
Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption


Bibliographic Details
Main authors: Lee, Jaehyuk, Lee, Sun-Young, Yim, Kangbin, Lee, Kyungroul
Format: Online Article Text
Language: English
Published: MDPI 2023
Subjects:
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10221448/
https://www.ncbi.nlm.nih.gov/pubmed/37430642
http://dx.doi.org/10.3390/s23104728
collection PubMed
description Ransomware is one type of malware that involves restricting access to files by encrypting files stored on the victim’s system and demanding money in return for file recovery. Although various ransomware detection technologies have been introduced, existing ransomware detection technologies have certain limitations and problems that affect their detection ability. Therefore, there is a need for new detection technologies that can overcome the problems of existing detection methods and minimize the damage from ransomware. A technology that detects files infected by ransomware by measuring the entropy of files has been proposed. However, from an attacker’s point of view, neutralization technology can bypass entropy-based detection. A representative neutralization method is one that decreases the entropy of encrypted files by using an encoding technology such as base64. However, files infected by ransomware can still be detected by measuring entropy after decoding the encoded files, which, in turn, means the failure of that ransomware detection-neutralization technology. Therefore, this paper derives three requirements, from the perspective of an attacker, for a more sophisticated ransomware detection-neutralization method to have novelty. These requirements are (1) it must not be decodable; (2) it must support encryption using secret information; and (3) the entropy of the generated ciphertext must be similar to that of the plaintext. The proposed neutralization method satisfies these requirements, supports encryption without decoding, and applies format-preserving encryption that can adjust the input and output lengths.
To overcome the limitations of neutralization technology based on an encoding algorithm, we utilized format-preserving encryption, which allows the attacker to manipulate the entropy of the ciphertext as desired by changing the expression range of numbers and freely controlling the input and output lengths. To apply format-preserving encryption, the Byte Split, BinaryToASCII, and Radix Conversion methods were evaluated, and an optimal neutralization method was derived from the experimental results of these three methods. In a comparative analysis of neutralization performance against existing studies, when the entropy threshold value was 0.5 in the Radix Conversion method, which was the optimal neutralization method derived in this study, the neutralization accuracy was improved by 96% on the PPTX file format. The results of this study provide clues for future studies to derive a plan to counter technology that can neutralize ransomware detection.
id pubmed-10221448
institution National Center for Biotechnology Information
record_format MEDLINE/PubMed
journal Sensors (Basel), Article
published MDPI 2023-05-13
license © 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
topic Article