Although ransomware has received broad attention in media and research, this evolving threat still poses a systemic risk. Related literature has explored its detection with a variety of machine- and deep-learning approaches. While these approaches are effective at detecting malware, they do not answer how that intelligence should be used to protect against the threat, which raises concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent damage rather than merely alert on or halt execution, especially for Linux-based samples. This paper presents GuardFS, a file system-based approach for investigating the integration of ransomware detection and mitigation. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data drive three novel defense configurations that obfuscate, delay, or track access to the file system. Experiments on GuardFS test these configurations in a reactive setting. The results show that although data loss cannot be prevented completely, it can be reduced significantly. Usability and performance analyses show that the defensive effectiveness of each configuration is tied to its impact on resource consumption and usability.
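To make the architecture concrete, the following is an added illustration, not code from GuardFS or the paper's authors. It simulates the interception point of an overlay file system: each write or rename is inspected before it reaches the protected lower layer, per-process features are extracted (ratio of high-entropy writes, rename ratio, file fan-out), a score stands in for the trained model, and one of three reactive configurations is applied. The feature set, the hand-weighted linear score, the threshold of 0.65, and the concrete semantics chosen for obfuscate (redirect the suspicious process's writes to a private shadow view), delay (throttle before committing), and track (audit-log every access) are all assumptions made for this example; the workload is constructed. Note how the first two ciphertext writes are committed before the score crosses the threshold, which mirrors the abstract's point that data loss is reduced rather than eliminated.

```python
import math
import time
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessEvent:
    """One operation as seen by the overlay before it reaches the lower layer."""
    pid: int
    op: str                       # "write" or "rename"
    path: str
    data: bytes = b""             # write payload, visible before the write lands
    new_path: Optional[str] = None


@dataclass
class ProcessStats:
    writes: int = 0
    high_entropy_writes: int = 0
    renames: int = 0
    files: set = field(default_factory=set)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit well below 6, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def features(st: ProcessStats) -> dict:
    ops = st.writes + st.renames
    return {
        "entropy_ratio": st.high_entropy_writes / st.writes if st.writes else 0.0,
        "rename_ratio": st.renames / ops if ops else 0.0,
        "fanout": min(1.0, len(st.files) / 10.0),
    }


def score(feat: dict) -> float:
    """Hand-weighted linear score standing in for a trained classifier (assumption)."""
    return 0.6 * feat["entropy_ratio"] + 0.2 * feat["rename_ratio"] + 0.2 * feat["fanout"]


class Interceptor:
    """Hypothetical overlay hook applying one of the three reactive configurations."""

    def __init__(self, mode: str, threshold: float = 0.65, delay_s: float = 0.0):
        assert mode in ("delay", "obfuscate", "track")
        self.mode, self.threshold, self.delay_s = mode, threshold, delay_s
        self.stats = defaultdict(ProcessStats)
        self.real_fs = {}     # path -> bytes: the protected lower layer
        self.shadow_fs = {}   # (pid, path) -> bytes: where redirected writes land
        self.log = []         # (pid, op, path, score): audit trail in "track" mode

    def handle(self, ev: AccessEvent) -> str:
        st = self.stats[ev.pid]
        st.files.add(ev.path)
        if ev.op == "write":
            st.writes += 1
            if shannon_entropy(ev.data) > 7.0:
                st.high_entropy_writes += 1
        else:
            st.renames += 1
        s = score(features(st))
        if self.mode == "track":
            self.log.append((ev.pid, ev.op, ev.path, round(s, 3)))
        if s >= self.threshold and self.mode == "obfuscate":
            # The suspicious process gets a private view; the real file is untouched.
            self.shadow_fs[(ev.pid, ev.new_path or ev.path)] = ev.data
            return "redirected"
        if s >= self.threshold and self.mode == "delay":
            time.sleep(self.delay_s)  # throttle the process, then let the op through
            self._commit(ev)
            return "delayed"
        self._commit(ev)
        return "allowed"

    def _commit(self, ev: AccessEvent) -> None:
        if ev.op == "write":
            self.real_fs[ev.path] = ev.data
        elif ev.path in self.real_fs:
            self.real_fs[ev.new_path] = self.real_fs.pop(ev.path)


# Constructed workload: one benign editor (pid 100) and one encrypt-and-rename process (pid 200).
PLAINTEXT = b"Meeting notes: budget review, action items, follow-ups.\n" * 64
CIPHERTEXT = bytes(range(256)) * 16   # uniform byte histogram, entropy exactly 8.0


def sample_events() -> list:
    evs = [AccessEvent(100, "write", "/home/u/notes.txt", PLAINTEXT) for _ in range(3)]
    for i in range(8):
        evs.append(AccessEvent(200, "write", f"/home/u/doc{i}.txt", CIPHERTEXT))
    evs.append(AccessEvent(200, "rename", "/home/u/doc0.txt", new_path="/home/u/doc0.txt.locked"))
    return evs


def run_scenario(mode: str) -> dict:
    """Replay the workload under one configuration; count decisions and files overwritten with ciphertext."""
    fs = Interceptor(mode)
    decisions = Counter(fs.handle(ev) for ev in sample_events())
    lost = sum(1 for d in fs.real_fs.values() if shannon_entropy(d) > 7.0)
    return {"decisions": dict(decisions), "files_lost": lost, "logged": len(fs.log)}


if __name__ == "__main__":
    for mode in ("track", "delay", "obfuscate"):
        print(mode, run_scenario(mode))
```

Under "obfuscate" the first two ciphertext writes land on the real layer (the score is still below the threshold), and the remaining six writes plus the rename are redirected; "delay" commits everything but throttles the seven suspicious operations; "track" commits everything and records all twelve accesses. The trade-off the abstract describes is visible here: the configuration that saves the most data is also the one that alters what the process sees, while the cheapest one (track) loses every file and only leaves a forensic trail.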