ransomware-icci2025

Paper: Preventing Ransomware Damages using In-Operation Off-Site Backup to Achieve a 10⁻⁸ False-Negative Miss-Detection Rate (IEEE ICCI 2025)

Started 2026

Preventing Ransomware Damages using In-Operation Off-Site Backup to Achieve a 10⁻⁸ False-Negative Miss-Detection Rate

Published at: IEEE International Conference on Computer and Information (ICCI) 2025

Authors

  • Hiroshi Fujinoki - Department of Computer Science, Southern Illinois University Edwardsville (hfujino@siue.edu)
  • Alexander Towell - Department of Computer Science, Southern Illinois University Edwardsville (atowell@siue.edu)
  • Vamshi Anirudh Thota - Department of Computer Science, Southern Illinois University Edwardsville (vthota@siue.edu)

Abstract

This paper proposes a backup-based defense mechanism that transparently and continuously secures production data against ransomware while ensuring controlled growth of backup copies. Ransomware attacks continue to intensify, often bypassing conventional static or dynamic detection-based security measures and inflicting irreparable harm on critical organizational data. Our approach focuses on a “just-in-time” backup strategy—termed In-Operation Off-Site Backups—that interposes continuous and verifiable file duplication at each update, combined with a detection mechanism that can halt malicious encryption attempts as soon as they are discovered.

The solution leverages Bloom filters and carefully managed linked-list backups to maintain a low false-negative miss-detection rate on the order of 10⁻⁸, providing extremely high confidence that unauthorized data modifications will be detected before damage spreads. By employing fake fields, locality-aware thresholds, and fine-tuned probabilistic data structures, the system discriminates malicious activities from legitimate ones, preventing denial-of-service threats associated with frequent backups.

Simulation results demonstrate that this approach can achieve highly reliable detection and sustainable storage utilization. The proposed method fills a crucial gap in ransomware protection by ensuring that backups remain both secure and manageable, thereby mitigating the risk of catastrophic data loss.

Keywords

ransomware, offsite data backups, malware detection, Bloom filter, security risk management

Key Contributions

  1. Detection metric outside attacker control: Uses reference counts by distinct users rather than signatures or entropy values that attackers can manipulate
  2. Effectiveness against obfuscation ransomware: Does not rely on entropy-based detection that obfuscation can defeat
  3. Zero-day protection: Detection mechanism does not depend on known malware signatures
  4. Controlled false-negative rate: Mathematical framework achieving 10⁻⁸ miss-detection probability
  5. Fake field detection: Proactive detection using dummy fields that legitimate users never access
  6. Bloom filter optimization: Analysis of filter configuration for balancing accuracy and space efficiency
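
Contributions 4 and 6 name a 10⁻⁸ target and a Bloom filter accuracy/space trade-off. The following Python sketch is an added example, not code from the paper or its repository: it applies the standard Bloom filter sizing formulas to show what a 10⁻⁸ false-positive target costs in bits per item next to looser targets. Treating 10⁻⁸ as the filter's own false-positive target is an assumption made here for illustration, as are all function names and the item strings.

```python
import hashlib
import math


def bloom_parameters(n_items, target_fp):
    """Return (bits m, hash count k) minimising space for n_items at target_fp."""
    m = math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


def expected_fp(m, k, n_items):
    """Standard approximation of the false-positive rate after n_items inserts."""
    return (1.0 - math.exp(-k * n_items / m)) ** k


class BloomFilter:
    def __init__(self, m, k):
        self.m, self.k = m, k
        self.bits = bytearray((m + 7) // 8)

    def _positions(self, item):
        # Double hashing: derive k bit indexes from two 64-bit halves of SHA-256.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return ((h1 + i * h2) % self.m for i in range(self.k))

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def size_report(n_items, targets=(1e-2, 1e-4, 1e-8)):
    """One row per target: (target, bits per item, k, predicted false-positive rate)."""
    rows = []
    for p in targets:
        m, k = bloom_parameters(n_items, p)
        rows.append((p, m / n_items, k, expected_fp(m, k, n_items)))
    return rows


if __name__ == "__main__":
    for p, bpi, k, fp in size_report(100_000):
        print(f"target={p:.0e} bits/item={bpi:.1f} k={k} predicted_fp={fp:.2e}")
```

A Bloom filter never reports an inserted item as absent; the only error it makes is a false positive, and the predicted rate holds only while the number of inserted items stays at or below the `n_items` the filter was sized for.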

Repository Contents

  • ransomware-icci2025-camera-ready.pdf - Final camera-ready version of the paper
  • ransomware-icci2025-camera-ready.docx - Source document

Citation

If you use this work in your research, please cite:

@inproceedings{fujinoki2025ransomware,
  title={Preventing Ransomware Damages using In-Operation Off-Site Backup to Achieve a {$10^{-8}$} False-Negative Miss-Detection Rate},
  author={Fujinoki, Hiroshi and Towell, Alexander and Thota, Vamshi Anirudh},
  booktitle={Proceedings of the IEEE International Conference on Computer and Information (ICCI)},
  year={2025},
  organization={IEEE}
}

License

This work is licensed under CC BY 4.0 - you are free to share and adapt this material for any purpose, provided you give appropriate credit.

Contact

For questions about this research, please contact the corresponding author:
