Anomaly Detection Technology Using Potential Difference Displacement Detection of Data Bus

Hye Lim Jeong1, Sung Kyu Ahn1, Sung Hoon Baek2, and Ki-Woong Park1+
 

1Department of Information Security, Sejong University, Seoul, Korea

{hyello13, yiimfn}@gmail.com, woongbak@sejong.ac.kr

2Department of Computer System Engineering, Jungwon University, Chungbuk 28024, Korea

shbaek@jwu.ac.kr 

 

Abstract

The number of ransomware victims is increasing despite attempts to defend against it, as ransomware variants are continuously being developed. Research and technologies that detect and repair ransomware variants to prevent damage ensure a high level of security; however, applying them effectively requires additional tradeoffs, including computing resources. In this study, to address these problems, we propose a solution that uses the electrical characteristics of a capacitor to detect abnormal data flow generated at the input-output channels of storage by consecutive encryption calculations. We observed that, based on Shannon's information entropy, encrypted files and normal (unencrypted) files can be distinguished by their entropy results. From this, we assume that both types of files will affect the voltage change generated at the multiple input-output channels of storage according to the data flow. Consequently, we expect that this voltage change can be detected using a capacitor, and that abnormal data flow can be identified by calculating entropy. This study shows the possibility of computation-less detection of abnormal data flow using a hardware-based capacitor module. Moreover, since our method utilizes hardware characteristics, we expect it to detect ransomware that evades anti-ransomware detection techniques relatively more accurately than software-based detection techniques. Our future work aims to perform this experiment on real storage devices such as SSDs.

Keywords: Ransomware Detection, Entropy, Computation-less
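
The entropy observation in the abstract can be reproduced in software. The following is an added example, not code from the paper: it computes Shannon entropy per written block and alerts on a run of consecutive high-entropy blocks. The block size, threshold, run length and sample streams are assumptions, and the "ciphertext" is a constructed stand-in; the capacitor-based measurement itself is not modelled.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # bytes per observed write (assumed block size)
THRESHOLD = 7.5   # bits/byte; assumed cut-off, random-looking data sits near 8.0
RUN_LENGTH = 4    # consecutive high-entropy blocks before alerting (assumed)

def shannon_entropy(data: bytes) -> float:
    """H = -sum(p_i * log2(p_i)) over byte values, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pseudo_ciphertext(seed: bytes, size: int) -> bytes:
    """Constructed stand-in for encrypted output: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])

def first_alert(blocks, threshold=THRESHOLD, run_length=RUN_LENGTH):
    """Index of the block completing the first run of `run_length`
    consecutive high-entropy blocks, or None if no such run occurs."""
    run = 0
    for i, block in enumerate(blocks):
        run = run + 1 if shannon_entropy(block) >= threshold else 0
        if run >= run_length:
            return i
    return None

# Constructed sample streams (not measurements from the paper).
text_block = (b"Quarterly report: revenue, costs and forecast by region.\n" * 80)[:BLOCK]
normal_stream = [text_block] * 8
# One isolated high-entropy write (e.g. a compressed file) must not alert.
mixed_stream = [text_block, pseudo_ciphertext(b"zip", BLOCK), text_block, text_block]
# Sustained high-entropy writes, as consecutive encryption would produce.
ransom_stream = mixed_stream + [pseudo_ciphertext(bytes([i]), BLOCK) for i in range(6)]

if __name__ == "__main__":
    for name, stream in [("normal", normal_stream), ("mixed", mixed_stream),
                         ("ransom", ransom_stream)]:
        print(name, [round(shannon_entropy(b), 2) for b in stream], first_alert(stream))
```

Requiring a run of blocks rather than a single one keeps an isolated compressed or media write from raising an alert.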

 

+: Corresponding author: Ki-Woong Park

Dept. of Computer and Information Security, Sejong University, Neungdong-Ro 209, Gwangjin-Gu, Seoul, Korea,
Tel: +82-2-6935-2453

 

Journal of Internet Services and Information Security (JISIS), 9(4): 68-77, November 2019

DOI: 10.22667/JISIS.2019.11.30.068