The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform

Due to recent indiscriminate attacks of ransomware, damage cases including encryption of users’ important files are constantly increasing. The existing vaccine systems are vulnerable to attacks of new pattern ransomware because they can only detect the ransomware of existing patterns. More effective technique is required to prevent modified ransomware. In this paper, an effective method is proposed to prevent the attacks of modified ransomware on Android platform. The proposed technique specifies and intensively monitors processes and specific file directories using statistical methods based on Processor usage, Memory usage, and I/O rates so that the process with abnormal behaviors can be detected. If the process running a suspicious ransomware is detected, the proposed systemwill stop the process and take steps to confirm the deletion of programs associated with the process from users. The information of suspected and exceptional processes confirmed by users is stored in a database. The proposed technique can detect ransomware even if you do not save its patterns. Its speed of detection is very fast because it can be implemented in Android source code instead of mobile application. In addition, it can effectively determine modified patterns of ransomware and provide protection with minimum damage.


Introduction
Ransomware [1] is a type of malware that uses malicious codes to intrude the system before users notice it, to encrypt important files, to require money using encrypted files as a hostage, and to give monetary damages to users.The rapid growth of the mobile market has been the main target of hackers to obtain illegal gains by using ransomware.The market share of Korea's Android OS is approximately 80% of the total share of smartphone market as shown in Table 1.Compared to other OS such as iOS, Windows Phone, or Blackberry, Android holds a high market share close to monopoly, while the others combined have less than 15% share in the mobile device market [2].The share of the Android platform is so high that the platform is the main target of ransomware attacks.Damage cases of Android-based smartphones are continuously growing recently.
Traditional vaccine system can detect a system if it is infected with ransomware and cure it.However, it cannot prevent attacks by ransomware without obtaining information on the ransomware.In addition, files cannot be recovered without the encryption key because files are already encrypted even if the traditional vaccine system can remove the ransomware [3].Users can avoid infections by updating the vaccine system from time to time.However, this method has limited efficacy.Existing vaccine system can detect ransomware using intrusion detection method based on files [4].However, this approach cannot detect modified ransomware with new patterns because it can only prevent ransomware based on analysis information of the ransomware.Therefore, an active instead of a passive prevention method is urgently required.
In this paper, a ransomware prevention technique on Android platform is proposed.The proposed method can monitor file events that occurred when the ransomware accesses and copies files.This technique can detect and remove the ransomware using the CPU and I/O usage as well as the information stored in the DB.This proposed method can detect modified patterns of ransomware without obtaining information about the ransomware.In addition, it can be implemented on the kernel and framework source of Android so that it can detect ransomware relatively faster than other programs that run at the application level.Furthermore, it can continuously monitor the ransomware without separately downloading or updating.The remainder of this paper is organized as follows.Related work is briefly discussed in Section 2. Our proposed approach is described in Section 3. Evaluation of the proposed approach is given in Section 4. Finally, several concluding remarks are given in Section 5.

Related Research
2.1.Ransomware.Ransomware spreading methods are similar to those of malicious code Trojan Horse [5] that contains malicious routine and pretends as a normal program.Ransomware intrudes into users' devices after pretending as a normal application such as Trojan Horse.Ransomware restricts the use of the system in various ways after intruding the system.It is mainly classified into the following three types: Scareware, Lock-Screen, and Encrypting [6].
(i) Scareware.It informs users that the device has been infected with malicious codes.It suggests the purchase of fake antivirus programs to treat them.It finally extorts money from the user.
(ii) Lock-Screen.It disables users' PC in any way.It locks the system so that the users are not able to run the operating system when executing the system.When a user runs his system, it disables the operating system and sends the message that your PC has illegal contents that you will be fined by impersonating FBI or government agencies.
(iii) Encrypting.This is the most serious type of ransomware.It prevents the use of important files in your device by encrypting them.It extorts money by encrypting users' files in PCs and letting users deposit the ransom for files to a virtual account to decrypt.
Ransomware accesses users and gives damage to them in various ways.For example, CryptoLocker [7] can encrypt files in PC.Reveton [8,9] will impersonate law enforcement agencies such as FBI.SimpleLocker [10] targets smartphone users of the Android environment.This ransomware can be serious security threat to cloud computing [11] as it becomes the basic infrastructure of information system.

Existing Techniques
2.2.1.Process Using Hash Information.The processing method of CryptoLocker is to compare Hash information.Cryp-toLocker generates files encrypted with ".encrypted" [12].The encrypted files are then added to the Hash Information.Signature, Public Key values, and their sizes will increase.Recovery tools are generally used to process CryptoLocker.They include different decryption key index information by infected users.Recovery tools compare Hash information and encrypted files in the data files, confirm the validation of key from key index information stored therein, and then proceed to decoding [13].
By looking at encrypted files' recovery methods used in existing vaccines, these methods obtain a sample by decompiling the ransomware and perform decryption using the decryption key found by the code analysis of the sample [14].There is a risk that when a new ransomware appears, users have to wait until a security company finds the decryption key value through sample analysis.Intelligent sensing techniques are required to detect new patterns of ransomware because ransomware constantly threatens the safety of mobile device.
System-based behavior detection technique [15] is based on the detection of occurrences of several behaviors in a computer system.It performs "integrity checking" and "behavior blocking" [16,17].Integrity checking technique conducts frequent inspections in order to confirm the integrity of the computing system.This approach calculates and writes the Hash values for execution files and directories on a clean computer system that is not infected by malware.Behavior blocking technique monitors all actions within the computer system.When a suspicious action occurs in similar way of malicious infections, this approach tracks the cause of executable file and blocks the execution of a suspicious action so that it has no progress.

Process Using CPU and I/O Usage. Statistical technique is one malware analysis technique that detects abnormal
behaviors by analyzing the resources of the system.NIDES (Next-generation Intrusion Detection Expert System) [18] of SRI (Stanford Research Institute) International is a typical system based on statistical techniques.NIDES sets a goal of detecting abnormal behaviors that occurred in the system with a profiling technique after collecting Processor usage, I/O rate, Memory usage, and so forth, over a long time.Korea Electronics and Telecommunications Research Institute uses the technique using the mean difference of CPU or Memory usage in order to provide a reliable service on the host [19,20].However, this technique only operates against the attacks of DDoS.In this paper, a technique is proposed to prevent the intrusion of ransomware on Android platform based on statistical methods using Process, Memory, and Storage I/O usage.

Android Application Permissions Analysis.
Android market applications demand Android system permissions in order to perform the correct operation.Applications registered in an official store show users permission requirements when they are downloaded.However, ordinary users may unintentionally download or run applications without carefully looking at them.Ransomware distributors will distribute the ransomware and pretend as a normal application on an official store using this security weakness.
To design the proposed method, the different kinds and functions of permissions on the Android system and permissions needed by ransomware are analyzed.Permissions to adversely affect the Android system are largely classified as System, SMS, Contact, and Location [21].Difference in permissions between Ransomware App and Normal App is shown in Table 2.A total of 14 kinds of ransomware that appeared between 2014.01 and 2015.09based on the report of virustotal [22] are included in the comparison (Table 2).
The functions of the corresponding permissions are not necessarily safe.These permissions access a lot of information, including the configuration information of the device, the list of applications, resource statistics, and personal information such as location information and SMS information.
Normal applications use these permissions.Therefore, users generally agree to install applications without doubt, even when it is the ransomware that requires permissions for the System, SMS, Contact, and Location.

The Proposed Technique
To have efficient implementation, the proposed technique is designed with three modules: Configuration, Monitoring, and Processing (Figure 1).Configuration module generates a monitoring list table for a smooth operation of the proposed method.It is the module for the initial setting.Monitoring module is responsible for monitoring Processor, Memory, and Storage I/O usages of every process in real time based on statistical techniques.Finally, processing module determines the handling of the process suspected as ransomware by the Monitoring module and makes an exception or isolation of the process.The proposed technique implements the configuration module, the monitoring module, and the processing module using the framework and kernel of the Android platform as shown in Figure 2. In addition, user's UI part added to the Android Settings and the database used in the configuration module are implemented within the framework.In the kernel, a part for generating I/O information to monitor the process is implemented, through which a kernel image is produced.
Algorithm 1 shows the operation flow of the basic technique proposed in this paper.Details are described later in different topics.

Configuration Module.
The configuration module is the basic setup to be applied when the proposed technique detects a ransomware.In this paper, default setting values that are information about the process or application installed by default on the Android platform are saved in a database.The foremost role of the configuration module is to specify the location of the files needed to be protected from the attacks of the ransomware.An area of these important files is called priority protection area (hereinafter PPA).If the proposed technique is run correctly, it will collect the information of PPA, register them to the watch list table for the monitoring module, and protect the corresponding files in real time.The second role is to register user's handling for the suspected process detected by the monitoring module into the database and maintain the handling.If the user finally determines the process as a ransomware, it stores the information of the corresponding process.It will automatically detect and delete the process depending on the user's feedback.If the user determines the process as normal, it records the information of the process and forces the system to maintain the process without terminating the process even if the process is redetected.

Monitoring Module.
The monitoring module is responsible for detecting the ransomware by monitoring the PPA area and the process.The monitoring module is largely composed of two modules (file monitoring and process monitoring) based on the roles.
(i) File Monitoring Module.It continuously monitors the status of the input/output events such as reading, writing, copying, and deleting of a file belonging to a PPA set in the configuration module and detects the attacks of the ransomware.Algorithm 2 shows the operation flow of the file monitoring module proposed in this paper.Upon detecting the suspected process, it also handles malicious or exceptional processes in the database applied in the configuration module.For the process registered as a malicious process, the monitoring module will stop the process at the moment of detection and automatically delete the process.For the process registered as an exceptional process, it will allow the normal execution because it is specified as safe by the user.

File Event Monitoring.
The monitoring module monitors the modification and deletion events of files and directories existing in a PPA.Monitoring path is generally through external storage of the device.Basic monitoring path is shown in Table 3.
Observer is arranged to monitor file events in each directory.File event monitoring using Observer is based on the patterns of ransomware to generate encrypted files after reading and writing target files and deleting original files.Observer can detect events of ransomware deleting and modifying files without obtaining data on the ransomware.Observer is responsible for monitoring modification and deletion events that occurred in each path while the device is on.If the event for the file occurs, Observer will pass the file event information to the monitoring module and find which process is the one that produced the event.The process  To prove the change of Processor usage, a sample ransomware is run.The name of the corresponding ransomware process is called "com.example.* * * .Sample".Figure 3 shows the status of the process when a latent ransomware process is carried out.Processor share shows 0-1% so that users will not notice it.
Figure 4 shows the situation when the latent ransomware performs encrypting files in earnest.The Processor usage is changed to 11% at the moment of the encryption.It peaked at 46%.
The process of I/O usage of the same ransomware at latency is shown in Figure 5.The top of the figure is the initial stage of the process execution.The amount of bytes read is relatively small.
The process of I/O usage of the same latent ransomware that performs active encrypting is shown in Figure 6.As shown in Figure 6, the file I/O usage is sharply increased because the data of the files to be encrypted are read and  written in earnest.The sharp increase in the CPU usage and I/O usage can be used to detect the ransomware.

Processing Module.
The processing module forcibly stops the process suspicious of ransomware in the monitoring module and inquires users about the appropriate handling of the process.Once the handling is determined, the information of the corresponding process will be stored in the database and used in the configuration module subsequently.Database table structure used in the processing module is shown in Table 4.
ID is used to place the number of each tuple.Package-Name is the name of an application.RiskType is a flag to determine whether it is safe/unsafe.Comment is prepared in case a separate explanation is needed.
The processing module also warns users about the risk of the ransomware through Android permission analysis.
(i) System Permission.The ransomware has permissions of the system.It seizes permissions of the device's administrator and prevents users from manipulating the device.This permission involves the risk of ransomware browsing the user's personal files stored in the device without user's permission.It uses administrator's permission.
(ii) SMS Permission.While a normal application provides convenience to users with SMS permission, the ransomware intercepts received messages to use them for illegal purposes by using SMS permission.
(iii) Contract Permission.Permission to access contacts is stored in the device.Typical examples of making ill use of this permission are phishing and smishing.
(iv) Network Permission.Permission to automatically find network connected to the device and allow the ransomware to operate.Ransomware seizes permission of the device so that   from time to time, the proposed method does not need so many updates because it can detect the ransomware based on its behavior.It does not need to install an application such as existing vaccines as it is implemented in the Android source.
In this study, we found a slightly degraded performance of the device after using the proposed technique in order to protect sensitive information.

Conclusion
In

Figure 1 :Figure 2 :
Figure 1: Overview of the proposed system.

(
ii) Process Monitoring Module.It continuously monitors Processor share by Process, Memory usage, I/O count, Storage I/O count, and so forth and detects the ransomware.Algorithm 3 shows the operation flow of the process monitoring module proposed in this paper.

Figure 3 :
Figure 3: Process status of the process when a latent ransomware is carried out.

Figure 4 :
Figure 4: Process status when a latent ransomware performs active encrypting.

Figure 5 :
Figure 5: I/O status when the ransomware is latent.

Figure 6 :
Figure 6: I/O status when the ransomware is active.

Figure 9 :
Figure 9: Running results of ransomware using the proposed technique.
this paper, a technique is proposed to reduce damage caused by unknown ransomware attacks on Android devices.The proposed method can effectively reduce damage caused by ransomware with modified or new patterns without obtaining information on the ransomware.It uses file input/output events and Processor status information based on the behavior of ransomware, unlike existing techniques that need information about the ransomware.It can automatically prevent damage caused by such ransomware attacks later based on information collected on the detected ransomware.It is possible to use the proposed method in all Android-based smart phones because this technique is added to the open source of Android source file.This technique is expected to allow users to minimize damage caused by attacks of ransomware that existing vaccine systems fail to detect.

Table 6 :
Evaluation of existing vaccine systems compared to the proposed technique.