Research Article

Reliability of Entropy-based Malware Detection as a Single Method in Preventing Ransomware Attacks (original Turkish title: Entropi Temelli Kötü Amaçlı Yazılım Tespit Yönteminin Fidye Yazılımı Saldırılarını Önlemede Tek Başına Güvenilirliği)

Year 2024, EARLY VIEW, 1 - 1
https://doi.org/10.2339/politeknik.1537076

Abstract

As ransomware attacks have grown more sophisticated, traditional methods have begun to fall short in detecting and preventing threats, and modern malware detection methods have come into use. These are behavior-based, system-based, resource-based, connection-based and entropy-based ransomware detection. In this study, the entropy values of malware samples detected with the help of the Binalyze AIR and Binalyze Tactical tools were evaluated in order to assess how effective the entropy-based malware detection method is at detecting and preventing ransomware attacks. As the results of our comprehensive field study, in which 41,477 malware samples were evaluated, show, the entropy-based method has advantages (it is easy to apply, it can be integrated with other methods, and it produces results quickly), but when used on its own it can yield high rates of both false positives and false negatives. The entropy-based method is not reliable on its own unless it is combined with hybrid models. More advanced and holistic approaches must be adopted to provide effective cyber security defenses.
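To make the abstract's claim concrete, the following is an added example written for this page, not code from the paper or from Binalyze. It computes byte-level Shannon entropy [8] over constructed samples and reproduces the two failure modes the abstract describes: a zlib-compressed document is flagged by an entropy-only rule (false positive), and base64-encoding the ciphertext pulls its entropy below the threshold (false negative), the encoding trick studied in [36]. A minimal hybrid rule (entropy gate plus a second, independent signal) removes the false positive but not the false negative. The 7.0 bits/byte threshold, the magic-byte list and all sample data are assumptions made for the example.

```python
"""Added example (not from the paper): byte-level Shannon entropy as a
ransomware indicator and the two ways it fails when used on its own.
Assumptions: a hypothetical 7.0 bits/byte threshold, a hand-picked list of
format magic bytes, and constructed sample data (no real malware)."""
import base64
import math
import random
import zlib
from collections import Counter

THRESHOLD_BITS = 7.0  # hypothetical decision threshold (bits per byte)

# Constructed list of formats that are legitimately close to 8 bits/byte.
KNOWN_COMPRESSED_MAGIC = (
    b"\x78\x9c",      # zlib, default compression level
    b"\x78\xda",      # zlib, best compression
    b"\x1f\x8b",      # gzip
    b"PK\x03\x04",    # zip / docx / xlsx / jar
    b"\x89PNG",       # png
    b"\xff\xd8\xff",  # jpeg
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_only_verdict(data: bytes) -> str:
    """A detector that looks at nothing but the entropy value."""
    return "suspicious" if shannon_entropy(data) >= THRESHOLD_BITS else "benign"


def hybrid_verdict(data: bytes) -> str:
    """Entropy as a first-stage gate, then an independent second signal.

    Here the second signal is only a format-magic check; a real hybrid
    model would add behavioural, I/O and process telemetry as well.
    """
    if shannon_entropy(data) < THRESHOLD_BITS:
        return "benign"
    if data.startswith(KNOWN_COMPRESSED_MAGIC):
        return "benign-compressed"
    return "suspicious"


def build_samples(seed: int = 1337) -> dict:
    """Constructed inputs: a document, a compressed copy of it, a stand-in
    for ransomware output (uniform random bytes, which is what a modern
    cipher's output looks like to this measure), and that output base64-encoded."""
    rng = random.Random(seed)
    vocab = [f"word{i:02d}" for i in range(50)]
    document = " ".join(rng.choice(vocab) for _ in range(20000)).encode()
    ciphertext = bytes(rng.getrandbits(8) for _ in range(16384))
    return {
        "plaintext": document,
        "zlib_compressed": zlib.compress(document),
        "random_ciphertext": ciphertext,
        "base64_ciphertext": base64.b64encode(ciphertext),
    }


def run_demo(seed: int = 1337) -> dict:
    """Return entropy and both verdicts for every constructed sample."""
    return {
        name: {
            "entropy": round(shannon_entropy(data), 3),
            "entropy_only": entropy_only_verdict(data),
            "hybrid": hybrid_verdict(data),
        }
        for name, data in build_samples(seed).items()
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18s} entropy={result['entropy']:.3f} "
              f"entropy_only={result['entropy_only']:18s} hybrid={result['hybrid']}")
```

The base64 case is the instructive one: an encoder with 64 output symbols can never exceed 6 bits/byte, so any fixed entropy threshold above that is blind to it regardless of how strong the underlying encryption is, which is why the abstract insists on combining entropy with other signals rather than tuning the threshold.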

Acknowledgements

I thank my advisors, the journal editor and the field editor.

References

  • [1] Cabaj K, Gregorczyk M, Mazurczyk W, “Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics”, Computers & Electrical Engineering, 66:353-68, (2018).
  • [2] Paik J-Y, Choi J-H, Jin R, Wang J, Cho E-S, “A storage-level detection mechanism against crypto-ransomware”, Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, (2018).
  • [3] Al-Rimy BAS, Maarof MA, Shaid SZM, “Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions”, Computers & Security, 74:144-66, (2018).
  • [4] Kim D, Kim S, “Design of quantification model for ransom ware prevent”, World Journal of Engineering and Technology, 3(03):203, (2015).
  • [5] Song S, Kim B, Lee S, “The effective ransomware prevention technique using process monitoring on android platform”, Mobile Information Systems, (2016-1):2946735, (2016).
  • [6] Nieuwenhuizen D., “A behavioural-based approach to ransomware detection”, Whitepaper MWR Labs Whitepaper, 2017:20, (2017).
  • [7] Ahmadian MM, Shahriari HR, Ghaffarian SM, “Connection-monitor & connection-breaker: A novel approach for prevention and detection of high survivable ransomwares”, 2015 12th International Iranian society of cryptology conference on information security and cryptology (ISCISC), 2015: IEEE, (2015).
  • [8] Shannon CE, “A mathematical theory of communication”, The Bell system technical journal, 27(3):379-423, (1948).
  • [9] Davies SR, Macfarlane R, Buchanan WJ, “Differential area analysis for ransomware attack detection within mixed file datasets”, Computers & Security, 108:102377, (2021).
  • [10] Saxe J, Berlin K, “Deep neural network based malware detection using two dimensional binary program features”, 2015 10th international conference on malicious and unwanted software (MALWARE), 2015: IEEE, (2015).
  • [11] Lee K, Lee S-Y, Yim K, “Effective ransomware detection using entropy estimation of files for cloud services”, International Symposium on Pervasive Systems, Algorithms and Networks, 2019: Springer, (2019).
  • [12] Kornblum J, “Identifying almost identical files using context triggered piecewise hashing”, Digital investigation, 3:91-7, (2006).
  • [13] Deng X, Jiang M, Cen M, “A Ransomware Classification Method Based on Entropy Map”, 2022 IEEE 21st International Conference on Ubiquitous Computing and Communications (IUCC/CIT/DSCI/SmartCNS), 2022: IEEE, (2022).
  • [14] You I, Yim K, “Malware obfuscation techniques: A brief survey”, 2010 International conference on broadband, wireless computing, communication and applications, 2010: IEEE, (2010).
  • [15] Lyda R, Hamrock J, “Using entropy analysis to find encrypted and packed malware”, IEEE Security & Privacy, 5(2):40-5, (2007).
  • [16] Paik JY, Jin R, Cho ES, “Malware classification using a byte‐granularity feature based on structural entropy”, Computational Intelligence, 38(4):1536-58, (2022).
  • [17] Shafiq MZ, Khayam SA, Farooq M, “Embedded malware detection using markov n-grams”, International conference on detection of intrusions and malware, and vulnerability assessment, 2008: Springer, (2008).
  • [18] Han J, Lin Z, Porter DE, “On the effectiveness of behavior-based ransomware detection”, Security and Privacy in Communication Networks: 16th EAI International Conference, SecureComm 2020, Washington, DC, USA, October 21-23, 2020, Proceedings, Part II 16, 2020: Springer, (2020).
  • [19] Davies SR, Macfarlane R, Buchanan WJ, “Comparison of entropy calculation methods for ransomware encrypted file identification”, Entropy, 24(10):1503, (2022).
  • [20] Hsu C-M, Yang C-C, Cheng H-H, Setiasabda PE, Leu J-S, “Enhancing file entropy analysis to improve machine learning detection rate of ransomware”, IEEE Access, 9:138345-51, (2021).
  • [21] Fridrich J, Goljan M, Du R, “Detecting LSB steganography in color, and gray-scale images”, IEEE multimedia, 8(4):22-8, (2001).
  • [22] Guo F, Ferrie P, Chiueh T-C, “A study of the packer problem and its solutions”, International Workshop on Recent Advances in Intrusion Detection, 2008: Springer, (2008).
  • [23] De Gaspari F, Hitaj D, Pagnotta G, De Carli L, Mancini LV, “Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques”, Neural Computing and Applications, 34(14):12077-96, (2022).
  • [24] Moser A, Kruegel C, Kirda E, “Exploring multiple execution paths for malware analysis”, 2007 IEEE Symposium on Security and Privacy (SP'07), 2007: IEEE, (2007).
  • [25] Christodorescu M, Jha S, “Static analysis of executables to detect malicious patterns”, 12th USENIX Security Symposium (USENIX Security 03), (2003).
  • [26] Jung S, Won Y, “Ransomware detection method based on context-aware entropy analysis”, Soft Computing, 22(20):6731-40, (2018).
  • [27] Gibert D, Mateu C, Planes J, “The rise of machine learning for detection and classification of malware: Research developments, trends and challenges”, Journal of Network and Computer Applications, 153:102526, (2020).
  • [28] Maniriho P, Mahmood AN, Chowdhury MJM, “A study on malicious software behaviour analysis and detection techniques: Taxonomy, current trends and challenges”, Future Generation Computer Systems, 130:1-18, (2022).
  • [29] Arabo A, Dijoux R, Poulain T, Chevalier G, “Detecting ransomware using process behavior analysis”, Procedia Computer Science, 168:289-96, (2020).
  • [30] Hwang J, Kim J, Lee S, Kim K, “Two-stage ransomware detection using dynamic analysis and machine learning techniques”, Wireless Personal Communications, 112(4):2597-609, (2020).
  • [31] Chew CJ, Kumar V, “Behaviour based ransomware detection”, (2019).
  • [32] Rosli NA, Yassin W, Faizal M, Selamat SR, “Clustering analysis for malware behavior detection using registry data”, International Journal of Advanced Computer Science and Applications (IJACSA), 10:12, (2019).
  • [33] Urooj U, Al-rimy BAS, Zainal A, Ghaleb FA, Rassam MA, “Ransomware detection using the dynamic analysis and machine learning: A survey and research directions”, Applied Sciences, 12(1):172, (2021).
  • [34] Hurtuk J, Chovanec M, Kičina M, Billík R, “Case study of ransomware malware hiding using obfuscation methods”, 2018 16th International Conference on Emerging eLearning Technologies and Applications (ICETA), 2018: IEEE, (2018).
  • [35] Herrera Silva JA, “Ransomware detection by cognitive security”, EPN, (2023).
  • [36] Lee J, Lee K, “A method for neutralizing entropy measurement-based ransomware detection technologies using encoding algorithms”, Entropy, 24(2):239, (2022).


Details

Primary Language Turkish
Subjects Software Engineering (Other)
Journal Section Research Article
Authors

Abdulkerim Oğuzhan Alkan 0000-0003-3505-196X

İbrahim Alper Doğru 0000-0001-9324-7157

İsmail Atacak 0000-0002-6357-0073

Early Pub Date October 3, 2024
Publication Date
Submission Date August 22, 2024
Acceptance Date September 22, 2024
Published in Issue Year 2024 EARLY VIEW

Cite

APA Alkan, A. O., Doğru, İ. A., & Atacak, İ. (2024). Entropi Temelli Kötü Amaçlı Yazılım Tespit Yönteminin Fidye Yazılımı Saldırılarını Önlemede Tek Başına Güvenilirliği. Politeknik Dergisi, 1-1. https://doi.org/10.2339/politeknik.1537076