Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware

Jan von der Assen, Chao Feng, Alberto Huertas Celdrán, Róbert Oleš, Gérôme Bovet, Burkhard Stiller

TL;DR

GuardFS addresses the gap between ransomware detection and practical protection on Linux by integrating detection and reactive mitigation inside an overlay file system. It uses a two-plane architecture (File System Plane and Detection Plane) with ML classifiers and four defense configurations (PKILL, OBF, DEL+OBF, TRACK) to reduce data loss while balancing latency and usability. Through Raspberry Pi and virtualized testbeds with multiple Linux ransomware strains, it shows substantial data preservation improvements (up to ~98% reductions under DEL+OBF variants) and comparable resource usage to baseline defenses, highlighting tradeoffs between security guarantees and delay. This work demonstrates the viability of deception-based, data-driven defenses in real-world Linux environments and outlines directions for lightweight detection and broader OS-portability.

Abstract

Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored their detection using various approaches leveraging Machine and Deep Learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent and not just alert or halt its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on GuardFS test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis demonstrate that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.

GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware

TL;DR

GuardFS addresses the gap between ransomware detection and practical protection on Linux by integrating detection and reactive mitigation inside an overlay file system. It uses a two-plane architecture (File System Plane and Detection Plane) with ML classifiers and four defense configurations (PKILL, OBF, DEL+OBF, TRACK) to reduce data loss while balancing latency and usability. Through Raspberry Pi and virtualized testbeds with multiple Linux ransomware strains, it shows substantial data preservation improvements (up to ~98% reductions under DEL+OBF variants) and comparable resource usage to baseline defenses, highlighting tradeoffs between security guarantees and delay. This work demonstrates the viability of deception-based, data-driven defenses in real-world Linux environments and outlines directions for lightweight detection and broader OS-portability.

Abstract

Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored their detection using various approaches leveraging Machine and Deep Learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent and not just alert or halt its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on GuardFS test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis demonstrate that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.
Paper Structure (29 sections, 3 equations, 7 figures, 7 tables, 1 algorithm)

This paper contains 29 sections, 3 equations, 7 figures, 7 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Framework Design
  4. Ransomware Threat Model
  5. Architecture
  6. File System Plane
  7. Detection Plane
  8. Framework Implementation
  9. File System Plane
  10. Defense 1: Killing Processes (PKILL)
  11. Defense 2: Obfuscating Responses (OBF)
  12. Defense 3: Delaying and Obfuscating Responses (DEL+OBF)
  13. Defense 4: Tracking Processes (TRACK)
  14. Detection Plane
  15. Validation Scenarios
  16. ...and 14 more sections

Figures (7)

  • Figure 1: File System-based Framework Architecture
  • Figure 2: PKILL Defense
  • Figure 3: OBF Defense
  • Figure 4: DEL+OBF Defense
  • Figure 5: TRACK Defense
  • ...and 2 more figures