Anomaly Detection Technology Using Potential Difference Displacement Detection of Data Bus

Hye Lim Jeong1, Sung Kyu Ahn1, Sung Hoon Baek2, and Ki-Woong Park1+

1Department of Information Security, Sejong University, Seoul, Korea
{hyello13, yiimfn}@gmail.com, woongbak@sejong.ac.kr
2Department of Computer System Engineering, Jungwon University, Chungbuk 28024, Korea
shbaek@jwu.ac.kr

Abstract

The number of victims of ransomware is increasing
despite attempts to defend against it, as variants of ransomware are continuously
being developed. Research and technology that detect and repair ransomware
variants to prevent damage from ransomware ensure a high level of security;
however, applying them effectively requires additional tradeoffs, including
computing resources. In this study, to address these problems, we propose
a solution that uses the electrical characteristics of a capacitor to detect
abnormal data flow generated at the input-output channels of storage by
consecutive encryption calculation. We observed that, based on Shannon's
information entropy, encrypted files and normal (i.e., unencrypted) files
can be distinguished by their entropy results. From this, we assume
that both types of files will affect the voltage change generated at the multiple
input-output channels of storage according to data flow. Consequently, we
expect that this voltage change can be detected by using a capacitor, and that
abnormal data flow can be identified by calculating entropy. This study shows
the possibility of computation-less detection of abnormal data flow using a
hardware-based capacitor module. Moreover, since our method utilizes hardware
characteristics, we expect it to detect ransomware that evades anti-ransomware
detection techniques relatively more accurately than software-based
detection techniques. Our future work aims to
perform this experiment on real storage devices such as SSDs.

Keywords: Ransomware Detection, Entropy, Computation-less

+: Corresponding author: Ki-Woong Park
Dept. of Computer and Information Security, Sejong University, Neungdong-Ro 209, Gwangjin-Gu, Seoul, Korea

Journal of Internet Services and Information Security (JISIS), 9(4): 68-77, November 2019
DOI: 10.22667/JISIS.2019.11.30.068
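
The entropy observation in the abstract can be reproduced in software. The sketch below is an added example, not code from the paper, and it does not model the capacitor hardware: it computes per-block Shannon entropy over a write stream and flags a run of consecutive high-entropy blocks. The block size, threshold, run length, function names and sample streams are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # assumed size of one storage write, in bytes
THRESHOLD = 7.5   # assumed cut-off, in bits per byte (maximum is 8.0)
RUN_LENGTH = 4    # assumed count of consecutive high-entropy blocks that alerts

def shannon_entropy(block: bytes) -> float:
    """H = -sum(p_i * log2(p_i)) over byte values, in bits per byte."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def block_entropies(stream: bytes, size: int = BLOCK) -> list:
    """Entropy of each fixed-size block of the stream, in write order."""
    return [shannon_entropy(stream[i:i + size]) for i in range(0, len(stream), size)]

def longest_high_run(entropies, threshold: float = THRESHOLD) -> int:
    """Length of the longest run of consecutive blocks at or above the threshold."""
    best = cur = 0
    for h in entropies:
        cur = cur + 1 if h >= threshold else 0
        best = max(best, cur)
    return best

def is_abnormal(stream: bytes) -> bool:
    """True when sustained high-entropy writes suggest consecutive encryption."""
    return longest_high_run(block_entropies(stream)) >= RUN_LENGTH

def ciphertext_like(n: int) -> bytes:
    """Constructed stand-in for encrypted data: SHA-256 over a counter."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

# Constructed sample streams (not measurements from the paper).
NORMAL = b"Quarterly report: revenue, costs and headcount by region.\n" * 600
ENCRYPTED = ciphertext_like(8 * BLOCK)
# A short high-entropy burst between normal writes, e.g. one compressed file.
MIXED = NORMAL[:2 * BLOCK] + ciphertext_like(2 * BLOCK) + NORMAL[:2 * BLOCK]

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("encrypted", ENCRYPTED), ("mixed", MIXED)):
        hs = block_entropies(s)
        print(f"{name:9s} min={min(hs):.2f} max={max(hs):.2f} abnormal={is_abnormal(s)}")
```

Requiring a run of blocks rather than a single one matters because compressed data is also high-entropy; a lone compressed file produces a short burst, while bulk encryption produces a sustained one.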