
Majority Voting Approach to Ransomware Detection: Behaviour Analysis

Too Long; Didn't Read

In this paper, researchers propose a new majority voting approach to ransomware detection.

Authors:

(1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK ([email protected]);

(2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK;

(3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK.

3.4. Behaviour Analysis

The actions and behaviour exhibited by the ransomware can also be monitored to identify suspicious behaviour. These tests are outlined below.


Modification of System Restore Points. System restore points are used to recover a system’s state or file system files. There are very few occasions where a process needs to issue commands relating to system restore points, especially concerning their deletion. The state of the system’s restore points will be monitored, during the execution of the process under investigation, to determine if they are modified.


This test was applied to the running process. If the system's restore points remained intact two minutes after the launch of the process, the test passed and the process was considered benign; otherwise, if the restore points had been altered or deleted, the test failed and the process was considered malicious.


Process escalation. Some ransomware processes attempt to gain elevated access to resources that are normally protected from an application or user. This is attempted so that the process can gain deeper and broader control of the system, allowing it to perform more destructive actions. Identification of such behaviour would prove to be a useful indicator of malicious activity.


This test was applied to the running process. If the running process achieved elevated access or spawned a child process with elevated access, the test failed and the process was considered malicious; otherwise, if the access level remained unchanged, the test passed and the process was considered benign.
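The two behaviour tests above, written out as detection logic over constructed observations. This is an added example, not the authors' code: the restore-point snapshots and the process events are made up, and `ProcEvent`, `descendants` and the test functions are hypothetical names chosen here.

```python
from dataclasses import dataclass

# Constructed restore-point snapshot taken at process launch: {sequence_number: description}.
RESTORE_POINTS_BEFORE = {11: "Windows Update", 12: "Driver install", 13: "Manual"}

@dataclass(frozen=True)
class ProcEvent:
    """One constructed process observation: pid, parent pid, elevated-access flag."""
    pid: int
    ppid: int
    elevated: bool

# Constructed process events: pid 100 is benign; pid 200's grandchild (202) gains elevation.
EVENTS = [
    ProcEvent(100, 1, False), ProcEvent(101, 100, False),
    ProcEvent(200, 1, False), ProcEvent(201, 200, False), ProcEvent(202, 201, True),
]
AFTER_BENIGN = dict(RESTORE_POINTS_BEFORE)   # snapshot unchanged after the window
AFTER_SUSPECT = {13: "Manual"}               # points 11 and 12 were deleted

def restore_point_test(before: dict, after: dict) -> bool:
    """Pass (True) if every restore point present at launch is still present and
    unchanged at the end of the observation window (two minutes in the paper).
    Newly created points are not treated as modification of the existing ones."""
    return all(after.get(seq) == desc for seq, desc in before.items())

def descendants(root_pid: int, events: list) -> set:
    """Return root_pid plus every pid transitively spawned under it."""
    found, frontier = {root_pid}, [root_pid]
    while frontier:
        parent = frontier.pop()
        for ev in events:
            if ev.ppid == parent and ev.pid not in found:
                found.add(ev.pid)
                frontier.append(ev.pid)
    return found

def escalation_test(root_pid: int, launched_elevated: bool, events: list) -> bool:
    """Pass (True) if neither the process nor any child/grandchild holds elevated
    access it did not have at launch; any gain fails the test (malicious)."""
    if launched_elevated:
        return True  # access level cannot have changed upward; treat as unchanged
    tree = descendants(root_pid, events)
    return not any(ev.elevated and ev.pid in tree for ev in events)

def behaviour_verdict(root_pid: int, launched_elevated: bool,
                      before: dict, after: dict, events: list) -> dict:
    """Per-test outcome for one process: True = passed (benign), False = failed (malicious)."""
    return {"restore_points": restore_point_test(before, after),
            "escalation": escalation_test(root_pid, launched_elevated, events)}
```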


Table 3: Possible classification outcomes


Table 4: File Test Performance Metrics


This paper is available on arxiv under CC BY 4.0 DEED license.