这篇论文用RoI技术分析网络流量,结合机器学习实现了99.64%精度和0%漏报,比传统端点检测更早发现共享存储上的勒索攻击。
该论文提出一种混合检测框架,用于检测企业共享存储环境中的加密勒索软件入侵。框架基于Region of Interest (RoI)技术分析网络流量并提取入侵指标(IoC),IoC可作为EDR、IDS等工具的补充规则集。RoI特征用于训练机器学习模型,检测高度规避的勒索软件变种。实验显示,机器学习模块检测精度达99.64%,假阴性率为0%,假阳性率极低,整体准确率达99.44%。该方法能早期识别攻击,在造成重大损害前发出预警。
A Hybrid Framework For Crypto-Ransomware Detection In Enterprise Shared Storage
Most corporate workplace environments enforce policies and technical controls that limit the storage of sensitive data on client endpoints. Consequently, ransomware operators have evolved variants that expand their attack surface from local systems to network drives and shared storage resources. As traditional endpoint detection mechanisms focus primarily on local system behaviour, a compromised client can impact remote file servers, such as by encrypting shared data, without directly triggering behavioural changes on the servers themselves. In this paper, we propose a hybrid detection framework for detecting crypto-ransomware intrusion within integrated file server and client environments. The framework is based on a new technique referred to as Region of Interest (RoI) to analyse network traffic and extract Indicators of Compromise (IoCs). The IoC repository serves as an additional ruleset to enhance existing security tools such as EDRs and IDSs, while RoI-derived features are used to train an ML model to detect highly evasive variants. This study incorporates a broader set of ransomwares families and carefully selected benign behaviors based on domain expertise, ensuring coverage of common user actions that could interfere with ransomware detection. Beyond IoCs, which operate in a signature-based manner, our machine learning module achieves a detection precision of 99.64%, with a 0% false negative rate (FNR) and a minimal false positive rate (FPR). Furthermore, the proposed method enables early detection, identifying ransomware intrusions before significant damage occurs, achieving an accuracy of 99.44%.