking, government sectors and etc. Despites the advantages that came from such functionalities, security threats have become a daily struggle. One major security threat is hacking. Consequently, security experts and researchers have suggested possible security solutions such as Firewalls, Intrusion Detection Systems (IDS), Intrusion Detection and Prevention Systems (IDP) and Honeynet. Yet, none of these solutions have proven their ability to completely address hacking. The reason behind that, there is a few researches that examine the behavior of hackers. This paper formally and practically examines in details the behavior of hackers and their targeted environments. Moreover, this paper formally examines the properties of one essential pre-hacking step called scanning and highlights its importance in developing hacking strategies. Also, it illustrates the properties of hacking that is common in most hacking strategies to assist security experts and researchers towards minimizing the risk of hack.
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTijesajournal
Diverse types of software are used in almost all sectors of businesses in the modern world. They provide mechanisms that enable buyers and sellers to interact virtually, reduce manual work in businesses and institutions as well as make work a lot easier. Increased demand for software has led to the increased investment that has subsequently attracted numerous security attacks. Millions of resources are held in various software worldwide, cyber-attack criminals have made a career in breaching software security for selfish gains, thus necessitating the development and establishment of secure software. Through a literature review, the work introduces concepts and terms used in secure software development, presents the best practices and provides a review of the models that could be used. Confidentiality, integrity, availability, and non-repudiation are secure software terms that mean it should be secret, safe, and accessible and keeps a record of every activity undertaken. The proposed work advocates for several best practices among them the creation of a secure perimeter that limits access to key segments or parts of the system in addition to reducing attacking surface or rather reducing the opportunities available for cyber-attack. In regard to the engineering of software, the paper recommends that system requirements must be established before the software is created. Additional engineering ought to be done after the system has been evaluated just before the official launch. Moreover, the paper recommends the adoption of strategies that are used by renowned software models such as Microsoft Software Development Life-cycle among others. Those models have put secure software strategies throughout the life-cycle of software development. They recognize the need to put secure engineering systems during the design and utilization of the software because new methods of breaching software security come up every new day. 
The paper concludes by noting that continued collaborative efforts to guarantee more secure software is still a demanding need. Adherence to basic secure software development and utilization is essential in addition to developing additional engineering that maintains the integrity, confidentially and accessibility of the software.
Beyond Prevention: Cisco's Next Generation Endpoint Security
The only way to defeat today’s security threats is to address them holistically across the full attack continuum—before, during, and after an attack. Cisco’s approach of continuous endpoint analysis in combination with an integrated, architectural approach to security is foundational to this model
Dalam dunia keamanan siber, sinergi antara berbagai proses memiliki peran yang sangat penting. Salah satu proses atau framework yang tengah menjadi sorotan dan menarik perhatian luas adalah Detection Engineering. Proses Detection Engineering ini bertujuan untuk meningkatkan struktur dan pengorganisasian dalam pembuatan detection use case atau rules di Security Operation Center (SOC). Detection Engineering bisa dikatakan masih baru dalam dunia keamanan siber, sehingga terdapat banyak peluang untuk membuat keseluruhan prosesnya menjadi lebih baik. Salah satu hal yang masih terlupakan adalah integrasi antara proses Detection Engineering dan Threat Modeling. Biasanya, Threat Modeling lebih berfokus pada solusi pencegahan dan mitigasi resiko secara langsung dan melupakanan komponen deteksi ketika pencegahan dan mitigasi tersebut gagal dalam menjalankan fungsinya. Dalam makalah ini, kami memperkenalkan paradigma baru dengan mengintegrasikan Detection Engineering ke dalam proses Threat Modeling. Pendekatan ini menjadikan Detection sebagai langkah proaktif tambahan, yang dapat menjadi lapisan pertahanan ekstra ketika kontrol pencegahan dan mitigasi akhirnya gagal dalam menghadapi ancaman sesungguhnya.
The possibilities provided by the internet in this day and times is almost limitless, fueled by
presence of global networks and larger operations being performed on a daily basis coupled with
people around the world who enjoy these benefits. However, the internet space is not used for
peaceful reasons as it should be assumed. The growing development in technologies and
substantive upgrade of programming systems has led to frequent cases of attacks by threat actors,
becoming a real problem for large companies.
Hence, therefore, one of the most famous cases in relation to hacking in the world was the
hacking of important information on the eBay database, an online shopping store. The case study
will focus on this attack.
3
Vulnerabilities detection using attack recognition technique in multi-factor ...TELKOMNIKA JOURNAL
Authentication is one of the essentials components of information security. It has become one of the most basic security requirements for network communication. Today, there is a necessity for a strong level of authentication to guarantee a significant level of security is being conveyed to the application. As such, it expedites challenging issues on security and efficiency. Security issues such as privacy and data integrity emerge because of the absence of control and authority. In addition, the bigger issue for multi-factor authentication is on the high execution time that leads to overall performance degradation. Most of existing studies related to multi-factor authentication schemes does not detect weaknesses based on user behavior. Most recent research does not look at the efficiency of the system by focusing only on improving the security aspect of authentication. Hence, this research proposes a new multi-factor authentication scheme that can withstand attacks, based on user behavior and maintaining optimum efficiency. Experiments have been conducted to evaluate this scheme. The results of the experiment show that the processing time of the proposed scheme is lower than the processing time of other schemes. This is particularly important after additional security features have been added to the scheme.
Building a Distributed Secure System on Multi-Agent Platform Depending on the...CSCJournals
Today, applications in mobile multi-agent systems require a high degree of confidence that running code inside the system will not be malicious. Also any malicious agents must be identified and contained. Since the inception of mobile agents, the intruder has been addressed using a multitude of techniques, but many of these implementations have only addressed concerns from the position of either the platform or the agents. Very few approaches have undertaken the problem of mobile agent security from both perspectives simultaneously. Furthermore, no middleware exists to facilitate provisioning of the required security qualities of mobile agent software while extensively focusing on easing the software development burden. The aim is to build a distributed secure system using multi-agents by applying the principles of software engineering. The objectives of this paper is to introduce multi agent systems that enhance security rules through the access right to building a distributed secure system integrating with principles of software engineering system life cycle, as well as satisfy the security access right for both platform and agents to improve the three characteristics of agents adaptively, mobility and flexibility. This project based on the platform of PHP and MYSQL (Database) which can be presented in a website. The implementation and test are applied in both Linux and Windows platforms, including Linux Red Hat 8, Linux Ubuntu 6.06 LTS and Microsoft Windows XP Professional. Since PHP and MySQL are available in almost all operating systems, the result could be tested the platform as long as PHP and MySQL configuration is available. PHP5 and the MySQL (database) software are used to build a secure website. Multiple techniques of security and authentications have been used by multi-agents system. Secure database is encrypted by using md5. 
Also satisfy the characteristics for security requirements: confidentiality (protection from disclosure to unauthorized persons), integrity (maintaining data consistency) and authentication (assurance of identity of person or originator of data).
Similar to Hiding_in_the_Crowd_Ransomware_Protection_by_Adopting_Camouflage.pdf (20)
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...ssuser7dcef0
Power plants release a large amount of water vapor into the
atmosphere through the stack. The flue gas can be a potential
source for obtaining much needed cooling water for a power
plant. If a power plant could recover and reuse a portion of this
moisture, it could reduce its total cooling water intake
requirement. One of the most practical way to recover water
from flue gas is to use a condensing heat exchanger. The power
plant could also recover latent heat due to condensation as well
as sensible heat due to lowering the flue gas exit temperature.
Additionally, harmful acids released from the stack can be
reduced in a condensing heat exchanger by acid condensation. reduced in a condensing heat exchanger by acid condensation.
Condensation of vapors in flue gas is a complicated
phenomenon since heat and mass transfer of water vapor and
various acids simultaneously occur in the presence of noncondensable
gases such as nitrogen and oxygen. Design of a
condenser depends on the knowledge and understanding of the
heat and mass transfer processes. A computer program for
numerical simulations of water (H2O) and sulfuric acid (H2SO4)
condensation in a flue gas condensing heat exchanger was
developed using MATLAB. Governing equations based on
mass and energy balances for the system were derived to
predict variables such as flue gas exit temperature, cooling
water outlet temperature, mole fraction and condensation rates
of water and sulfuric acid vapors. The equations were solved
using an iterative solution technique with calculations of heat
and mass transfer coefficients and physical properties.
Water billing management system project report.pdfKamal Acharya
Our project entitled “Water Billing Management System” aims is to generate Water bill with all the charges and penalty. Manual system that is employed is extremely laborious and quite inadequate. It only makes the process more difficult and hard.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board like generating monthly Water bill, record of consuming unit of water, store record of the customer and previous unpaid record.
We used HTML/PHP as front end and MYSQL as back end for developing our project. HTML is primarily a visual design environment. We can create a android application by designing the form and that make up the user interface. Adding android application code to the form and the objects such as buttons and text boxes on them and adding any required support code in additional modular.
MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software. It is a stable ,reliable and the powerful solution with the advanced features and advantages which are as follows: Data Security.MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software.
We have compiled the most important slides from each speaker's presentation. This year’s compilation, available for free, captures the key insights and contributions shared during the DfMAy 2024 conference.
The Internet of Things (IoT) is a revolutionary concept that connects everyday objects and devices to the internet, enabling them to communicate, collect, and exchange data. Imagine a world where your refrigerator notifies you when you’re running low on groceries, or streetlights adjust their brightness based on traffic patterns – that’s the power of IoT. In essence, IoT transforms ordinary objects into smart, interconnected devices, creating a network of endless possibilities.
Here is a blog on the role of electrical and electronics engineers in IOT. Let's dig in!!!!
For more such content visit: https://nttftrg.com/
CW RADAR, FMCW RADAR, FMCW ALTIMETER, AND THEIR PARAMETERSveerababupersonal22
It consists of cw radar and fmcw radar ,range measurement,if amplifier and fmcw altimeterThe CW radar operates using continuous wave transmission, while the FMCW radar employs frequency-modulated continuous wave technology. Range measurement is a crucial aspect of radar systems, providing information about the distance to a target. The IF amplifier plays a key role in signal processing, amplifying intermediate frequency signals for further analysis. The FMCW altimeter utilizes frequency-modulated continuous wave technology to accurately measure altitude above a reference point.
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
Hierarchical Digital Twin of a Naval Power SystemKerry Sado
A hierarchical digital twin of a Naval DC power system has been developed and experimentally verified. Similar to other state-of-the-art digital twins, this technology creates a digital replica of the physical system executed in real-time or faster, which can modify hardware controls. However, its advantage stems from distributing computational efforts by utilizing a hierarchical structure composed of lower-level digital twin blocks and a higher-level system digital twin. Each digital twin block is associated with a physical subsystem of the hardware and communicates with a singular system digital twin, which creates a system-level response. By extracting information from each level of the hierarchy, power system controls of the hardware were reconfigured autonomously. This hierarchical digital twin development offers several advantages over other digital twins, particularly in the field of naval power systems. The hierarchical structure allows for greater computational efficiency and scalability while the ability to autonomously reconfigure hardware controls offers increased flexibility and responsiveness. The hierarchical decomposition and models utilized were well aligned with the physical twin, as indicated by the maximum deviations between the developed digital twin hierarchy and the hardware.
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
Received 25 June 2023, accepted 16 August 2023, date of publication 29 August 2023, date of current version 1 September 2023.
Digital Object Identifier 10.1109/ACCESS.2023.3309879
Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy With the Link File
SOOHAN LEE 1, SUHYEON LEE 2 (Member, IEEE), JIWON PARK 1, KYOUNGMIN KIM 1, AND KYUNGHO LEE 3
1 Department of Cyber Security, Korea University, Seoul 02841, Republic of Korea
2 Ministry of Defense, Seoul 04383, Republic of Korea
3 Institute of Cyber Security and Privacy, Korea University, Seoul 02841, Republic of Korea
Corresponding author: Kyungho Lee (kevinlee@korea.ac.kr)
This work was supported by Korea University Grant.
ABSTRACT Ransomware is a growing threat and is building ecosystems in the form of ransomware as a service (RaaS). While there have been diverse efforts to detect and mitigate such threats, techniques to bypass such countermeasures have advanced considerably. Since detecting all evolving threats has become challenging, there is a growing interest in developing proactive countermeasures that can minimize the damage even in environments where ransomware has already been executed. In this study, we gained insights from an attacker’s perspective by analyzing ransomware such as LockBit and derived a generic counterstrategy against features that are common in ransomware attacks. Our proposed method protects critical files from existing ransomware by applying a hiding strategy that poses a challenge to attackers in finding the target files. We also present best practices for implementing the strategy with the link file, considering both security and usability, and improve the method by adding a linker and an encrypted database to reduce the attack surface. By using real-world ransomware samples, our experiments show that the proposed method successfully protects valuable files against ransomware in a cost-effective manner.
INDEX TERMS Cybersecurity, ransomware, avoidance mechanism, malware analysis.
I. INTRODUCTION
With the development of information technology, real-world values such as information assets are moving into cyberspace. As a result, ransomware has emerged as a major cybersecurity threat, and its occurrence surged drastically in 2022. According to a recent Verizon report, ransomware instances continue to exhibit an upward trend, showing an almost 13% increase. This increase is equivalent to the combined increase of the last five years and is associated with 25% of all breaches [1]. Ransomware is a subset of malware designed to limit access to a system or data until a ransom is paid. Therefore, ransomware can cause considerable damage to businesses, organizations, and individuals, resulting in data loss, financial loss, and reputational damage [2], [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Mohamed Elhoseny.
A trend in ransomware attacks is the use of ransomware as a service (RaaS) platforms, which enable even non-technical criminals to launch ransomware attacks [4]. RaaS operators provide a user-friendly interface to affiliates for creating and distributing ransomware, as well as a range of other services, such as payment processing and negotiation support [5]. The operators generate profits by allocating a percentage of each successful ransom payment [6]. The development of these ecosystems has a significant impact on the spread of ransomware threats.
In response to the growing threat, studies have focused on developing effective mechanisms for detection and blocking [7]. Researchers have extracted structural and behavioral features from ransomware samples to design defense mechanisms [8]. Although leveraging structural features is the most common approach for malware detection, it is ineffective against sophisticated techniques such as polymorphism and obfuscation [9]. To overcome these limitations, researchers have increasingly focused on behavior-based analysis that monitors the actions of the malware process during runtime. This approach utilizes features that are challenging for ransomware authors to conceal, such as API calls and I/O accesses [10], [11]. Behavior-based detection mechanisms have evolved to incorporate deceptive strategies. As an example, they create and distribute decoy files, considering that ransomware attacks target specific files [12].
VOLUME 11, 2023
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
92693
S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
However, attackers are constantly developing techniques to evade detection mechanisms, which makes it difficult to block all emerging threats. Despite the effectiveness of detection mechanisms, their efficacy is constrained by three fundamental limitations, as underscored by studies proposing detection mechanisms or investigating the behavior of ransomware:
1) Static and dynamic analysis techniques become less efficient as malware developers continuously develop evasion techniques [13].
2) Behavior-based detection mechanisms may result in file loss until detection is achieved [14].
3) Terminating the monitoring process can render the detection mechanism ineffective [15].
Since process termination is commonly performed before file encryption in ransomware attacks [16], [17], this highlights the need for alternative approaches to complement existing detection-based methods. While monitoring may suffice in general computing environments from an economic standpoint, special environments such as military systems cannot afford even a single intrusion due to the potentially catastrophic damage. Thus, reducing risk at all levels is crucial in such critical environments. As a result, there is a demand for methods that minimize the damage caused by ransomware in terms of cyber resilience [18], even in situations where the malware has already been executed and real-time detection is not available.
Therefore, our study aims to devise a proactive method that can function as a secondary line of defense to address two unfavorable scenarios from a defensive standpoint: i) failure or termination of the monitoring process before malware detection, ii) delay in the detection mechanism requiring additional time to identify the malware.
In this context, our approach ensures file protection through a two-step process: firstly, by modifying file extensions, and secondly, by concealing the original files within directories that are typically not targeted by ransomware for encryption. While our approach may not directly detect or block ransomware execution, it effectively counters the targeting strategy employed by the majority of ransomware.
The authors in [15] identified directories that are delib-
erately avoided during the targeting phase. They suggested
further investigating the possibility of utilizing these char-
acteristics as defensive techniques. In their study, a prelim-
inary attempt was made to conceal valuable data within the
C:\Windows directory, but it was found ineffective against
ransomware like Onyx. In contrast, our goal is to advance
these concepts by proposing a camouflage and hiding strat-
egy. Our method not only protects files against the majority
of ransomware families but also ensures convenient access to
hidden files using link files.
In addition, prior research on ransomware protection has
limitations when the defense mechanisms are exposed, as it
provides attackers with an opportunity to develop counter-
strategies. To address this concern, we have adopted an open
design approach to enhance the robustness of the proposed
method. In our effort to minimize the likelihood of attackers
uncovering the locations of protected files via the information
within link files, we have enhanced the method by imple-
menting an encrypted database and a linker. The advanced
method ensures that the attacker cannot obtain information
about hidden files through the link files.
The contributions of this paper are as follows:
• We propose a novel approach to protect against ran-
somware proactively while ensuring file access utilizing
link files.
• We enhance the security of our method by implementing
measures to address situations where our defense strat-
egy is exposed to attackers.
• We demonstrate that our approach is practically effective
against various ransomware families through a series of
experiments.
The remainder of the paper is organized as follows.
Section II introduces related work, and Section III presents
common features of ransomware. We propose a ransomware
protection method by applying a camouflage and hiding
strategy in Section IV and demonstrate our experiments
in Section V. We discuss our approach from the perspective
of security and usability in Section VI before concluding our
research in Section VII.
II. RELATED WORK
In this section, we categorize ransomware defense mecha-
nisms into three main categories: detection, recovery, and
avoidance. Table 1 presents the comparison of each mecha-
nism. Table 2 categorizes the related work with our research.
A. DETECTION MECHANISM
This mechanism aims to identify and block ransomware
before or during its execution. Detection mechanisms employ
both static analysis, which examines the structural features of
ransomware, and behavior-based detection, which involves
real-time monitoring of the actions performed by the ran-
somware process. However, static analysis approaches have
limitations when confronted with obfuscation techniques [9].
As a result, behavior-based detection is commonly adopted
in recent research.
In the field of behavior-based detection, Kharraz et al. [19]
presented UNVEIL, a dynamic analysis system that operates
on the principle that ransomware needs to manipulate the
user’s files to carry out a successful attack. UNVEIL actively
92694 VOLUME 11, 2023
3. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
TABLE 1. Description and limitation of ransomware defense mechanisms.
TABLE 2. Categorization based on types of ransomware defense research ( means applied and # means not applied).
monitors filesystem activities, including input/output (I/O)
requests, with the purpose of identifying alterations made to
the system that could potentially indicate the execution of
ransomware. Arabo et al. [11] proposed a self-defense mech-
anism based on process behavior analysis. They utilized
application programming interface (API) calls and system
usage to differentiate between ransomware and benign appli-
cations, achieving low false-positive/negative rates.
Over the past few years, there has been a growing
interest in hybrid approaches that combine the analysis of
both structural and behavioral characteristics of ransomware.
Notably, machine learning has emerged as a vital component
within such approaches, owing to its ability to automat-
ically extract crucial features from ransomware samples.
Poudyal et al. [20] introduced a reverse engineering frame-
work that integrates feature generation engines and machine
learning techniques for effective ransomware detection. Their
approach involves extracting features at multiple levels,
including the dynamic link library (DLL), function call, and
assembly, to leverage both structural and behavioral charac-
teristics. Karbab et al. [21] proposed SwiftR, a ransomware
detection system that utilizes deep learning models, which
effectively analyze the hybrid features of ransomware.
Modern studies have focused on detection and block-
ing mechanisms that utilize decoy files. For instance,
R-Locker [22] deploys a collection of honeyfiles within the
target environment to detect zero-day ransomware attacks and
automatically launch countermeasures when the honeyfiles
are accessed. RTrap [12] is a comprehensive framework
that incorporates ML-generated deceptive files to detect ran-
somware, specifically addressing evasion techniques related
to decoy-watching strategies.
Although detection mechanisms may be effective in iden-
tifying existing ransomware, they cannot comprehensively
reflect all evasion techniques. It is also possible that file
loss might occur during the detection process. Furthermore,
these mechanisms are only effective when the monitoring
process is running, and the effect of protection can be lost
if the ransomware terminates such countermeasures to avoid
observation.
B. RECOVERY MECHANISM
This mechanism focuses on data backups or restoring
encrypted files, thereby effectively addressing scenarios
where encryption has already occurred. Unlike the blocking
mechanism, the recovery mechanism does not necessarily
require prior detection. However, as the decryption process
becomes more challenging, proposed methods for recovery
often involve obtaining encryption keys or creating file copies
during ransomware execution, which require the involvement
of the detection process.
Kolodenker et al. [23] introduced a key escrow mechanism
named Paybreak that securely stores encryption keys in a key
vault by hooking cryptographic API and using the keys to
decrypt the victim files. While the authors demonstrate that
the technique can recover from the damage caused by 12 dif-
ferent ransomware families, its effectiveness is limited
to ransomware families that utilize the hooked
cryptography APIs for file encryption. Continella et al. [24]
proposed ShieldFS which monitors the low-level activity of
the file system and maintains adaptive models that profile the
system behavior over time. When ransomware execution is
detected, the file system triggers a function to create copies
of the data for restoration. Yun et al. [25] proposed a backup
system named CLDSafe that keeps shadow copies of files
and provides secure restoration using cloud storage to prevent
data loss. CLDSafe measures file similarities between a new
file on the client and an old file on the server. To ensure data
integrity, when significant modifications are made to the new
file, the previous version of the file residing on the server is
securely backed up.
As demonstrated by the aforementioned studies, advance-
ments in recovery mechanisms tend to rely on prior detection.
Additionally, recovery mechanisms cannot prevent secondary
damage because modern ransomware employs a double
extortion strategy [26] that threatens to release files publicly
if a ransom is not paid.
C. AVOIDANCE MECHANISM
This mitigation approach aims to prevent ransomware attacks
and minimize their impact. Unlike reactive blocking and
recovery techniques that respond to intrusions, the avoid-
ance technique focuses on proactive measures to avoid
or minimize the potential damage caused by ransomware
attacks. One prominent method for preventing ransomware is
the use of permission restriction. This involves implement-
ing strict access controls and permissions on critical files
and folders, limiting the ability of ransomware to modify or
encrypt them.
Microsoft has introduced controlled folder access [27],
a security feature that restricts access to protected folders
exclusively to trusted applications, effectively preventing ran-
somware from tampering with those folders. However, this
feature also has limitations as it relies on user permissions
and does not provide prevention against potentially mali-
cious programs operating in unprotected locations. Attackers
with sufficient privileges can easily circumvent such defense
mechanisms.
In recent studies, security researchers have focused on
the targeting phase in ransomware execution, where spe-
cific files are selected for encryption. Choi et al. [28] pro-
posed a defense mechanism utilizing deception technology.
This mechanism involved inserting an authentication pro-
cess during file search operations by hooking system calls
like ZwQueryDirectoryFile. While system call hooking was
previously used in antivirus solutions, its efficacy has been
reduced due to bypass techniques such as direct system calls.
For example, the Conti ransomware employs API-unhooking
mechanisms to evade antivirus or endpoint detection and
response (EDR) systems [29].
Lee et al. [30] introduced a countermeasure from the
moving target defense (MTD) perspective. Given that most
ransomware targets files based on file extensions, the authors
protected valuable files from ransomware by changing
their extensions randomly. In the past, ransomware only
encrypted files that contained specific file extensions. How-
ever, as depicted in Table 3, recent variants of ransomware
have adopted a strategic approach wherein they encrypt all
files except those with excluded extensions or located in
excluded paths. This strategy aims to evade countermeasures
reliant on file extension randomization. Consequently, coun-
termeasures of this nature may prove ineffective within such
environments.
The avoidance mechanism does not necessarily require
prior detection as its primary goal is to implement preven-
tive measures. Nevertheless, the incorporation of the detec-
tion process into the framework can be considered a viable
approach to enhance usability and overall effectiveness.
Khan et al. [31] proposed a multi-level MTD method, which
randomizes file extensions and modifies file headers for
proactive mitigation. Additionally, to complement the limita-
tion of the extension randomization strategy, they introduced
an event-based reactive MTD method that switches file exten-
sions with .exe (which is excluded in ransomware encryption)
when typical ransomware events occur. They integrated a
detection procedure into their avoidance mechanism because
changing file extensions to .exe can render the files inac-
cessible. Therefore, they chose to alter the file extensions
only when a ransomware event occurs. However, like other
detection-based mechanisms, this approach can be ineffective
if ransomware deletes scheduled tasks that monitor ran-
somware events.
Although avoidance mechanisms have demonstrated their
efficacy, they may encounter usability issues. Additionally,
the existing defense mechanisms are susceptible if their
strategies are exposed, as attackers may develop correspond-
ing countermeasures. Hence, we propose a novel approach
that offers protection without relying on a prior detection,
while simultaneously ensuring normal file access.
III. RANSOMWARE ANALYSIS FROM THE ATTACKER’S
PERSPECTIVE
In this section, we introduce three key insights and the
common execution flow of ransomware obtained by a com-
prehensive analysis to select the features and the scope of our
approach.
A. INSIGHTS FROM RANSOMWARE ANALYSIS
To develop a universal approach, we conducted a compre-
hensive analysis of various ransomware families that have
become popular to identify their common features. Given
that most ransomware attacks target the Microsoft Windows
operating system (OS) [32] and prefer encrypting individual
files to locking the device [33], this study focuses on crypto
ransomware executed in the Windows OS. The results of
our ransomware analysis provide three key insights from the
attacker’s perspective.
1) RELIABLE ENCRYPTION ENVIRONMENT
Attackers aim to encrypt files as reliably as possible with-
out destroying the system to demand a ransom. Most ran-
somware has a specific list of files to include or exclude from
encryption. Since attackers generally seek financial gain, they
refrain from encrypting files that may affect the function-
ality of the OS [15]. Consequently, attackers could execute
the entire encryption process and inform the victim of the
damage. Furthermore, files that allow the victim to contact
the attackers, such as files in the Tor Browser directory,
are excluded from encryption.
2) FAST IMPACT
Attackers want to encrypt files as quickly and efficiently as
possible. They select files to encrypt based on their exten-
sions and paths to reduce discovery time. Next, they select
the appropriate encryption method based on the file size,
such as partial encryption of files larger than 5.24 MB [29].
Stream ciphers such as Salsa20 [34] and ChaCha20 [35] are
increasingly used to shorten the encryption time as attackers
believe that the longer the attack time, the more likely it is to
be detected.
3) EVOLVING ATTACK TECHNIQUES
Attackers use various initial access and defense evasion tech-
niques and are constantly evolving their tactics for successful
attacks [36]. In particular, each group uses advanced
techniques to bypass detection, rendering detection and
blocking of all attacks difficult. Therefore, we consider that
minimizing damage when ransomware is executed can be an
effective defense measure.
FIGURE 1. Main phases of the ransomware execution process.
B. EXECUTION FLOW OF RANSOMWARE
In the case of the latest ransomware samples, attackers
include numerous tactics such as data exfiltration for double
extortion, discovery, and lateral movement for the spread of
attacks [37]. However, we focused on the common character-
istics shared by most ransomware families. As a result of our
analysis, we identified four common phases of ransomware,
as displayed in Fig. 1. In the initial access phase, ransomware
is downloaded and executed through various attack vectors
such as social engineering. In the defense evasion phase, pro-
tective measures such as antivirus are bypassed. During the
targeting phase, ransomware identifies files to be encrypted
and then proceeds to the encryption phase. Due to the evolv-
ing nature of attack techniques, as discussed in Section III-A,
detecting all possible attacks has become challenging. There-
fore, we focused on the targeting phase as the next line of
defense.
We observe that ransomware excludes system-related files
from encryption for a reliable attack and classifies files based
on the extensions and paths for fast encryption, as presented
in Table 3. The Windows OS categorizes files by extensions
and stores system-related files in designated paths, which
allows attackers to easily select targets. Conversely, if these
characteristics disappear, it becomes difficult for attackers
to target files for encryption. Exploiting this weak point,
we develop a generic countermeasure by implementing a
camouflage and hiding strategy.
IV. PROPOSED METHOD
In this section, we propose a novel method to counter ran-
somware targeting by applying a camouflage and hiding
strategy. We also enhance our approach by considering sit-
uations where the strategy is exposed to attackers.
A. CAMOUFLAGE AND HIDING
Since attackers typically categorize files by their extensions
and paths, the proposed method uses excluded extensions to
camouflage files as hard-to-touch files and excluded paths to
hide them in obscure directories that are difficult to encrypt.
For example, we can disguise a document file as a DLL file
by altering its file extension from .docx to .dll and randomly
modify its name. Then, we hide it in a subdirectory of the
Windows directory (C:\Windows), making it difficult for
ransomware to target and encrypt. However, this approach
TABLE 3. The list of excluded paths and file extensions in LockBit and DarkSide ransomware.
may lead to usability issues as users could encounter diffi-
culty in accessing files.
B. ADDING LAYER WITH LINK FILE
Although the camouflage and hiding strategy is an effective
method of impeding ransomware from selecting targets, this
approach can pose usability challenges because users may
not be able to find and access hidden files. In response to
these usability issues, we have designed a linking system that
allows users to easily access hidden files.
In the Windows OS, soft links are of two types, namely,
a shell link binary file format and a symbolic link. The shell
link binary file format is the format that contains information
to access another data object [38], whereas the symbolic
link is a file system object that points to another file system
object [39]. However, symbolic links are not suitable for our
camouflage and hiding method because their functions are
limited to pointing to files. Since Windows OS identifies files
by their extensions, it cannot open camouflaged files properly
as it mistakes the file type for a camouflaged extension and
connects the wrong application. Therefore, the application
to open the camouflaged file must be specified; however,
symbolic links do not support this flexibility. Furthermore,
symbolic links allow ransomware to access hidden files
directly. We have implemented a camouflage and hiding strat-
egy using symbolic links and conducted simple experiments
by executing ransomware samples. As a result, we observed
that some ransomware, such as LockBit, could encrypt hidden
files through symbolic links.
Instead, we opt to use the shell link binary file format,
which enables the creation of independent data objects that
include command-line arguments. For example, we can
specify a command line in the link file to open a hidden
document file, such as ‘‘C:\Program Files\Microsoft
Office\root\Office16\WINWORD.EXE [hidden
file path]’’. This approach allows us to create a link file
that provides users with easy access to hidden files, while
hidden files are located in the hidden layer that ransomware
typically excludes from encryption.
FIGURE 2. The proposed method of linking the user layer to a hidden
layer.
As displayed in Fig. 2, the proposed method involves
hiding files in the hidden layer and creating link files in the
user layer to access the hidden files. In this case, even if
ransomware is executed, only link files in the user layer are
encrypted, whereas hidden files in the hidden layer remain
protected. Thus, the effect of ransomware can be avoided and
files can be easily restored without any decryption process.
In the case that files in the user layer are encrypted, or if
the user needs the original file for tasks such as file transfer,
a recovery function is necessary to retrieve files from the
hidden layer and restore them to the user layer. Therefore,
we store a pair of [original file path] and [hidden file path]
in the mapping table when hiding a file. This mapping table
enables us to retrieve the original file path corresponding to
the hidden file path and recover the original file in the user
layer. The details for the hiding and recovery functions are
described in Algorithm 1.
C. ENCRYPTED DATABASE AND LINKER
The methods used to avoid ransomware targeting are vul-
nerable to advanced attackers who may have knowledge of
the internal design. Since these methods assume that the
device has already been compromised, attackers can easily
bypass countermeasures. Therefore, it is crucial to design
Algorithm 1 Hiding and Recovery Function
Data: P, the list of excluded paths
Data: E, the list of excluded file extensions
Data: T, mapping table
1: function HideFile(file)
2: fileName ← RandomGenName()
3: path ← RandomSelect(P)
4: ext ← RandomSelect(E)
5: hiddenFile ← path + fileName + ext
6: MoveFile(file, hiddenFile)
7: linkFile ← MakeLinkFile(file, hiddenFile)
8: UpdateTable(T, hiddenFile, file, linkFile)
9: end function
10: function RecoverFile(hiddenFile)
11: file, linkFile ← PopTable(T, hiddenFile)
12: MoveFile(hiddenFile, file)
13: Delete(linkFile)
14: end function
our method as an open design, considering that the enemy
knows the system [40]. We first identified potential design
vulnerabilities that could arise from advanced attackers and
then applied hardening to our approach.
FIGURE 3. Differences in the link file considering open design.
Fig. 3(a) displays a hex dump of the link file generated by
our previous approach, which reveals the path of the hidden
file. This vulnerability could potentially enable advanced
attackers to encrypt valuable files using the exposed infor-
mation. Additionally, storing the mapping table for recovery
could allow attackers to acquire the table and locate hidden
files. Attackers may exploit our recovery function to retrieve
hidden files before encryption.
In response to these challenges, we proposed a secure
version of the previous method, as shown in Fig. 4. The secure
version references the hash value of the hidden file path,
as displayed in Fig. 3(b), instead of directly linking to the
hidden file. The hash value and the hidden file path are stored
in a separate hash table. This approach involves the addition
of a linker, which redirects users to the hidden file upon
accessing the link file. The linker retrieves the hidden file path
using the hash value from the hash table and determines the
file type by referencing a mapping table. Then, it associates
the hidden file with the corresponding program based on its
file type. The one-way hash function conceals the location of
the hidden files, making it challenging for attackers to access
valuable data.
Since the mapping table and hash table both contain
critical information about hidden files, attackers can poten-
tially exploit data by obtaining access to these databases.
To mitigate this risk, we add encryption to the database
to prevent unauthorized access. Additionally, we insert an
authentication process within the recovery function to prevent
attackers from recovering files before encryption. Although
we perform hardening to reduce the attack surface, vulner-
abilities that can be exploited during the implementation
or operation of our approach may still exist. For instance,
attackers can obtain the database key or deduce the pattern
of the hidden files. Further weaknesses that might emerge
when implementing or operating our approach are discussed
in Section VI.
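The hiding, linker and recovery functions of Algorithm 1 combined with the hash-referenced link of Section IV-C, as an added, self-contained Python example that is not the paper's prototype: the Windows shell link is replaced by a plain text link file carrying only the SHA-256 of the hidden path, the AES-256 encrypted database is replaced by in-memory tables, and the directory names, extensions, application mapping and password are constructed stand-ins.

```python
import hashlib
import hmac
import os
import secrets
import shutil
import tempfile

# Constructed stand-ins for E (excluded extensions) and the file-type ->
# application mapping consulted by the linker; the paper's experiment used
# .dll/.exe and subdirectories of C:\Windows (Table 4).
EXCLUDED_EXTS = [".dll", ".exe"]
APP_BY_EXT = {".docx": "WINWORD.EXE", ".xlsx": "EXCEL.EXE", ".pdf": "AcroRd32.exe"}


class HidingStore:
    """In-memory model of the hash table, mapping table, linker and the
    authenticated recovery function. Encryption of the tables at rest
    (AES-256 in the paper's prototype) is omitted so this runs on the
    standard library alone."""

    def __init__(self, root, password):
        # Excluded paths P: two constructed subdirectories of <root>/Windows.
        self.excluded_paths = [os.path.join(root, "Windows", d)
                               for d in ("System32", "SysWOW64")]
        self.hash_table = {}     # sha256(hidden path) -> hidden path
        self.mapping_table = {}  # hidden path -> (original path, link path, original ext)
        self._password = password  # recovery authentication (Section IV-C)

    def hide_file(self, file):
        """HideFile(file): camouflage, move into an excluded path, and write a
        link that stores only the hash of the hidden path (Fig. 3(b))."""
        name = secrets.token_hex(8)                  # RandomGenName()
        path = secrets.choice(self.excluded_paths)   # RandomSelect(P)
        ext = secrets.choice(EXCLUDED_EXTS)          # RandomSelect(E)
        hidden = os.path.join(path, name + ext)
        os.makedirs(path, exist_ok=True)
        shutil.move(file, hidden)                    # MoveFile(file, hiddenFile)
        digest = hashlib.sha256(hidden.encode()).hexdigest()
        link = file + ".lnk"                         # MakeLinkFile(): text stand-in for a shell link
        with open(link, "w") as fh:
            fh.write(f"linker {digest}\n")           # names the linker and the hash, never the path
        self.hash_table[digest] = hidden             # UpdateTable(T, ...)
        self.mapping_table[hidden] = (file, link, os.path.splitext(file)[1])
        return link

    def linker(self, link):
        """Resolve a link to (hidden path, application) via hash table and mapping table."""
        with open(link) as fh:
            target, digest = fh.read().split()
        if target != "linker" or digest not in self.hash_table:
            raise FileNotFoundError(link)
        hidden = self.hash_table[digest]
        _, _, orig_ext = self.mapping_table[hidden]
        return hidden, APP_BY_EXT.get(orig_ext, "notepad.exe")

    def recover_file(self, hidden, password):
        """RecoverFile(hiddenFile) guarded by the authentication step of Section IV-C."""
        if not hmac.compare_digest(password, self._password):
            raise PermissionError("recovery requires authentication")
        file, link, _ = self.mapping_table.pop(hidden)   # PopTable(T, hiddenFile)
        shutil.move(hidden, file)                        # MoveFile(hiddenFile, file)
        os.remove(link)                                  # Delete(linkFile)
        del self.hash_table[hashlib.sha256(hidden.encode()).hexdigest()]
        return file


def demo():
    """Hide one constructed document, open it through the linker, then recover it."""
    root = tempfile.mkdtemp()
    user_layer = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(user_layer)
    doc = os.path.join(user_layer, "report.docx")
    with open(doc, "wb") as fh:
        fh.write(b"constructed document body")
    store = HidingStore(root, password="constructed-password")

    link = store.hide_file(doc)
    with open(link, "rb") as fh:
        link_bytes = fh.read()
    hidden, app = store.linker(link)
    result = {
        "original_gone": not os.path.exists(doc),
        "hidden_in_windows_dir": hidden.startswith(os.path.join(root, "Windows")),
        "hidden_ext_excluded": os.path.splitext(hidden)[1] in EXCLUDED_EXTS,
        "link_leaks_path": hidden.encode() in link_bytes,  # False: the link holds only the hash
        "app": app,
    }
    try:
        store.recover_file(hidden, "wrong-password")
        result["unauth_recovery_blocked"] = False
    except PermissionError:
        result["unauth_recovery_blocked"] = True
    restored = store.recover_file(hidden, "constructed-password")
    with open(restored, "rb") as fh:
        result["restored"] = restored == doc and fh.read() == b"constructed document body"
    result["link_removed"] = not os.path.exists(link)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```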
V. EVALUATION
In this section, we describe our experiment design and
demonstrate the validity of the proposed method against a
variety of ransomware families.
A. IMPLEMENTATION
We conducted an experiment to verify the effectiveness of the
method and addressed the following research questions:
RQ1. Is our method valid for real-world ransomware?
RQ2. Is our method reasonable in terms of performance?
Before conducting the experiments, we implemented the
method described in Fig. 4. For evaluation, we selected the
extensions and paths commonly excluded by ransomware
in the targeting phase. In particular, as shown in Table 4,
we selected the .dll and .exe extensions and the subdirectory
of the Windows directory for simplicity. Next, we selected
seven file types (word, ppt, excel, photo, pdf, text, and zip)
commonly encrypted by ransomware in the user layer.
Subsequently, we implemented the prototype of the pro-
posed method with Python3 to camouflage and hide files. The
prototype comprises three functions: hiding, recovery, and
linker. The hiding function generates link files that include the
hash value of each hidden file path, which allows access to the
file through the linker as usual. The linker function retrieves
FIGURE 4. A secure version of the proposed method considering an advanced attacker.
TABLE 4. Selected features in this experiment.
the path of the hidden file by referring to the hash table and
connects the hidden file to the corresponding application. The
recovery function refers to the mapping table and restores the
hidden file to its original location as the original file.
To enhance the security of the method, we encrypted a
database containing critical information, such as the excluded
extensions, excluded paths, hash table, and mapping table.
We used AES256 for database encryption and SHA256 for
hashing the hidden file path. The detailed proof-of-concept
code is available on GitHub.1
Executing the hiding function of the prototype demon-
strated that files were successfully disguised with excluded
extensions and stored in a hidden layer. Additionally, link
files were created in the user layer, enabling users to access
the hidden files by simply clicking on the link files, thereby
replicating the experience of accessing the original files.
Finally, we executed real-world ransomware samples to
verify that selected files were preserved (not encrypted) and
recovered normally (RQ1). We also conducted a perfor-
mance test to check whether the method is reasonable (RQ2).
1 https://github.com/hanXen/ransomware_protect_linkers
The experiment was conducted on a virtual image of Win-
dows 10 for repeated ransomware executions, and the
performance test was conducted on a machine with 16 GB RAM
and an AMD Ryzen 5 3600 6-Core Processor running at 3.60 GHz.
FIGURE 5. Process of sorting dataset in the experiment.
B. DATASET
We tested multiple ransomware families in our experiment to
evaluate the effectiveness of the proposed method. Fig. 5 dis-
plays the dataset selection process. We initially collected
samples mainly from databases such as VirusTotal, referring
to ransomware-related reports. To select functional samples,
we tested the collected samples in a sandbox environment.
Some samples did not function owing to reasons such as
unreachable command and control (C&C) servers or the use
of anti-analysis tactics. During analysis, we evaded anti-
analysis tactics without disrupting the core functionality if
possible. For example, we bypassed input validation for
samples that required an active token. Thus, we selected
36 ransomware families that have been actively operating in
recent years. While multiple samples were available for each
family, we prioritized family diversity over sample quantity
based on research and analysis because all samples selected
from the same family led to identical results owing to signif-
icant similarities in the core logic.
TABLE 5. Results of the experiment.
FIGURE 6. Time and storage required for hiding/recovering files based on the number of files.
C. RESULTS
The proposed approach protected valuable files from var-
ious ransomware variants, including Agenda, AvosLocker,
BlackBasta, BlackCat/ALPHV, CLOP, Conti, Cuba, Dagon,
DarkSide/BlackMatter, FarGo/TargetCompany, GandCrab,
H0lyGh0st, Hive, K0xic, Lilith, LockBit, Magniber, Maze,
Medusa, Moisha, NightSky, Nokoyawa, ONYX, Phobos,
Pysa, REvil, Ragnarok, Ryuk, SolidBit, STOP/Djvu, Sugar,
SunCrypt, Surtr, WannaCry, and Yashma/Chaos. The major-
ity of ransomware families do not encrypt link files (.lnk),
which allowed us to access files normally even after being
infected. The recovery function successfully recovered files,
demonstrating the effectiveness of our approach in providing
universal defense against ransomware in a cost-effective man-
ner, as presented in Table 5. However, the proposed method
cannot protect against Phosphorus, which utilizes BitLocker,
a built-in Windows OS feature that supports full-volume
encryption. Most ransomware targets the files of the victim,
but BitLocker targets the entire disk to render the device
inoperable, which is similar to the function of locker ran-
somware. Because our method focuses on protecting files,
locker ransomware is beyond the scope of our protection.
The performance of our method was evaluated based on
two factors: usability degradation during hiding/recovering
files and accessing a hidden file through the link file. First,
we measured the time and storage required in the system
for hiding/recovering files based on the number of files.
As displayed in Fig. 6(a), our approach requires an average of
0.003 s per file for hiding and 0.0004 s per file for recovery.
This indicates that the proposed method can be used without
significant performance degradation and recover files quickly
after a ransomware attack, which reduces the effect on system
operations. Furthermore, Fig. 6(b) reveals that the method
requires 2 KB per link file, which is smaller than the default
minimum size that the Windows OS allocates for files in
disks. Compared with the size of the original files, the pro-
posed method can more efficiently recover files than backing
up files, such as using a volume shadow copy.
We then measured the time required to access a file through
the link file and compared it with accessing a file directly
before applying the proposed method. Each experiment was
conducted 300 times, and the distribution of the time required
to open the file was expressed through a histogram. The
measurement is performed from the time when a user clicks
on a file and the CreateFile function of File Explorer occurs
to the time when the application that opens the hidden file
invokes the CreateFile function. Fig. 7(a) displays that a delay
of approximately 0.45 s occurs compared with accessing the
FIGURE 7. Comparison of file access time when applying the proposed method with general access.
file directly before applying the method. The time delays
occur due to the process of the link file calling the linker
function, the linker function decrypting the database, and
the linker function referring to the hash table to open hid-
den files through the application. These causes were con-
firmed by measuring the time before the linker was adopted
and when the database was not encrypted, as displayed
in Fig. 7(b).
Even in the current prototype, access through a link file
did not cause inconveniences compared with when accessing
a file directly. Considering that the prototype is implemented
in Python3 and not optimized, access latency can be reduced
by optimizing both its algorithm and implementation.
VI. DISCUSSION
In this section, we discuss the usability and security consid-
erations of our approach when applied to the real world.
A. IMPROVE USABILITY
Usability is a significant factor in the adoption of defense
mechanisms. Even the best defense technique may not
be used if it is not user-friendly. However, the security-
usability trade-off typically forces the sacrifice of usability
for strengthened security. Therefore, it is essential to explore
ways to improve usability within the constraints of the sys-
tem. Although we demonstrate the effectiveness of the pro-
posed method for accessing hidden files through a link file
in Section V, it may still inconvenience users because hidden
files are not easily visible. If a user requires the retrieval of
the original files for sharing purposes, the user may need to
execute the file recovery function first.
One possible solution to improve usability is to leverage
the right-click context menu in the Windows OS by editing
the registry. To add a recovery function to the right-click
menu, the command can be specified in the registry under
‘‘HKEY_CLASSES_ROOT\*\shell\RecoverFile\command’’. Since
the hiding function requires administrator privileges, its
command can be specified under
‘‘HKEY_CLASSES_ROOT\*\shell\runas\command’’, whose verb name
causes the shell to request elevation. These registry edits
enable users to conveniently execute the features of the
proposed method with a simple one-click action. While we
have made efforts to enhance usability through the
implementation of practical methods, we recognize that our
approach may still present usability challenges. We will
continue to explore ways to improve the user experience
through the implementation.
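As an added illustration of the context-menu integration described above (not code from the paper's prototype), the following Python builds the RecoverFile and runas verbs under HKEY_CLASSES_ROOT\*\shell, renders them as a .reg file for review, and can write them with winreg on Windows; the executable paths are assumptions.

```python
try:
    import winreg  # Windows only; the entry builder and .reg writer work anywhere
except ImportError:
    winreg = None

ROOT = r"*\shell"  # the '*' class applies the verbs to every file type


def context_menu_entries(recover_exe, hide_exe):
    """Return {subkey: default value} for the two verbs. Paths are assumed
    install locations; 'runas' is the verb name that makes the shell
    request elevation, which the hide function needs."""

    def quoted(path):
        # Quote the executable and pass the right-clicked file as %1.
        return f'"{path}" "%1"'

    return {
        ROOT + r"\RecoverFile": "Recover hidden file",
        ROOT + r"\RecoverFile\command": quoted(recover_exe),
        ROOT + r"\runas": "Hide file (administrator)",
        ROOT + r"\runas\command": quoted(hide_exe),
    }


def to_reg_file(entries):
    """Serialize the entries as a .reg file so they can be reviewed
    before being imported; backslashes and quotes are escaped."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey, value in entries.items():
        lines.append("[HKEY_CLASSES_ROOT\\" + subkey + "]")
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'@="{escaped}"')
        lines.append("")
    return "\n".join(lines)


def install(entries):
    """Write the entries directly with winreg (needs write access to HKCR)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    for subkey, value in entries.items():
        with winreg.CreateKeyEx(winreg.HKEY_CLASSES_ROOT, subkey, 0,
                                winreg.KEY_WRITE) as key:
            winreg.SetValueEx(key, "", 0, winreg.REG_SZ, value)
```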
B. APPLICATION IN THE REAL WORLD
The proposed method effectively protects files against real-
world ransomware, as described in Section V. By making
it difficult for ransomware to classify files, our approach
increases the attacker’s cost during the targeting phase, such
as acquiring relationships from the mapping table. Consequently,
the crux of the proposed method lies in the security of
database encryption and key management. As described
in Section IV-C, we limit the scope of hardening to vulner-
abilities that may arise from the design of our approach.
However, security issues can occur during the implementa-
tion or operation phases. For instance, if the decryption key is
stored within a program or device, a skilled advanced persis-
tent threat attacker with sufficient privileges can potentially
extract the key through analysis.
Externalizing the key would be a recommended approach
to enhance security. In our current implementation, the key
was externalized by requiring a password input for database
decryption. Combining our approach with other effective key
management methods would improve the proposed method.
Periodically moving and hiding databases from an MTD
perspective can be an effective security control to safeguard
against various types of attacks.
Moreover, attackers may be able to deduce the pattern
of hidden files. Our prototype synchronizes the MAC times
of a link file with those of its hidden file to reflect the
mapping relationship, and randomly generates an eight-letter
name for simplicity. However, this could provide clues to
attackers, such as identifying hidden files based on the MAC
times of link files or recognizing the name pattern.
Therefore, adjusting such details when implementing our
approach in the real world is necessary. In an enterprise
environment, separating hidden layers from the device can
be a viable option. While current remote file systems can be
affected by ransomware due to direct file access, separating
the layers using link files can prevent file damage through
infections on particular devices.
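An added self-check (not part of the paper's prototype) for the two pattern leaks just described: it flags link files whose names follow the eight-letter scheme or whose MAC times equal those of their hidden file exactly, and shows one way to desynchronize the timestamps; the file metadata is constructed.

```python
import random
import re

# Constructed sample (not data from the paper): link files in a protected
# directory and the MAC times of the hidden files they point at, as
# (mtime, atime, ctime) in epoch seconds.
LINKS = {
    "qzkfptbw.lnk": (1700000000, 1700000000, 1700000000),
    "mvxolrdh.lnk": (1700000500, 1700000500, 1700000500),
    "tjwpbnus.lnk": (1700001200, 1700001200, 1700001200),
    "budget_2023.lnk": (1699000000, 1699100000, 1698000000),
}
HIDDEN = {
    "qzkfptbw.lnk": (1700000000, 1700000000, 1700000000),
    "mvxolrdh.lnk": (1700000500, 1700000500, 1700000500),
    "tjwpbnus.lnk": (1700001200, 1700001200, 1700001200),
    "budget_2023.lnk": (1650000000, 1650000000, 1650000000),
}

# The prototype's random eight-lowercase-letter link names.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.lnk$")


def uniform_name_ratio(links):
    """Fraction of link names that follow the eight-letter scheme."""
    if not links:
        return 0.0
    return sum(1 for name in links if RANDOM_NAME.match(name)) / len(links)


def mac_synced_links(links, hidden):
    """Links whose (mtime, atime, ctime) equal the hidden file's exactly."""
    return sorted(name for name, mac in links.items() if hidden.get(name) == mac)


def audit(links, hidden, max_name_ratio=0.5):
    """Report both leaks: a dominant name pattern and copied MAC times."""
    findings = []
    ratio = uniform_name_ratio(links)
    if ratio > max_name_ratio:
        findings.append(f"name-pattern: {ratio:.0%} of links use the 8-letter scheme")
    synced = mac_synced_links(links, hidden)
    if synced:
        findings.append(f"mac-sync: {len(synced)} links copy the hidden file's MAC times")
    return findings


def desync_mac(mac, seed=None, max_skew=30 * 86400):
    """Push each timestamp back by a random amount of up to max_skew seconds
    so a link no longer carries the hidden file's exact MAC times."""
    rng = random.Random(seed)
    return tuple(t - rng.randint(1, max_skew) for t in mac)
```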
The proposed method can be combined with other mech-
anisms to complement each other’s limitations. For instance,
our method can be used in conjunction with decoy files or
behavior-based ransomware detection methods, which are
actively studied to minimize file loss before detection [12].
By using the proposed method in combination with these
techniques, ransomware can be detected and blocked with-
out any loss of files during the execution process. Even if
ransomware is not detected or the monitoring process is
terminated before detection, the proposed method can be
used as a secondary line of defense. Furthermore, the pro-
posed approach can be additionally effective against double
extortion strategies because attackers cannot determine which
files are valuable. Attackers may steal all files including
system-related files for double extortion, which can be a
substantial burden in terms of size and time that increases
detection risk.
VII. CONCLUSION
This study proposes a novel defensive strategy against ran-
somware attacks, which adopts a hiding strategy for valuable
files, leveraging insights from the attacker’s perspective.
The strategy effectively obfuscates target files, making it
challenging for ransomware to locate and encrypt critical
information. The addition of an encrypted database and a
linker enhances the method, further reducing the attack sur-
face. While maintaining security, we have also considered
usability, which is often a determining factor in the success-
ful adoption of defensive mechanisms. Through experiments
with real-world ransomware samples, the proposed method
demonstrated effectiveness in protecting valuable files in a
cost-effective manner, suggesting its potential as a secondary
line of defense in scenarios where previous detection mech-
anisms might fail. We expect further improvements in areas
such as enhancing usability or real-world applications to be
addressed in future work. Our method can be effectively
combined with other mechanisms such as utilizing decoy files
or behavior-based ransomware detection to create a compre-
hensive and robust defense system.
REFERENCES
[1] Verizon Business. (2022). 2022 Data Breach Investigations Report.
Accessed: Apr. 3, 2023. [Online]. Available: https://www.verizon.
com/business/en-gb/resources/2022-data-breach-investigations-report-
dbir.pdf
[2] M. Paquet-Clouston, B. Haslhofer, and B. Dupont, ‘‘Ransomware pay-
ments in the Bitcoin ecosystem,’’ J. Cybersec., vol. 5, no. 1, pp. 1–11,
Jan. 2019, doi: 10.1093/cybsec/tyz003.
[3] S. Corbet and J. W. Goodell, ‘‘The reputational contagion effects of ran-
somware attacks,’’ Finance Res. Lett., vol. 47, Jun. 2022, Art. no. 102715,
doi: 10.1016/j.frl.2022.102715.
[4] P. O’Kane, S. Sezer, and D. Carlin, ‘‘Evolution of ransomware,’’ IET Netw.,
vol. 7, no. 5, pp. 321–327, Sep. 2018, doi: 10.1049/iet-net.2017.0207.
[5] A. A. M. A. Alwashali, N. A. A. Rahman, and N. Ismail, ‘‘A survey
of ransomware as a service (RaaS) and methods to mitigate the attack,’’
in Proc. 14th Int. Conf. Develop. eSyst. Eng. (DeSE), Sharjah, UAE,
Dec. 2021, pp. 92–96, doi: 10.1109/DeSE54285.2021.9719456.
[6] P. H. Meland, Y. F. F. Bayoumy, and G. Sindre, ‘‘The ransomware-as-a-
service economy within the darknet,’’ Comput. Secur., vol. 92, May 2020,
Art. no. 101762, doi: 10.1016/j.cose.2020.101762.
[7] H. Oz, A. Aris, A. Levi, and A. S. Uluagac, ‘‘A survey on ransomware:
Evolution, taxonomy, and defense solutions,’’ ACM Comput. Surv., vol. 54,
no. 11s, pp. 1–37, Sep. 2022, doi: 10.1145/3514229.
[8] Ö. A. Aslan and R. Samet, ‘‘A comprehensive review on malware
detection approaches,’’ IEEE Access, vol. 8, pp. 6249–6271, 2020, doi:
10.1109/ACCESS.2019.2963724.
[9] A. Moser, C. Kruegel, and E. Kirda, ‘‘Limits of static analysis for malware
detection,’’ in Proc. 23rd Annu. Comput. Secur. Appl. Conf. (ACSAC),
Dec. 2007, pp. 421–430, doi: 10.1109/ACSAC.2007.21.
[10] Q. Chen and R. A. Bridges, ‘‘Automated behavioral analysis of malware: A
case study of WannaCry ransomware,’’ in Proc. 16th IEEE Int. Conf. Mach.
Learn. Appl. (ICMLA), Miami Beach, FL, USA, Dec. 2017, pp. 454–460,
doi: 10.1109/ICMLA.2017.0-119.
[11] A. Arabo, R. Dijoux, T. Poulain, and G. Chevalier, ‘‘Detecting ran-
somware using process behavior analysis,’’ Proc. Comput. Sci., vol. 168,
pp. 289–296, Jan. 2020, doi: 10.1016/j.procs.2020.02.249.
[12] G. O. Ganfure, C.-F. Wu, Y.-H. Chang, and W.-K. Shih, ‘‘RTrap:
Trapping and containing ransomware with machine learning,’’ IEEE
Trans. Inf. Forensics Security, vol. 18, pp. 1433–1448, 2023, doi:
10.1109/TIFS.2023.3240025.
[13] S. Poudyal and D. Dasgupta, ‘‘Analysis of crypto-ransomware using ML-
based multi-level profiling,’’ IEEE Access, vol. 9, pp. 122532–122547,
2021, doi: 10.1109/ACCESS.2021.3109260.
[14] S. Sheen, K. A. Asmitha, and S. Venkatesan, ‘‘R-Sentry:
Deception based ransomware detection using file access patterns,’’
Comput. Electr. Eng., vol. 103, Oct. 2022, Art. no. 108346, doi:
10.1016/j.compeleceng.2022.108346.
[15] Y. Lemmou, J. Lanet, and E. M. Souidi, ‘‘A behavioural in-depth analy-
sis of ransomware infection,’’ IET Inf. Secur., vol. 15, no. 1, pp. 38–58,
Jan. 2021, doi: 10.1049/ise2.12004.
[16] S. Sharma, R. Kumar, and C. R. Krishna, ‘‘RansomAnalysis: The evolu-
tion and investigation of Android ransomware,’’ in Proc. Int. Conf. IoT
Inclusive Life (ICIIL). Chandigarh, India: NITTTR, 2020, pp. 33–41, doi:
10.1007/978-981-15-3020-3_4.
[17] J. Yuste and S. Pastrana, ‘‘Avaddon ransomware: An in-depth analysis
and decryption of infected systems,’’ Comput. Secur., vol. 109, Oct. 2021,
Art. no. 102388, doi: 10.1016/j.cose.2021.102388.
[18] F. Björck, M. Henkel, J. Stirna, and J. Zdravkovic, ‘‘Cyber resilience—
Fundamentals for a definition,’’ in New Contributions in Information
Systems and Technologies, vol. 1. Cham, Switzerland: Springer, 2015,
pp. 311–316.
[19] A. Kharaz, S. Arshad, C. Mulliner, W. Robertson, and E. Kirda, ‘‘UNVEIL:
A large-scale, automated approach to detecting ransomware,’’ in Proc. 25th
USENIX Secur. Symp. (USENIX Security). Austin, TX, USA: USENIX
Association, 2016, pp. 757–772.
[20] S. Poudyal, K. P. Subedi, and D. Dasgupta, ‘‘A framework for ana-
lyzing ransomware using machine learning,’’ in Proc. IEEE Symp. Ser.
Comput. Intell. (SSCI), Bengaluru, India, Nov. 2018, pp. 1692–1699, doi:
10.1109/SSCI.2018.8628743.
[21] E. B. Karbab, M. Debbabi, and A. Derhab, ‘‘SwiftR: Cross-platform
ransomware fingerprinting using hierarchical neural networks on hybrid
features,’’ Expert Syst. Appl., vol. 225, Sep. 2023, Art. no. 120017, doi:
10.1016/j.eswa.2023.120017.
[22] J. A. Gómez-Hernández, L. Álvarez-González, and P. García-Teodoro,
‘‘R-locker: Thwarting ransomware action through a honeyfile-based
approach,’’ Comput. Secur., vol. 73, pp. 389–398, Mar. 2018, doi:
10.1016/j.cose.2017.11.019.
[23] E. Kolodenker, W. Koch, G. Stringhini, and M. Egele, ‘‘PayBreak: Defense
against cryptographic ransomware,’’ in Proc. ACM Asia Conf. Com-
put. Commun. Secur., Abu Dhabi, UAE, Apr. 2017, pp. 599–611, doi:
10.1145/3052973.3053035.
[24] A. Continella, A. Guagnelli, G. Zingaro, G. De Pasquale, A. Barenghi,
S. Zanero, and F. Maggi, ‘‘ShieldFS: A self-healing, ransomware-aware
filesystem,’’ in Proc. 32nd Annu. Conf. Comput. Secur. Appl., Los Angeles,
CA, USA, Dec. 2016, pp. 336–347, doi: 10.1145/2991079.2991110.
[25] J. Yun, J. Hur, Y. Shin, and D. Koo, ‘‘CLDSafe: An efficient
file backup system in cloud storage against ransomware,’’ IEICE
Trans. Inf. Syst., vol. E100.D, no. 9, pp. 2228–2231, 2017, doi:
10.1587/transinf.2017EDL8052.
[26] Q. Kerns, B. Payne, and T. Abegaz, ‘‘Double-extortion ransomware: A
technical analysis of maze ransomware,’’ in Proc. Future Technol. Conf.
(FTC), vol. 3, 2021, pp. 82–94, doi: 10.1007/978-3-030-89912-7_7.
[27] Microsoft. (2023). Protect Important Folders With Controlled
Folder Access. Accessed: Jun. 4, 2023. [Online]. Available: https://
learn.microsoft.com/en-us/microsoft-365/security/defender-
endpoint/controlled-folders?view=o365-worldwide
[28] J. Choi, J. Lee, G. Lee, J. Yu, and A. Park, ‘‘A defense mechanism against
attacks on files by hiding files,’’ J. Korea Soc. Ind. Inf. Syst., vol. 27, no. 2,
pp. 1–10, 2022, doi: 10.9723/jksiis.2022.27.2.001.
[29] S. Alzahrani, Y. Xiao, and W. Sun, ‘‘An analysis of conti ransomware
leaked source codes,’’ IEEE Access, vol. 10, pp. 100178–100193, 2022,
doi: 10.1109/ACCESS.2022.3207757.
[30] S. Lee, H. K. Kim, and K. Kim, ‘‘Ransomware protection using the moving
target defense perspective,’’ Comput. Electr. Eng., vol. 78, pp. 288–299,
Sep. 2019, doi: 10.1016/j.compeleceng.2019.07.014.
[31] M. M. Khan, M. F. Hyder, S. M. Khan, J. Arshad, and M. M. Khan, ‘‘Ran-
somware prevention using moving target defense based approach,’’ Con-
currency Comput., Pract. Exp., vol. 35, no. 7, Dec. 2022, Art. no. e7592,
doi: 10.1002/cpe.7592.
[32] I. Kara and M. Aydos, ‘‘The rise of ransomware: Forensic analysis for win-
dows based ransomware attacks,’’ Expert Syst. Appl., vol. 190, Mar. 2022,
Art. no. 116198, doi: 10.1016/j.eswa.2021.116198.
[33] A. Kapoor, A. Gupta, R. Gupta, S. Tanwar, G. Sharma, and I. E. Davidson,
‘‘Ransomware detection, avoidance, and mitigation scheme: A review and
future directions,’’ Sustainability, vol. 14, no. 1, p. 8, Dec. 2021, doi:
10.3390/su14010008.
[34] B. Yamany, M. S. Elsayed, A. D. Jurcut, N. Abdelbaki, and M. A. Azer,
‘‘A new scheme for ransomware classification and clustering using
static features,’’ Electronics, vol. 11, no. 20, p. 3307, Oct. 2022, doi:
10.3390/electronics11203307.
[35] D. J. Bernstein, ‘‘ChaCha, a variant of Salsa20,’’ in Proc. Workshop Rec.
SASC, Jan. 2008, vol. 8, no. 1, pp. 3–5.
[36] G. Hull, H. John, and B. Arief, ‘‘Ransomware deployment methods and
analysis: Views from a predictive model and human responses,’’ Crime
Sci., vol. 8, no. 1, pp. 1–22, Feb. 2019, doi: 10.1186/s40163-019-0097-9.
[37] N. Kshetri and J. Voas, ‘‘Ransomware as a business (RaaB),’’ IT Prof.,
vol. 24, no. 2, pp. 83–87, Mar. 2022, doi: 10.1109/MITP.2022.3157208.
[38] Microsoft. (2021). [MS-SHLLINK]: Shell Link (.LNK) Binary File Format.
Accessed: Apr. 3, 2023. [Online]. Available: https://learn.microsoft.
com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-
4d0c-a68d-bf1d6cc0f943
[39] Microsoft. (2023). Create Symbolic Links (Windows 10). Accessed:
Apr. 3, 2023. [Online]. Available: https://learn.microsoft.com/en-
us/windows/security/threat-protection/security-policy-settings/create-
symbolic-links
[40] C. E. Shannon, ‘‘Communication theory of secrecy systems,’’ Bell Syst.
Tech. J., vol. 28, no. 4, pp. 656–715, Oct. 1949, doi: 10.1002/j.1538-
7305.1949.tb00928.x.
SOOHAN LEE received the B.E. degree in cyber
defense and the M.S. degree in cybersecurity from
Korea University, in 2020 and 2023, respectively.
From 2020 to 2023, he was a Red Team Oper-
ator and a Cyber Training Instructor at ROK
Cyber Operations Command. He is currently a
Researcher with the Cyber Technology Center,
Agency for Defense Development (ADD). His
research interests include usable security, security
engineering, and red teaming.
SUHYEON LEE (Member, IEEE) received the
B.E. degree in cyber defense and the Ph.D. degree
in cybersecurity from Korea University. He
completed his military duty with honor as an
Army Captain in the Republic of Korea Army.
He was with ROK Cyber Operations Command
and Agency for Defense Development (ADD),
where he developed expertise in cybersecurity
practice. His research interests include blockchain
security and game theory.
JIWON PARK received the B.E. degree in cyber
defense from Korea University, in 2021, where he
is currently pursuing the Ph.D. degree with the
Department of Cyber Security. He is also a Red
Team Operator and a Cyber Training Instructor
with ROK Cyber Operations Command, focus-
ing primarily on research related to artificial
intelligence security.
KYOUNGMIN KIM received the B.E. degree in
cyber defense from Korea University, in 2019,
where he is currently pursuing the Ph.D. degree with
the Department of Cyber Security. From 2019
to 2022, he was a Malware Researcher with ROK
Cyber Operations Command. Since 2022, he has
been a Cyber Specialized Officer with the Defense
Counterintelligence Command. His research interests
include cyber threat intelligence, malware
analysis, and cyber warfare.
KYUNGHO LEE received the Ph.D. degree from
Korea University. He has been leading the Risk
Management Laboratory, Korea University, since
2012. He was a former CISO with Naver Corpora-
tion. He was a CIO, a CISO, and a CPO with Korea
University, where he is currently a Professor with
the Graduate School of Information Security.