A Method for Neutralizing Entropy Measurement-Based Ransomware Detection Technologies Using Encoding Algorithms

Lee, Kyungroul

doi:10.3390/e24020239

Cited by 16 publications

(19 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Using an entropy value as an indication of crypto-ransomware infection has been a common feature in ransomware detection systems for many years, however, some previous research [ 7 ], and more recently [ 74 ], have investigated techniques that could be used by crypto-ransomware developers to avoid creating files with an elevated entropy value and thus avoid detection using these techniques. One suggested approach is to further encode the encrypted files in a way as to reduce their overall entropy value, by for example, using base64 encoding.…”

Section: Discussionmentioning

confidence: 99%

“…The authors of these entropy reduction technique [ 7 , 74 ] state in their papers that they are currently theoretical techniques that could be used by ransomware, but to date, the authors have not encountered any crypto-ransomware strain that have employed them, suggesting that the entropy calculation detection avoidance techniques remain theoretical. This does not mean that these techniques will not be deployed in the future so one area of research would be to update the detection techniques so that they can identify these entropy reducing methods and then adapt their entropy calculation to take this in to account.…”

Section: Discussionmentioning

confidence: 99%

“…There exist techniques that can be used to reduce the overall entropy of a file generated by crypto-ransomware [ 7 , 74 ] so one area of research would be to investigate methods to detect if these techniques have been employed, and if so, then modify the entropy calculation to take this into account.…”

Section: Discussionmentioning

confidence: 99%

See 2 more Smart Citations

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Davies

Macfarlane

Buchanan

2022

Entropy

View full text Add to dashboard Cite

Ransomware is a malicious class of software that utilises encryption to implement an attack on system availability. The target’s data remains encrypted and is held captive by the attacker until a ransom demand is met. A common approach used by many crypto-ransomware detection techniques is to monitor file system activity and attempt to identify encrypted files being written to disk, often using a file’s entropy as an indicator of encryption. However, often in the description of these techniques, little or no discussion is made as to why a particular entropy calculation technique is selected or any justification given as to why one technique is selected over the alternatives. The Shannon method of entropy calculation is the most commonly-used technique when it comes to file encryption identification in crypto-ransomware detection techniques. Overall, correctly encrypted data should be indistinguishable from random data, so apart from the standard mathematical entropy calculations such as Chi-Square (χ2), Shannon Entropy and Serial Correlation, the test suites used to validate the output from pseudo-random number generators would also be suited to perform this analysis. The hypothesis being that there is a fundamental difference between different entropy methods and that the best methods may be used to better detect ransomware encrypted files. The paper compares the accuracy of 53 distinct tests in being able to differentiate between encrypted data and other file types. The testing is broken down into two phases, the first phase is used to identify potential candidate tests, and a second phase where these candidates are thoroughly evaluated. To ensure that the tests were sufficiently robust, the NapierOne dataset is used. This dataset contains thousands of examples of the most commonly used file types, as well as examples of files that have been encrypted by crypto-ransomware. During the second phase of testing, 11 candidate entropy calculation techniques were tested against more than 270,000 individual files—resulting in nearly three million separate calculations. The overall accuracy of each of the individual test’s ability to differentiate between files encrypted using crypto-ransomware and other file types is then evaluated and each test is compared using this metric in an attempt to identify the entropy method most suited for encrypted file identification. An investigation was also undertaken to determine if a hybrid approach, where the results of multiple tests are combined, to discover if an improvement in accuracy could be achieved.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Davies

Macfarlane

Buchanan

2022

Entropy

View full text Add to dashboard Cite

show abstract

“…Here, the characteristics of the ciphertext used by ransomware producers are described. Encryption means converting plaintext into ciphertext using a cryptographic algorithm so that no one except for the person who has information on the key, which is secret information, can acquire the information needed to provide confidentiality [ 12 , 13 , 14 ]. Conversely, decryption is the reverse of encryption.…”

Section: Prior Knowledge and Related Workmentioning

confidence: 99%

Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption

Lee

Yim

Lee

2023

Sensors

Self Cite

View full text Add to dashboard Cite

Ransomware is one type of malware that involves restricting access to files by encrypting files stored on the victim’s system and demanding money in return for file recovery. Although various ransomware detection technologies have been introduced, existing ransomware detection technologies have certain limitations and problems that affect their detection ability. Therefore, there is a need for new detection technologies that can overcome the problems of existing detection methods and minimize the damage from ransomware. A technology that can be used to detect files infected by ransomware and by measuring the entropy of files has been proposed. However, from an attacker’s point of view, neutralization technology can bypass detection through neutralization using entropy. A representative neutralization method is one that involves decreasing the entropy of encrypted files by using an encoding technology such as base64. This technology also makes it possible to detect files that are infected by ransomware by measuring entropy after decoding the encoded files, which, in turn, means the failure of the ransomware detection-neutralization technology. Therefore, this paper derives three requirements for a more sophisticated ransomware detection-neutralization method from the perspective of an attacker for it to have novelty. These requirements are (1) it must not be decoded; (2) it must support encryption using secret information; and (3) the entropy of the generated ciphertext must be similar to that of plaintext. The proposed neutralization method satisfies these requirements, supports encryption without decoding, and applies format-preserving encryption that can adjust the input and output lengths. To overcome the limitations of neutralization technology using the encoding algorithm, we utilized format-preserving encryption, which could allow the attacker to manipulate the entropy of the ciphertext as desired by changing the expression range of numbers and controlling the input and output lengths in a very free manner. To apply format-preserving encryption, Byte Split, BinaryToASCII, and Radix Conversion methods were evaluated, and an optimal neutralization method was derived based on the experimental results of these three methods. As a result of the comparative analysis of the neutralization performance with existing studies, when the entropy threshold value was 0.5 in the Radix Conversion method, which was the optimal neutralization method derived from the proposed study, the neutralization accuracy was improved by 96% based on the PPTX file format. The results of this study provide clues for future studies to derive a plan to counter the technology that can neutralize ransomware detection technology.

show abstract

“…3.1.2 Objective weights based on the entropy. The entropy was first used in the field of thermodynamics in physics and was first proposed by R. Xlausis and L. Boltgman (Lee and Lee, 2022). Given the evaluated alternatives and evaluation indicators, the entropy can determine the objective weight of each indicator, which is an effective method to determine the weight by information theory.…”

Section: Determining the Weight Of Each Evaluation Indicatormentioning

confidence: 99%

Fuzzy gray clustering evaluation of green building operation effect: a case study of Shenzhen Bay One, China

Zhang

Zhao²,

Guo³

2022

View full text Add to dashboard Cite

PurposeThis paper improves the evaluation index system of green building operation effect and establishes the evaluation model of green building operation effect. It is expected to promote energy saving and emission reduction and provide a more scientific evaluation method for green building operation effect evaluation.Design/methodology/approachFirst, 20 key evaluation indexes are selected to establish the operation effective evaluation index system. Then, the combined weight method is proposed to determine the weight of each evaluation index. Next, the gray clustering-fuzzy comprehensive evaluation method is used to construct the green building operation effective evaluation model. Finally, the feasibility and validity of the selected model were verified by taking Shenzhen Bay One green building in Shenzhen as an example.FindingsThis paper establishes the evaluation system of green building operational effect, and evaluates green building from the angle of operational effect. Taking Shenzhen Bay One project as an example, the rationality and applicability of the model are verified.Originality/valueIn this paper, for the first time, relevant indexes of user experience are included in the evaluation system of green building operational effect, which makes the evaluation system more perfect. In addition, a more scientific fuzzy gray clustering method is used to evaluate the operational effect of green building, and a new evaluation model is established.

show abstract

A Method for Neutralizing Entropy Measurement-Based Ransomware Detection Technologies Using Encoding Algorithms

Cited by 16 publications

References 18 publications

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption

Fuzzy gray clustering evaluation of green building operation effect: a case study of Shenzhen Bay One, China

Contact Info

Product

Resources

About