Differential Area Analysis for Ransomware Attack Detection within Mixed File Datasets

by   Simon R. Davies, et al.

The threat from ransomware continues to grow both in the number of affected victims as well as the cost incurred by the people and organisations impacted in a successful attack. In the majority of cases, once a victim has been attacked there remain only two courses of action open to them; either pay the ransom or lose their data. One common behaviour shared between all crypto ransomware strains is that at some point during their execution they will attempt to encrypt the users' files. Previous research Penrose et al. (2013); Zhao et al. (2011) has highlighted the difficulty in differentiating between compressed and encrypted files using Shannon entropy as both file types exhibit similar values. One of the experiments described in this paper shows a unique characteristic for the Shannon entropy of encrypted file header fragments. This characteristic was used to differentiate between encrypted files and other high entropy files such as archives. This discovery was leveraged in the development of a file classification model that used the differential area between the entropy curve of a file under analysis and one generated from random data. When comparing the entropy plot values of a file under analysis against one generated by a file containing purely random numbers, the greater the correlation of the plots is, the higher the confidence that the file under analysis contains encrypted data.


page 1

page 2

page 3

page 4


Differential Area Analysis for Ransomware: Attacks, Countermeasures, and Limitations

Crypto-ransomware attacks have been a growing threat over the last few y...

Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification

Ransomware is a malicious class of software that utilises encryption to ...

NapierOne: A modern mixed file data set alternative to Govdocs1

It was found when reviewing the ransomware detection research literature...

Crypto-ransomware detection using machine learning models in file-sharing network scenario with encrypted traffic

Ransomware is considered as a significant threat for most enterprises si...

Reliable Detection of Compressed and Encrypted Data

Several cybersecurity domains, such as ransomware detection, forensics a...

Parallel decompression of gzip-compressed files and random access to DNA sequences

Decompressing a file made by the gzip program at an arbitrary location i...

Fight Virus Like a Virus: A New Defense Method Against File-Encrypting Ransomware

Nowadays ransomware has become a new profitable form of attack. This typ...

Please sign up or login with your details

Forgot password? Click here to reset