Shield: Secure Host-Independent Extensible Logging for SATA/Network Storage Towards Ransomware Detection

Md Raz, P.V. Sai Charan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri
This work is supported in part by the Defense Advanced Research Projects Agency (DARPA) under contract HR00112390029. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Government. Department of ECE, NYU Tandon School of Engineering, 5 MetroTech Center, Brooklyn, NY 11201, USA
[email protected], [email protected], [email protected], [email protected], [email protected]

Abstract

As malware such as ransomware becomes sophisticated, the ability to find and neutralize it requires more robust and tamper-resistant solutions. Current methods rely on data from compromised hosts, lack hardware isolation, and cannot detect emerging threats. To address these limitations, we introduce Shield—a detection architecture leveraging FPGA-based open-source SATA and Network Block Device (NBD) technology to provide off-host, tamper-proof measurements for continuous observation of disk activity for software executing on a target device. Shield provides three distinct contributions: It (1) develops a framework to obtain and analyze multi-level hardware metrics at NBD, FPGA, and SATA storage levels, and shows their ability to differentiate between harmless and malicious software; (2) Broadens the functionality of an open-source FPGA-driven SATA Host Bus Adapter (HBA) to offer complete data storage capabilities through NBD without relying on the host system; (3) Provides a foundation for using the methodology and metrics in automated machine learning-assisted detection and ASIC integration for advanced mitigation capabilities in data storage devices. Shield analyzes 10 benign programs and 10 modern ransomware families to illustrate its capacity for real-time monitoring and use in distinguishing between ransomware and benign software. Experimental evidence shows Shield’s robust host-independent and hardware-assisted metrics are a basis for detection, allowing to observe program execution and detect malicious activities at the storage level.

Index Terms:

Architecture/System Design, Security, Privacy

I Introduction

Ransomware, one of the most prevalent forms of malware, encrypts a victim’s file system and demands a ransom for decryption [1]. The emergence of Ransomware as a Service (RaaS) has transformed ransomware into a lucrative business model, from which individuals with minimal technical expertise can execute attacks [2]. Modern ransomware families are increasingly sophisticated, leveraging multi-threading and other techniques to accelerate encryption rates [3]. The AvosLocker variant employs multiple parallel threads to facilitate rapid encryption. LockBit can encrypt up to 20,000 files per minute [4, 5, 6]. BlackBasta, Rorschach, and BlackCat use intermittent encryption—modifying only small sections of files to make them inaccessible. This speeds up file encryption to 50,000 files per minute, making these attacks faster and more efficient [7]. In a study by researchers at Splunk, the encryption speeds of ransomware variants were tested on a dataset of 98,000 files totaling 53 GB. The findings demonstrated high encryption rates for variants such as Babuk, LockBit, and REvil [8]. The effectiveness and ease of executing ransomware, coupled with covert digital channels for communication and monetary exchange, have made it a preferred method for attackers to inflict financial, reputational, and data losses on victims. Ransomware detection mechanisms have been developed by monitoring API calls, using hardware performance counters, deploying trap files, cataloging changes within the Windows Registry, and identifying anomalous network behavior [9, 10, 11, 12, 13, 14, 15, 16].

Although each solution may fit a particular scenario, all detection and mitigation techniques for sophisticated ransomware have limitations when executed on a compromised host: they rely on metrics at the software and host-levels, which are inherently vulnerable to tampering and manipulation. These approaches also lack the granularity to collect detailed, filesystem-aware, or data-centric measurements. Cloud-based solutions, while offering isolation from host-level tampering, require offsite security infrastructure, placing sensitive data under the operational security policies of an external organization. This approach is unsuitable—or even prohibited—due to an organization’s data policies [17]. This underscores the need for robust, tamper-resistant detection solutions that operate independent of the host system’s integrity [18, 15].

To address these limitations, we present Shield, a secure, host-independent, and extensible logging mechanism that can be used to detect data compromise by leveraging metrics obtained via multiple hardware layers across the storage stack. Shield can capture metrics at multiple hardware levels, including the Network Block Device (NBD), FPGA, SATA Host Bus Adapter (HBA), and SATA disk file system. Although Shield can be modified to support different file systems, this study uses metrics captured within the Linux supported EXT4 file system. Key contributions of Shield are:

1.

Develop a framework to collect and analyze multi-level filesystem-aware tamper-proof hardware metrics to discern malicious behaviors from benign ones. This lays the groundwork for a first-of-its-kind ransomware mitigation using these metrics.
2.

Extend an open-source FPGA-based SATA Host Bus Adapter, the Groundhog HBA, to support full disk capability required to mount, format and initialize a file system. This allows support through NBD for the FPGA HBA over Ethernet regardless of host or operating system, and verifies functionality on real hardware.
3.

Case studies showing that the metrics collected by Shield can be the foundation for future research, including automated machine learning-assisted detection and ASIC integration for detection capabilities in storage devices.

Refer to caption — Figure 1: Architectural overview of Shield components and flow.

II System Architecture and Methodology

II-A System Overview and Design Goals

The primary objective of Shield is to create a cost-effective and host-independent architecture for capturing metrics from the SATA, file system, and server-side NBD layer, allowing the use of these metrics in automated, real-time hardware based detection of malware and ransomware. Fig. 1 is an overview of this architecture.

II-A1 Host-Independent Multi-level Metric Acquisition

The architecture is designed to capture meaningful data across multiple hardware levels, including the SATA interface, data storage file system, and Ethernet-based server-side NBD, all while being independent to any compromised metrics which may be obtainable from the host. This multi-layered approach provides not only fundamental measurements such as access types and sizes, but also detailed metrics unique to the file system. Although Shield can be modified to support different file systems, we qualify our case studies using the EXT4 filesystem [19]. For EXT4, this architecture can capture unique metrics like access and modification events in the superblock, which stores key disk information such as usage and block sizes; group descriptor tables (GDT), which map disk features and usage patterns; inodes, which contain file metadata and pointers to data blocks; and inode data blocks, which hold the actual file data [20, 21, 22].

II-A2 Use of Open-Source SATA Host Bus Adapter (HBA)

Although SATA is a widely used protocol for transfer of data between a host and a memory device, proprietary SATA IP is expensive, restricting its accessibility for research and testing purposes. We implement Shield’s proof of concept with the open-source Groundhog HBA, which enables an FPGA interface between a computer and permanent storage device using Microsoft’s Simple Interface for Reconfigurable Computing (SIRC) [23, 24, 25]. Shield extends the software-side capability of the SATA HBA to become operating system agnostic and NBD compatible, no longer requiring OS primitives or software-side SIRC for communication. The SATA HBA is further developed for system mounting, formatting, and file system initialization of the storage device [26, 27].

II-A3 Use of an FPGA

We use the Digilent XUPV5 FPGA which has features for communication and SATA design:

•

High Speed Gigabit Transceiver Ports (GTP): The XUPV5 provides GTPs capable of achieving the 3 Gb/s throughput required for SATA generation 2 communication. The GTPs also enable access Ethernet functionality for server-side NBD communication [28].
•

On-board SATA Hardware: The XUPV5 board includes dedicated integrated circuits for SATA clock generation for GTPs, as well as physical SATA connectors, enabling direct interfacing with storage devices.
•

FPGA Primitives: The Virtex-5 FPGA has many logic blocks, memory, and DSP primitives, allowing for expansion when implementing detection circuitry [29, 30].

II-A4 Support for Virtual and Physical Storage

The architecture was designed to support both physical SATA devices and virtual disk images to facilitate experimentation and testing. As the addition of FPGA, Ethernet, NBD layers, and a physical hard disk drive introduces latency, virtual disk support is essential for faster prototype iterations and disk formatting. With the ultimate goal of deploying this architecture within or alongside data storage ASICs, we anticipate significantly reduced latency in the prospective ASIC implementation.

II-B Implementation and Execution

II-B1 Execution Flow

The flow through Shield components is illustrated in Fig. 1. It is initiated by an NBD client on the host, which may be a separate machine or a virtualized environment on the same system. This client connects to the NBD server , communicating over Ethernet to the FPGA , which handles measurement and logging of the desired metrics. The FPGA interfaces directly with a SATA disk , enabling low-level access to data storage and file system structures. Metrics are collected across multiple layers—including network, FPGA, and file system levels—and then observed in real-time or recorded before changes are committed to the disk. These recorded metrics are inputs for behavior fingerprinting and anomaly detection, to distinguish between benign and malicious activities . Algorithm 1 collects metrics used to capture the file system interactions in real-time.

II-B2 Software

The NBD server interfaces with the client-side host and uses either (a) an Ethernet packet generation library for FPGA communication or (b) access functions to interact with a local virtual-disk image. This setup allows the host—a separate machine or a virtualized instance—to perform standard file system operations (e.g., mounting, reading, writing) as though directly connected with a physical disk. The NBD server also captures metrics like read/write counts, access sizes, pending requests, and disk utilization to ensure consistency with hardware metrics [31].

II-B3 Hardware

The FPGA between the NBD server and storage device captures additional metrics for accurate software fingerprinting. Basic measurements include access type (read/write), access size, and disk location. With direct disk and data buffer access, the hardware can analyze detailed file system features, such as the superblock, group descriptor tables, and inodes, to track granular changes within the EXT4 filesystem. An overview of relevant EXT4 structures utilized by Shield is depicted in Fig. 2. Beyond these core metrics, the EXT4 filesystem offers additional data points, like journals and extent trees, though these are outside the current scope of Shield. The hardware can collect metrics in two ways: (a) actively, by using direct SATA commands to read data independently from the host, and (b) passively, by parsing buffers as data is read/written by the host. This dual approach, as outlined in Algorithm 1, allows the hardware to perform an initial file system scan during disk initialization, before the host enumerates the drive, and then switch to passive monitoring during regular host operations.

Initialize Global Variables and File System Structs;

Initialize Hardware Connection to Disk

Load Superblock from SUPERBLOCK_OFFSET into Superblock_Struct;

if EXT4 Magic Number Exists in Superblock then

Initialize Array of GDT Structures // Active Parsing

Load GDT from GDT_OFFSET into GDT Array;

for Each GDT Entry do

Load Inode Table from GDT Entry into Inode Array;

for Each Inode in Inode Array do

Load Data Block Addresses from Inode;

Traverse and save Direct, Indirect, Double-Indirect, and Triple-Indirect Data Block Addresses;

end for

end if

Run NBD Process // Connects Host to Disk

while True do

if NBD Read Operation then

determine_fs_feature(offset)

Log file system feature accessed // Passive Parsing

Load Data from Disk and Return to Host

end if

if NBD Write Operation then

determine_fs_feature(offset)

Log file system feature accessed

Log Changes written to feature // Passive Parsing

Update Local file system Structs

Write Disk Commit Data to Disk

end if

end while

Algorithm 1 Shield Flow to Log Metrics

TABLE I: Selected Ransomware and Benign Software.

No.	Ransomware	Benign Software
1	Intercobros	Veracrypt
2	AtomSilo	UltraSearch
3	BlackMatter	Camstasia
4	Bubuk	Gimp
5	AvosLocker	7zip
6	Karma	VLC
7	Cerber	qBittorrent
8	Conti	Handbrake
9	Lockbit	Eraser
10	Makop	OBS

TABLE II: Comparison of (a) server-side NBD (Software) and (b) FPGA-Ethernet, FPGA-SATA & file system (Hardware) Metrics.

Software Metrics (Server-side NBD)	Hardware Metrics (FPGA-Ethernet, FPGA-SATA and File System)
Number of Reads	Number of Reads
Number of Writes	Number of Writes
Bytes Read	Bytes Read
Bytes Written	Bytes Written
Average Read Request Size (KB)	Inodes Read
Average Write Request Size (KB)	Inodes Written
Average Queue Length	Data Block Reads
Disk Utilization	Data Block Writes

III Case Studies: Program Fingerprinting

III-A Experimental Setup

To validate that Shield can distinguish between ransomware and benign software, case studies were conducted involving the 10 ransomware variants and 10 common benign programs listed in Table I. Contemporary ransomware families were chosen based on their technical sophistication and relevance to current attack trends. Benign programs included common software such as media players and file-sharing applications. Additionally, to test the effectiveness of Shield in discerning high disk activity typical of ransomware, we included benign programs with substantial disk use, including file compression (7-zip), secure deletion (Eraser), and file encryption (Veracrypt) applications.

A controlled sandbox was configured with 16 GB of RAM, 32 GB of OS storage, and 5 GB allocated to the test storage device. For consistency, the host environment was reset to a fixed snapshot, and the test storage device was wiped and reformatted to a predefined disk image with 3,970 pre-existing files per test. After being preloaded onto the storage device, each program was executed, collecting relevant data within 6-minute time window at the NBD, FPGA, and filesystem levels for fingerprinting. These experiments helped to identify the metrics captured by Shield that are most effective in differentiating benign and malicious behaviors.

III-B Experimental Observations

III-B1 Observed and Recorded Metrics

Software metrics are obtained from the server-side NBD process and system, while hardware metrics are recorded at the FPGA-Ethernet, FPGA-SATA, and EXT4 device levels. In general, software-level metrics are used to validate the accuracy of the hardware measurements, providing additional context and ensuring host independence. Table II outlines the metrics selected for this case study, although Shield can collect other metrics. Fig. 3 plots measurements for these metrics, outlining fundamental and unique metrics for software and hardware.

III-B2 At the Software Level

Metrics such as the number of reads and writes, along with their sizes, are collected (Fig. 3.a). These measurements show that ransomware tends to have a higher number of reads and larger read sizes per second compared to benign software—an indicator of malicious behavior, though not conclusive. The number of write operations and their sizes are similar for ransomware and benign software, with the latter showing a slightly higher range. This overlap limits the usefulness of write metrics. The software metrics confirm that the programs executed as expected, and serve as a baseline for comparison with hardware measurements.

Other metrics which are unique to software capture are collected (Fig. 3.b), and these include the average read request size, average write request size, average queue length, and disk utilization percentage. These metrics show similar activity patterns for both ransomware and benign programs, indicating that they are less useful for distinguishing between the two.

III-B3 At the Hardware Level

The hardware (Fig. 3.c), containing the number of reads, writes, and sizes, are identical to the software measurements (Fig. 3.a). Thus the metrics captured in hardware are accurate while being host-independent. The hardware level offers additional metrics that reveal clear differences (Fig. 3.d), showing which metrics can cern between ransomware and benign software:

•

Inodes Written: Ransomware consistently shows a high number of write operations to unique inodes, in contrast to benign software, which remains in the low single digits. This difference is a strong indicator of ransomware behavior.
•

Inodes Read: Ransomware generally performs read operations for unique inodes more frequently, though the average difference is less pronounced. This increased access pattern may indicate malicious activity.
•

Data Blocks Read: Ransomware typically reads a significantly higher number of data blocks, averaging around 150, compared to benign software, which consistently averages about 50. This difference in read activity also discerns ransomware from benign behavior.
•

Data Blocks Written: While the total number of data blocks written is comparable between ransomware and benign software, a key difference lies in the distribution of these writes when analyzed alongside correlated metrics. Ransomware tends to write to a large number of files (high inode access counts), whereas benign software accesses few files.

III-C Analysis of Recorded Metrics

III-C1 Coherence between Software and Hardware Levels

The collected metrics demonstrate strong coherence between software and hardware measurements as the number of reads and writes are identical in both count and trend (Fig 3.a and Fig 3.c). Additionally, the bytes read and written at the hardware level correspond directly to those read and written at the software level. This confirms that the hardware-level measurements are both accurate and reliable, offer the same insights as the software-level metrics, and provide additional off-host hardware-specific information while being invulnerable to tampering.

III-C2 Discerning Between Malicious and Benign Behavior

Our observations reveal that several metrics exhibit differences and may be useful when comparing ransomware with benign software, as analyzed in Fig. 4. The most distinctive metric is the total number of inode writes, which increases significantly when a program alters file metadata or pointers to data blocks at high rates. Despite testing benign programs that access all files on the drive—such as secure file deletion and file compression—the data shows that these programs only modify a limited number of inodes each second, usually in the single digits (Fig. 4.b). In contrast, ransomware consistently modifies many inodes, usually nearing the total inodes used in the entire file system. This metric appears highly promising for ransomware detection and could be enhanced by checking granular details, such as the inode elements being modified (e.g., access time, deletion time, file size, and file type).

The total inodes read and total data blocks read (Fig. 4.a and 4.c) reveal distinguishable patterns between ransomware and benign programs, both in mean values and in standard deviation ranges. Ransomware consistently shows higher values in these metrics. However, depending on the ransomware family, the number of data blocks read per inode can vary before encryption occurs, even though the total number of inodes accessed remains similar. The correlation between total inodes read and total data blocks read may serve as a potential fingerprinting method for different ransomware families, each displaying unique variations in these readings.

The metric for total data blocks written (Fig. 4.d) shows significant overlap between ransomware and benign programs. Benign programs exhibit more variability, with applications like 7-Zip and Eraser writing substantially more data blocks compared to others. Ransomware shows consistent, lower deviation in data block writes. This consistency, combined with metrics such as inode write frequency, could be a strong indicator of ransomware activity. A high inode write rate paired with stable or minimally varied data block writes, aligns with the average pattern across different ransomware samples.

TABLE III: Comparison of Ransomware Detection and Mitigation Architectures.

Architecture	Metric Acquisition Level	Tamper Resistant	Host Independent	Hardware Assisted	Data Integrity Centric	Real-time	Evasion Proof
File Integrity Monitoring [32]	Application	✗	✗	✗	✓	✗	✗
Decoy Files [7, 13]	Application	✗	✗	✗	✓	✓	✗
Signature-based Antivirus [33]	Application	✗	✗	✗	✗	✗	✗
AI/ML-based Detection [18]	App/Kernel	✗	✗	✗	✓	✓	✗
Process Monitoring [34]	Kernel	✗	✗	✗	✓	✓	✗
Hardware Traces [35]	Hardware	✓	✗	✓	✗	✓	✓
Performance Counters [36]	Hardware	✓	✗	✓	✗	✓	✗
Sandboxing [37]	Off-host	✓	✓	✗	✗	✗	✗
Cloud-based Security [38]	Off-host	✓	✓	✗	✗	✗	✗
NVMe-oE SSD Logging [39]	Hardware	✓	✓	✓	✗	✗	✓
Filesystem-aware [40, 41]	Kernel	✗	✗	✗	✓	✓	✗
Shield (This Work)	Hardware	✓	✓	✓	✓	✓	✓

IV Discussion

IV-A Usefulness of Shield Metrics

The metrics collected by Shield, as verified in the case studies, are effective for ransomware detection. Hardware-level metrics have proven to be both reliable and accurate compared to software-level metrics, while also introducing novel insights through data such as inode and data block accesses. By capturing granular details on data access patterns—including file reads, writes, inode modifications, and superblock interactions—Shield enables the identification of deviations from typical usage patterns, which may indicate malicious activity. These results validate that Shield’s metrics effectively support data access pattern recognition, highlighting the value of its metric extraction framework for real-time anomaly detection directly at the storage level.

IV-B Security Benefits of Shield

Shield’s host-independent design improves security by isolating metric collection from the host, providing key benefits:

•

Tamper-Resistance: With metrics logged server-side, Shield is immune to host tampering, preventing evasion by malicious software that may otherwise compromise host-based monitoring tools.
•

Local Storage on the Network: Since metrics are collected locally within the network, Shield allows organizations to retain control over data, complying with on-site data policies and eliminating the need for offsite storage.
•

Controlled Data Access: Since every operation that accesses or modifies disk data must pass through the Shield hardware pipeline, evasion or obfuscation of on-disk changes is prevented. This capability can also be extended to block access to certain file system features at the hardware level in real time, making the system more resistant to malicious behavior.

IV-C Platform Limitations and Extensions

Refining software and hardware in the current Shield proof-of-concept can further enhance throughput and hardware efficiency. Tests reveal that when using a virtual disk, logging introduces a 1 second latency during active parsing and 0.5 ms latency when passively parsing, with a system-to-disk throughput of about 600 MB/s. When accessing the SATA disk from the SATA HBA, the raw disk throughput reaches 250 MB/s, but when accounting for overhead between NBD and FPGA-Ethernet layers, throughput is reduced to approximately 100 KB/s. This reduction in throughput is primarily caused by packet sizes and buffer handling, and they can be addressed through the following optimizations:

•

Ethernet Packets: Currently, the Ethernet packet sizes are limited to 512 bytes per packet. Modifying the Ethernet packet generation library to utilize the standard maximum packet size of 1500 bytes would increase throughput by roughly threefold. For even higher throughput, the Ethernet pipeline could be extended to implement a custom packet protocol that supports even larger packets.
•

FPGA Buffers: The FPGA uses two pairs of input and output buffers within the Ethernet and SATA HBA modules to handle data transfers. Unifying these buffers would reduce the latency associated with loading and accessing each buffer, increasing throughput. Furthermore, the size of the buffers can be increased. Currently, the input and output buffers use 2-byte words, with 11-bit and 16-bit addresses, equating to a input buffer size of 4 KB, and an output buffer size of 16 KB. Increasing buffer sizes to larger values like 32 or 64 KB could double or quadruple the throughput.
•

FPGA Board: Porting the architecture to a newer FPGA (e.g., Xilinx 7 Series), would support higher clock speeds and denser logic. Better on-chip memory primitives would support larger, faster buffers, and faster transfer protocols like USB 3.0 or PCIe could increase throughput further.

V Related Work

The evolving malware landscape demands advanced detection and mitigation spanning multiple computing layers. Modern methods transitioned from signature-based antivirus solutions to employing machine learning, behavioral analytics, and hardware-assisted techniques to combat more complex threats [42, 43, 44, 45]. These solutions span the application, kernel, and hardware levels, with some methods being built into the hardware or trying to leverage the file system.

Application-level methods like File Integrity Monitoring detect tampering via cryptographic hashes or metadata changes but lack real-time capabilities and are prone to evasion. Decoy file techniques and signature-based antivirus programs share these vulnerabilities, with the latter also requiring frequent updates and being prone to tampering [32, 33]. Machine learning and deep learning strategies eliminate manual intervention but still rely on host-dependent data from the application or kernel level [3, 38]. Kernel-level monitoring provides access to file and network processes but introduces system overhead and remains vulnerable to host compromise. Even combined approaches integrating application, kernel, and AI/ML insights lack off-host capabilities [34]. Hardware-level monitoring improves runtime integrity by using processor traces, performance counters, and Trusted Platform Modules, but falls short for filesystem-specific attacks. Off-host solutions like sandboxing and cloud-based security offer isolation but have limitations: sandboxing enables post-mortem analysis but lacks real-time detection, while cloud-based systems may conflict with data policies and fail to provide detailed file system insights [36, 11, 35, 42].

Table III surveys these defense strategies and compares them against Shield. The advantages of Shield, coupled with its novel use of disk file system parameters and the ability to integrate with existing methods and devices, make it ideal for single endpoint or multifaceted ransomware detection.

VI Conclusion and Future Work

By capturing file system and hardware metrics independently from the host, Shield overcomes the limitations of host-based monitoring solutions. Key contributions of Shield include a unique metric acquisition architecture that integrates an open-source SATA HBA with NBD technology, enabling off-host operation and low-level file system monitoring. The hardware-level metrics effectively distinguish ransomware behavior from benign programs, laying a foundation for scalable, tamper-resistant, hardware-based malicious activity detection. Future work will enhance Shield via ML and chip-level hardware integration. By leveraging ML models to enhance Shield, benign and malicious behavior can be automatically differentiated, enabling real-time detection and mitigation of current and emerging threats. Integrating Shield within a SATA ASIC or storage controller would enable continuous, low-latency monitoring. These advances position Shield as a scalable solution that has significant implications in secure data storage and malicious activity detection.

References

[1] A. Young and M. Yung, “Cryptovirology: extortion-based security threats and countermeasures,” in IEEE Symposium on Security and Privacy, 1996, pp. 129–140.
[2] P. H. Meland, Y. F. F. Bayoumy, and G. Sindre, “The Ransomware-as-a-Service economy within the darknet,” Computers & Security, vol. 92, p. 101762, 2020.
[3] Cybots AI, “The Road to Ransomware Resilience: Behaviour Analysis,” 2024. [Online]. Available: https://cybotsai.com/the-road-to-ransomware-resilience-behaviour-analysis/
[4] K. Townsend, “Ransomware in 2024: More Attacks, More Leaks, and Increased Sophistication,” 2024. [Online]. Available: https://www.securityweek.com/ransomware-in-2024-more-attacks-more-leaks-and-increased-sophistication/
[5] IBM, “What Is Ransomware-as-a-Service (RaaS)?” 2024. [Online]. Available: https://www.ibm.com/topics/ransomware-as-a-service
[6] J. Lyons, “Lockbit wins ransomware speed test, encrypts 25,000 files per minute,” 2022. [Online]. Available: https://tinyurl.com/3hccp4fm
[7] M. A. Putrevu, H. Chunduri, V. S. C. Putrevu, and S. K. Shukla, “A Comprehensive Analysis of Machine Learning Based File Trap Selection Methods to Detect Crypto Ransomware,” arXiv preprint arXiv:2409.11428, 2024.
[8] Splunk, “A Comparative Analysis of Ransomware Encryption Speed,” 2022. [Online]. Available: https://tinyurl.com/ymnk248v
[9] A. Kharaz, S. Arshad, C. Mulliner, W. Robertson, and E. Kirda, “UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware,” in USENIX Security Symposium, 2016, pp. 757–772.
[10] Z.-G. Chen, H.-S. Kang, S.-N. Yin, and S.-R. Kim, “Automatic Ransomware Detection and Analysis Based on Dynamic API Calls Flow Graph,” in International Conference on Research in Adaptive and Convergent Systems, ser. RACS ’17. Association for Computing Machinery, 2017, p. 196–201.
[11] P. M. Anand, P. S. Charan, and S. K. Shukla, “HiPeR-Early Detection of a Ransomware Attack Using Hardware Performance Counters,” Digital Threats: Research and Practice, vol. 4, no. 3, pp. 1–24, 2023.
[12] G. O. Ganfure, C. F. Wu, Y. H. Chang, and W. K. Shih, “Rtrap: Trapping and Containing Ransomware with Machine Learning,” IEEE Transactions on Information Forensics and Security, vol. 18, pp. 1433–1448, 2023.
[13] J. A. Gomez-Hernandez, R. Sanchez-Fernandez, and P. Garcia-Teodoro, “Inhibiting Crypto-Ransomware on Windows Platforms Through a Honeyfile-Based Approach with R-Locker,” IET Information Security, vol. 16, no. 1, pp. 64–74, 2022.
[14] V. Kotov and M. Rajpal, “Understanding Crypto-Ransomware,” 2023. [Online]. Available: https://arxiv.org/abs/2312.07641
[15] C. Beaman, A. Barkworth, T. D. Akande, S. Hakak, and M. K. Khan, “Ransomware: Recent advances, analysis, challenges and future research directions,” Comput. Secur., vol. 111, no. C, Dec. 2021.
[16] P. M. Anand, P. V. S. Charan, H. Chunduri, and S. K. Shukla, “RTR-Shield: Early Detection of Ransomware Using Registry and Trap Files,” in Information Security Practice and Experience. Springer Nature Singapore, 2023, pp. 209–229.
[17] M. Sohail and S. Tabet, “Data privacy and ransomware impact on cyber-physical systems data protection,” in Cyber-Physical Systems for Industrial Transformation. CRC Press, 2023, pp. 115–134.
[18] J. Ispahany, M. R. Islam, M. Z. Islam, and M. A. Khan, “Ransomware Detection Using Machine Learning: A Review, Research Limitations and Future Directions,” IEEE Access, vol. 12, pp. 68 785–68 813, 2024.
[19] A. Mathur, M. Cao, S. Bhattacharya, A. Dilger, A. Tomas, and L. Vivier, “The new ext4 filesystem: Current status and future plans,” Linux Symposium, 2007.
[20] P. Breuer, A. Marín-López, and A. Ares, “The Network Block Device,” Linux Journal, vol. 73, 2000.
[21] B. Djordjevic and V. Timcenko, “Ext4 file system performance analysis in linux environment,” in WSEAS International Conference on Applied Informatics and Communications. World Scientific and Engineering Academy and Society, 2011, p. 288–293.
[22] S. Dara, “Understanding Ext4 Disk Layout, Part 1,” 2023. [Online]. Available: https://blogs.oracle.com/linux/post/understanding-ext4-disk-layout-part-1
[23] Missing Link Electronics, “SATA Storage Extension for ZYNQ 7000,” 2024. [Online]. Available: https://www.missinglinkelectronics.com/ip-cores/sata-storage-extension-for-zynq-7000/
[24] K. Eguro, “SIRC: An Extensible Reconfigurable Computing Communication API,” in IEEE Annual International Symposium on Field-Programmable Custom Computing Machines, 2010, pp. 135–138.
[25] L. Woods and K. Eguro, “Groundhog - A Serial ATA Host Bus Adapter (HBA) for FPGAs,” in IEEE International Symposium on Field-Programmable Custom Computing Machines, 2012, pp. 220–223.
[26] Fpgasystems, “Groundhog: Serial ATA Host Bus Adapter,” 2013. [Online]. Available: https://github.com/fpgasystems/groundhog
[27] A. Cozzette, “BUSE: A Block Device in User Space for Linux,” 2013. [Online]. Available: https://github.com/acozzette/BUSE
[28] Serial ATA International Organization, Serial ATA Revision 3.1 Gold Revision, 2011. [Online]. Available: https://sata-io.org/system/files/specifications/SerialATA_Revision_3_1_Gold.pdf
[29] AMD, ML505/ML506/ML507 Evaluation Platform User Guide (UG347) - 3.1.2 English, May 2011. [Online]. Available: https://docs.amd.com/v/u/en-US/ug347
[30] Digilent, “Virtex-5 OpenSPARC,” 2024. [Online]. Available: https://digilent.com/reference/programmable-logic/virtex-5/start
[31] NetworkBlockDevice, “Network Block Device,” 2024. [Online]. Available: https://github.com/NetworkBlockDevice/nbd
[32] N. Murphy, “What is File Integrity Monitoring (FIM) and Why Is It Important?” 2024. [Online]. Available: https://www.lepide.com/blog/what-is-file-integrity-monitoring/
[33] V. S. Sathyanarayan, P. Kohli, and B. Bruhadeshwar, “Signature Generation and Detection of Malware Families,” in Information Security and Privacy. Springer Berlin Heidelberg, 2008, pp. 336–349.
[34] H. Zhang, L. Zhao, A. Yu, L. Cai, and D. Meng, “Ranker: Early Ransomware Detection Through Kernel-Level Behavioral Analysis,” IEEE Transactions on Information Forensics and Security, vol. 19, pp. 6113–6127, 2024.
[35] R. Elnaggar, K. Basu, K. Chakrabarty, and R. Karri, “Runtime Malware Detection Using Embedded Trace Buffers,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 41, no. 1, pp. 35–48, 2022.
[36] C. Malone, M. Zahran, and R. Karri, “Are hardware performance counters a cost effective way for integrity checking of programs,” in ACM workshop on Scalable trusted computing, 2011, pp. 71–76.
[37] B. Denham and D. R. Thompson, “Ransomware and Malware Sandboxing,” in IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), 2022, pp. 0173–0179.
[38] Microsoft, “AI-Driven Adaptive Protection Against Human-Operated Ransomware,” 2021. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2021/11/15/ai-driven-adaptive-protection-against-human-operated-ransomware/
[39] B. Reidys, P. Liu, and J. Huang, “RSSD: defend against ransomware with hardware-isolated network-storage codesign and post-attack analysis,” in ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS ’22. Association for Computing Machinery, 2022, p. 726–739.
[40] A. Continella, A. Guagnelli, G. Zingaro, G. De Pasquale, A. Barenghi, S. Zanero, and F. Maggi, “ShieldFS: a self-healing, ransomware-aware filesystem,” in Annual Conference on Computer Security Applications. Association for Computing Machinery, 2016, p. 336–347.
[41] D. Dimov and Y. Tsonev, “Observing, Measuring and Collecting HDD Performance Metrics on a Physical Machine During Ransomware Attack,” Information & Security: An International Journal, vol. 47, no. 3, pp. 317–327, 2020.
[42] CrowdStrike, “Malware Analysis: Steps & Examples,” 2023. [Online]. Available: https://www.crowdstrike.com/en-us/cybersecurity-101/malware/malware-analysis/
[43] M. A. Al-Garadi, A. Mohamed, A. K. Al-Ali, X. Du, I. Ali, and M. Guizani, “A Survey of Machine and Deep Learning Methods for Internet of Things (IoT) Security,” IEEE Communications Surveys & Tutorials, vol. 22, no. 3, pp. 1646–1685, 2020.
[44] Z. Pan, J. Sheldon, C. Sudusinghe, S. Charles, and P. Mishra, “Hardware-Assisted Malware Detection using Machine Learning,” in Design, Automation & Test in Europe Conference & Exhibition (DATE), 2021, pp. 1775–1780.
[45] S. Razaulla, C. Fachkha, C. Markarian, A. Gawanmeh, W. Mansoor, B. C. M. Fung, and C. Assi, “The Age of Ransomware: A Survey on the Evolution, Taxonomy, and Research Directions,” IEEE Access, vol. 11, pp. 40 698–40 723, 2023.