Contribution Details

Type Bachelor's Thesis
Scope Discipline-based scholarship
Title Automatic and Policy-based Framework to Detect Ransomware Affecting Linux-based and Resource-constrained Devices
Organization Unit
Authors
  • Timucin Besken
Supervisors
  • Alberto Huertas Celdrán
  • Eder John Scheid
Language
  • English
Institution University of Zurich
Faculty Faculty of Business, Economics and Informatics
Date 2021
Abstract Text Crowdsensing techniques have proven to be a cheap and effective way to collect and analyse data, enabling platforms such as ElectroSense, where people collaborate to build a large-scale radio spectrum monitoring solution. Thanks to such applications, resource-constrained devices, such as IoT devices, have seen increased adoption in both industry and the general population. However, their security has often been neglected, incentivising adversaries to implement malware targeting these platforms. Ransomware, in particular, can be extremely dangerous in a crowdsensing context, since it is able to encrypt valuable data on the sensors and disrupt crowdsensing platforms and services. In such a scenario, it is crucial to develop novel anti-malware and, specifically, anti-ransomware techniques aimed at protecting IoT devices from adversaries. Recent literature has shown promising results in malware detection by fingerprinting device behaviour and introducing novel dynamic analysis approaches for ransomware detection. However, current solutions focus on the well-known Windows operating system and rely on complex machine learning approaches, leaving Linux-based and resource-constrained systems overlooked. Consequently, there is a need for malware detection research, specifically on ransomware, targeting resource-constrained and Linux-based devices. With the goal of addressing these limitations, this Thesis introduces an automatic and policy-based framework capable of identifying abnormal behaviour on a Raspberry Pi hosting an ElectroSense sensor. Heterogeneous events from different device dimensions, such as hardware usage (i.e. CPU, memory and IO), kernel tracepoints and hardware performance counters (HPCs), have been considered to identify both abnormal behaviour and ransomware infections.
As a proof of concept, and to evaluate the performance of the framework on the ElectroSense platform, two ransomware families were considered and three policies were developed. Six experiments evaluating the performance of the framework and its policies then provided promising results in recognising normal, abnormal, ransomware1 and ransomware2 behaviours.