Multilayer ransomware detection using grouped registry key operations, file entropy and file signature monitoring
Published in | Journal of computer security Vol. 28; no. 3; pp. 337 - 373 |
---|---|
Main Authors | Jethva, Brijesh; Traoré, Issa; Ghaleb, Asem; Ganame, Karim; Ahmed, Sherif |
Format | Journal Article |
Language | English |
Published | London, England: SAGE Publications (Sage Publications Ltd), 01.01.2020 |
Abstract | The last few years have come with a sudden rise in ransomware attack incidents, causing significant financial losses to individuals, institutions and businesses. In reaction to these attacks, ransomware detection has become an important topic for research in recent years. Currently, there are two broad categories of ransomware detection techniques: signature-based and behaviour-based analyses. On the one hand, signature-based detection, which mainly relies on a static analysis, can easily be evaded by code-obfuscation and encryption techniques. On the other hand, current behaviour-based models, which rely mainly on a dynamic analysis, face difficulties in accurately differentiating between user-triggered encryption from ransomware-triggered encryption. In the current paper, we present an upgraded behavioural ransomware detection model that reinforces the existing feature space with a new set of features based on grouped registry key operations, introducing a monitoring model based on combined file entropy and file signature. We analyze the new feature model by exploring and comparing three different linear machine learning techniques: SVM, logistic regression and random forest. The proposed approach helps achieve improved detection accuracy and provides the ability to detect novel ransomware. Furthermore, the proposed approach helps differentiate user-triggered encryption from ransomware-triggered encryption, allowing saving as many files as possible during an attack. To conduct our study, we use a new public ransomware detection dataset collected in our lab, which consists of 666 ransomware and 103 benign binaries. Our experimental results show that our proposed approach achieves relatively high accuracy in detecting both previously seen and novel ransomware samples. |
---|---|
Author | Jethva, Brijesh (Department of Computer Science, bjethva@uvic.ca); Traoré, Issa (Department of Computer Science); Ghaleb, Asem (Department of Computer Science, aghaleb@uvic.ca); Ganame, Karim (Department of Computer Science, ganame@streamscan.io); Ahmed, Sherif (Department of Computer Science, Sherif.SaadAhmed@uwindsor.ca) |
ContentType | Journal Article |
Copyright | 2020 – IOS Press and the authors. All rights reserved Copyright IOS Press BV 2020 |
DOI | 10.3233/JCS-191346 |
Discipline | Computer Science |
EISSN | 1875-8924 |
EndPage | 373 |
ISSN | 0926-227X |
IsPeerReviewed | true |
IsScholarly | true |
Issue | 3 |
Keywords | file signature; machine learning; file entropy; ransomware detection |
PageCount | 37 |
PublicationDate | 2020-01-01 |
PublicationPlace | London, England |
PublicationTitle | Journal of computer security |
PublicationYear | 2020 |
Publisher | SAGE Publications; Sage Publications Ltd |
StartPage | 337 |
SubjectTerms | Encryption; Entropy; Machine learning; Malware; Monitoring; Multilayers; Ransomware; Regression analysis; Static code analysis |
URI | https://journals.sagepub.com/doi/full/10.3233/JCS-191346 ; https://www.proquest.com/docview/2392644294 |
Volume | 28 |