Machine Learning Based File Entropy Analysis for Ransomware Detection in Backup Systems

Bibliographic Details
Published in: IEEE Access, 2019, Vol. 7, pp. 110205-110215
Main Authors: Lee, Kyungroul; Lee, Sun-Young; Yim, Kangbin
Format: Article
Language: English
Summary: With the advent of big data and cloud services, user data has become an important issue. Although a variety of detection and prevention technologies are used to protect user data, ransomware that demands money in exchange for one's data has emerged. In order to detect and prevent ransomware, file- and behavior-based detection methods have been investigated. Nevertheless, we still face ransomware threats, as it is difficult to detect and prevent ransomware containing unknown malicious code. In particular, these methods are limited in that they cannot detect ransomware for backup systems such as cloud services. For instance, if files infected with ransomware are synchronized with the backup system, the infected files cannot be restored from the backed-up copies. In this paper, we utilize an entropy technique to measure a characteristic of the encrypted file (i.e., uniformity). Machine learning is applied to classify infected files based on file entropy analysis. The proposed method can recover the original file from the backup system by detecting ransomware-infected files that have been synchronized to the backup system, even if the user system is infected by ransomware. Analysis results confirm that the proposed method provides a high detection rate with low false positive and false negative rates compared with existing detection methods.
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2019.2931136