Byte Frequency Based Indicators for Crypto-Ransomware Detection from Empirical Analysis  


Authors: Geun Yong Kim, Joon-Young Paik, Yeongcheol Kim, Eun-Sun Cho

Affiliations: [1] Department of Computer Science and Engineering, Chungnam National University, Daejeon 34134, South Korea; [2] School of Computer Science and Technology, Tiangong University, Tianjin 300387, China

Source: Journal of Computer Science & Technology (计算机科学技术学报, English edition), 2022, No. 2, pp. 423-442 (20 pages)

Funding: supported in part by the National Natural Science Foundation of China under Grant No. 61806142; the Natural Science Foundation of Tianjin under Grant No. 18JCYBJC44000; the Tianjin Science and Technology Program under Grant No. 19PTZWHZ00020; and the Institute for Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (Training Key Talents in Industrial Convergence Security) under Grant No. 2019-0-01343.

Abstract: File entropy is one of the major indicators of crypto-ransomware, because encryption by ransomware increases the randomness of file contents. However, entropy-based ransomware detection has certain limitations; for example, when distinguishing ransomware-encrypted files from normal files that inherently have high entropy (compressed or media files), misclassification is very likely. In addition, the cost of evaluating entropy over an entire file renders entropy-based detection impractical for large files. In this paper, we propose two indicators based on byte frequency for use in ransomware detection, termed EntropySA and DistSA; both exploit the characteristics of certain file subareas termed "sample areas" (SAs). For an encrypted file, both the sampled area and the whole file exhibit high randomness, whereas for a plain file the sampled area embeds informative structures such as a file header and thus exhibits relatively low randomness even when the entire file exhibits high randomness. EntropySA and DistSA use "byte frequency" and a variation of byte frequency, respectively, derived from the sampled areas. Both indicators incur less overhead than other entropy-based detection methods, as shown experimentally using realistic ransomware samples. To evaluate the effectiveness and feasibility of our indicators, we also employ three expensive but elaborate classification models (neural network, support vector machine and threshold-based approaches). Using these models, our indicators yielded an average F1-measure of 0.994 and an average detection rate of 99.46% for file encryption attacks by realistic ransomware samples.
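The sample-area idea in the abstract, as an added example that is not the paper's code: Shannon entropy is computed over the byte frequency of the file head only (a 1 KiB leading sample area and a 6.5-bit cut-off are assumptions here, not the paper's parameters) and compared with whole-file entropy on two constructed inputs, a plain file with a structured header and a high-entropy body, and a fully random "encrypted" file.

```python
import math
import random
from collections import Counter


def byte_frequency(data: bytes) -> list[float]:
    """Normalised byte histogram (256 bins); the 'byte frequency' both indicators build on."""
    counts = Counter(data)
    n = max(len(data), 1)
    return [counts.get(b, 0) / n for b in range(256)]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    return -sum(p * math.log2(p) for p in byte_frequency(data) if p > 0)


def entropy_sa(data: bytes, sa_size: int = 1024) -> float:
    """EntropySA-style indicator: entropy of the leading sample area only.
    Reading sa_size bytes keeps the cost independent of file size. Using the
    file head as the sample area is an assumption; the paper's SA layout is not on this page."""
    return shannon_entropy(data[:sa_size])


def classify_by_threshold(data: bytes, sa_size: int = 1024, threshold: float = 6.5) -> str:
    """Threshold-based decision on EntropySA; 6.5 bits is a constructed cut-off, not the paper's."""
    return "encrypted" if entropy_sa(data, sa_size) >= threshold else "plain"


# Constructed samples with a fixed seed so the values are reproducible offline.
_rng = random.Random(2022)

# Plain file: a 1 KiB structured header (magic bytes, ASCII metadata, zero padding) followed by
# 8 KiB of high-entropy body, mimicking a compressed image: high entropy overall, low in the head.
_header = b"\x89PNG\r\n\x1a\n" + b"Title=constructed sample\nAuthor=none\n" * 6
PLAIN_FILE = _header.ljust(1024, b"\x00") + _rng.randbytes(8192)

# "Encrypted" file of the same size: every byte, header included, is uniformly random.
ENCRYPTED_FILE = _rng.randbytes(len(PLAIN_FILE))

if __name__ == "__main__":
    # Whole-file entropy is high for both files; only the sample area separates them.
    for name, blob in (("plain", PLAIN_FILE), ("encrypted", ENCRYPTED_FILE)):
        print(f"{name:9s} whole-file entropy={shannon_entropy(blob):.2f} "
              f"EntropySA={entropy_sa(blob):.2f} -> {classify_by_threshold(blob)}")
```

Note that entropy estimated from a small sample is bounded by log2 of the sample length, so a sample area of a few dozen bytes cannot reach the high values expected of encrypted data; the 1 KiB area above is large enough for random bytes to score well above 7.5 bits.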

Keywords: computer security; cryptography; machine learning; ransomware

Classification: TP309.7 [Automation and Computer Technology: Computer System Architecture]
