Sat 3 May 2025 14:00 - 14:20 at 206 - Paper session 2 and panel questions Chair(s): Eunkyoung Jee

The rise of crypto-ransomware, especially variants targeting Windows systems that leverage multi-threading and swift encryption rates, renders conventional detection methods ineffective, often resulting in delayed detection and significant file losses. Although trap file monitoring provides real-time detection, it may lead to false positives due to concurrent user activities on endpoints. Furthermore, there is a research gap in identifying ransomware processes, as most of the research focuses on real-time ransomware detection rather than on identifying the processes responsible for the ransomware activity. To address the above limitations, we propose RANDART, a tool designed to detect and terminate ransomware activity in real time while minimizing false positives and accurately identifying ransomware processes. RANDART achieves this through two distinct functional blocks: one monitors file modifications, while the other tracks modifications in the Windows Registry. The first block monitors file modifications, including delete, write, or rename operations on trap files. The trap files are selected using a non-parametric clustering method called Affinity Propagation paired with the file access patterns of modern ransomware variants. The second functional block monitors critical registry hives in the Windows Registry for key additions, value additions, and value updates to confirm ransomware activity, thereby reducing false positives. Upon ransomware detection, RANDART employs a lightweight classifier, using process attributes such as I/O counters, page faults, handles, and threads as features, to selectively identify and terminate ransomware processes among the running processes. In the evaluation, RANDART demonstrated an average latency of 1.7 seconds and a file loss rate of 0.35% across 20 ransomware families, with no instances of false positives.
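To make the two-block confirmation logic in the abstract concrete, the following is an added illustration (not RANDART's own code): a trap-file hit alone is only a suspicion, a watched-hive change shortly afterwards confirms it, and a simple per-attribute outlier score stands in for the paper's process classifier. Trap paths, registry keys, the 5-second window, the scoring rule and all sample events are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Constructed trap paths, watched hives and window; none of these come from the paper.
TRAP_A = r"C:\Users\alice\Documents\~trap01.docx"
TRAP_B = r"C:\Users\alice\Pictures\~trap02.jpg"
TRAP_FILES = {TRAP_A, TRAP_B}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WATCHED_HIVES = (RUN_KEY, r"HKLM\SYSTEM\CurrentControlSet\Services")
WINDOW_S = 5.0          # assumed: registry change must follow the trap hit within 5 s
FILE_OPS = {"delete", "write", "rename"}
REG_OPS = {"key_add", "value_add", "value_update"}

@dataclass
class Event:
    t: float      # seconds since monitoring started
    kind: str     # "file" or "registry"
    target: str   # file path or registry key
    op: str       # one of FILE_OPS or REG_OPS

def confirm_ransomware(events, window=WINDOW_S):
    """Block 1 raises a suspicion on the first trap-file op; block 2 confirms it only
    if a watched hive changes within `window` seconds. Returns confirmation time or None."""
    first_trap = None
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "file" and ev.target in TRAP_FILES and ev.op in FILE_OPS:
            first_trap = ev.t if first_trap is None else first_trap
        elif (ev.kind == "registry" and ev.op in REG_OPS
              and any(ev.target.startswith(h) for h in WATCHED_HIVES)):
            if first_trap is not None and ev.t - first_trap <= window:
                return ev.t
    return None            # a lone trap hit (e.g. a user renaming the file) never fires

def suspect_pids(snapshot, factor=4.0):
    """Crude stand-in for the paper's classifier: flag processes whose attributes sit far
    above the endpoint's per-attribute median. `snapshot` maps pid -> attribute dict."""
    keys = ("write_ops", "page_faults", "handles", "threads")
    med = {k: median(p[k] for p in snapshot.values()) or 1 for k in keys}
    scores = {pid: sum(p[k] / med[k] for k in keys) / len(keys) for pid, p in snapshot.items()}
    return {pid for pid, s in scores.items() if s >= factor}

# Constructed sample inputs.
BENIGN_EVENTS = [Event(1.0, "file", TRAP_A, "rename")]                    # user touched a trap
RANSOM_EVENTS = [Event(1.0, "file", TRAP_A, "write"), Event(1.4, "file", TRAP_B, "delete"),
                 Event(2.5, "registry", RUN_KEY + r"\svchost_upd", "value_add")]
SNAPSHOT = {4120: dict(write_ops=52_000, page_faults=210_000, handles=340, threads=24),
            812: dict(write_ops=300, page_faults=9_000, handles=120, threads=6),
            1500: dict(write_ops=1_200, page_faults=15_000, handles=200, threads=8),
            2233: dict(write_ops=90, page_faults=4_000, handles=60, threads=3)}
```

A real deployment would feed these functions from a filesystem watcher and a registry-notification API and use a trained classifier; the point here is that a registry change is required before the trap hit escalates to termination.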

Sat 3 May

Displayed time zone: Eastern Time (US & Canada)

14:00 - 15:30
Paper session 2 and panel questions (EnCyCriS) at 206
Chair(s): Eunkyoung Jee KAIST, South Korea
14:00
20m
Paper
RANDART: A Hybrid Approach Leveraging File Traps and Registry Monitoring to Thwart Crypto Ransomware on Windows Endpoints
EnCyCriS
P. Mohan Anand (Indian Institute of Technology Kanpur, India), P.V. Sai Charan (New York University, USA), Hrushikesh Chunduri (Indian Institute of Technology Kanpur, India), Sandeep K. Shukla (Indian Institute of Technology Kanpur)
14:20
20m
Paper
Static Analysis of IoT Firmware: Identifying Systemic Vulnerabilities with RMMIDL
EnCyCriS
Ahmad Al-Zuraiqi (Queen's University Belfast, UK), Desmond Greer (Queens University)
14:40
45m
Panel
Panel based discussions and open questions - afternoon session
EnCyCriS

15:25
5m
Day closing
Workshop Closure
EnCyCriS
Coralie Esnoul (Institute For Energy Technology (IFE))