Majority Voting Ransomware Detection System
Davies, Simon R.; Macfarlane, Rich; Buchanan, William J.
Authors
Simon Davies S.Davies@napier.ac.uk
Visiting Fellow
Rich Macfarlane R.Macfarlane@napier.ac.uk
Associate Professor
Prof Bill Buchanan B.Buchanan@napier.ac.uk
Professor
Abstract
Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many different detection systems have been proposed as solutions to the ever-changing dynamic landscape of ransomware detection. In the majority of cases, these described systems propose a method based on the result of a single test performed on either the executable code, the process under investigation, its behaviour, or its output. In a small subset of ransomware detection systems, the concept of a scorecard is employed where multiple tests are performed on various aspects of a process under investigation and their results are then analysed using machine learning. The purpose of this paper is to propose a new majority voting approach to ransomware detection by developing a method that uses a cumulative score derived from discrete tests based on calculations using algorithmic rather than heuristic techniques. The paper describes 23 candidate tests, as well as 9 Windows API tests, which are validated to determine both their accuracy and viability for use within a ransomware detection system. Using a cumulative score calculation approach to ransomware detection has several benefits, such as immunity to the occasional inaccuracy of individual tests when making its final classification. The system can also leverage multiple tests that can be both comprehensive and complementary in an attempt to achieve a broader, deeper, and more robust analysis of the program under investigation. Additionally, the use of multiple collaborative tests also significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection.
The results achieved by this research demonstrate that many of the proposed tests achieved a high degree of accuracy in differentiating between benign and malicious targets, and suggestions are offered as to how these tests, and combinations of tests, could be adapted to further improve the detection accuracy.
Citation
Davies, S. R., Macfarlane, R., & Buchanan, W. J. (2023). Majority Voting Ransomware Detection System. Journal of Information Security, 14(4), 264-293. https://doi.org/10.4236/jis.2023.144016
| Field | Value |
|---|---|
| Journal Article Type | Article |
| Acceptance Date | Aug 13, 2023 |
| Online Publication Date | Aug 16, 2023 |
| Publication Date | 2023-10 |
| Deposit Date | Aug 16, 2023 |
| Publicly Available Date | Aug 16, 2023 |
| Journal | Journal of Information Security |
| Print ISSN | 2153-1234 |
| Electronic ISSN | 2153-1242 |
| Publisher | Scientific Research Publishing |
| Peer Reviewed | Peer Reviewed |
| Volume | 14 |
| Issue | 4 |
| Pages | 264-293 |
| DOI | https://doi.org/10.4236/jis.2023.144016 |
| Keywords | Ransomware |
Files
Majority Voting Ransomware Detection System
(5.9 MB)
PDF
Publisher Licence URL
http://creativecommons.org/licenses/by/4.0/
You might also like
Comparison Of Common Mathematical Techniques Used In The Calculation Of File Entropy
(2022)
Presentation / Conference Contribution
Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification
(2022)
Journal Article
Review of Current Ransomware Detection Techniques
(2022)
Presentation / Conference Contribution
Exploring the Need For an Updated Mixed File Research Data Set
(2022)
Presentation / Conference Contribution
About Edinburgh Napier Research Repository
Administrator e-mail: repository@napier.ac.uk