Enforcing situation-aware access control to build malware-resilient file systems

Abstract

Traditional non-semantic file systems are not sufficient in protecting file systems against attacks, either caused by ransomware attacks or software-related defects. Furthermore, outbreaks of new malware often cannot provide a large quantity of training samples for machine-learning-based approaches to counter malware campaigns. The malware defense system should aim to achieve the best balance between early detection and detection accuracy. In this paper, we present a situation-aware access control framework to work with existing file systems as a stackable add-on. Our framework enables the access control decision making to be deferred when required, to observe the consequence of such an access request to the file system and to roll back changes if required. As an application against ransomware attacks, it can be applied to preserve file content integrity, by enforcing that all binary files written to the file system have consistent internal file structures with the declared file types, and rolling back changes that violate such constraints. We envision our access control framework to complement existing operating system access control frameworks, to significantly reduce the dimension of data required for machine learning, and to build extra resilience into the operating systems against damages caused by either malware or software defects. We demonstrate the practicality of our framework through a prototype testing, capturing relevant ransomware situations. The experimental results along with a large ransomware dataset show that our framework can be effectively applied in practice.