SHIELD: Secure Host-Independent Extensible Logging for SATA/Network Storage Towards Ransomware Detection
Abstract: As malware such as ransomware becomes sophisticated, the ability to find and neutralize it requires more robust and tamper-resistant solutions. Current methods rely on data from compromised hosts, lack hardware isolation, and cannot detect emerging threats. To address these limitations, we introduce SHIELD - a detection architecture leveraging FPGA-based open-source SATA and Network Block Device (NBD) technology to provide off-host, tamper-proof measurements for continuous observation of disk activity for software executing on a target device. SHIELD provides three distinct contributions: It (1) develops a framework to obtain and analyze multi-level hardware metrics at NBD, FPGA, and SATA storage levels, and shows their ability to differentiate between harmless and malicious software; (2) Broadens the functionality of an open-source FPGA-driven SATA Host Bus Adapter (HBA) to offer complete data storage capabilities through NBD without relying on the host system; (3) Provides a foundation for using the methodology and metrics in automated machine learning-assisted detection and ASIC integration for advanced mitigation capabilities in data storage devices. SHIELD analyzes 10 benign programs and 10 modern ransomware families to illustrate its capacity for real-time monitoring and use in distinguishing between ransomware and benign software. Experimental evidence shows SHIELD's robust host-independent and hardware-assisted metrics are a basis for detection, allowing to observe program execution and detect malicious activities at the storage level.
Loading