Authors:
(1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk);
(2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK;
(3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK.
Table of Links
- Abstract and 1 Introduction
- 2. Related Work
- 3. Methodology and 3.1. File Content Analysis
- 3.2. File Name Analysis
- 3.3. Executable Analysis
- 3.4. Behaviour Analysis
- 4. Evaluation and Discussion
- 4.1. Majority Voting
- 5. Conclusion
- 5.1. Limitations
- 5.2. Future Work
- References and Appendix
4.1. Majority Voting
Reviewing the results of the individual tests described above shows that several of them, both static and dynamic, achieved a high degree of accuracy in differentiating between benign and malicious programs. Others delivered inconclusive results: attempting to identify cryptographic artefacts, identifying a ransom note within the process and executable, and Windows API enumeration. These tests would require further investigation, analysis and modification before they could be relied upon.
It is proposed that a system could be developed that combines the tests found to be accurate in identifying ransomware. Each test casts a vote that contributes to an overall malice score for the target file or process, and the class receiving the most votes decides whether the target is classified as malicious or benign. For example, a system could use the following tests: created file name and extension entropy, well-known extensions, file magic number and printable characters, file content BitByte and entropy values, ransom note creation detection, and system restore point removal detection. Based on the findings of this research, a system configured with these tests would have an accuracy of 0.9989 on the dataset used. Some of the more interesting test results are highlighted in Figure 7.
Reviewing the results for benign programs shown in Figure 7, the majority of tests consider the processes/files to be benign. Even where individual tests occasionally give false positives, the majority of the tests vote correctly in every case, resulting in a correct overall classification. For example, for WEBP files the individual file entropy and BitByte tests achieve a classification accuracy of only around 55%, with 45% of the samples incorrectly classified as malicious; however, because the remaining six tests correctly vote that the file is benign, these files are ultimately classified as benign. Likewise, for the ransomware files, the majority of tests classify the file/process as malicious in most cases. The only exception is that, on very rare occasions, files generated by the Jigsaw ransomware strain may theoretically be misclassified as benign (a false negative) if the majority of tests vote that the file/process is benign.
A major strength of the majority voting approach to ransomware detection is that not every test needs to classify a malicious program correctly every time. With equal weighting on each test's result, a correct vote from a simple majority of the tests is sufficient for the system to classify the target correctly. Further work could investigate whether a weighting or bias should be applied to the test results, so that some tests have a greater influence on the overall classification than others.
Because the detection technique relies on well-understood discrete tests, the detection model is also easier to modify, update and tune than a machine learning model, in which the weightings and strengths of the learned model can be unknown or difficult to influence.
This paper is available on arxiv under CC BY 4.0 DEED license.