Master's thesis,

DIMAQS - Dynamic Identification of Malicious Query Sequences

University of Würzburg, Master Thesis, (June 2018)

Abstract

Ransomware is an emerging threat which imposed 5 billion USD in losses in 2017 and is predicted to hit 11.5 billion in 2019. While initially targeting PC (client) platforms, recently it made a leap to server-side databases – in January 2017 we faced the MongoDB Apocalypse attack, followed by other attack waves targeting a wide range of DB technologies such as MongoDB, MySQL, ElasticSearch, Cassandra, Hadoop, and CouchDB. While previous research has developed countermeasures against client-side ransomware (e.g., CryptoDrop and ShieldFS), no attention has been given to the problem of server-side ransomware yet. This thesis aims to bridge this gap and presents the design and implementation of the tool DIMAQS (Dynamic Identification of Malicious Query Sequences) for MySQL servers that can efficiently and effectively detect server-side ransomware. DIMAQS performs run-time monitoring of incoming queries and pattern matching using a Colored Petri Net (CPN) for attack detection. The system design of DIMAQS exhibits several novel techniques to enable efficient detection of malicious query sequences globally (i.e., without limiting detection to distinct user connections). Evaluation results show high efficiency with no false positives and no false negatives, and a very moderate performance overhead (for a run-time monitoring tool) of under 5% in worst case scenarios.
