The Inadequacy of Entropy-Based Ransomware Detection

Cited by: 40
Authors
McIntosh, Timothy [1 ]
Jang-Jaccard, Julian [1 ]
Watters, Paul [2 ]
Susnjak, Teo [1 ]
Affiliations
[1] Massey Univ, Auckland 0632, New Zealand
[2] La Trobe Univ, Bundoora, Vic 3086, Australia
Source
NEURAL INFORMATION PROCESSING, ICONIP 2019, PT V | 2019 / Vol. 1143
Keywords
Ransomware; Entropy; Encryption; File integrity;
DOI
10.1007/978-3-030-36802-9_20
CLC classification
TP18 [Artificial intelligence theory];
Discipline code
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Many state-of-the-art anti-ransomware implementations that monitor file system activity track entropy-based changes in files to determine whether those changes may have been committed by ransomware, or to distinguish compression from encryption operations. However, such detections can fall victim to spoofing attacks, in which attackers keep the entropy values within the expected range during the attack. This paper explored the limitations of entropy-based ransomware detection on several different file types. We demonstrated how Base64 encoding and Distributed Non-Selective Partial Encryption can be used to manipulate entropy values and bypass current entropy-based detection mechanisms. By exploiting this vulnerability, attackers can avoid entropy-based detection or degrade its performance. We recommended that the practice of relying on file entropy change thresholds to detect ransomware encryption be deprecated.
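The abstract's central claim, that an entropy threshold cannot reliably separate ransomware writes from benign ones, can be checked with a few lines of arithmetic. The following is an added example and not code from the paper: it computes Shannon entropy per byte over constructed inputs (a repeated English sentence as plaintext, a chained SHA-256 stream as a deterministic stand-in for ciphertext, and the Base64 encoding of that stream) and runs them through an assumed model of a naive detector that alerts when a write pushes a file's entropy above a threshold of 7.0 bits per byte. The threshold, the sample data and the detector model are all assumptions made for the example.

```python
import base64
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(nbytes: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for encrypted output: a chained SHA-256 stream.

    Constructed so the example runs offline with a reproducible result; genuine
    ciphertext from a modern cipher shows the same near-8-bit entropy profile.
    """
    out = bytearray()
    block = seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:nbytes])


def sample_plaintext(nbytes: int) -> bytes:
    """Constructed document-like text with the skewed byte distribution of prose."""
    sentence = b"The quarterly report lists revenue, expenses and headcount by region. "
    return (sentence * (nbytes // len(sentence) + 1))[:nbytes]


# Assumed threshold of a naive entropy-based detector (bits per byte).
HIGH_ENTROPY_THRESHOLD = 7.0


def naive_detector_flags(before: bytes, after: bytes) -> bool:
    """Assumed detector model: alert when a write lifts a file's entropy above
    the threshold from a previously below-threshold state."""
    return (shannon_entropy(before) <= HIGH_ENTROPY_THRESHOLD
            and shannon_entropy(after) > HIGH_ENTROPY_THRESHOLD)


def compare(nbytes: int = 3072) -> dict:
    """Entropy of plaintext, ciphertext and Base64-encoded ciphertext, plus the
    detector's verdict for each write. nbytes is a multiple of 3 so the Base64
    output carries no '=' padding and its alphabet is exactly 64 symbols, which
    bounds its entropy at log2(64) = 6.0 bits per byte regardless of content."""
    plain = sample_plaintext(nbytes)
    cipher = pseudo_ciphertext(nbytes)
    encoded = base64.b64encode(cipher)
    return {
        "plaintext": shannon_entropy(plain),
        "ciphertext": shannon_entropy(cipher),
        "base64_ciphertext": shannon_entropy(encoded),
        "flags_ciphertext": naive_detector_flags(plain, cipher),
        "flags_base64": naive_detector_flags(plain, encoded),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>18}: {value}")
```

Raw ciphertext lands close to 8 bits per byte and trips the threshold, while the Base64 form of the very same data cannot exceed 6 bits per byte and passes as a benign write, even though the file's contents are just as unrecoverable. A detector tuned to the high-entropy profile of raw ciphertext therefore has a blind spot that no choice of threshold closes, which is the reason the paper recommends deprecating entropy-change thresholds as a stand-alone signal and the motivation for corroborating with other evidence such as file integrity checks.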
Pages: 181 / 189
Page count: 9