Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Gaspari, Fabio De; Hitaj, Dorjan; Pagnotta, Giulio; Carli, Lorenzo De; Mancini, Luigi V.

doi:10.1007/s00521-022-07096-6

Cited by 21 publications

(37 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One suggested approach is to further encode the encrypted files in a way as to reduce their overall entropy value, by for example, using base64 encoding. However, despite this theoretical mitigation technique, crypto-ransomware techniques are still being proposed that utilise entropy calculations as part of their design [ 21 , 75 , 76 , 77 , 78 ].…”

Section: Discussionmentioning

confidence: 99%

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Davies

Macfarlane

Buchanan

2022

Entropy

View full text Add to dashboard Cite

Ransomware is a malicious class of software that utilises encryption to implement an attack on system availability. The target’s data remains encrypted and is held captive by the attacker until a ransom demand is met. A common approach used by many crypto-ransomware detection techniques is to monitor file system activity and attempt to identify encrypted files being written to disk, often using a file’s entropy as an indicator of encryption. However, often in the description of these techniques, little or no discussion is made as to why a particular entropy calculation technique is selected or any justification given as to why one technique is selected over the alternatives. The Shannon method of entropy calculation is the most commonly-used technique when it comes to file encryption identification in crypto-ransomware detection techniques. Overall, correctly encrypted data should be indistinguishable from random data, so apart from the standard mathematical entropy calculations such as Chi-Square (χ2), Shannon Entropy and Serial Correlation, the test suites used to validate the output from pseudo-random number generators would also be suited to perform this analysis. The hypothesis being that there is a fundamental difference between different entropy methods and that the best methods may be used to better detect ransomware encrypted files. The paper compares the accuracy of 53 distinct tests in being able to differentiate between encrypted data and other file types. The testing is broken down into two phases, the first phase is used to identify potential candidate tests, and a second phase where these candidates are thoroughly evaluated. To ensure that the tests were sufficiently robust, the NapierOne dataset is used. This dataset contains thousands of examples of the most commonly used file types, as well as examples of files that have been encrypted by crypto-ransomware. During the second phase of testing, 11 candidate entropy calculation techniques were tested against more than 270,000 individual files—resulting in nearly three million separate calculations. The overall accuracy of each of the individual test’s ability to differentiate between files encrypted using crypto-ransomware and other file types is then evaluated and each test is compared using this metric in an attempt to identify the entropy method most suited for encrypted file identification. An investigation was also undertaken to determine if a hybrid approach, where the results of multiple tests are combined, to discover if an improvement in accuracy could be achieved.

show abstract

Section: Discussionmentioning

confidence: 99%

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Davies

Macfarlane

Buchanan

2022

Entropy

View full text Add to dashboard Cite

show abstract

“…Since many ransomware detectors follow a similar process-based approach, a relevant research question is whether they exhibit similar vulnerabilities. Recently, in [8], the authors proposed a novel family of evasion attacks against processbased ransomware detectors. Specifically, the authors suggested three attacks: process splitting, functional splitting, and mimicry attack.…”

Section: Evasive Ransomware: Cerberusmentioning

confidence: 99%

“…The more powerful functional splitting attack generates a smaller number of processes, each performing few types of operations (such as performing only file reads or file writes). While this attack is practical, it can be mitigated with adversarial training [8]. Finally, the mimicry attack works by splitting ransomware into multiple processes, each mimicking the behavioral profile of benign applications from the point of view of disk operations.…”

Section: Evasive Ransomware: Cerberusmentioning

confidence: 99%

“…This approach is reasonable: ransomware operations involve intense disk I/O and encryption, typically resulting in entirely different behavioral profiles than benign applications. However, recent work [8] demonstrated a series of adversarial attacks that can readily bypass both academic and commercial process-based behavioral detectors. These evasive ransomware attacks entail distributing the ransomware workload across several cooperating processes, each emulating, feature-wise, the behavior of a benign process.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Minerva: A File-Based Ransomware Detector

Hitaj¹,

Pagnotta²,

Gaspari³

et al. 2023

Preprint

View full text Add to dashboard Cite

Ransomware is a rapidly evolving type of malware designed to encrypt user files on a device, making them inaccessible in order to exact a ransom. Ransomware attacks resulted in billions of dollars in damages in recent years and are expected to cause hundreds of billions more in the next decade. With current state-of-the-art process-based detectors being heavily susceptible to evasion attacks, no comprehensive solution to this problem is available today. This paper presents Minerva, a new approach to ransomware detection. Unlike current methods focused on identifying ransomware based on process-level behavioral modeling, Minerva detects ransomware by building behavioral profiles of files based on all the operations they receive in a time window. Minerva addresses some of the critical challenges associated with process-based approaches, specifically their vulnerability to complex evasion attacks. Our evaluation of Minerva demonstrates its effectiveness in detecting ransomware attacks, including those that are able to bypass existing defenses. Our results show that Minerva identifies ransomware activity with an average accuracy of 99.45% and an average recall of 99.66%, with 99.97% of ransomware detected within 1 second.

show abstract

“…Consequently, there is no clear understanding of how these approaches: (i) fare on a variety of compressed file formats and sizes, and (ii) compare to each other. The potential negative implications are significant: the use of ineffective techniques for identifying encrypted content can hinder the effectiveness of ransomware detectors [17,18], and significantly limit the capability of forensic tools.…”

Section: Introductionmentioning

confidence: 99%

Reliable detection of compressed and encrypted data

Gaspari

Hitaj

Pagnotta

et al. 2022

Neural Comput & Applic

Self Cite

View full text Add to dashboard Cite

Several cybersecurity domains, such as ransomware detection, forensics and data analysis, require methods to reliably identify encrypted data fragments. Typically, current approaches employ statistics derived from byte-level distribution, such as entropy estimation, to identify encrypted fragments. However, modern content types use compression techniques which alter data distribution pushing it closer to the uniform distribution. The result is that current approaches exhibit unreliable encryption detection performance when compressed data appear in the dataset. Furthermore, proposed approaches are typically evaluated over few data types and fragment sizes, making it hard to assess their practical applicability. This paper compares existing statistical tests on a large, standardized dataset and shows that current approaches consistently fail to distinguish encrypted and compressed data on both small and large fragment sizes. We address these shortcomings and design EnCoD, a learning-based classifier which can reliably distinguish compressed and encrypted data. We evaluate EnCoD on a dataset of 16 different file types and fragment sizes ranging from 512B to 8KB. Our results highlight that EnCoD outperforms current approaches by a wide margin, with accuracy ranging from $$\sim 82\%$$ ∼ 82 % for 512B fragments up to $$\sim 92\%$$ ∼ 92 % for 8KB data fragments. Moreover, EnCoD can pinpoint the exact format of a given data fragment, rather than performing only binary classification like previous approaches.

show abstract

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Cited by 21 publications

References 49 publications

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Minerva: A File-Based Ransomware Detector

Reliable detection of compressed and encrypted data

Contact Info

Product

Resources

About