Interdisciplinary Program of Information & Protection, Mokpo National University, Muan 58554, Republic of Korea.
Department of Information Security Engineering, Soonchunhyang University, Asan 31538, Republic of Korea.
Sensors (Basel). 2023 May 13;23(10):4728. doi: 10.3390/s23104728.
Ransomware is a type of malware that restricts access to files by encrypting those stored on the victim's system and demands money in return for their recovery. Although various ransomware detection technologies have been introduced, existing ones have limitations that affect their detection ability. Therefore, new detection technologies are needed that overcome the problems of existing methods and minimize the damage caused by ransomware. One proposed technology detects files infected by ransomware by measuring the entropy of the files. However, from an attacker's point of view, this entropy-based detection can be bypassed by a neutralization technology. A representative neutralization method decreases the entropy of encrypted files by applying an encoding technology such as base64. Yet the detection technology can still identify ransomware-infected files by measuring entropy after decoding the encoded files, which in turn means the failure of this ransomware detection-neutralization technology. Therefore, this paper derives three requirements, from the attacker's perspective, that a more sophisticated ransomware detection-neutralization method must satisfy to be novel: (1) it must not be decodable; (2) it must support encryption using secret information; and (3) the entropy of the generated ciphertext must be similar to that of the plaintext. The proposed neutralization method satisfies these requirements, supports encryption without decoding, and applies format-preserving encryption that can adjust the input and output lengths.
To overcome the limitations of neutralization technology based on an encoding algorithm, we utilized format-preserving encryption, which allows the attacker to manipulate the entropy of the ciphertext as desired by changing the representation range of the numbers and controlling the input and output lengths very freely. To apply format-preserving encryption, the Byte Split, BinaryToASCII, and Radix Conversion methods were evaluated, and an optimal neutralization method was derived from the experimental results of these three methods. In a comparative analysis of neutralization performance against existing studies, when the entropy threshold was 0.5 in the Radix Conversion method, the optimal neutralization method derived in this study, the neutralization accuracy improved by 96% for the PPTX file format. The results of this study provide clues for future studies to derive a plan to counter technologies that can neutralize ransomware detection technology.
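The entropy-based detector and its decode-and-remeasure check described above, as an added illustration that is not code from the paper: Shannon entropy is measured in bits per byte, an encoding layer (base64) is stripped and the entropy measured again, so the base64 neutralization fails while plaintext stays below the threshold. The 7.0 bits/byte threshold and the sample inputs are constructed assumptions, not values from the study.

```python
import base64
import binascii
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_base64(data: bytes) -> bool:
    """True only if data is canonical base64 (strict alphabet, round-trips)."""
    try:
        return base64.b64encode(base64.b64decode(data, validate=True)) == data
    except (ValueError, binascii.Error):
        return False


def classify(data: bytes, threshold: float = 7.0) -> tuple:
    """Return (verdict, entropy). Assumed threshold: 7.0 bits per byte."""
    h = shannon_entropy(data)
    if h >= threshold:
        return ("encrypted", h)
    # An encoding layer lowers the measured entropy of ciphertext; strip it
    # and measure again, which is the check that defeats base64 neutralization.
    if looks_base64(data):
        h_inner = shannon_entropy(base64.b64decode(data))
        if h_inner >= threshold:
            return ("encrypted-base64", h_inner)
    return ("plain", h)


# Constructed samples: a maximally uniform byte stream standing in for ciphertext,
# its base64-"neutralized" form, and a low-entropy plaintext.
CIPHERTEXT_SAMPLE = bytes(range(256)) * 16
ENCODED_SAMPLE = base64.b64encode(CIPHERTEXT_SAMPLE)
PLAINTEXT_SAMPLE = b"Ransomware encrypts files and demands payment for recovery. " * 64

if __name__ == "__main__":
    for name, blob in (("ciphertext", CIPHERTEXT_SAMPLE),
                       ("base64 ciphertext", ENCODED_SAMPLE),
                       ("plaintext", PLAINTEXT_SAMPLE)):
        verdict, h = classify(blob)
        print(f"{name:18s} entropy={shannon_entropy(blob):.3f} -> {verdict} ({h:.3f})")
```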