
SHIELD: Secure Host-Independent Extensible Logging for Tamper-Proof Detection and Real-Time Mitigation of Ransomware Threats

Md Raz, P. V. Sai Charan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri

TL;DR

Ransomware increasingly compromises host defenses, necessitating tamper-proof monitoring that operates off the host. SHIELD presents an off-host metric acquisition framework that logs fine-grained ext4 filesystem events via NBD, enabling real-time ransomware detection and immediate mitigation. Across binary and multiclass tasks, SHIELD achieves high accuracy and demonstrates generalization to unseen strains, halting disk writes with minimal data loss. The work further shows the feasibility of hardware integration (FPGA/ASIC) for disk-centric defenses, offering robust protection even when the host OS is fully compromised.

Abstract

Ransomware's escalating sophistication necessitates tamper-resistant, off-host detection solutions that capture deep disk activity beyond the reach of a compromised operating system while overcoming evasion and obfuscation techniques. To address this, we introduce SHIELD: a metric acquisition framework leveraging low-level filesystem monitoring and Network Block Device (NBD) technology to provide off-host, tamper-proof measurements for continuous observation of disk activity exhibited by software executing on a target device. We employ Shield within a detection architecture leveraging deep filesystem features along with simplified metrics aggregated based on frequency of disk actions, making the metrics impervious to obfuscation while avoiding reliance on vulnerable host-based logs. We evaluate the efficacy of these metrics through extensive experiments with both binary (benign vs. malicious behavior) and multiclass (ransomware strain identification) classifiers and confirm that our metrics yield high accuracy across diverse threat profiles, including intermittent or partial encryption. In a proof-of-concept deployment, we demonstrate real-time mitigation using models trained on these metrics by halting malicious disk operations after ransomware detection with minimum file loss and memory corruption. We also show that hardware-only features collected independently of OS or network stack retain high detection effectiveness, verifying feasibility of embedding the proposed pipeline in a SATA controller ASIC or FPGA for next-generation, disk-centric defenses that combine filesystem insight with inherent off-host isolation.
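To make the off-host idea concrete, the following added example (written for this page, not code from the SHIELD authors) shows the two steps an NBD-side monitor has to perform before any classifier can run: recover the ext4 geometry that Figure 3 labels as alpha block groups, beta blocks per group and gamma inodes per group by reading the superblock from raw block data, then reduce a stream of block-level write events into per-window frequency metrics. The superblock field offsets are the real ext4 layout; the disk image, the event stream and the three metrics (writes, distinct blocks, distinct block groups per window) are constructed here as an illustration and are not the paper's feature set.

```python
import struct
from collections import defaultdict

EXT4_MAGIC = 0xEF53  # s_magic; the primary superblock lives at byte offset 1024

def parse_superblock(disk: bytes) -> dict:
    """Recover ext4 geometry from a raw image: alpha block groups, beta blocks
    per group, gamma inodes per group (offsets follow the ext4 superblock layout)."""
    sb = disk[1024:2048]
    blocks_count = struct.unpack_from("<I", sb, 0x04)[0]      # s_blocks_count_lo
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]    # s_log_block_size
    beta = struct.unpack_from("<I", sb, 0x20)[0]              # s_blocks_per_group
    gamma = struct.unpack_from("<I", sb, 0x28)[0]             # s_inodes_per_group
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT4_MAGIC:   # s_magic
        raise ValueError("no ext4 superblock at offset 1024")
    alpha = -(-blocks_count // beta)  # ceil(blocks / blocks per group)
    return {"block_size": 1024 << log_block_size, "alpha": alpha, "beta": beta, "gamma": gamma}

def window_metrics(geom: dict, events, window_s: float = 1.0) -> list:
    """Aggregate block-level (t, op, byte_offset, length) events, as seen at the NBD
    layer, into per-window frequency metrics: writes, distinct blocks, distinct groups."""
    buckets = defaultdict(lambda: {"writes": 0, "blocks": set(), "groups": set()})
    for t, op, offset, length in events:
        if op != "W":          # only writes are counted; reads cannot destroy data
            continue
        b = buckets[int(t // window_s)]
        b["writes"] += 1
        first, last = offset // geom["block_size"], (offset + length - 1) // geom["block_size"]
        for blk in range(first, last + 1):
            b["blocks"].add(blk)
            b["groups"].add(blk // geom["beta"])
    return [(w, b["writes"], len(b["blocks"]), len(b["groups"]))
            for w, b in sorted(buckets.items())]

def make_sample_disk() -> bytes:
    """Constructed image head: 65536 blocks of 4 KiB, 32768 blocks and 8192 inodes per group."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, 65536)
    struct.pack_into("<I", sb, 0x18, 2)          # 1024 << 2 = 4096-byte blocks
    struct.pack_into("<I", sb, 0x20, 32768)
    struct.pack_into("<I", sb, 0x28, 8192)
    struct.pack_into("<H", sb, 0x38, EXT4_MAGIC)
    return bytes(1024) + bytes(sb)               # boot-sector padding + superblock

SAMPLE_EVENTS = [  # constructed: (seconds, op, byte offset, length)
    (0.10, "W", 4096 * 100, 4096),
    (0.20, "R", 4096 * 101, 4096),
    (1.05, "W", 4096 * 200, 8192),
    (1.30, "W", 4096 * 33000, 4096),
]
```

The write in the second window that lands in block 33000 falls into block group 1, so that window reports two distinct groups touched; a real deployment would feed such per-window vectors to the trained model and stop forwarding writes to the backing device once it flags them.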

Paper Structure

This paper contains 55 sections, 2 equations, 8 figures, 11 tables, 1 algorithm.

Figures (8)

  • Figure 1: A high-level illustration of our approach: ransomware on the host attempts to encrypt files, but Shield, our off-host monitoring system, detects the malicious activity in real time using filesystem metrics and closed-loop ML, and promptly halts the disk.
  • Figure 2: Architectural overview of SHIELD components and flow.
  • Figure 3: Simplified ext4 filesystem depicted with $\alpha$ block groups, $\beta$ data blocks per block group, and $\gamma$ inodes per block group. Each feature outlines metrics which Shield can parse, monitor, and log.
  • Figure 4: Modules and data flow internal to our Shield implementation.
  • Figure 5: Normalized mean feature values for malicious and benign samples.