Ransomware is a class of malicious software that uses encryption to attack system availability. The target's data is encrypted and held captive by the attacker until a ransom demand is met. A common approach used by many crypto-ransomware detection techniques is to monitor file system activity and attempt to identify encrypted files being written to disk, often using a file's entropy as an indicator of encryption. However, descriptions of these techniques frequently offer little or no discussion of why a particular entropy calculation was selected, or any justification for choosing it over the alternatives. The Shannon method of entropy calculation is the most commonly used technique for identifying encrypted files in crypto-ransomware detection. Since correctly encrypted data should be indistinguishable from random data, the test suites used to validate the output of pseudo-random number generators are also suited to this analysis, alongside the standard statistical measures such as Chi-Square, Shannon entropy and serial correlation. The hypothesis is that there are fundamental differences between the entropy methods, and that the best of them can be used to better detect files encrypted by ransomware. The paper compares the accuracy of 53 distinct tests in differentiating encrypted data from other file types. The testing is broken down into two phases: a first phase that identifies potential candidate tests, and a second phase in which these candidates are thoroughly evaluated. To ensure that the tests were sufficiently robust, the NapierOne dataset is used. This dataset contains thousands of examples of the most commonly used file types, as well as examples of files that have been encrypted by crypto-ransomware.
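To make concrete what the three named measures compute and why Shannon entropy alone is a weak discriminator, here is an added example (not code from the paper or from the NapierOne project) that implements Shannon entropy, the Chi-Square statistic against a uniform byte distribution, and the lag-1 serial correlation coefficient, then runs them over three constructed samples: a deterministic SHA-256 counter-mode keystream standing in for ciphertext, a block of repetitive English text, and the zlib-compressed form of that text. The 7.5 bits/byte threshold, the sample contents and the `sample-key` label are illustrative assumptions, not values taken from the paper.

```python
"""Byte-level randomness metrics of the kind used by entropy-based
crypto-ransomware detectors (Shannon entropy, Chi-Square, serial
correlation), run over three constructed samples."""
import hashlib
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a
    perfectly uniform byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-Square statistic of the byte histogram against a uniform
    distribution over 256 symbols. For genuinely random input the value sits
    near the 255 degrees of freedom; a large value means a skewed histogram."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def serial_correlation(data: bytes) -> float:
    """Lag-1 serial correlation coefficient, computed circularly as the
    'ent' tool does. Near 0 for random bytes, approaching 1 for data in
    which each byte strongly predicts the next."""
    n = len(data)
    if n < 2:
        return 0.0
    x = list(data)
    y = x[1:] + x[:1]  # circular shift, so sum(y) == sum(x)
    sum_x = sum(x)
    sum_xy = sum(a * b for a, b in zip(x, y))
    sum_x2 = sum(a * a for a in x)
    denom = n * sum_x2 - sum_x * sum_x
    if denom == 0:
        return 1.0  # constant input: perfectly correlated
    return (n * sum_xy - sum_x * sum_x) / denom


def metrics(data: bytes) -> dict:
    """All three measures for one blob, as a detector might log them."""
    return {
        "shannon": shannon_entropy(data),
        "chi_square": chi_square(data),
        "serial_correlation": serial_correlation(data),
    }


SHANNON_THRESHOLD = 7.5  # assumed illustrative cut-off, not from the paper


def shannon_flags_encrypted(data: bytes) -> bool:
    """The naive rule many detectors apply: high Shannon entropy => encrypted."""
    return shannon_entropy(data) > SHANNON_THRESHOLD


# --- constructed samples (not real ransomware output) ----------------------
def _keystream(n_blocks: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode."""
    return b"".join(hashlib.sha256(b"sample-key" + i.to_bytes(4, "big")).digest()
                    for i in range(n_blocks))


CIPHERTEXT_SAMPLE = _keystream(2048)  # 64 KiB of keystream

_WORDS = ("the ransomware encrypts files and writes them back to disk while "
          "the detector watches the entropy of every block").split()
_rng = random.Random(1)  # seeded so the sample is reproducible
PLAINTEXT_SAMPLE = " ".join(_rng.choice(_WORDS) for _ in range(12000)).encode()
COMPRESSED_SAMPLE = zlib.compress(PLAINTEXT_SAMPLE, 9)

if __name__ == "__main__":
    for name, blob in (("ciphertext", CIPHERTEXT_SAMPLE),
                       ("plaintext", PLAINTEXT_SAMPLE),
                       ("compressed", COMPRESSED_SAMPLE)):
        m = metrics(blob)
        print(f"{name:10s} n={len(blob):6d} shannon={m['shannon']:.3f} "
              f"chi={m['chi_square']:9.1f} scc={m['serial_correlation']:+.4f} "
              f"flagged={shannon_flags_encrypted(blob)}")
```

Running the script shows the practical point behind the paper's comparison: the keystream and the compressed text both exceed the Shannon threshold, so a detector relying on Shannon entropy alone would flag an ordinary compressed file as ransomware output, whereas the Chi-Square statistic is only expected to sit near 255 for data that is actually indistinguishable from random.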