Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Davies, Simon; Macfarlane, Richard; Buchanan, William J.

doi:10.3390/e24101503

Cited by 10 publications

(11 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, an increase in entropy can be considered an important metric for ransomware detection. However, here we note that just relying on the calculated Shannon entropy value to distinguish between encrypted and non-encrypted files would be a difficult task generating a lot of false positives and negatives [ 39 ]. In Section 5 , we show our experimental result on this issue.…”

Section: Ransomware Detection and Neutralization Methodsmentioning

confidence: 99%

Entropy Sharing in Ransomware: Bypassing Entropy-Based Detection of Cryptographic Operations

Bang,

Kim,

Lee

2024

Sensors

View full text Add to dashboard Cite

This study presents a groundbreaking approach to the ever-evolving challenge of ransomware detection. A lot of detection methods predominantly rely on pinpointing high-entropy blocks, which is a hallmark of the encryption techniques commonly employed in ransomware. These blocks, typically difficult to recover, serve as key indicators of malicious activity. So far, many neutralization techniques have been introduced so that ransomware utilizing standard encryption can effectively bypass these entropy-based detection systems. However, these have limited capabilities or require relatively high computational costs. To address these problems, we introduce a new concept entropy sharing. This method can be seamlessly integrated with every type of cryptographic algorithm and is also composed of lightweight operations, masking the high-entropy blocks undetectable. In addition, the proposed method cannot be easily nullified, contrary to simple encoding methods, without knowing the order of shares. Our findings demonstrate that entropy sharing can effectively bypass entropy-based detection systems. Ransomware utilizing such attack methods can cause significant damage, as they are difficult to detect through conventional detection methods.

show abstract

Section: Ransomware Detection and Neutralization Methodsmentioning

confidence: 99%

Entropy Sharing in Ransomware: Bypassing Entropy-Based Detection of Cryptographic Operations

Bang,

Kim,

Lee

2024

Sensors

View full text Add to dashboard Cite

show abstract

“…In other words, information entropy refers to the uniformity of data, and if the data are uniform, they have high entropy. Conversely, if the data are not uniform and are deviated, they have relatively low entropy [8][9][10]. In this case, entropy can range from zero to eight.…”

Section: Prior Knowledge and Related Workmentioning

confidence: 99%

“…Many ransomware programs have the feature of maintaining the file type representing the information of the original file in the file name to seamlessly decode the encrypted file when the user pays for it [8]. Due to these characteristics, even if a file is infected with ransomware, the file type can be determined; therefore, it is believed that it is possible to learn a model using the file type characteristics and detect a file infected with ransomware.…”

Section: File Type Featurementioning

confidence: 99%

“…file when the user pays for it [8]. Due to these characteristics, even if a file is ransomware, the file type can be determined; therefore, it is believed that it learn a model using the file type characteristics and detect a file infected with Therefore, to confirm whether a given file type can be exploited as a feature, infection with the actual WannaCry ransomware for xls, pdf, and doc files Figure 4.…”

Section: File Type Featurementioning

confidence: 99%

See 1 more Smart Citation

A Study on Countermeasures against Neutralizing Technology: Encoding Algorithm-Based Ransomware Detection Methods Using Machine Learning

Lee,

Yun,

Lee

2024

Electronics

View full text Add to dashboard Cite

Ransomware, which emerged in 1989, has evolved to the present in numerous variants and new forms. For this reason, serious damage caused by ransomware has occurred not only within our country but around the world, and, according to the analysis of ransomware trends, ransomware poses an ongoing and significant threat, with major damage expected to continue to occur in the future. To address this problem, various approaches to detect ransomware have been explored, with a recent focus on file entropy estimation methods. These methods exploit the characteristic increase in file entropy that is caused by ransomware encryption. In response, a method was developed to neutralize entropy-based ransomware detection technology by manipulating entropy using encoding methods from the attacker’s perspective. Consequently, from the defender’s standpoint, countermeasures are essential to minimize the damage caused by ransomware. Therefore, this article proposes a methodology that utilizes diverse machine learning models such as K-Nearest Neighbors (KNN), logistic regression, decision tree, random forest, gradient boosting, support vector machine (SVM), and multi-layer perception (MLP) to detect files infected with ransomware. The experimental results demonstrate empirically that files infected with ransomware can be detected with approximately 98% accuracy, and the results of this research are expected to provide valuable information for developing countermeasures against various ransomware detection technologies.

show abstract

“…As a related work, [ 20 ] proposed a zone division-based ransomware detection method to detect ransomware by separating areas containing file metadata, such as file headers, footers, signature information, and file contents that define file extensions in binary data. In [ 15 ], features for entropy distribution were derived for various file formats and machine learning models, such as KNN (K-Nearest Neighbor), linear regression, ridge regression, logistics regression, decision tree, random forest, SVM (Support Vector Machine), and MLP (Multi-Layer Perception), which were applied.…”

Section: Prior Knowledge and Related Workmentioning

confidence: 99%

Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption

Lee

Yim

Lee

2023

Sensors

View full text Add to dashboard Cite

Ransomware is one type of malware that involves restricting access to files by encrypting files stored on the victim’s system and demanding money in return for file recovery. Although various ransomware detection technologies have been introduced, existing ransomware detection technologies have certain limitations and problems that affect their detection ability. Therefore, there is a need for new detection technologies that can overcome the problems of existing detection methods and minimize the damage from ransomware. A technology that can be used to detect files infected by ransomware and by measuring the entropy of files has been proposed. However, from an attacker’s point of view, neutralization technology can bypass detection through neutralization using entropy. A representative neutralization method is one that involves decreasing the entropy of encrypted files by using an encoding technology such as base64. This technology also makes it possible to detect files that are infected by ransomware by measuring entropy after decoding the encoded files, which, in turn, means the failure of the ransomware detection-neutralization technology. Therefore, this paper derives three requirements for a more sophisticated ransomware detection-neutralization method from the perspective of an attacker for it to have novelty. These requirements are (1) it must not be decoded; (2) it must support encryption using secret information; and (3) the entropy of the generated ciphertext must be similar to that of plaintext. The proposed neutralization method satisfies these requirements, supports encryption without decoding, and applies format-preserving encryption that can adjust the input and output lengths. To overcome the limitations of neutralization technology using the encoding algorithm, we utilized format-preserving encryption, which could allow the attacker to manipulate the entropy of the ciphertext as desired by changing the expression range of numbers and controlling the input and output lengths in a very free manner. To apply format-preserving encryption, Byte Split, BinaryToASCII, and Radix Conversion methods were evaluated, and an optimal neutralization method was derived based on the experimental results of these three methods. As a result of the comparative analysis of the neutralization performance with existing studies, when the entropy threshold value was 0.5 in the Radix Conversion method, which was the optimal neutralization method derived from the proposed study, the neutralization accuracy was improved by 96% based on the PPTX file format. The results of this study provide clues for future studies to derive a plan to counter the technology that can neutralize ransomware detection technology.

show abstract

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Cited by 10 publications

References 45 publications

Entropy Sharing in Ransomware: Bypassing Entropy-Based Detection of Cryptographic Operations

Entropy Sharing in Ransomware: Bypassing Entropy-Based Detection of Cryptographic Operations

A Study on Countermeasures against Neutralizing Technology: Encoding Algorithm-Based Ransomware Detection Methods Using Machine Learning

Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption

Contact Info

Product

Resources

About