SHIELD: A Host-Independent Framework for Ransomware Detection using Deep Filesystem Features

The paper presents SHIELD, a host-independent framework that leverages deep filesystem features parsed at the storage controller level to achieve tamper-resistant, real-time ransomware detection and mitigation with over 97% accuracy and minimal impact on benign applications.

The Gist

Imagine your computer is a massive, high-security library. Inside, there are millions of books (your files). A ransomware attack is like a chaotic, invisible thief who sneaks in, grabs every book, and starts rewriting the pages with gibberish so no one can read them anymore. They demand a ransom to give you the "decoder ring" to fix the books.

Usually, we try to catch this thief by watching the librarian (the Operating System) or the security guards inside the building. But what if the thief is the librarian? Or what if they've hypnotized the guards? If the thief controls the library's internal security system, they can tell the guards, "Everything is fine!" while they burn the books down.

Enter SHIELD.

SHIELD is a new kind of security system that doesn't trust the librarian or the guards. Instead, it installs a tiny, unbreakable camera inside the library's foundation—right where the books are actually stored on the shelves.

Here is how SHIELD works, broken down into simple concepts:

1. The "Unblinking Eye" in the Foundation

Most security software lives inside the computer's main brain (the OS). If a hacker takes over the brain, they can turn off the security software.

SHIELD lives outside the brain. It sits at the very bottom, in the storage controller (the part of the computer that talks to the hard drive). Think of it like a smart lock on the front door that doesn't care if the person inside is acting weird. It only cares about what is physically happening to the books on the shelves. Even if the hacker is the librarian, they cannot trick the lock because the lock is built into the wall itself.

2. Reading the "Dust" Instead of the "Story"

How does SHIELD know a thief is there without reading the books (which would be slow and invasive)?

It looks at the dust and footprints.

• Normal behavior: When you write a report or watch a movie, you might open a few books, read them, and maybe write a little bit. The footprints are scattered and calm.
• Ransomware behavior: The thief grabs thousands of books, flips through them rapidly, and scribbles over the pages in a specific, frantic pattern. They change the "metadata" (the labels on the spines) and the "content" (the pages) all at once.

SHIELD watches these footprints (filesystem features like how many files are touched, how fast they are changed, and how the "gibberish" looks). It doesn't need to know what the files are; it just knows that no normal human moves books that fast or changes them in that specific chaotic way.

3. The "Stop Sign" Mechanism

SHIELD doesn't just watch; it has a remote control for the library doors.

It uses a smart AI (Machine Learning) that has studied thousands of "normal days" and "thief days." When it sees the footprints of a thief:

1. It counts the steps.
2. If the pattern matches a ransomware attack, it instantly slams the doors shut.
3. It stops the thief from writing any more gibberish.

Because it acts so fast (within a few dozen actions), the thief might have scribbled on a few pages of a few books, but the rest of the library remains safe. In the paper's tests, SHIELD stopped the attack before 99.6% of the files were touched.

4. Why It's a Game-Changer

• It's "Host-Independent": It doesn't care if the computer is running Windows, Linux, or macOS. It doesn't care if the computer is infected with a virus. It only cares about the physical hard drive.
• It's "Tamper-Proof": Since it lives in the hardware (the storage controller), a hacker cannot delete it or turn it off from the inside. It's like trying to erase a security camera by smashing the monitor inside the room; the camera is bolted to the ceiling.
• It's Fast: It can detect the attack in milliseconds, often before the thief has even finished encrypting the first file.

The Analogy Summary

Imagine a bank vault.

• Old Security: Hired guards inside the vault who check IDs. If the robber wears a guard's uniform, the guards let them in.
• SHIELD: A motion sensor built into the floor tiles of the vault. It doesn't care who you are or what you're wearing. It only knows that no one should be running around the vault changing the contents of the safe deposit boxes at 500 miles per hour. As soon as that pattern is detected, the floor locks down, trapping the robber and saving the money.

The Bottom Line

SHIELD proves that we don't need to trust the computer's operating system to keep our data safe. By moving the "eyes" of security down to the hardware level, we can catch ransomware even when the computer is completely compromised, saving our data with minimal loss. It's a shift from "trusting the guard" to "trusting the foundation."

Technical Summary

Here is a detailed technical summary of the paper "SHIELD: A Host-Independent Framework for Ransomware Detection using Deep Filesystem Features."

1. Problem Statement

Ransomware attacks have evolved to become highly sophisticated, utilizing hardware-accelerated encryption and multi-threaded execution to encrypt critical data rapidly. Existing detection mechanisms suffer from significant limitations:

• Host Dependency: Most solutions rely on OS-level telemetry (API calls, kernel logs, or user-space monitoring). Once the operating system is compromised, these signals can be tampered with, suppressed, or forged by the attacker.
• Coarse Granularity: Many hardware-based defenses rely on coarse block-I/O statistics (e.g., Logical Block Address patterns) or transport-layer metrics. These often lack filesystem semantics, making it difficult to distinguish between legitimate high-I/O operations (like backups) and malicious encryption, and they often miss intermittent or partial encryption strategies.
• Lack of Off-Host Trust: There is a critical gap in solutions that operate below the OS, within the storage controller itself, where the hardware remains trusted even if the host is fully compromised.

2. Methodology: The SHIELD Framework

SHIELD (Secure Host-Independent Extensible Metric Logging Framework) is designed as a tamper-resistant, off-host detection system that operates within the storage controller datapath (e.g., FPGA or ASIC).

Core Architecture

• Trust Boundary: The system assumes the Host OS is untrusted. SHIELD resides in the trusted storage-side component (controller/FPGA). It observes standard block I/O requests but derives its intelligence by parsing on-disk filesystem structures directly, bypassing the OS kernel.
• Metric Acquisition:
  • Active Parsing: At initialization, the system queries global filesystem metadata (e.g., Superblock, Group Descriptors) to bootstrap a live catalog of inodes and data block mappings.
  • Passive Parsing: During runtime, it monitors every read/write action, attributing the request to specific filesystem structures (Inodes, Data Blocks, Metadata) based on disk offsets.
  • Feature Extraction: For every disk action, SHIELD generates a multidimensional metric vector containing:
    • Transport/Interface Metrics: (Optional) I/O completion counts, sectors transferred, time spent.
    • Filesystem-Level Metrics: Counts of inode accesses/allocations/deallocations, data block reads/writes, superblock/GDT accesses, and bytes changed.
    • Entropy Signals: Shannon entropy calculations on written data blocks to detect the transition from low-entropy plaintext to high-entropy ciphertext.
• Detection Logic:
  • Action-Based Windows: Instead of time-based intervals, SHIELD aggregates consecutive disk actions into "windows" (e.g., 20 actions with 10-action overlap). This makes detection latency independent of system speed or network latency.
  • Machine Learning: The aggregated feature vectors are fed into a supervised classifier (specifically LightGBM). The system performs real-time inference to classify behavior as "Benign" or "Malicious."
  • Closed-Loop Mitigation: Upon detecting a sustained malicious pattern (e.g., 4 out of 5 consecutive windows flagged as malicious), SHIELD triggers a halt mechanism that blocks further write operations to the protected volume at the disk interface.

Modularity

The framework is filesystem-agnostic. While the primary evaluation uses ext4, the backend parser is modular. The system maps OS-specific structures (e.g., NTFS MFT, APFS Object Records) to a common semantic event schema, allowing the same detection pipeline to work across different filesystems.

3. Key Contributions

1. Novel Off-Host Metric Acquisition: Introduces a low-level pipeline that logs deep filesystem features (inodes, block allocations, metadata mutations) independent of the OS, creating a tamper-proof telemetry source.
2. Validation of Deep Filesystem Semantics: Demonstrates that filesystem-level mutations (inode access patterns, block-level entropy shifts) provide robust signals for distinguishing ransomware from benign high-I/O workloads, even when transport-layer metrics are removed.
3. Zero-Shot Detection & Mitigation: Proves that models trained on specific ransomware families can effectively detect and halt unseen ransomware strains and families in real-time, limiting data loss to a negligible amount.
4. Hardware Feasibility: Validates that detection can rely solely on hardware-observable filesystem features (excluding transport-layer data), achieving high accuracy suitable for FPGA/ASIC deployment within the storage controller.

4. Experimental Results

The authors evaluated SHIELD using a prototype test harness (network block device) and validated key findings against a hardware-realistic FPGA-SATA bridge.

• Dataset: Trained on 10 ransomware families and 10 benign applications (including heavy I/O tools like OBS, 7Zip, and Veracrypt). Tested on 10 unseen ransomware strains.
• In-Distribution Performance:
  • The best binary classifier (LightGBM) achieved 97.29% accuracy and an F1 score of 0.9734 in distinguishing benign vs. malicious behavior.
  • Multiclass classification (identifying specific ransomware families) achieved 96.05% accuracy.
• Hardware-Only Feasibility:
  • When all transport-layer metrics were removed (relying only on filesystem-derived features), the model retained 95.97% accuracy. This confirms that the detection logic does not depend on the OS or network transport, validating its suitability for embedded controller integration.
• Zero-Shot Generalization:
  • On unseen ransomware families, the model maintained high accuracy (up to 98.91% for specific strains with larger windows).
  • Mitigation Efficacy: In closed-loop tests, SHIELD halted disk operations within tens of actions.
    • Data Loss: For zero-shot strains, the percentage of affected files was limited to ≤0.4% in small action windows.
    • Block-Level vs. OS-Level: The system halted during partial encryption. While the OS might flag a file as "corrupted" (100% loss), the actual bytes overwritten on the disk were often <0.03%, demonstrating the ability to stop attacks before bulk data replacement.
• False Positives: On unseen benign applications, the false-positive rate was ≤3.6%, and the system did not trigger a halt, indicating high operational safety.

5. Significance and Implications

• Resilience to Compromise: By moving the trust boundary to the storage controller, SHIELD provides a defense that remains effective even if the host OS is fully root-compromised. The attacker cannot forge the on-disk filesystem state that SHIELD observes.
• Granularity and Speed: Unlike solutions that wait for file-level hashes or network anomalies, SHIELD detects the act of encryption at the block level. It can detect intermittent encryption (where only parts of a file are encrypted) by analyzing inode and block mutation patterns.
• Practical Deployment: The "hardware-only" results suggest that SHIELD can be implemented as a lightweight, parallelizable module in an FPGA or ASIC storage controller without requiring a full OS or heavy computational resources.
• Tunable Trade-offs: The framework offers a tunable trade-off between detection speed and confidence. Smaller action windows allow for faster halting (less data loss) but require more sequential decisions; larger windows increase confidence but may allow slightly more writes before stopping.

In conclusion, SHIELD represents a paradigm shift in ransomware defense, moving from host-dependent software monitoring to storage-side, filesystem-aware hardware enforcement, offering a robust, tamper-resistant solution for critical infrastructure protection.