GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware
Jan von der Assen, Chao Feng, Alberto Huertas Celdrán, Róbert Oleš, Gérôme Bovet, Burkhard Stiller

TL;DR
GuardFS introduces a novel Linux file system overlay that combines detection and mitigation of ransomware, significantly reducing data loss while balancing resource use and usability.
Contribution
This paper presents GuardFS, a new file system-based approach integrating ransomware detection and mitigation using a bespoke overlay system with three novel defense configurations.
Findings
Data loss can be significantly reduced with GuardFS.
The three defense configurations differ in what they cost in resource consumption and usability, and that cost is tied to how effective each one is.
GuardFS mitigates ransomware effectively in a reactive setting, i.e. when detection and response happen while the sample is already running.
Abstract
Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored its detection using various approaches leveraging Machine and Deep Learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent and not just alert or halt its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that…
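The abstract states the mechanism in two sentences: the overlay file system extracts data from every call before the underlying file is touched, and a model consumes that data to drive the defense. The Python below is an added illustration of that hook and is not GuardFS's own code. A per-process feature extractor (write entropy, read-then-overwrite ratio, extension changes on rename) runs in front of each call, and a scorer cuts the process off once it crosses a threshold. The scorer is a hand-written rule standing in for the paper's trained models; the thresholds, the feature set, and both event streams are constructed assumptions; and a real overlay would sit at the VFS/FUSE layer and forward the call to the backing file system, where here the call is a Python method.

```python
import math
import os
import random
from collections import defaultdict

# Illustrative thresholds (assumptions for this example, not values from the paper).
HIGH_ENTROPY = 7.0   # bits per byte; encrypted output sits close to the 8.0 maximum
BLOCK_SCORE = 0.6    # score at or above which the process is cut off from the file system
MIN_FILES = 3        # do not judge a process before it has written this many files


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class ProcessProfile:
    """Counters accumulated per process from intercepted file system calls."""

    def __init__(self):
        self.writes = 0
        self.high_entropy_writes = 0
        self.files_read = set()
        self.files_written = set()
        self.renames = 0
        self.extension_changes = 0

    def features(self) -> dict:
        """Feature vector handed to the scorer: ratios in [0, 1] plus a file count."""
        return {
            "high_entropy_ratio": self.high_entropy_writes / max(self.writes, 1),
            # fraction of written files the process read first: the read-encrypt-overwrite pattern
            "read_then_write_ratio": len(self.files_read & self.files_written) / max(len(self.files_written), 1),
            "extension_change_ratio": self.extension_changes / max(self.renames, 1),
            "files_written": len(self.files_written),
        }


def rule_scorer(f: dict) -> float:
    """Hand-written stand-in for a trained model (assumption: GuardFS uses learned models)."""
    if f["files_written"] < MIN_FILES:
        return 0.0
    return 0.4 * f["high_entropy_ratio"] + 0.3 * f["read_then_write_ratio"] + 0.3 * f["extension_change_ratio"]


class OverlayHook:
    """Stand-in for the hook an overlay file system runs before forwarding a call to the backing store."""

    def __init__(self, scorer):
        self.scorer = scorer
        self.profiles = defaultdict(ProcessProfile)
        self.blocked = set()

    def intercept(self, pid: int, op: str, path: str, data: bytes = b"", new_path=None) -> bool:
        """Extract features from the pending call, score the process, return True if it may proceed."""
        if pid in self.blocked:
            return False
        p = self.profiles[pid]
        if op == "read":
            p.files_read.add(path)
        elif op == "write":
            p.writes += 1
            p.files_written.add(path)
            if shannon_entropy(data) >= HIGH_ENTROPY:
                p.high_entropy_writes += 1
        elif op == "rename":
            p.renames += 1
            if os.path.splitext(path)[1] != os.path.splitext(new_path)[1]:
                p.extension_changes += 1
        if self.scorer(p.features()) >= BLOCK_SCORE:
            self.blocked.add(pid)   # mitigation: every later call from this pid is refused
            return False
        return True


def run_demo():
    """Constructed event streams: pid 100 behaves like a text editor, pid 200 like ransomware."""
    hook = OverlayHook(rule_scorer)
    text = b"meeting notes, todo list, plain ascii text\n" * 4
    editor_ok = all(hook.intercept(100, "write", f"/home/u/notes{i}.txt", text) for i in range(5))

    rng = random.Random(1)          # deterministic stand-in for ciphertext
    decisions = []
    for i in range(5):
        path = f"/home/u/doc{i}.docx"
        cipher = bytes(rng.getrandbits(8) for _ in range(4096))
        decisions.append(hook.intercept(200, "read", path))
        decisions.append(hook.intercept(200, "write", path, cipher))
        decisions.append(hook.intercept(200, "rename", path, new_path=path + ".locked"))
    return editor_ok, decisions, hook


if __name__ == "__main__":
    ok, decisions, hook = run_demo()
    print("editor allowed throughout:", ok)
    print("ransomware decisions:", decisions)
    print("blocked pids:", sorted(hook.blocked))
```

Running it shows why the paper couples detection with mitigation in the same layer rather than only raising an alert: the scorer needs a few observations before it crosses the threshold, so the first two documents are already overwritten by the time pid 200 is refused, while the editor's plain-text writes never trip it. Tuning MIN_FILES and BLOCK_SCORE lower cuts that loss but raises the risk of refusing a legitimate process that writes compressed or encrypted files.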
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
