A new ransomware detection scheme based on tracking file signature and file entropy

Files

Jethva_Brijesh_MASc_2019.pdf (2.33 MB)

Date

2019-08-26

Authors

Jethva, Brijesh

Journal Title

Journal ISSN

Volume Title

Publisher

Abstract

Ransomware is a type of malware that hijack victims’ computers, by encrypting or locking corresponding files, and demanding the payment of some ransom in cryptocurrency for the restoration of the files. The last few years have witnessed a sudden rise in ransomware attack incidents, causing significant amount of financial loss to individuals, institutions, and businesses. In reaction to that, ransomware detection has become an important topic for research in recent years. Currently, there are three types of ransomware detection techniques available in the wild: static, dynamic and hybrid. Unfortunately, the current static detection techniques can be easily evaded by code-obfuscation and encryption techniques. Furthermore, current dynamic and hybrid techniques face difficulties to detect novel ransomware. In the current thesis, we present an upgraded dynamic ransomware detection model with two new sets of features: grouped registry key operation, and combined file entropy and file signature. We analyze the new feature model by exploring and comparing 3 different linear machine learning techniques: SVM, Logistic Regression and Random Forest. The proposed approach help achieves improved detection accuracy and provides the ability to detect novel ransomware. Furthermore, the proposed approach helps differentiate user-triggered encryption from ransomware-triggered encryption, which allows saving as many files as possible during an attack. To conduct our study, we use a new public ransomware detection dataset collected at the ISOT lab, which consists of 666 ransomware and 103 benign binaries. Our experimental results show that our proposed approach achieves relatively high accuracy in detecting both previously seen and novel ransomware samples.

Description

Keywords

Dynamic Malware Detection, Machine Learning, Ransomware, File Entropy & File Signature

Citation

URI

http://hdl.handle.net/1828/11066

Collections

ETD (Electronic Theses and Dissertations)
Theses (Electrical and Computer Engineering)
 
University of Victoria Libraries

We acknowledge and respect the Lək̓ʷəŋən (Songhees and Esquimalt) Peoples on whose territory the university stands, and the Lək̓ʷəŋən and W̱SÁNEĆ Peoples whose historical relationships with the land continue to this day.