Patent Application
20250209165
None.
None.
The present disclosure relates to the security of electronic devices, computers and networks, and to the detection of unauthorized tampering and encryption of data. More particularly, one embodiment of the present disclosure pertains to a method for generating order measurements to detect malware performing the unauthorized encryption of a file.
Ransomware is malicious software that extorts funds from organizations by holding their computer files for ransom. Ransomware operates by encrypting computer files making them unavailable to the file owners until the ransom has been paid. Many ransomware attacks are transnational coming from countries that provide safe havens to the criminals operating the ransomware software. Ransoms are often demanded in Bitcoin or other crypto currency, making tracing and prosecuting the perpetrators difficult. A ransomware attack in May of 2021 temporarily crippled a major U.S. gasoline pipeline operator, causing fuel shortages and price spikes. Other ransomware attacks have affected schools, hospitals and government agencies. In each successful attack, the victim was unable to operate their computer systems. Even after paying the ransom, some of the affected systems could not be brought back online.
In 2021, Cloudwards published a report claiming that ransomware cost the world $20 Billion dollars in 2021. That number is expected to rise to $265 Billion in costs by 2031. A technology that can detect and block ransomware from tampering with data would have a tremendous impact in reducing these costs.
There have been a number of approaches to protecting computer systems from ransomware attacks. Many of these approaches rely on the detection of ransomware software that has been previously detected on other computer systems. While this stops some ransomware attacks, it is susceptible to zero-day attacks. Zero-day attacks are attacks from a previously unknown malware or variant. Another approach that attempts to address zero-day attacks operates by analyzing software operating behavior. Behavioral malware detection can be evaded and may cause an increase in detection false positives. A false positive is when the presence of malware is falsely detected, such as when a burglar alarm goes off because of an animal. In additional to false positives, there are also false negatives. A false negative is when the detection should have detected an event and fails to do so. A false negative for a burglar alarm is when a burglar breaks into a home and the alarm fails to go off. The concepts of false positives and false negatives are especially important when detecting malware and ransomware. The rate of false positives can be seem as a measure of deployability. If ransomware is falsely detected too frequently, the alerts may get ignored-like the little boy who cried wolf. Operationally, detection mechanisms that generate a high number of false positives are generally only used for alerting and are not used to block the suspect activity. Only when the number of false positives is low enough is automatic blocking of suspicious activity generally acceptable. On the otherside, false negatives can be though of as a measurement of effectiveness. A detection mechanism with a high number of false negatives is not providing very good protection. The challenge is how to detect zero-day ransomware attacks with both a low false positive rate and a low false negative rate.
Another approach to combating ransomware relies on filesystem permissions. This approach attempts to make file unwritable so that those files cannot be encrypted. While good in concept, this approach is often difficult to implement due to the operational requirements of legacy software.
A system which can reliably detect and block ransomware, which detects zero-day attacks with a low false positive rate and a low false negative rate, and which can be easily and reliable deployed to legacy software and systems, would constitute a major technological advance, and would satisfy long felt needs and aspirations in the computer security industry.
When a computer, electronic device, or network is attacked by ransomware, data stored on the computer, electronic device, or network may be encrypted without the permission of the owner. Unless the ransom is paid, the data becomes inaccessible by the owner of the computer, electronic device or network, because the owner does not possess the key necessary to de-crypt the data. The attacker holds the owner's data as a hostage, and tries to obtain a payment from the owner in exchange for the key that would enable the owner to re-capture control of his or her data.
One embodiment of the present disclosure senses when a ransomware attack is in progress. One component of the present disclosure generally constantly monitors the data stored in the computer, electronic device or network. At any given time, an arrangement of data possesses an attribute called “entropy.” This attribute is related to the relative order or dis-order of the arrangement of the stored data. When a ransomware attack is in progress, the entropy of the arrangement of data changes. The present disclosure detects this change, and places the encrypted data in quarantine.
The present disclosure may also produce an indication or an alarm which alerts that a ransomware attack is under way. One embodiment may also disconnect the computer, electronic device or network from the connection that is being used by the ransomware attacker. This disconnection may by physical or logical. A logical disconnection prevents the ransomware from communicating with the computer, electronic device or network under attack, even if the ransomware is physically present on the computer, electronic device or network.
This approach is quite different from conventional ransomware detection methodologies. In conventional ransomware detection, memory and filesystem scanners look for indicators or signatures of previously seen ransomware. This approach is focused on the executable programs that perform the ransomware activities, including the encryption of data. The present disclosure detects changes in characteristics of the data to detect the unauthorized encryption that is ransomeware. By focusing on the data transformation, this approach operates independently from the executable programs that perform the ransomware activities, and is therefore able to detect and block zero-day ransomware.
Then, following the process of:
Performing the steps above for
These three examples show that disorder can be quantified and calculated. The perfectly ordered cards have a order metric of 0. The slightly disordered cards have an order metric of 0.3133. The more disordered cards have an order metric of 0.7376. The approach to showing how disorder in a set of cards can be quantified is also applicable to quantifying how much order or disorder is in a series of numbers.
An appreciation of other aims and objectives of the present disclosure and a more complete and comprehensive understanding of this disclosure may be obtained by studying the following description of a preferred embodiment, and by referring to the accompanying drawings.
A measurement of order 16 is a measurement of entropy. Entropy measurements and measurements of order 16 are measurements of how ordered or dis-ordered is the target data 11. The measurement of order 16 is the information entropy present in the target data. Highly ordered data has low randomness and low entropy, and highly unordered data has high randomness, and correspondingly high entropy. Text files have low randomness and entropy, and a high level of order. The files that are computer applications, sometimes known as binaries, also have a high level of order. Encrypted files exhibit a low level of order. Some compressed filed also exhibit a low level of order. The one embodiment of the present invention detects changes in measurements of order 16 that fall outside of a predefined range of order 23. This detects the change in entropy when a file is encrypted.
To address detection of encryption of compressed files which also exhibit high randomness, the system uses multiple measurements of order 16 covering different portions of the target data 11. Each of these portions is called an EnFret 40. An EnFret 40 is the data for which a measurement of order is made. Target data 11 often has structured file headers or other structure 34 that have high measurements of order 16, followed by data that may have low measurements of order 16. Measuring the order of the target data 11 at multiple places allows target data 11 with mixed structures and random data to be processed using multiple EnFrets 40. Each Enfret 40 may be of a same or different size as another EnFret 40. Each EnFret 40 may be adjacent or discontiguous to another EnFret 40. An EnFret 40 may overlap another Enfret 40 so that some of the data in a first Enfret 40 is also used in a second EnFret 40. An EnFret 40 (Entropy Fret) can be thought of like a fret on the neck of a guitar. Choosing the frets on which to place your fingers produces different resulting sounds and music. Choosing different EnFrets 40 from the target data 11 produces different results.
One embodiment of the present invention produces measurements of order. These measurements of order are written in a random access memory and/or in a storage medium, and change the state of components within the device.
The selection of what portion of target data 11 each EnFret 40 covers is driven by the two goals of low false positives and low false negatives in the detection of ransomware encrypting target data 11.
There are numerous algorithms used to measure order and approximate Shannon Entropy. Examples of these algorithms include the Chi-squared test, Arithmetic mean, Monte Carlo value for Pi, and Serial Correlation Coefficient. The one embodiment of the present invention may use different order measurement algorithms for different target data 11 types. When comparing measurements of order, the algorithms ApEn (Approximate Entropy), SampEn (Sample Entropy), cross-ApEn (Asynchrony between two different time series), and cross-SampEn (Used to measure the similarity of two distinct time series) may also be used.
One embodiment of the present invention reads files on a filesystem and is able to read file data and metadata. The filesystem is responsible for interacting with the storage device to store and retrieve files and for the arrangement of the data on the storage device. A filesystem is analogous to a repository of data 12. A file within a filesystem is analogous to target data 11. A database is analogous to a repository of data 12. A record within a database is analogous to target data 11.
A filesystem is a data structure that an operating system uses to control how data is stored and retrieved. Metadata is data that provides information about other data, but not the content of the data, such as the text of a message or the image itself.
The filesystem is also responsible for the file metadata, the data about the data. The file metadata includes information such as file name and file length. It may also include file creation date, last modification date, access permissions, filesystem integrity data, and file type. The storage device is responsible for the accurate storage and retrieval of data supplied to it by the filesystem. The storage device may be any form of hard drive, including spinning media and solid-state devices, or any other suitable non-volatile memory device or technology.
The communications between the filesystem and the storage device are storage operations. Storage operations are typically read, write and delete. Additional storage operations may specify performance, security and other operating parameters.
One embodiment of the invention operates by comparing reference entropy metrics known as pre-determined levels of order 22 against entropy measurements, known as measurements of order 16 calculated for each EnFret 40 within the target data 11.
If the difference between the pre-determined levels of order 22 and the measurements of order 16 exceeds a range of order 23, an indication is produced which signals that at least one of the entropy measurements has exceeded the at least one of the range of order 23 and the corresponding target data 11 may have been encrypted.
In one embodiment of the present invention, target data 11 is read from a repository of data 12. Upon reading the target data 11, an order measurement sensor 14 calculates a number of measurements of order 16 of the target data 11. Each measurement of order 16 is calculated from an EnFret 40 which describes the portion of the target data 11 to use. A measurement of order 16 is measurement of how ordered or dis-ordered is the target data 11. The measurement of order 16 is the information entropy present in the target data 11. Highly ordered data has low randomness, and highly unordered data has high randomness. Target data 11 containing only text has low randomness and a corresponding high measurement of order 16. Target data 11 containing computer applications, known as binaries, also have a relatively high measurement of order 16. Target data 11 containing encrypted or compressed data exhibit a low measurement of order 16. The order measurement sensor 14 calculates a measurement of order 16 across multiple portions of the target data 11, producing a plurality of measurements of order 16P.
Once the order measurement sensor 14 has calculated a plurality of measurements of order 16P, a comparator 18 compares the measurement of order 14 with a plurality of pre-determined levels of order 22P retrieved from a library 20.
One embodiment of the present invention compares reference entropy metrics, known as pre-determined levels of order 22, against entropy measurements. The results of these comparisons are written in a random access memory and/or in a storage medium, and change the state of components within the device.
The comparator 18 also has a predetermined plurality of ranges of order 23P. Each of these ranges of order 23 describes a boundary threshold, where measurements outside of the boundary may indicate data tampering. If the comparator 18 determines that at least one of these measurements of order 16 falls outside of the plurality of range of order 23P, then an indicator 24 indicates that an anomalous measurement of order 16 has been made. This detects a change in at least one of the plurality of measurements of order 16P when the target data 11 is tampered with and encrypted.
An access manager 26 may receive an indication of data tampering 19 from the indicator 24 and prevent the target data 11 from being stored, written, or otherwise used. In this way, blocking unauthorized encryption of data, and thus preventing ransomware from operating.
While the examples used here refer to target data 11 for ease of explanation and teaching, the use of a plurality of measurements of order 16P entropy can be applied to any target data, such as a file, data in computer memory, or data being received via a communications channel. Computer memory includes volatile and non-volatile memory technologies. Data in volatile storage does not persist when power is removed. Data in non-volatile storage does persist when power is removed. Flash memory is an example for non-volatile memory.
In another embodiment of the present invention, files on a filesystem are read, including any associated file data and meta data.
The present invention operates by comparing pre-determined levels of order and their corresponding acceptable ranges against the plurality of measurements of order calculated for each file. If any of the differences falls outside of the corresponding acceptable range, the present invention indicates that the calculated level of order has exceeded the range of order and the corresponding file may have been encrypted.
One embodiment of the present invention uses a comparator 18 to compares measurements of order 14 with a plurality of pre-determined levels of order 22P retrieved from a library 20. The results of these comparisons are written in a random access memory and/or in a storage medium, and change the state of components within the device.
One embodiment of the present invention uses a comparator 18 to retrieve reference order levels and ranges from the library 20. For each EnFret 40 of data, the measurement of order 16 is compared with the corresponding range of order 23. If any of the measurement of order 16 falls outside of the range of order 23, it is detected as an indication of data tampering 19 by the comparator 18. EnFret 1 shows where an indication of data tampering 19 begins and is detected by the comparator 18. The indications of data tampering are written in a random access memory and/or in a storage medium, and change the state of components within the device.
One embodiment of the present invention utilizes an access manager 26 to receive an indication of data tampering 19 from the indicator 24 and to prevent the target data 11 from being stored, written, or otherwise used. These indications are written in a random access memory and/or in a storage medium, and change the state of components within the device.
In one embodiment of the present invention, pre-determined levels of order 22 are calculated over a large amount of target data 11 of the same type, and a statistical distribution is calculated. These values are calculated for each of the EnFrets 40, producing a set of pre-determined levels of order 22 for each of the EnFrets 40 for a given target data type. The results of these calculations are written in a random access memory and/or in a storage medium, and change the state of components within the device.
The present invention operates on target data 11. The target data 11 is a sequence of bits, binary digits, ones and zeros, that represent data in a data processing system. Target data 11 is stored in a repository of data 12. The repository of data 12 may be any of multiple possible sources such as data memory, data storage, and data communications. The target data 11 often has associated formats or data structures that describes the layout of data relative to the bitstring. For target data 11 from computer filesystems, these are called the file structures. For target data 11 from computer memory, these are simply called data structures. Each different file structure or data structure is composed of fields. A field describes the data format and use within a data structure. For instance, there can be fields for text such as a name, numeric fields for arithmetic information, and special fields for calculated data, such as compressed or encrypted data.
For many data structures, there is often a set of fields called a header that describe another set of data fields that follows the header fields. Some portions of data structures are repeated multiple times. The internal structure of the target data 11 is the first structure 34A. The present invention creates at least two EnFrets 40 from the target data 11. The first EnFret 40 is generated from a first portion of the target data 11. There may be additional EnFrets 40 generated from additional portions of the target data 11. There will be a final EnFret 40 generated from the remaining portion of the target data 11. This method of generating at least two EnFrets 40 allows for the calculation of separate measurements of order 16 for header data and for non-header data.
The library 20 contains a plurality of predetermined EnFret configurations 42P. This plurality of predetermined EnFret configurations 42P is used by the order management sensor 14 to produce a plurality of configured EnFrets 44P. The configuration of an EnFret 40 describes the portion of the target data 11 that is included in each measurement of order 16, and the algorithm used to produce the measurement of order 16.
For each of the plurality of configured EnFrets 44P, a measurement of order 16 is calculated over the configured EnFret 44 by an order measurement sensor 14. Different types of data exhibit different amounts of randomness, and the measurement of order 16 is a measurement of the randomness. The order measurement sensor 14 may use different algorithms to produce the measurement of order 16. For example, using the arithmetic mean method for the measurement of order 16, this is the summing all the bytes in an EnFret 40 and dividing by the number of bytes in the EnFret 40. If the data is close to random, this number should be about 127.5. If the mean departs from this value, the values within the EnFret 40 are consistently high or low. Once the measurement of order 16 has been calculated for each of the EnFrets 40, the resulting measurements of order 16 are conveyed to a comparator 18. The comparator 18 compares the measurements of order 16 to pre-determined levels of order 22 and a range of order 23.
The pre-determined levels of order 22 are calculated similarly to the measurements of order 16. The pre-determined levels of order 22 are calculated over a large amount of target data 11 of the same type, and a statistical distribution is calculated. These values are calculated for each of the EnFrets 40, producing a set of pre-determined levels of order 22 for each of the EnFrets 40 for a given target data type. For example, reference pre-determined levels of can be calculated for mp3 files. Mp3 files have a similar structure, regardless of the type of audio they contain. To obtain the range of order 23, in one embodiment, a standard deviation is calculated over the measurements of order 16 on a per EnFret basis 40. Specifically, a standard deviation is calculated over the measurement of order 16 for the first EnFret 40, and another standard deviation is calculated over the measurement of order 16 for the next EnFret 40, and so on. The calculated standard deviations are used as the range of order 23.
In one embodiment of the present invention, a standard deviation is calculated over the measurement of order 16 for the first EnFret 40, and another standard deviation is calculated over the measurement of order 16 for the next EnFret 40, and so on. The results of these calculations are written in a random access memory and/or in a storage medium, and change the state of components within the device.
If all of the measurements of order 16 are within the corresponding range of order 23, no further action is taken. If any of the measurements of order 16 are outside the corresponding range of order 23, then an indication is made by the indicator 24. The indicator 24 indicates the detection of tampering.
In one embodiment, the indicator 24 is connected to an access manager 26. Upon receiving an indication from the indicator 24, the access manager 26 blocks or quarantines the target data 11 from being written, preventing ransomware from encrypting target data 11 in the repository of data 12. In this way, the access manager 26 prevents further activity after a changed measurement of order 16 is detected.
In one embodiment, the indicator 24 is connected to a false positive reduction evaluator 28. The false positive reduction evaluator 28 evaluates additional information and metadata about the target data 11 to reduce false positives in indicating tampering of the target data 11. The false positive reduction evaluator 28 may employ processing that is computationally more expensive than the order measurement sensor 14 and the comparator 18. The false positive reduction evaluator 28 may use any mechanism to reduce false positive indications. These false positive reduction mechanisms include recognizing specific software programs and computer processes. There are many methods to recognize software, including authenticating cryptographically signed software and using lists of allowed and dis-allowed software. Software recogition is well-known in the art.
In this Specification, the term software refers to both a software image in storage or memory, and the software processes that exist when software is operating. Once recognized, the false positive reduction mechanisms may allow or dis-allow the operation of specific software and computer processes. When software cannot be recognized, the false positive reduction mechanism may allow or dis-allow operation based behavioral analysis of software and computer processes. Methods for behavioral analysis of software are known in the art. The false positive reduction mechanism may also allow or dis-allow based on the meta-data of the target data 11.
In one embodiment, each of the plurality of measurements of order 16 and measured over a plurality of EnFrets 40, and each of the EnFrets 40 are contained within the target data 12. The EnFrets 40 may be of equal or unequal lengths. A EnFret 40 may overlap another EnFret 40. EnFrets 40 do not have to be contiguous with respect to the entirely of data in the target data 11. EnFrets 40 may be discontiguous. For some target data, the final EnFret 40 can be truncated. The EnFrets 40 do not have to be on the same structure boundaries as the target data 11 structure 34. The present invention does not even have to know the target data 11 structure 34. This allows the present invention to process opaque target data 11. Opaque target data 11 is target data 11 lacking a defined structure 34.
One embodiment of the present invention is designed to allow the editing of target data 11, such as an mp3 file, where the resulting edited file will still generate measurements of order 16 that fall within the corresponding ranges of order 23 as long as the underlaying structure 34 is unchanged. However, if the underlaying structure 34 is changed, as would be the case if the mp3 files were processed by an encryption program, then at least one of the generated measurements of order 16 will fall outside the corresponding ranges of order 23 and an indication will be made. The present invention entropy will operate correctly even when the target data 11 structure 34 includes some fields that are encrypted or compressed, both of which result in high entropy metrics. This is because the target data 11 structures 34 that include encrypted or compressed fields, still require data headers that produce lower entropy metrics. Examples of target data 11 that include compressed or encrypted fields include mp3 and jpeg files, both of which use various compression methods within their structure, and pdf files which can optionally include encrypted data. However, when these files are subject to bulk encryption, all of the data, including the header data becomes encrypted, resulting in low measurements of order 16 for EnFrets 40 that previously exhibited higher measurements of order 16.
In one embodiment, when target data 11 is arranged in a first structure 34A and is processed into a second target data 11B and that the second target data 11B is arranged in the same first data structure 34A as the target data 11, the order measurement sensor 14 measuring the EnFrets 40 within the second target data 11B will produce measurements of order 16 that are within the range of order 23 associated with the second target data 11B. When the second target data 11B replaces the target data 11 in the data repository 12, the updated target data 11, the order measurement sensor 14 measuring the EnFrets 40 within the new, updated target data 11 will produce measurements of order 16 that are within the range of order 23 associated with the updated target data 11. In this way, target data 11 of one format can be processed or edited without triggering the detection of tampering.
In one embodiment, when target data 11 is arranged in a first structure 34A and is processed into a second target data 11B and that the second target data 11B is arranged in a second structure 34B, the order measurement sensor 14 measuring the EnFrets 40 within the second target data 11B will produce at least one measurement of order 16 will be outside of the range of order 23 associated with the second target data 11B. When the second target data 11B replaces the target data 11 in the data repository 12, the updated target data 11, the order measurement sensor 14 measuring the EnFrets 40 within the new, updated target data 11 will produce at least one measurement of order 16 that is outside of the range of order 23 associated with the new updated target data 11. In this way, when target data 11 of one format is processed into a second format, it will be detected as tampering.
In one embodiment, the repository of data 12 includes encrypted data.
In one embodiment, the repository of data 12 includes compressed data.
When generating the pre-determined levels of order 22 and their corresponding ranges of order 23, target data 11 from similar target data 11 types are analyzed together. When metadata about the target data 11 is available, it can be used to classify target data 11 types and group them appropriately. Examples of metadata that can be used to classify and group target data 11 includes the file name extension, the source location of the file, and the target data 11 length. Combinations of metadata can also be used. For example, all files ending with .mp3 can be evaluated together to generate pre-determined levels of order 22 and their corresponding ranges of order 23 for mp3 files. Care must be taken to verify that the files have not been corrupted and do not have a different target data 11 structure 34. Including corrupted data in the pre-determined levels of order 22 and their corresponding ranges of order 23 calculations may have adverse effects. For target data 11 that do not have an extension, the target data 11 location or file location can provide a useful classification method. The target data 11 length can also be useful in classifying, qualifying, or disqualifying the classification and grouping of target data 11.
The various embodiments of the present invention can be used in a variety of ways. It can be used as a memory and file scanner, scanning and detecting anomalies where target data 11 of scanned files and memory region whose measurements of order falls outside of the pre-determined levels of order 22 and their corresponding ranges of order 23 and alerting the system.
In one embodiment of the present invention, anomalies where target data 11 of scanned files and memory region whose measurements of order falls outside of the pre-determined levels of order 22 are detected. These detections are written in a random access memory and/or in a storage medium, and change the state of components within the device.
The present invention can also be used in a filesystem or memory monitor in real time to detect anomalies where a file or memory region is being written whose target data 11 measurement of order 16 outside of the pre-determined levels of order 22 and their corresponding ranges of order 23. Upon detecting the anomaly, the filesystem or memory monitor can quarantine the file or memory write, or block the file or memory write, in addition alerting the system.
In the present application, a quarantined file is a copy of the original, unmodified file. This enables a data tampering detection mechanism to preserve the original file so that it can be restored without requiring decryption.
In one embodiment of the present invention, the library 20 resides within the memory 80.
In one embodiment of the present invention, the library 20 resides within the storage 88.
In one embodiment, the target data 11 is accessed using the input output interface 86.
In one embodiment, the indicator 24 indicates the detection tampering using the input output interface 86.
In one embodiment, the indicator 24 communicates with the access manager 26 using the input output interface 86.
In one embodiment, the indicator 24 communicates with the false positive reduction evaluator 28 using the input output interface 86.
In one embodiment, the order measurement sensor 14 operates using the CPU 84.
In one embodiment, the comparator 18 operates using the CPU 84.
In one embodiment, the indicator 24 operates using the CPU 84.
The detection of malware, including ransomware has always been a game of evolving offensive and defensive capabilities. When a new offensive technology, in this case ransomware, is used, new defensive technologies are developed to combat their detection and use. Ransomware technologies continue to evolve, primarily using previously unknown zero-day methods to obtain the privileges necessary to perform data tampering and encryption. Some detection methodologies incorporate CPU usage monitoring in their detection; data encryption is computationally expensive and high CPU unitization for long periods of time may be an indicator of malware or ransomware activity. Recent advances in ransomware attempts to combat this approach be encrypting only portions of the ransomed data. By encrypting stripes through the target data, the target data is damaged, and the ransomware utilizes only a small fraction of the CPU processing previously used when encrypting the entire target data.
The configuration and use of multiple EnFrets 40 is key to detecting unauthorized data tampering, especially when malware strategies, and their corresponding detection and mitigation are evolving. The configuration of the multiple EnFrets 40 may be different for each type of file or target data location being evaluated, and for different strains of ransomware. In the above example where only portions of the target data is being encrypted, the configuration of EnFrets 40 can be configured to match and detect the encrypted data stripes.
Each EnFret 40 can be configured to evaluate a portion of the target data 11. The configuration options for an individual EnFret 40 includes the start and end of the data within the target data 11, and the algorithm used to calculate the measurement of order 16. Multiple EnFrets 40 can be configured to be adjacent to each other with respect to the target data 11, as shown in
In one embodiment of the present invention, each EnFret 40 man be configured to evaluate a portion of the target data 11. These configurations are written in a random access memory and/or in a storage medium, and change the state of components within the device.
The development of unique configurations of EnFrets 40 to detect various forms of data tampering, unauthorized data encryption, and ransomware operaiton is a continuous activity. As new ransomware strains and variants are discovered, the corresponding EnFret 40 configurations will be added to the plurality of predetermined EnFret configurations 42P. The plurality of predetermined EnFret configurations 42P is used by the order measurement sensor 14 to produce a plurality of configured EnFrets 44P which are subsequently used to make a plurality of measurements of order 16P of the target data 11. It is this flexibility of the configuration of the EnFrets 40 that makes the present invention uniquely suited to the detection of ransomware and unauthorized encryption while maintaining a low false positive rate and a low false negative rate. Reliably detecting ransomware performing unauthorized encryption of target data 11 does not work without the use of multiple configurable EnFrets 40.
The definitions presented in this section are not intended to limit the scope of the meaning or applicability of any term, and is intended to provide a convenient alphabetically-ordered reference for the reader.
Analytics—A system or apparatus that takes sensor or data inputs from one or more sources to produce a coordinated view of activity. Analytics may employ “big data” and “artificial intelligence” techniques. Analytics can provide situational awareness, baseline and out of parameter behavioral indications, security anomaly detection and other multi variate analysis.
ApEn—Approximate Entropy, an algorithm that measures the logarithmic probability that nearby pattern runs remain close in the next incremental comparison. ApEn quantifies the concept of variable complexity without the difficulties of exact statistics of regularity. The main idea behind ApEn's development was that it is not an algorithm to entirely determine the dynamics of a system. Instead, it is an appropriate algorithm for classifying systems and studying the evolution of its complexity: it is not necessary to completely reconstruct the dynamics of the system to classify it.
Arithmetic Mean Test—The result of summing all the data bytes and dividing by the number of data bytes. If the data values are close to random, this should be about 127.5. If the mean departs from this value, the values are consistently high or low.
Chi-Squared Test—The chi-square test is a commonly used test for the randomness of data, and is extremely sensitive to errors in pseudorandom sequence generators. The chi-square distribution is calculated for a stream of bytes and expressed as an absolute number and a percentage which indicates how frequently a truly random sequence would exceed the value calculated.
Compression—Data compressions, is the process of encoding information using fewer bits than the original representation. Any particular compression is either lossy or lossless. Lossless compression reduces bits by identifying and eliminating statistical redundancy. No information is lost in lossless compression. Lossy compression reduces bits by removing unnecessary or less important information.
CPU—Central Processing Unit. A set of circuits that processes CPU instructions.
CPU Instructions—A set of instructions that controls the operation of a CPU.
Cross-ApEn—An algorithm that measures the asynchrony between two different time series. Conceptually, the formulation is very similar to ApEn, with the peculiarity that now we compare the blocks of a series with the blocks of the other series, instead of doing it with the same series. A low number of coincidences imply a high value of cross-ApEn, indicating asynchrony. If the value of cross-ApEn is low, then the two series are more concordant. The idea behind cross-ApEn is the same as before; it is not necessary to model the system in order to discriminate it satisfactorily.
Cross-Samp-En—An algorithm that measures the asynchrony between two different time series, based on the Samp-En algorithm. Conceptually, the formulation is very similar to SampEn. The most remarkable feature of this statistic is its independence of directionality, i.e., it does not matter which series is the template and which one is the target since the results are the same.
Data Compression—The process of encoding information using fewer bits than the original representation. Any particular compression is either lossy or lossless. Lossless compression reduces bits by identifying and eliminating statistical redundancy. No information is lost in lossless compression. Lossy compression reduces bits by removing unnecessary or less important information. In reducing statistical redundancy, measurements of order of compressed data is generally lower than uncompressed data.
Data Encryption—The process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies intelligible content to a would-be interceptor. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is possible to decrypt the message without possessing the key but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. Encryption schemes are designed to make the resulting ciphertext appear as random data. Measurements of order of encrypted data is generally much lower than unencrypted data.
Data Structure—A data structure is a data organization, management, and storage format that is usually chosen for efficient access to data. More precisely, a data structure is a collection of data values, the relationships among them, and the functions or operations that can be applied to the data, i.e., it is an algebraic structure about data. Data structures can be analogous to database records and their fields.
EnFret—An EnFret is the data for which a measurement of order is made.
Filesystem—A file system or filesystem is a method and data structure that the operating system uses to control how data are stored and retrieved. Without a filesystem, data placed in a storage medium would be one large body of data with no way to tell where one piece of data stopped and the next began, or where any piece of data was located when it was time to retrieve it. By separating the data into pieces and giving each piece a name, the data are easily isolated and identified. Taking its name from the way a paper-based data management system is named, each group of data is called a “file”. The structure and logic rules used to manage the groups of data and their names is called a “filesystem.”
Field—In computer science, data that has several parts, known as a record, can be divided into fields (data fields). Relational databases arrange data as sets of database records, so called rows. Each record consists of several fields; the fields of all records form the columns. Examples of fields: name, gender, hair color. A record can be analogous to a data structure and fields are analogous to objects within a data structure.
Input Output Interface—An electronic circuit that communicates with other electronic circuits in accordance to a specification.
Measurement of Order—A measurement of Shannon entropy or similar measurement such as the chi-squared test, serial byte correlation, arithmetic mean test, and Monte Carlo value for Pi.
Memory—An electronic circuit which allows for the temporal storage of data.
Monte Carlo value for Pi—Each successive sequence of six bytes is used as 24 bit X and Y coordinates within a square. If the distance of the randomly-generated point is less than the radius of a circle inscribed within the square, the six-byte sequence is considered a “hit”. The percentage of hits can be used to calculate the value of Pi. For very large streams (this approximation converges very slowly), the value will approach the correct value of Pi if the sequence is close to random.
Query—A request for a record from a storage or database device.
Repository of Data—A device that contains data. The data may be contained in memory or other non-persistent storage, in persistent storage such as a disk drive or solid state disk, or any other media form.
SampEn—Sample Entropy, an algorithm that measures the logarithmic probability that nearby pattern runs remain close in the next incremental comparison, but does not depend on the length of the data series.
Serial Byte Correlation—This measures the extent to which each byte depends upon the previous byte. For random sequences, this value (which can be positive or negative) will, of course, be close to zero. A non-random byte stream such as a C program will yield a serial correlation coefficient on the order of 0.5. Wildly predictable data such as uncompressed bitmaps will exhibit serial correlation coefficients approaching 1.
Shannon Entropy—In information theory, the Shannon Entropy or entropy of a random variable is the average level of “information”, “surprise”, or “uncertainty” inherent to the variable's possible outcomes. Shannon entropy is a way of measuring the degree of unexpectedness or unpredictability of a random variable. For example rolling a die has higher entropy than flipping a coin because the die has more possible outcomes making it harder to predict.
Storage—A technology or device which allows for the reading and writing of data that persists over time. Volatile storage fails after power is removed. Non-volatile storage does not require power to maintain its storage capabilities. Dynamic Random Access Memory is an example of volatile storage. FLASH memory and disk drives are examples of non-volatile storage.
Although the present invention has been described in detail with reference to one or more preferred embodiments, persons possessing ordinary skill in the art to which this invention pertains will appreciate that various modifications and enhancements may be made without departing from the spirit and scope of the claims that follow. The various alternatives for providing an efficient means for a Data Tampering Defense System that have been disclosed above are intended to educate the reader about preferred embodiments of the invention, and are not intended to constrain the limits of the invention or the scope of Claims. The List of Reference Characters which follows is intended to provide the reader with a convenient means of identifying elements of the invention in the Specification and Drawings. This list is not intended to delineate or narrow the scope of the Claims.
