Hands Off my Database: Ransomware Detection in Databases through Dynamic Analysis of Query Sequences
Lukas Iffländer, Alexandra Dmitrienko, Christoph Hagen, Michael Jobst, Samuel Kounev

TL;DR
This paper introduces DIMAQS, a novel runtime monitoring system using Colored Petri Nets for detecting server-side ransomware in databases, achieving high accuracy with minimal performance impact.
Contribution
It presents the first solution for server-side database ransomware detection using dynamic query sequence analysis and pattern matching with CPNs.
Findings
High detection accuracy: no false positives or false negatives reported in the evaluation
Performance overhead under 5%
Detection is global across all database connections rather than limited to a single user's session
Abstract
Ransomware is an emerging threat which imposed a $5 billion loss in 2017 and is predicted to hit $11.5 billion in 2019. While initially targeting PC (client) platforms, ransomware recently made the leap to server-side databases, starting in January 2017 with the MongoDB Apocalypse attack, followed by other attack waves targeting a wide range of DB types such as MongoDB, MySQL, ElasticSearch, Cassandra, Hadoop, and CouchDB. While previous research has developed countermeasures against client-side ransomware (e.g., CryptoDrop and ShieldFS), the problem of server-side ransomware has received zero attention so far. In our work, we aim to bridge this gap and present DIMAQS (Dynamic Identification of Malicious Query Sequences), a novel anti-ransomware solution for databases. DIMAQS performs runtime monitoring of incoming queries and pattern matching using Colored Petri Nets (CPNs) for…
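To make the query-sequence idea concrete, below is an added Python illustration of a tiny Colored Petri Net that consumes a stream of (connection, query) pairs and raises an alert when a table is dumped, then wiped, and a ransom-like note is written. It is not the paper's CPN, its query classifier, or its implementation; the three places, the three transitions, the regex guards and the sample query logs are all assumptions constructed for this example, modelled loosely on the publicly reported 2017 database ransomware waves. Tokens are coloured by table name rather than by connection, which is what lets the net match an attack split across several connections (the "global detection" point in the findings).

```python
"""Toy Colored Petri Net (CPN) matcher over a stream of SQL queries.

Added example, not code from the DIMAQS paper. The net, its guards and the
dump -> destroy -> ransom-note pattern are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Token:
    """Token colour: the table touched and the connection that touched it."""
    table: str
    conn: int


# Places of the net; a token's place records how far along the pattern a table is.
PLACES = ("dumped", "destroyed", "alerted")


@dataclass
class CPN:
    marking: dict = field(default_factory=lambda: {p: set() for p in PLACES})
    alerts: list = field(default_factory=list)

    # Transition guards (assumed regexes, deliberately narrow; not a SQL parser).
    _DUMP = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+`?(\w+)`?\s*;?\s*$", re.I)
    _DROP = re.compile(r"^\s*DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?\s*;?\s*$", re.I)
    _DELETE_ALL = re.compile(r"^\s*DELETE\s+FROM\s+`?(\w+)`?\s*;?\s*$", re.I)  # no WHERE clause
    _RANSOM = re.compile(r"^\s*INSERT\s+INTO\s+`?(\w+)`?.*(bitcoin|btc|ransom)", re.I | re.S)

    def fire(self, conn: int, query: str) -> Optional[str]:
        """Feed one query; return an alert string when the final transition fires."""
        m = self._DUMP.match(query)
        if m:
            # t_dump: produce a token in 'dumped' for this table.
            self.marking["dumped"].add(Token(m.group(1).lower(), conn))
            return None
        m = self._DROP.match(query) or self._DELETE_ALL.match(query)
        if m:
            table = m.group(1).lower()
            # t_destroy is enabled only if this table was dumped earlier by ANY
            # connection: the guard compares table colour, not connection.
            dumped = {t for t in self.marking["dumped"] if t.table == table}
            if dumped:
                self.marking["dumped"] -= dumped
                self.marking["destroyed"].add(Token(table, conn))
            return None
        m = self._RANSOM.match(query)
        if m and self.marking["destroyed"]:
            # t_ransom: consume every 'destroyed' token and produce an alert token.
            victims = sorted({t.table for t in self.marking["destroyed"]})
            self.marking["destroyed"].clear()
            self.marking["alerted"].add(Token(m.group(1).lower(), conn))
            alert = f"conn {conn}: ransom note written after dump+destroy of {victims}"
            self.alerts.append(alert)
            return alert
        return None


# Constructed query log: the attacker splits the steps over connections 7 and 9.
ATTACK = [
    (7, "SELECT * FROM customers;"),
    (7, "SELECT * FROM orders;"),
    (9, "DROP TABLE customers;"),
    (9, "DELETE FROM orders;"),
    (9, "INSERT INTO WARNING VALUES ('Send 0.2 BTC to recover your data');"),
]

# Constructed benign admin session: the same statement kinds without the pattern.
BENIGN = [
    (3, "DROP TABLE IF EXISTS tmp_import;"),
    (3, "SELECT * FROM customers;"),
    (3, "DELETE FROM orders WHERE id = 42;"),
    (3, "INSERT INTO audit VALUES ('nightly report ok');"),
]


def run(stream) -> list:
    """Replay a (conn, query) stream through a fresh net and return its alerts."""
    net = CPN()
    for conn, query in stream:
        net.fire(conn, query)
    return net.alerts


if __name__ == "__main__":
    print(run(ATTACK))   # one alert naming customers and orders
    print(run(BENIGN))   # []
```

The guards here are intentionally crude: a legitimate migration that dumps a table, drops it and then inserts a row containing the word "ransom" would also fire, so a real deployment needs the pattern tuned against the site's own workload. The paper reports no false positives on its evaluation workloads; this toy makes no such claim.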
Taxonomy
Topics: Advanced Malware Detection Techniques · Web Application Security Vulnerabilities · Security and Verification in Computing
