Visible to the public Ransomware Detection in Databases through Dynamic Analysis of Query Sequences

TitleRansomware Detection in Databases through Dynamic Analysis of Query Sequences
Publication TypeConference Paper
Year of Publication2022
AuthorsSendner, Christoph, Iffländer, Lukas, Schindler, Sebastian, Jobst, Michael, Dmitrienko, Alexandra, Kounev, Samuel
Conference Name2022 IEEE Conference on Communications and Network Security (CNS)
KeywordsAttack Modeling, Benchmark testing, Colored Petri Nets, composability, database, Databases, machine learning, Metrics, MySQL, Network security, Neural networks, Petri nets, pubcrawl, ransomware, resilience, Resiliency, Runtime
AbstractRansomware is an emerging threat that imposed a \$ 5 billion loss in 2017, rose to \$ 20 billion in 2021, and is predicted to hit \$ 256 billion in 2031. While initially targeting PC (client) platforms, ransomware recently leaped over to server-side databases-starting in January 2017 with the MongoDB Apocalypse attack and continuing in 2020 with 85,000 MySQL instances ransomed. Previous research developed countermeasures against client-side ransomware. However, the problem of server-side database ransomware has received little attention so far. In our work, we aim to bridge this gap and present DIMAQS (Dynamic Identification of Malicious Query Sequences), a novel anti-ransomware solution for databases. DIMAQS performs runtime monitoring of incoming queries and pattern matching using two classification approaches (Colored Petri Nets (CPNs) and Deep Neural Networks (DNNs)) for attack detection. Our system design exhibits several novel techniques like dynamic color generation to efficiently detect malicious query sequences globally (i.e., without limiting detection to distinct user connections). Our proof-of-concept and ready-to-use implementation targets MySQL servers. The evaluation shows high efficiency without false negatives for both approaches and a false positive rate of nearly 0%. Both classifiers show very moderate performance overheads below 6%. We will publish our data sets and implementation, allowing the community to reproduce our tests and results.
Citation Keysendner_ransomware_2022