SoylentNews is people
SoylentNews
Software developed by SMU stops ransomware attacks:
Engineers from SMU's Darwin Deason Institute for Cybersecurity have developed software that detects ransomware attacks before attackers can inflict catastrophic damage.
[...] Unlike existing methods, such as antivirus software or other intrusion detection systems, SMU's new software works even if the ransomware is new and has not been used before.
SMU's detection method is known as sensor-based ransomware detection because the software doesn't rely on information from past ransomware infections to spot new ones on a computer. In contrast, existing technology needs signatures of past infections to do its job.
"With this software we are capable of detecting what's called zero-day ransomware because it's never been seen by the computer before," said Mitch Thornton, executive director of the Deason Institute and professor of electrical and computer engineering in SMU's Lyle School of Engineering. "Right now, there's little protection for zero-day ransomware, but this new software spots zero-day ransomware more than 95 percent of the time."
[...] "The results of testing this technique indicate that rogue encryption processes can be detected within a very small fraction of the time required to completely lock down all of a user's sensitive data files," Taylor noted. "So the technique detects instances of ransomware very quickly and well before extensive damage occurs to the victim's computer files."
[...] SMU's software functions by searching for small, yet distinguishable changes in certain sensors that are found inside computers to detect when unauthorized encryptions are taking place.
[...] Use of the computer's own devices to spot ransomware "is completely different than anything else that's out there," Taylor said.
(Score: 3, Insightful) by Immerman on Sunday May 17 2020, @04:23AM (2 children)
>Are those somehow different circuits then when users deliberately encrypt files?
Probably not - but if you don't normally encrypt your files (which is probably by far the norm), being prompted to disallow file system changes in response to any sustained any surge of encryption activity probably goes a long way toward stopping malicious activity. If you do enough sustained encryption to make hitting "allow" a nuisance... maybe this isn't for you. That's no reason to deny it to the vast majority.
(Score: 1, Insightful) by Anonymous Coward on Sunday May 17 2020, @06:19AM
Additionally, people who do encryption and compression tend to use common COTS software to do so. Maybe 2 dozen products in your whitelist signatures and most people are set. All you need to do is Detect -> Lockdown -> Verify -> Prompt if necessary. When someone says the activity is ok, then you can upload the information necessary to determine if it is worth whitelisting in future versions of the software.
(Score: 2) by vux984 on Monday May 18 2020, @01:35AM
You seem to have missed my overall point: I'm not saying this isn't a good idea. I'm saying its an old idea, and that the novelty of this new research is pretty limited. Limited to perhaps identifying a minor additional signal.