Ransomware detection method based on context-aware entropy analysis

Soft Computing

Abstract

Numerous countermeasures have been proposed since ransomware first appeared, yet new ransomware variants continue to emerge and the damage they cause keeps growing. Existing antivirus tools are signature-dependent and cannot easily detect ransomware attack patterns: if the antivirus database does not contain a signature for the new malicious behavior, the new malware cannot be detected. This creates a need for a technique that distinguishes normal from abnormal behavior using a context-aware method. This paper therefore presents a multilateral context-aware ransomware detection and response system model. The proposed model is designed to respond to ransomware preemptively, and post-detection management is also performed. An evaluation was conducted to obtain evidence that the given files were altered by ransomware through analyses based on multiple-context awareness, and entropy information was then used to detect abnormal behavior.
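As an added illustration of the entropy signal the abstract describes (example code written here, not the paper's own method or implementation), the following Python flags a process once several of its writes turn low-entropy files into near-random data; the extension allow-list, the thresholds and the sample events are assumptions constructed for the example.

```python
import math
import os
from collections import Counter, defaultdict

# Assumption: formats that are legitimately high-entropy (compressed or already
# encrypted) are one "context" signal used to suppress false positives.
HIGH_ENTROPY_EXTS = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_write(path: str, before: bytes, after: bytes,
                        high: float = 7.0, min_delta: float = 2.0) -> bool:
    """A write looks like encryption when a normally low-entropy file becomes
    near-random; files that are high-entropy by format are ignored."""
    if os.path.splitext(path)[1].lower() in HIGH_ENTROPY_EXTS:
        return False
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= high and (e_after - e_before) >= min_delta

def flag_processes(events, min_hits: int = 3) -> set:
    """events: iterable of (process, path, before_bytes, after_bytes).
    Returns the processes whose suspicious-write count reaches min_hits."""
    hits = defaultdict(int)
    for proc, path, before, after in events:
        if is_suspicious_write(path, before, after):
            hits[proc] += 1
    return {p for p, c in hits.items() if c >= min_hits}

# Constructed sample data (not from the paper).
TEXT = b"The quick brown fox jumps over the lazy dog. " * 20
RANDOMISH = bytes(range(256)) * 4     # stands in for ciphertext; entropy is 8.0

SAMPLE_EVENTS = [
    ("suspect.exe", "/home/u/notes.txt", TEXT, RANDOMISH),
    ("suspect.exe", "/home/u/report.docx", TEXT, RANDOMISH),
    ("suspect.exe", "/home/u/budget.csv", TEXT, RANDOMISH),
    ("suspect.exe", "/home/u/photo.jpg", RANDOMISH, RANDOMISH),   # format context
    ("editor", "/home/u/todo.txt", TEXT, TEXT + b" Buy milk."),   # benign edit
    ("backup", "/home/u/archive.zip", RANDOMISH[:512], RANDOMISH),  # benign
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))   # {'suspect.exe'}
```

Real ciphertext sits just below 8.0 bits per byte, which is why the check uses a threshold rather than equality.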


Acknowledgements

This research was supported by the Ministry of Science and ICT (MSIT), Korea, under the Information Technology Research Center (ITRC) support program (IITP-2017-2016-0-00304) supervised by the Institute for Information and communications Technology Promotion (IITP).

Author information

Corresponding author

Correspondence to Yoojae Won.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Communicated by G. Yi.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Jung, S., Won, Y. Ransomware detection method based on context-aware entropy analysis. Soft Comput 22, 6731–6740 (2018). https://doi.org/10.1007/s00500-018-3257-z
