Majority Voting Approach to Ransomware Detection: Behaviour Analysis
June 13th, 2024
In this paper, researchers propose a new majority voting approach to ransomware detection.
Academic Research Paper
Part of HackerNoon's growing list of open-source research papers, promoting free access to academic material.

Authors:

(1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk);

(2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK;

(3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK.

3.4. Behaviour Analysis

The actions and behaviour exhibited by the ransomware can also be monitored to identify suspicious behaviour. These tests are outlined below.

Modification of System Restore Points. System restore points are used to recover a system's state or file system files. There are very few occasions where a process needs to issue commands relating to system restore points, especially concerning their deletion. The state of the system's restore points is monitored during the execution of the process under investigation to determine whether they are modified.


This test was applied to the running process. If the system's restore points remained intact two minutes after the launch of the process, the test passed and the process was considered benign; otherwise, if the restore points had been altered or deleted, the test failed and the process was considered malicious.


Process escalation. Some ransomware processes attempt to gain elevated access to resources that are normally protected from an application or user. This is attempted so that the process can gain deeper and broader control of the system, allowing it to perform more destructive actions. Identification of such behaviour would prove to be a useful indicator of malicious activity.


This test was applied to the running process. If the running process achieved elevated access or spawned a child process with elevated access, the test failed and the process was considered malicious; otherwise, if its access remained unchanged, the test passed and the process was considered benign.
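The decision rules of the two behaviour tests above, expressed as an added example that is not the paper's code. The paper applied the tests to a live process; this block models the same pass/fail logic over recorded observations. The data model (a restore-point snapshot taken at launch and again two minutes later, and a list of process events carrying pid, parent pid and integrity level), the integrity-level ranking and all sample records are constructed assumptions, not values from the paper.

```python
"""Behaviour tests from Section 3.4 over constructed observation data.

Added example (not the paper's code). The restore-point and process records
below are constructed; field names and integrity labels are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Windows integrity levels, ranked so that "elevated" means a higher rank
# than the level the investigated process was launched with (assumption).
INTEGRITY_RANK: Dict[str, int] = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


@dataclass(frozen=True)
class RestorePoint:
    sequence_number: int
    description: str
    creation_time: str  # ISO-8601 text, constructed


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    integrity: str  # one of INTEGRITY_RANK's keys
    time_s: float   # seconds after the investigated process was launched


def restore_point_test(baseline: Iterable[RestorePoint],
                       observed: Iterable[RestorePoint]) -> bool:
    """Pass (True) when every baseline restore point is still present and
    unchanged in the snapshot taken two minutes after launch; fail (False)
    when any has been altered or deleted. Points created in between are
    not a modification of the existing ones and do not fail the test."""
    base = {rp.sequence_number: rp for rp in baseline}
    seen = {rp.sequence_number: rp for rp in observed}
    return all(seq in seen and seen[seq] == rp for seq, rp in base.items())


def _descendants(events: Iterable[ProcessEvent], root_pid: int) -> Set[int]:
    """Collect root_pid and every pid reachable from it through parent links."""
    children: Dict[int, List[int]] = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev.pid)
    tree, stack = {root_pid}, [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in tree:
                tree.add(child)
                stack.append(child)
    return tree


def escalation_test(events: List[ProcessEvent], root_pid: int) -> bool:
    """Pass (True) when neither the investigated process nor any child it
    spawns is ever observed above the integrity level it was launched with;
    fail (False) on any elevated observation inside that process tree."""
    launch = min((e for e in events if e.pid == root_pid), key=lambda e: e.time_s)
    launch_rank = INTEGRITY_RANK[launch.integrity]
    tree = _descendants(events, root_pid)
    return all(INTEGRITY_RANK[e.integrity] <= launch_rank
               for e in events if e.pid in tree)


def run_behaviour_tests(baseline, observed, events, root_pid) -> Dict[str, str]:
    """Map each test name to the paper's verdict wording for that test."""
    def verdict(passed: bool) -> str:
        return "benign" if passed else "malicious"
    return {
        "restore_points": verdict(restore_point_test(baseline, observed)),
        "process_escalation": verdict(escalation_test(events, root_pid)),
    }


# --- constructed sample observations -------------------------------------
BASELINE = [RestorePoint(1, "Windows Update", "2024-06-01T08:00:00"),
            RestorePoint(2, "Manual checkpoint", "2024-06-05T12:30:00")]
BENIGN_OBSERVED = BASELINE + [RestorePoint(3, "Installer", "2024-06-13T10:02:00")]
WIPED_OBSERVED: List[RestorePoint] = []   # every point gone after two minutes

BENIGN_EVENTS = [ProcessEvent(1000, 400, "Medium", 0.0),
                 ProcessEvent(1001, 1000, "Medium", 5.0)]
ELEVATING_EVENTS = [ProcessEvent(2000, 400, "Medium", 0.0),
                    ProcessEvent(2001, 2000, "High", 12.0),   # elevated child
                    ProcessEvent(2002, 2001, "High", 13.0)]


if __name__ == "__main__":
    print(run_behaviour_tests(BASELINE, BENIGN_OBSERVED, BENIGN_EVENTS, 1000))
    print(run_behaviour_tests(BASELINE, WIPED_OBSERVED, ELEVATING_EVENTS, 2000))
```

The escalation check walks the whole descendant tree rather than only direct children, so elevation reached through an intermediate child still fails the test, while an unrelated elevated process outside the tree does not. Each test returns its own verdict, which is the form a later combination step would consume.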


Table 3: Possible classification outcomes (table image not reproduced in this extract)

Table 4: File Test Performance Metrics (table image not reproduced in this extract)


This paper is available on arxiv under CC BY 4.0 DEED license.