Cargando…
Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption
Ransomware is one type of malware that involves restricting access to files by encrypting files stored on the victim’s system and demanding money in return for file recovery. Although various ransomware detection technologies have been introduced, existing ransomware detection technologies have cert...
Autores principales: | , , , |
---|---|
Formato: | Online Artículo Texto |
Lenguaje: | English |
Publicado: |
MDPI
2023
|
Materias: | |
Acceso en línea: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10221448/ https://www.ncbi.nlm.nih.gov/pubmed/37430642 http://dx.doi.org/10.3390/s23104728 |
_version_ | 1785049458613944320 |
---|---|
author | Lee, Jaehyuk Lee, Sun-Young Yim, Kangbin Lee, Kyungroul |
author_facet | Lee, Jaehyuk Lee, Sun-Young Yim, Kangbin Lee, Kyungroul |
author_sort | Lee, Jaehyuk |
collection | PubMed |
description | Ransomware is one type of malware that involves restricting access to files by encrypting files stored on the victim’s system and demanding money in return for file recovery. Although various ransomware detection technologies have been introduced, existing ransomware detection technologies have certain limitations and problems that affect their detection ability. Therefore, there is a need for new detection technologies that can overcome the problems of existing detection methods and minimize the damage from ransomware. A technology that can be used to detect files infected by ransomware and by measuring the entropy of files has been proposed. However, from an attacker’s point of view, neutralization technology can bypass detection through neutralization using entropy. A representative neutralization method is one that involves decreasing the entropy of encrypted files by using an encoding technology such as base64. This technology also makes it possible to detect files that are infected by ransomware by measuring entropy after decoding the encoded files, which, in turn, means the failure of the ransomware detection-neutralization technology. Therefore, this paper derives three requirements for a more sophisticated ransomware detection-neutralization method from the perspective of an attacker for it to have novelty. These requirements are (1) it must not be decoded; (2) it must support encryption using secret information; and (3) the entropy of the generated ciphertext must be similar to that of plaintext. The proposed neutralization method satisfies these requirements, supports encryption without decoding, and applies format-preserving encryption that can adjust the input and output lengths. To overcome the limitations of neutralization technology using the encoding algorithm, we utilized format-preserving encryption, which could allow the attacker to manipulate the entropy of the ciphertext as desired by changing the expression range of numbers and controlling the input and output lengths in a very free manner. To apply format-preserving encryption, Byte Split, BinaryToASCII, and Radix Conversion methods were evaluated, and an optimal neutralization method was derived based on the experimental results of these three methods. As a result of the comparative analysis of the neutralization performance with existing studies, when the entropy threshold value was 0.5 in the Radix Conversion method, which was the optimal neutralization method derived from the proposed study, the neutralization accuracy was improved by 96% based on the PPTX file format. The results of this study provide clues for future studies to derive a plan to counter the technology that can neutralize ransomware detection technology. |
format | Online Article Text |
id | pubmed-10221448 |
institution | National Center for Biotechnology Information |
language | English |
publishDate | 2023 |
publisher | MDPI |
record_format | MEDLINE/PubMed |
spelling | pubmed-102214482023-05-28 Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption Lee, Jaehyuk Lee, Sun-Young Yim, Kangbin Lee, Kyungroul Sensors (Basel) Article Ransomware is one type of malware that involves restricting access to files by encrypting files stored on the victim’s system and demanding money in return for file recovery. Although various ransomware detection technologies have been introduced, existing ransomware detection technologies have certain limitations and problems that affect their detection ability. Therefore, there is a need for new detection technologies that can overcome the problems of existing detection methods and minimize the damage from ransomware. A technology that can be used to detect files infected by ransomware and by measuring the entropy of files has been proposed. However, from an attacker’s point of view, neutralization technology can bypass detection through neutralization using entropy. A representative neutralization method is one that involves decreasing the entropy of encrypted files by using an encoding technology such as base64. This technology also makes it possible to detect files that are infected by ransomware by measuring entropy after decoding the encoded files, which, in turn, means the failure of the ransomware detection-neutralization technology. Therefore, this paper derives three requirements for a more sophisticated ransomware detection-neutralization method from the perspective of an attacker for it to have novelty. These requirements are (1) it must not be decoded; (2) it must support encryption using secret information; and (3) the entropy of the generated ciphertext must be similar to that of plaintext. The proposed neutralization method satisfies these requirements, supports encryption without decoding, and applies format-preserving encryption that can adjust the input and output lengths. To overcome the limitations of neutralization technology using the encoding algorithm, we utilized format-preserving encryption, which could allow the attacker to manipulate the entropy of the ciphertext as desired by changing the expression range of numbers and controlling the input and output lengths in a very free manner. To apply format-preserving encryption, Byte Split, BinaryToASCII, and Radix Conversion methods were evaluated, and an optimal neutralization method was derived based on the experimental results of these three methods. As a result of the comparative analysis of the neutralization performance with existing studies, when the entropy threshold value was 0.5 in the Radix Conversion method, which was the optimal neutralization method derived from the proposed study, the neutralization accuracy was improved by 96% based on the PPTX file format. The results of this study provide clues for future studies to derive a plan to counter the technology that can neutralize ransomware detection technology. MDPI 2023-05-13 /pmc/articles/PMC10221448/ /pubmed/37430642 http://dx.doi.org/10.3390/s23104728 Text en © 2023 by the authors. https://creativecommons.org/licenses/by/4.0/Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). |
spellingShingle | Article Lee, Jaehyuk Lee, Sun-Young Yim, Kangbin Lee, Kyungroul Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption |
title | Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption |
title_full | Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption |
title_fullStr | Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption |
title_full_unstemmed | Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption |
title_short | Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption |
title_sort | neutralization method of ransomware detection technology using format preserving encryption |
topic | Article |
url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10221448/ https://www.ncbi.nlm.nih.gov/pubmed/37430642 http://dx.doi.org/10.3390/s23104728 |
work_keys_str_mv | AT leejaehyuk neutralizationmethodofransomwaredetectiontechnologyusingformatpreservingencryption AT leesunyoung neutralizationmethodofransomwaredetectiontechnologyusingformatpreservingencryption AT yimkangbin neutralizationmethodofransomwaredetectiontechnologyusingformatpreservingencryption AT leekyungroul neutralizationmethodofransomwaredetectiontechnologyusingformatpreservingencryption |