The inadequacy of entropy-based ransomware detection

Timothy McIntosh; Julian Jang-Jaccard; Paul Watters; Teo Susnjak

doi:10.1007/978-3-030-36802-9_20

The inadequacy of entropy-based ransomware detection

Timothy McIntosh^*, Julian Jang-Jaccard, Paul Watters, Teo Susnjak

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

76 Citations (Scopus)

Abstract

Many state-of-the-art anti-ransomware implementations monitoring file system activities choose to monitor file entropy-based changes to determine whether the changes may have been committed by ransomware, or to distinguish between compression and encryption operations. However, such detections can be victims of spoofing attacks, when attackers manipulate the entropy values in the expected range during the attacks. This paper explored the limitations of entropy-based ransomware detection on several different file types. We demonstrated how to use Base64-Encoding and Distributed Non-Selective Partial Encryption to manipulate entropy values and to bypass current entropy-based detection mechanisms. By exploiting this vulnerability, attackers can avoid entropy-based detection or degrade detection performance. We recommended that the practice of relying on file entropy change thresholds to detect ransomware encryption should be deprecated.

Original language	English
Title of host publication	Neural Information Processing
Subtitle of host publication	26th International Conference, ICONIP 2019, Proceedings
Editors	Tom Gedeon, Kok Wai Wong, Minho Lee
Place of Publication	Cham, Switzerland
Publisher	Springer, Springer Nature
Pages	181-189
Number of pages	9
ISBN (Electronic)	9783030368029
ISBN (Print)	9783030368012
DOIs	https://doi.org/10.1007/978-3-030-36802-9_20
Publication status	Published - 2019
Externally published	Yes
Event	26th International Conference on Neural Information Processing, ICONIP 2019 - Sydney, Australia Duration: 12 Dec 2019 → 15 Dec 2019

Publication series

Name	Communications in Computer and Information Science
Volume	1143 CCIS
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Conference

Conference	26th International Conference on Neural Information Processing, ICONIP 2019
Country/Territory	Australia
City	Sydney
Period	12/12/19 → 15/12/19

Keywords

Encryption
Entropy
File integrity
Ransomware

Access to Document

10.1007/978-3-030-36802-9_20

Cite this

McIntosh, T., Jang-Jaccard, J., Watters, P., & Susnjak, T. (2019). The inadequacy of entropy-based ransomware detection. In T. Gedeon, K. W. Wong, & M. Lee (Eds.), Neural Information Processing: 26th International Conference, ICONIP 2019, Proceedings (pp. 181-189). (Communications in Computer and Information Science; Vol. 1143 CCIS). Springer, Springer Nature. https://doi.org/10.1007/978-3-030-36802-9_20

McIntosh, Timothy ; Jang-Jaccard, Julian ; Watters, Paul et al. / The inadequacy of entropy-based ransomware detection. Neural Information Processing: 26th International Conference, ICONIP 2019, Proceedings. editor / Tom Gedeon ; Kok Wai Wong ; Minho Lee. Cham, Switzerland : Springer, Springer Nature, 2019. pp. 181-189 (Communications in Computer and Information Science).

@inproceedings{7c61fbf39fb646cc9868833dc283f987,

title = "The inadequacy of entropy-based ransomware detection",

abstract = "Many state-of-the-art anti-ransomware implementations monitoring file system activities choose to monitor file entropy-based changes to determine whether the changes may have been committed by ransomware, or to distinguish between compression and encryption operations. However, such detections can be victims of spoofing attacks, when attackers manipulate the entropy values in the expected range during the attacks. This paper explored the limitations of entropy-based ransomware detection on several different file types. We demonstrated how to use Base64-Encoding and Distributed Non-Selective Partial Encryption to manipulate entropy values and to bypass current entropy-based detection mechanisms. By exploiting this vulnerability, attackers can avoid entropy-based detection or degrade detection performance. We recommended that the practice of relying on file entropy change thresholds to detect ransomware encryption should be deprecated.",

keywords = "Encryption, Entropy, File integrity, Ransomware",

author = "Timothy McIntosh and Julian Jang-Jaccard and Paul Watters and Teo Susnjak",

year = "2019",

doi = "10.1007/978-3-030-36802-9\_20",

language = "English",

isbn = "9783030368012",

series = "Communications in Computer and Information Science",

publisher = "Springer, Springer Nature",

pages = "181--189",

editor = "Tom Gedeon and Wong, \{Kok Wai\} and Minho Lee",

booktitle = "Neural Information Processing",

address = "United States",

note = "26th International Conference on Neural Information Processing, ICONIP 2019 ; Conference date: 12-12-2019 Through 15-12-2019",

}

McIntosh, T, Jang-Jaccard, J, Watters, P & Susnjak, T 2019, The inadequacy of entropy-based ransomware detection. in T Gedeon, KW Wong & M Lee (eds), Neural Information Processing: 26th International Conference, ICONIP 2019, Proceedings. Communications in Computer and Information Science, vol. 1143 CCIS, Springer, Springer Nature, Cham, Switzerland, pp. 181-189, 26th International Conference on Neural Information Processing, ICONIP 2019, Sydney, New South Wales, Australia, 12/12/19. https://doi.org/10.1007/978-3-030-36802-9_20

The inadequacy of entropy-based ransomware detection. / McIntosh, Timothy; Jang-Jaccard, Julian; Watters, Paul et al.
Neural Information Processing: 26th International Conference, ICONIP 2019, Proceedings. ed. / Tom Gedeon; Kok Wai Wong; Minho Lee. Cham, Switzerland: Springer, Springer Nature, 2019. p. 181-189 (Communications in Computer and Information Science; Vol. 1143 CCIS).

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - The inadequacy of entropy-based ransomware detection

AU - McIntosh, Timothy

AU - Jang-Jaccard, Julian

AU - Watters, Paul

AU - Susnjak, Teo

PY - 2019

Y1 - 2019

N2 - Many state-of-the-art anti-ransomware implementations monitoring file system activities choose to monitor file entropy-based changes to determine whether the changes may have been committed by ransomware, or to distinguish between compression and encryption operations. However, such detections can be victims of spoofing attacks, when attackers manipulate the entropy values in the expected range during the attacks. This paper explored the limitations of entropy-based ransomware detection on several different file types. We demonstrated how to use Base64-Encoding and Distributed Non-Selective Partial Encryption to manipulate entropy values and to bypass current entropy-based detection mechanisms. By exploiting this vulnerability, attackers can avoid entropy-based detection or degrade detection performance. We recommended that the practice of relying on file entropy change thresholds to detect ransomware encryption should be deprecated.

AB - Many state-of-the-art anti-ransomware implementations monitoring file system activities choose to monitor file entropy-based changes to determine whether the changes may have been committed by ransomware, or to distinguish between compression and encryption operations. However, such detections can be victims of spoofing attacks, when attackers manipulate the entropy values in the expected range during the attacks. This paper explored the limitations of entropy-based ransomware detection on several different file types. We demonstrated how to use Base64-Encoding and Distributed Non-Selective Partial Encryption to manipulate entropy values and to bypass current entropy-based detection mechanisms. By exploiting this vulnerability, attackers can avoid entropy-based detection or degrade detection performance. We recommended that the practice of relying on file entropy change thresholds to detect ransomware encryption should be deprecated.

KW - Encryption

KW - Entropy

KW - File integrity

KW - Ransomware

UR - https://www.scopus.com/pages/publications/85078484114

U2 - 10.1007/978-3-030-36802-9_20

DO - 10.1007/978-3-030-36802-9_20

M3 - Conference proceeding contribution

AN - SCOPUS:85078484114

SN - 9783030368012

T3 - Communications in Computer and Information Science

SP - 181

EP - 189

BT - Neural Information Processing

A2 - Gedeon, Tom

A2 - Wong, Kok Wai

A2 - Lee, Minho

PB - Springer, Springer Nature

CY - Cham, Switzerland

T2 - 26th International Conference on Neural Information Processing, ICONIP 2019

Y2 - 12 December 2019 through 15 December 2019

ER -

McIntosh T, Jang-Jaccard J, Watters P, Susnjak T. The inadequacy of entropy-based ransomware detection. In Gedeon T, Wong KW, Lee M, editors, Neural Information Processing: 26th International Conference, ICONIP 2019, Proceedings. Cham, Switzerland: Springer, Springer Nature. 2019. p. 181-189. (Communications in Computer and Information Science). doi: 10.1007/978-3-030-36802-9_20

The inadequacy of entropy-based ransomware detection

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this