Machine Learning Based File Entropy Analysis for Ransomware Detection in Backup Systems

Lee, Kyungroul; Lee, Sun-Young; Yim, Kangbin

doi:10.1109/access.2019.2931136

Cited by 80 publications

(78 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The performance of the IDH is compared with the state of the art Honeypot and ransomware detection systems [20] is shown in Figure 11. In order to measure the efficiency of the proposed IDH and Honeypot, ransomware detection systems [20][14] [23], the same number of samples is tested and validated in both the proposed IDH and Honeypot, ransomware detection systems [20][14] [23]. A confusion matrix is constructed based on the results obtained, and the performance is evaluated based on the accuracy (a ratio of correctly predicted ransomwares to the total number of samples), precision (a ratio of correctly predicted positive ransomwares to the total predicted positive ransomwares) and Recall (a ratio of correctly predicted positive ransomwares to the total number of samples).…”

Section: A Discussionmentioning

confidence: 99%

“…When the CryptoLocker starts to encrypt the files, the Honeyfolder sends an alert regarding the suspicious process and halts the process. Furthermore, to verify the process, the AuditWatch calculates the entropy value [23] for encrypted folders and sends the entropy value to the CEP engine. CEP engine correlates the values from the Honeyfolder, AuditWatch, and SDN application and generates an alert based on an advanced set of rules that provides a high degree of output accuracy.…”

Section: Ransomware Detection Using Idhmentioning

confidence: 99%

“…It is observed that the proposed IDH outperforms the existing Honeypot and ransomware detection systems [20][14] [23] in terms of detection accuracy. Figure 12 shows that the proposed IDH is cost-efficient and capable of running in a minimal configuration, and the time taken for ransomware detection is reasonable when deployed in IoT platform.…”

Section: Figure12 Execution Time Of Various Processorsmentioning

confidence: 99%

See 2 more Smart Citations

Design of Intrusion Detection Honeypot Using Social Leopard Algorithm to Detect IoT Ransomware Attacks

et al. 2020

View full text Add to dashboard Cite

In recent times, ransomware has become the most significant cyber-attack targeting individuals, enterprises, healthcare industries, and the Internet of Things (IoT). Existing security systems like Intrusion Detection and Prevention System (IDPS) and Anti-virus (AV) as a single monitoring agent is complicated and timeconsuming, thus fails in ransomware detection. A robust Intrusion Detection Honeypot (IDH) is proposed to address the issues mentioned above. IDH consists of i) Honeyfolder, ii) Audit Watch, and iii) Complex Event Processing (CEP). Honeyfolder is a decoy folder modeled using Social Leopard Algorithm (SoLA), especially for getting attacked and acting as an early warning system to alert the user during the suspicious file activities. AuditWatch is an Entropy module that verifies the entropy of the files and folders. CEP engine is used to aggregate data from different security systems to confirm the ransomware behavior, attack pattern, and promptly respond to them. The proposed IDH is experimentally tested in a secured testbed using more than 20 variants of recent ransomware of all types. The experimental result confirms that the proposed IDH significantly improves the ransomware detection time, rate, and accuracy compared with the existing state of the art ransomware detection model.

show abstract

Section: A Discussionmentioning

confidence: 99%

Section: Ransomware Detection Using Idhmentioning

confidence: 99%

Section: Figure12 Execution Time Of Various Processorsmentioning

confidence: 99%

See 1 more Smart Citation

Design of Intrusion Detection Honeypot Using Social Leopard Algorithm to Detect IoT Ransomware Attacks

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Monitoring file in the users' machine [11]- [13] has been used in the literature to detect ransomware [11]. In [11], the authors used an entropy-based technique to compare the status of original files in the backup and an infected file in its current state, thus stopping the synchronization if file is infected. This is an approach which can be considered as a countermeasure, however it has limitation towards the zero-day detection.…”

Section: Introductionmentioning

confidence: 99%

Avoiding Future Digital Extortion Through Robust Protection Against Ransomware Threats Using Deep Learning Based Adaptive Approaches

et al. 2020

View full text Add to dashboard Cite

Digital extortion has become a major cyber risk for many organizations; small-medium enterprises (SME) to large enterprises business and individual entrepreneurs. Ransomware is a kind of malware that is the main threat to digital extortion and has caused many organizations to lose huge revenue by paying much bigger ransom demands to the cybercriminals in recent years. The explosive growth of ransomware is due to the existing large infection vector such as social engineering, email attachment, zip file download, browsing malicious site, infected search engine which are boosted dramatically by easily available cryptographic tools, Ransomware As a Service (RaaS), increased cloud storage and off-the-self ransomware toolkits. The large infection vector and available toolkits not only grew ransomware extremely, but also made them more obfuscated, encrypted and varying patterns in the new variants. This, in turn, caused the conventional supervised analysis and detection engine to fail to detect the new variants of ransomware. This paper addresses the limitations of conventional supervised detection engine and proposes semi-supervised framework to compute the inherent latent sources of the varying patterns in the new variants in an unsupervised way using deep learning approaches. The proposed framework extracts the inherent characteristics in the varying patterns from the unlabelled ransomware obtained from the wild which is scalable to accommodate upcoming malicious executables. Then the unsupervised learned model is combined with supervised classification, thus constructing an adaptive detection model. The proposed framework has been verified using real ransomware data with a dynamic analysis testbed. Our extensive experimental results and discussion demonstrate that the proposed adaptive framework can successfully identify different variants of ransomware and achieve higher performance than existing supervised approaches.

show abstract

“…Initially, only communication theory used the concept of Shannon entropy. However, subsequently, the Shannon entropy began to be used in many different fields of science and technology such as machine learning [2], biomedical informatics [3], reliability [4], prognostics [5], fault detection [6], condition monitoring [7], maintenance [8], fingerprint recognition [9], geosciences [10], fatigue damage modeling [11], and many others.…”

Section: Introductionmentioning

confidence: 99%

Optimization of Condition Monitoring Decision Making by the Criterion of Minimum Entropy

Raza

Ulansky

2019

Entropy

View full text Add to dashboard Cite

Condition-based maintenance (CBM) is a promising technique for a wide variety of deteriorating systems. Condition-based maintenance’s effectiveness largely depends on the quality of condition monitoring. The majority of CBM mathematical models consider perfect inspections, in which the system condition is assumed to be determined error-free. This article presents a mathematical model of CBM with imperfect condition monitoring conducted at discrete times. Mathematical expressions were derived for evaluating the probabilities of correct and incorrect decisions when monitoring the system condition at a scheduled time. Further, these probabilities were incorporated into the equation of the Shannon entropy. The problem of determining the optimal preventive maintenance threshold at each inspection time by the criterion of the minimum of Shannon entropy was formulated. For the first time, the article showed that Shannon’s entropy is a convex function of the preventive maintenance threshold for each moment of condition monitoring. It was also shown that the probabilities of correct and incorrect decisions depend on the time and parameters of the degradation model. Numerical calculations show that the proposed approach to determining the optimal preventive maintenance threshold can significantly reduce uncertainty when deciding on the condition of the monitoring object.

show abstract

Machine Learning Based File Entropy Analysis for Ransomware Detection in Backup Systems

Cited by 80 publications

References 36 publications

Design of Intrusion Detection Honeypot Using Social Leopard Algorithm to Detect IoT Ransomware Attacks

Design of Intrusion Detection Honeypot Using Social Leopard Algorithm to Detect IoT Ransomware Attacks

Avoiding Future Digital Extortion Through Robust Protection Against Ransomware Threats Using Deep Learning Based Adaptive Approaches

Optimization of Condition Monitoring Decision Making by the Criterion of Minimum Entropy

Contact Info

Product

Resources

About