Amoeba: An Autonomous Backup and Recovery SSD For Ransomware Attack Defense
[Figure: user, ransomware, encryption, ransom fee]
Damage of Ransomware Attack
How to Defend against Ransomware Attack
- Backup method
Approach 1: Host-level Backup
- FlashGuard [CCS’17]
- SSD-Insider [ICDCS’18]
with backup mechanism
Out-of-place update
Opportunities: Out-of-Place Update in an SSD
[Figure: address translation table of (LPN, PPN) entries (10, 2) and (20, 3) over SSD pages marked VALID. Ransomware encrypts File(A) at LPN 10. An in-place update would keep (10, 2); with the out-of-place update the entry becomes (10, 4) and the old page is marked INVALID and labelled Backup.]
Invalid page is actually an original page for recovery.
1. We can save storage space for backup because additional backup space is not required.
Challenges
[Figure: Flash Translation Layer (FTL) and NAND flash memory. Ransomware encrypts File(A), and a normal user overwrites File(B) at LPN 20, also as an out-of-place update, (20, 3) to (20, 5). The INVALID pages left by both writes are labelled Backup.]
Summary: Limitations of Previous Works [CCS’17, ICDCS’18]
Our Approach [Amoeba, CAL’18]
Challenge 1: How to Apply Content-based Detection at High Speed
[Figure: old data A and new data A’ compared by similarity and entropy]
Challenge 2: How to Accurately Detect Ransomware Attack
[Figure: old data A and new data A’ with write intensity, similarity and entropy]
Challenge 3: How to Minimize Backup Space Overhead
[Figure: user writes and ransomware writes, with valid pages and backup pages]
Amoeba System Architecture
- Amoeba DMA
[Figure: block diagram of the host machine and the SSD: DRAM buffer, SSD controller, DRAM, Flash Translation Layer (FTL), Amoeba DMA, flash controller, NAND flash]
1. Amoeba DMA Engine
[Figure: a write request with new data arrives in the DRAM buffer while the old data is in NAND flash; the first diagram shows an internal DMA, the later ones show the Amoeba DMA with new data, old data, similarity and entropy]
2. Ransomware Attack Risk Indicator (RARI)
[Figure: RARI computation; labels: Probability, RARI]
[Figure: user writes and ransomware writes, with valid pages and backup pages]
3. Intelligent Backup Control Mechanism
- Recovery Procedure
[Figure: SSD pages before and after a recovery request, with page states VALID, BACKUP and INVALID]
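The out-of-place update, selective backup and recovery steps from the slides above, as an added sketch that is not code from the Amoeba authors: a toy FTL that starts from the slides' mappings (10, 2) and (20, 3). The byte-match similarity measure, the 7.5 and 0.1 thresholds and the names ToyFTL, entropy, similarity and demo are assumptions; the slides name the metrics but do not give the RARI computation, and write intensity is left out.

```python
import hashlib
import math
from collections import Counter

def entropy(buf):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def similarity(old, new):
    """Fraction of byte positions left unchanged by the write."""
    return sum(a == b for a, b in zip(old, new)) / len(old)

class ToyFTL:
    def __init__(self, l2p, flash):
        self.l2p = dict(l2p)            # LPN -> PPN address translation
        self.flash = dict(flash)        # PPN -> page contents
        self.state = {ppn: "VALID" for ppn in flash}
        self.backup = {}                # LPN -> PPN of the retained original
        self.next_free = max(flash) + 1

    def write(self, lpn, data):
        old_ppn, new_ppn = self.l2p[lpn], self.next_free
        # Assumed rule, not the RARI formula: high entropy and low similarity.
        risky = entropy(data) > 7.5 and similarity(self.flash[old_ppn], data) < 0.1
        self.flash[new_ppn], self.state[new_ppn] = data, "VALID"
        self.l2p[lpn], self.next_free = new_ppn, new_ppn + 1   # out-of-place update
        if risky and lpn not in self.backup:
            self.backup[lpn], self.state[old_ppn] = old_ppn, "BACKUP"
        else:
            self.state[old_ppn] = "INVALID"   # garbage collection may reclaim it
 
    def recover(self):
        for lpn, ppn in self.backup.items():
            self.state[self.l2p[lpn]] = "INVALID"       # drop the encrypted copy
            self.l2p[lpn], self.state[ppn] = ppn, "VALID"
        self.backup.clear()

# Constructed sample pages (4096 bytes each); hash output stands in for ciphertext.
FILE_A = (b"quarterly report, revision 1\n" * 200)[:4096]
FILE_B = (b"meeting notes, draft\n" * 250)[:4096]
HIGH_ENTROPY_A = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

def demo():
    ftl = ToyFTL({10: 2, 20: 3}, {2: FILE_A, 3: FILE_B})
    ftl.write(10, HIGH_ENTROPY_A)             # ransomware overwrite of LPN 10
    ftl.write(20, b"MEETING" + FILE_B[7:])    # normal user edit of LPN 20
    before = (dict(ftl.l2p), dict(ftl.state))
    ftl.recover()
    return before, (dict(ftl.l2p), dict(ftl.state)), ftl.flash[ftl.l2p[10]] == FILE_A
```

Only the page replaced by the high-entropy write is held as BACKUP; the normal edit's old page goes straight to INVALID, which is the space saving Challenge 3 asks for.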
Evaluation Methodology
Result 1: Average Response Time
[Figure: normalized average response time (ms) at SSD page occupancy 20%, 40% and 80%; data labels 4.0546063 and 1.0817913]
Amoeba only increased by 8% compared to baseline.
Result 2: Detection Accuracy
[Figure: number of occurrences for FlashGuard, SSD-Insider and Amoeba; data labels 11.11%, 2.79% and 0.68%; annotations "Decrease by 23 %" and "Decrease by 4.5 %"]
Amoeba has less than 1% false detection.
Conclusion
[Figure: old data A and new data A’ with write intensity, similarity and entropy]
Thank you
Q&A
Donghyun Min
Sogang University, South Korea
Backup slides 1: GC Calls
[Figure: number of GC calls at SSD page occupancy 20%, 40% and 80%]
[Figure: occurrence of recovery fail]