Architecture and Design Overview The architecture of naGuard consists of two main components, naGuard I/O Monitor and naGuard Analyzer. naGuard I/O Monitor: a Windows kernel module [mini-filter driver] which monitors and logs every single I/O operation in the system. The information is passed to naGuard Analyzer for analysis. naGuard Analyzer: a user mode application which analyzes all the data received from naGuard I/O Monitor, detects and stops malicious behavior.
Since naGuard I/O Monitor operates at the core of the operating system, the kernel, it is crucial to quickly introduce some relevant concepts of the internals of Windows operating system. The Windows I/O system consists of several executive components that together manage hardware devices and provide interfaces to hardware devices for applications and the system. We’ll only cover the components that make up the I/O system, including the I/O manager as they are crucial. To implement these features the Windows I/O system consists of several executive components as well as device drivers, which are shown in the above figure. ■ The I/O manager is the heart of the I/O system. It connects applications and system components to virtual, logical, and physical devices, and it defines the infrastructure that supports device drivers. ■ A device driver typically provides an I/O interface for a particular type of device. A driver is a software module that interprets high-level commands, such as read or write, and issues low level, device-specific commands, such as writing to control registers. Device drivers receive commands routed to them by the I/O manager that are directed at the devices they manage, and they inform the I/O manager when those commands are complete. Device drivers often use the I/O manager to forward I/O commands to other device drivers that share in the implementation of a device’s interface or control.
Multithreaded scoring table which grant higher scoring to malicious behavior processes.
• DB: o Several criteria: I/O operations: Read, write, rename. short (3 sec) aggregation and long (process life) time aggregation. Absolute and relative entropy. Write OP - New file creation and rewrite existing file. • Score engine: o Increase score for suspicions behavior and decrease score for innocent behavior through time. o Interesting extensions = content holding files – doc, pdf etc. • Hidden honey pots in several locations (as result of research been done) and names.
filter_message_t – message received from kernel – Contains the following fields: a. Opcode – can hold: i. 0 – new write. ii. 1 – rewrite iii. 2 – rename iv. 3 – delete b. Process_id c. Preop_entropy – entropy before I/O operation take place. d. Postop_entpry – in case of write operation – entropy value after operation took place. e. Preop_filename – file name before I/O operation take place. f. Postop_filename - in case of rename operation – file name after operation took
DB: a. unordered_map<HANDLE, ThreadInfo> b. ThreadInfo is capable of handle all data related to specific process. i. M_score – current malicious score. ii. honeyPotsCounter – counter of honey pots touched by process in the last X seconds (X=3). iii. Write_end_entropy – sum of absolute entropy in rewrite operations. iv. Write_delta_entropy – sum of delta entropy in rewrite operations. v. New_write_entropy – sum of entropy in new write operations. vi. notExtInListWrite – number of all write operations (include all extensions) in the last X seconds (X=3) if absolute entropy higher then 3.5. vii. honey_pots_touched – number of honey pots files touched (all OPS) viii. m_total_ops[OPS_NUM] – number of all operations (interesting extensions only) in the last X seconds (X=3). ix. m_ops[OPS_NUM] – number of all operations (interesting extensions only) in the process life.
The algorithm is based on division of ransomware behavior into 3 types:
The algorithm was tuned experimentally. If total score of process is higher then 100 and the process is not signed it would be terminated.
Security solutions benchmarked based on four main parameters: detection accuracy, false positive rate, system stability and overhead [performance hit]. To test detection accuracy, we infected a system with several known ransomware. Below are the results:
To test system stability, the following was done: