File Access Pattern Analysis
Definition
Analyzing the files accessed by a process to identify unauthorized activity.
How it works
File-modifying malware such as wipers and ransomware is detected by identifying file access patterns associated with a malicious process. Examples of such patterns include accessing a large number of files, accessing multiple file types, accessing files located in multiple places within a directory tree, and copying a file and encrypting its contents into the copy.
Considerations
Certain file access patterns, such as a backup agent or search indexer reading many files of many types across many directories, may not be statistically distinguishable from authorized activity.
References
The following references were used to develop the File Access Pattern Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
File-modifying malware detection
MITRE Comments
This patent describes a technique for detecting file-modifying malware such as wipers and ransomware, which overwrite portions of files and encrypt file contents, respectively. Processes that are traversing a directory are identified along with their file access patterns. Indicators that a process executing on a computing device is traversing a directory include:
- a process changing its directory (e.g., iteratively, systematically, repeatedly)
- a process repeatedly performing an "open directory" operation
- the same process traversing a directory and recording the locations of data files encountered in each sub-directory
In addition to identifying processes traversing a directory, particular file access patterns that may indicate malicious behavior are also detected, including:
- multiple file types being accessed
- accessing a large number of files
- files located in multiple locations in the directory being accessed
If a process is traversing a directory and accessing files according to a defined access pattern associated with malicious behavior, a preventative action is performed.
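The following is an added example, not code from MITRE D3FEND or from the patent above. It runs the traversal and access-pattern checks described in "How it works" and in the patent summary over a constructed per-process file-event trace (the event tuples, process names, paths and all thresholds are assumptions made for illustration). It also shows the consideration above: a backup process that traverses and reads just as broadly as the ransomware is not flagged, because it modifies nothing but its own archive.

```python
"""Toy file-access pattern analyser (added example; not D3FEND's or the patent's code).

Signals scored per process, following the article: repeated directory opens across
many directories (traversal), many distinct files, many file types, files spread over
many locations, the volume of modified files (wiper-style overwrites), and the
copy-then-encrypt pattern (read original, create a sibling file, delete the original).
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Thresholds are assumed values; tune them against a baseline of authorized activity.
MIN_DIRS_TRAVERSED = 3   # distinct directories opened by the process
MIN_FILES = 5            # distinct files touched
MIN_TYPES = 3            # distinct file extensions touched
MIN_LOCATIONS = 3        # distinct parent directories of touched files
MIN_MODIFIED = 5         # distinct files written, created or deleted
MIN_COPY_ENCRYPT = 2     # read original -> create sibling -> delete original

# Constructed sample trace, not a real audit format: (pid, process name, op, path).
DIRS = ["/home/u/docs", "/home/u/docs/a", "/home/u/pics", "/home/u/code"]
TARGETS = ["/home/u/docs/report.docx", "/home/u/docs/budget.xlsx",
           "/home/u/docs/a/notes.txt", "/home/u/pics/cat.jpg", "/home/u/code/main.py"]


def _trace(pid, name, per_file):
    """Build a traversal: open every directory, then emit per_file(path) events per target."""
    events = [(pid, name, "opendir", d) for d in DIRS]
    for t in TARGETS:
        events.extend((pid, name, op, p) for op, p in per_file(t))
    return events


EVENTS = (
    # backup agent: traverses and reads everything, writes only its own archive
    _trace(1001, "backup", lambda t: [("read", t)])
    + [(1001, "backup", "write", "/mnt/backup/archive.tar")]
    # ransomware-style: read original, write encrypted copy, delete original
    + _trace(2002, "locker", lambda t: [("read", t), ("create", t + ".locked"), ("delete", t)])
    # wiper-style: overwrite every file in place
    + _trace(3003, "wiper", lambda t: [("write", t)])
    # ordinary editor: one file, no traversal
    + [(4004, "editor", "read", "/home/u/docs/todo.txt"),
       (4004, "editor", "write", "/home/u/docs/todo.txt")]
)


def analyse(events):
    """Aggregate per-process counters from an ordered event list."""
    stats = {}
    reads = defaultdict(set)          # pid -> paths the process has read
    pending = defaultdict(dict)       # pid -> {original path: encrypted sibling}
    for pid, name, op, path in events:
        s = stats.setdefault(pid, {"name": name, "dirs_opened": set(), "files": set(),
                                   "types": set(), "locations": set(),
                                   "modified": set(), "copy_encrypt": 0})
        p = PurePosixPath(path)
        if op == "opendir":
            s["dirs_opened"].add(path)
            continue
        s["files"].add(path)
        s["types"].add(p.suffix.lower())
        s["locations"].add(str(p.parent))
        if op == "read":
            reads[pid].add(p)
        elif op in ("write", "create", "delete"):
            s["modified"].add(path)
            if op == "create":
                # a new file whose name extends one this process already read, in the same dir
                for orig in reads[pid]:
                    if orig.parent == p.parent and orig != p and p.name.startswith(orig.name):
                        pending[pid][orig] = p
            elif op == "delete" and p in pending[pid]:
                del pending[pid][p]   # original removed after its copy appeared
                s["copy_encrypt"] += 1
    return stats


def is_suspicious(s):
    """Traversal plus breadth plus modification is what warrants a preventative action."""
    traversing = len(s["dirs_opened"]) >= MIN_DIRS_TRAVERSED
    broad = (len(s["files"]) >= MIN_FILES and len(s["types"]) >= MIN_TYPES
             and len(s["locations"]) >= MIN_LOCATIONS)
    modifying = (len(s["modified"]) >= MIN_MODIFIED
                 or s["copy_encrypt"] >= MIN_COPY_ENCRYPT)
    return traversing and broad and modifying


def flagged_processes(events):
    """Return sorted [(pid, name), ...] of processes to suspend."""
    return sorted((pid, s["name"]) for pid, s in analyse(events).items() if is_suspicious(s))


if __name__ == "__main__":
    for pid, s in analyse(EVENTS).items():
        print(pid, s["name"], "dirs", len(s["dirs_opened"]), "files", len(s["files"]),
              "types", len(s["types"]), "modified", len(s["modified"]),
              "copy+encrypt", s["copy_encrypt"], "->", "SUSPEND" if is_suspicious(s) else "ok")
```

On this trace only `locker` and `wiper` are flagged. The `backup` process satisfies the traversal and breadth signals just as strongly, which is why the modification and copy-then-encrypt signals are required before any preventative action; in practice the thresholds still need to be set from a baseline of the host's authorized software.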