Majority Voting Approach to Ransomware Detection: Conclusion

Authors: (1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk); (2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK; (3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Table of Links Abstract and 1 Introduction 2. Related Work 3. Methodology and 3.1. File Content Analysis 3.2. File Name Analysis 3.3. Executable Analysis 3.4. Behaviour Analysis 4. Evaluation and Discussion 4.1. Majority Voting 5. Conclusion 5.1. Limitations 5.2. Future Work References and Appendix 5. Conclusion This paper proposes a ransomware detection system using a majority voting-based approach. A final malice score is derived from the combination of the results from many discrete tests that are conducted on the target process, its executable file or the output that the process generates. These distinct results are then aggregated and used as input for the malice score generation. Based on this score the target is classified as benign or malicious. The paper proposes 23 main tests that could potentially be used in a ransomware detection system with their outcomes, contributing to the overall malice score. The paper also investigates additional potential metrics that could be used in ransomware detection, for example, the presence of Windows API calls in the binary and executing processes’ volatile memory. This research demonstrates that many of the proposed tests achieved a high degree of accuracy in differentiating between benign and malicious targets. The accuracy was then enhanced when a selection of these tests was then combined into a majority voting model. One proposed majority voting model achieves an accuracy of 0.9989. The collaborative approach in generating the final result has many advantages, for example, some individual tests on some occasions may produce incorrect classifications, but the overall accuracy of the detection system as a whole will be unaffected if the majority of the tests produce the correct results. As this majority voting detection technique relies on well-known and easily understandable discrete tests, then it is easier for the model to be modified, updated and tuned as opposed to a machine learning approach where the weightings and strengths of the learned model can be unknown or difficult to influence. An additional advantage is that while machine learning models require training, the majority voting approach, proposed in this paper, does not. This paper is available on arxiv under CC BY 4.0 DEED license. Authors: (1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk); (2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK; (3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Authors: Authors: (1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk); (2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK; (3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Table of Links Abstract and 1 Introduction 2. Related Work 3. Methodology and 3.1. File Content Analysis 3.2. File Name Analysis 3.3. Executable Analysis 3.4. Behaviour Analysis 4. Evaluation and Discussion 4.1. Majority Voting 5. Conclusion 5.1. Limitations 5.2. Future Work References and Appendix Abstract and 1 Introduction Abstract and 1 Introduction 2. Related Work 2. Related Work 3. Methodology and 3.1. File Content Analysis 3. Methodology and 3.1. File Content Analysis 3.2. File Name Analysis 3.2. File Name Analysis 3.3. Executable Analysis 3.3. Executable Analysis 3.4. Behaviour Analysis 3.4. Behaviour Analysis 4. Evaluation and Discussion 4. Evaluation and Discussion 4.1. Majority Voting 4.1. Majority Voting 5. Conclusion 5. Conclusion 5.1. Limitations 5.1. Limitations 5.2. Future Work 5.2. Future Work References and Appendix References and Appendix 5. Conclusion This paper proposes a ransomware detection system using a majority voting-based approach. A final malice score is derived from the combination of the results from many discrete tests that are conducted on the target process, its executable file or the output that the process generates. These distinct results are then aggregated and used as input for the malice score generation. Based on this score the target is classified as benign or malicious. The paper proposes 23 main tests that could potentially be used in a ransomware detection system with their outcomes, contributing to the overall malice score. The paper also investigates additional potential metrics that could be used in ransomware detection, for example, the presence of Windows API calls in the binary and executing processes’ volatile memory. This research demonstrates that many of the proposed tests achieved a high degree of accuracy in differentiating between benign and malicious targets. The accuracy was then enhanced when a selection of these tests was then combined into a majority voting model. One proposed majority voting model achieves an accuracy of 0.9989. The collaborative approach in generating the final result has many advantages, for example, some individual tests on some occasions may produce incorrect classifications, but the overall accuracy of the detection system as a whole will be unaffected if the majority of the tests produce the correct results. As this majority voting detection technique relies on well-known and easily understandable discrete tests, then it is easier for the model to be modified, updated and tuned as opposed to a machine learning approach where the weightings and strengths of the learned model can be unknown or difficult to influence. An additional advantage is that while machine learning models require training, the majority voting approach, proposed in this paper, does not. This paper is available on arxiv under CC BY 4.0 DEED license. This paper is available on arxiv under CC BY 4.0 DEED license. available on arxiv