
New ‘SHIELD’ Platform Harnesses FPGA and Off-Host Monitoring to Combat Advanced Ransomware Threats


Researchers from NYU Tandon School of Engineering have unveiled SHIELD (Secure Host-Independent Extensible Logging), an innovative security architecture designed to combat ransomware and other malware threats.

The solution leverages an FPGA-based logging system integrated with SATA and Network Block Device (NBD) protocols to provide real-time, tamper-resistant monitoring of disk activity.

This marks a significant step forward in malware detection, as current solutions relying on host-based data are unable to effectively counter sophisticated ransomware attacks.

SHIELD offers a three-pronged solution: collecting multi-level hardware metrics for distinguishing between benign and malicious software, extending FPGA-based SATA Host Bus Adapter (HBA) functionality to enable independent data storage operations, and laying the groundwork for machine learning–assisted malware detection integrated at the hardware level.

Key Advances with SHIELD

The SHIELD framework captures data through multiple hardware layers (NBD, FPGA, and SATA disks), ensuring independence from a compromised host system.

By extending Groundhog, an open-source FPGA-based SATA HBA, SHIELD provides complete disk operations without relying on host operating systems.

Additionally, the system supports detailed real-time metric collection within the filesystem, such as EXT4 superblock changes, inode modifications, and data block activities.

In experimental trials, SHIELD successfully analyzed activity patterns of 10 ransomware families, including LockBit, Babuk, and BlackMatter, alongside 10 benign software applications.

The results demonstrated SHIELD’s efficacy in identifying ransomware through unique metrics, such as the frequency of inode writes and data block reads, showcasing its ability to distinguish malicious behavior with better precision compared to traditional host-based defenses.
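To make the block-level metrics concrete, the following is an added example (not SHIELD's own code) that classifies off-host SATA/NBD transfers into ext4 regions from a hypothetical tiny volume geometry and computes per-window inode-write and data-block-read counts over a constructed event log; the thresholds are illustrative, not the paper's.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical ext4 geometry for a tiny volume (assumption, not the paper's):
# 4 KiB blocks, superblock in block 0, one group whose inode table occupies
# blocks 8..39, first data block at 40. SATA/NBD addresses are 512-byte sectors.
BLOCK_SIZE, SECTOR = 4096, 512
INODE_TABLE = range(8, 40)
DATA_START = 40

@dataclass(frozen=True)
class BlockEvent:
    t_ms: int      # timestamp assigned by the off-host logger
    op: str        # "R" or "W"
    lba: int       # starting sector of the transfer
    sectors: int   # transfer length in sectors

def classify(ev):
    """Map one transfer to the ext4 region(s) it touches."""
    first = ev.lba * SECTOR // BLOCK_SIZE
    last = ((ev.lba + ev.sectors) * SECTOR - 1) // BLOCK_SIZE
    regions = set()
    for blk in range(first, last + 1):
        if blk == 0: regions.add("superblock")
        elif blk in INODE_TABLE: regions.add("inode")
        elif blk >= DATA_START: regions.add("data")
        else: regions.add("other_metadata")   # group descriptors, bitmaps
    return regions

def window_metrics(events, window_ms=1000):
    """Per-window counts such as inode_write / data_read, from the log alone."""
    metrics = {}
    for ev in events:
        c = metrics.setdefault(ev.t_ms // window_ms, Counter())
        for region in classify(ev):
            c[f"{region}_{'write' if ev.op == 'W' else 'read'}"] += 1
    return metrics

def flag_windows(metrics, inode_write_min=20, data_read_min=50):
    """Windows with mass data reads plus many inode rewrites (illustrative thresholds)."""
    return sorted(w for w, c in metrics.items()
                  if c["inode_write"] >= inode_write_min and c["data_read"] >= data_read_min)

def sample_events():
    """Constructed log: window 0 is an editor saving one file; window 1 mimics
    a read-encrypt-rewrite sweep over 60 files with an inode update per file."""
    ev = [BlockEvent(100, "R", 320, 8), BlockEvent(150, "W", 320, 8), BlockEvent(200, "W", 64, 8)]
    for i in range(60):
        lba = (DATA_START + i) * 8                 # one 4 KiB data block per file
        ev += [BlockEvent(1000 + 10 * i, "R", lba, 8), BlockEvent(1005 + 10 * i, "W", lba, 8),
               BlockEvent(1007 + 10 * i, "W", (8 + i % 32) * 8, 8)]   # inode-table block
    return ev
```

Because the counts come only from addresses and lengths seen on the wire, a host-resident process cannot edit them after the fact.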

SHIELD’s Competitive Edge

SHIELD outperforms existing detection frameworks by addressing several shortcomings in contemporary methods.

Unlike host-dependent antivirus or machine learning algorithms, which are vulnerable to tampering, SHIELD ensures that all monitoring occurs outside the host system.

Its hardware-assisted logging provides granular, filesystem-aware metrics that can capture ransomware-specific anomalies like rapid encryption of files or unauthorized access patterns.

Additionally, SHIELD is optimized for real-time detection. It records the relevant metrics before changes are committed to disk, allowing actionable insights for rapid ransomware identification.

The host-independent design also ensures compliance with on-site data policies, making it a viable solution for organizations that avoid offsite cloud security infrastructure.

The research team plans to enhance SHIELD by integrating machine learning algorithms to automate malware detection, leveraging the robust dataset of hardware-level metrics.

Moreover, porting SHIELD to a custom ASIC-based storage controller could reduce latency and enable deployment in high-performance storage systems.

SHIELD paves the way for advanced, tamper-resistant malware detection with its reliance on off-host hardware-driven metrics.

By combining isolated architecture, multi-level monitoring, and extensible FPGA technology, it represents a cornerstone for future innovations in ransomware mitigation, responding to the ever-increasing sophistication of cyber threats.
