Authors:
(1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk);
(2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK;
(3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Table of Links Abstract and 1 Introduction
2. Related Work
3. Methodology and 3.1. File Content Analysis
3.2. File Name Analysis
3.3. Executable Analysis
3.4. Behaviour Analysis
4. Evaluation and Discussion
4.1. Majority Voting
5. Conclusion
5.1. Limitations
5.2. Future Work
References and Appendix 3.4. Behaviour Analysis The actions and behaviour exhibited by the ransomware can also be monitored to identify suspicious behaviour. These tests are outlined below. Modification of System Restore Points. System restore points are used to recover a system’s state or file system files. There are very few occasions where a process needs to issue commands relating to system restore points, especially concerning their deletion. The state of the system’s restore points will be monitored, during the execution of the process under investigation, to determine if they are modified. This test was applied to the running process. If the systems restore points remained intact two minutes after the launch of the process, then the test passed and the process was considered benign, otherwise, if the restore points had been altered or deleted, the test failed and the process was considered malicious. Process escalation Some ransomware processes attempt to gain elevated access to resources that are normally protected from an application or user. This is attempted so that the process can gain deeper and broader control of the system and allow them to perform more destructive actions. Identification of such behaviour would prove to be a useful indicator of malicious activity. This test was applied to the running process. If the running process achieves elevated access or spawns a child process with elevated access then the test fails and the process is considered malicious, otherwise, if the access remains unchanged then the test passed and the process was considered benign. This paper is available on arxiv under CC BY 4.0 DEED license. Authors: (1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk); (2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK; (3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Authors: Authors: (1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk); (2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK; (3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Table of Links Abstract and 1 Introduction 2. Related Work 3. Methodology and 3.1. File Content Analysis 3.2. File Name Analysis 3.3. Executable Analysis 3.4. Behaviour Analysis 4. Evaluation and Discussion 4.1. Majority Voting 5. Conclusion 5.1. Limitations 5.2. Future Work References and Appendix Abstract and 1 Introduction Abstract and 1 Introduction 2. Related Work 2. Related Work 3. Methodology and 3.1. File Content Analysis 3. Methodology and 3.1. File Content Analysis 3.2. File Name Analysis 3.2. File Name Analysis 3.3. Executable Analysis 3.3. Executable Analysis 3.4. Behaviour Analysis 3.4. Behaviour Analysis 4. Evaluation and Discussion 4. Evaluation and Discussion 4.1. Majority Voting 4.1. Majority Voting 5. Conclusion 5. Conclusion 5.1. Limitations 5.1. Limitations 5.2. Future Work 5.2. Future Work References and Appendix References and Appendix 3.4. Behaviour Analysis The actions and behaviour exhibited by the ransomware can also be monitored to identify suspicious behaviour. These tests are outlined below. Modification of System Restore Points. System restore points are used to recover a system’s state or file system files. There are very few occasions where a process needs to issue commands relating to system restore points, especially concerning their deletion. The state of the system’s restore points will be monitored, during the execution of the process under investigation, to determine if they are modified. Modification of System Restore Points. This test was applied to the running process. If the systems restore points remained intact two minutes after the launch of the process, then the test passed and the process was considered benign, otherwise, if the restore points had been altered or deleted, the test failed and the process was considered malicious. Process escalation Some ransomware processes attempt to gain elevated access to resources that are normally protected from an application or user. This is attempted so that the process can gain deeper and broader control of the system and allow them to perform more destructive actions. Identification of such behaviour would prove to be a useful indicator of malicious activity. Process escalation This test was applied to the running process. If the running process achieves elevated access or spawns a child process with elevated access then the test fails and the process is considered malicious, otherwise, if the access remains unchanged then the test passed and the process was considered benign. This paper is available on arxiv under CC BY 4.0 DEED license. This paper is available on arxiv under CC BY 4.0 DEED license. available on arxiv

Part of HackerNoon's growing list of open-source research papers, promoting free access to academic material.

Majority Voting Approach to Ransomware Detection: Evaluation and Discussion

Majority Voting Approach to Ransomware Detection: Majority Voting

Read My Stories

Too Long; Didn't Read

Download free Tech Leaders Productivity Report!

Majority Voting Approach to Ransomware Detection: Behaviour Analysis

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Applications of Verifiable Privacy-Preserving Computing

Beware of These Cryptocurrency Scams

Majority Voting Approach to Ransomware Detection: Related Work

Majority Voting Approach to Ransomware Detection: Conclusion

Majority Voting Approach to Ransomware Detection: References and Appendix

Applications of Verifiable Privacy-Preserving Computing

Beware of These Cryptocurrency Scams

Majority Voting Approach to Ransomware Detection: Related Work

Majority Voting Approach to Ransomware Detection: Conclusion

Majority Voting Approach to Ransomware Detection: References and Appendix

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps