Comparison Of Common Mathematical Techniques Used In The Calculation Of File Entropy

Davies, Simon R.; Macfarlane, Richard

Abstract

The research described in this paper focuses on the use of mathematical techniques to identify high entropy encrypted files generated during the execution of ransomware. A common approach used by many ransomware detection techniques is to monitor file system activity and attempt to identify encrypted files being written to disk, often using the file's entropy as an indicator of encryption. However, often in the description of these techniques, little or no discussion is made as to why a particular entropy calculation technique is used, nor is any justification given as to why one technique was selected over the alternatives. The paper compares the suitability of five of the most common mathematical techniques currently being used for entropy calculation: Chi-Square (χ²), Shannon Entropy, Mean Average, Monte Carlo estimation, and Serial Correlation. During the testing, the five separate entropy values were calculated for each of the 245,000 target files, resulting in nearly 1.2 million separate calculations. The overall accuracy of each individual test's ability to differentiate between high entropy files encrypted using ransomware and other file types is then evaluated. Each test is compared using this metric in an attempt to identify the entropy method most suited for encrypted file identification. The hypothesis is that there is a fundamental difference between different entropy methods and that the best methods can be used to better detect ransomware encrypted files.

Citation

Davies, S. R., & Macfarlane, R. (2022, November). Comparison Of Common Mathematical Techniques Used In The Calculation Of File Entropy. Presented at 2022 International Conference on Electrical, Computer, Communications and Mechatronics Engineering (ICECCME), Maldives

Presentation Conference Type: Conference Paper (Published)
Conference Name: 2022 International Conference on Electrical, Computer, Communications and Mechatronics Engineering (ICECCME)
Start Date: Nov 16, 2022
End Date: Nov 18, 2022
Acceptance Date: Nov 16, 2022
Online Publication Date: Dec 30, 2022
Publication Date: 2022
Deposit Date: Jan 13, 2023
Publisher: Institute of Electrical and Electronics Engineers
Book Title: 2022 International Conference on Electrical, Computer, Communications and Mechatronics Engineering (ICECCME)
DOI: https://doi.org/10.1109/iceccme55909.2022.9988132