A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption
Ransomware, a type of malware that first appeared in 1989, encrypts user files and demands money for decryption, causing increasing global damage. To reduce the impact of ransomware, various file-based detection technologies are being developed; however, these have limitations, such as difficulties...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
MDPI AG
2025-04-01
|
| Series: | Sensors |
| Subjects: | |
| Online Access: | https://www.mdpi.com/1424-8220/25/8/2406 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | Ransomware, a type of malware that first appeared in 1989, encrypts user files and demands money for decryption, causing increasing global damage. To reduce the impact of ransomware, various file-based detection technologies are being developed; however, these have limitations, such as difficulties in detecting ransomware that bypasses traditional methods like decoy files. A newer approach measures file entropy to detect infected files, but attackers counter this by using encoding algorithms like Base64 to bypass detection thresholds. Additionally, attackers can neutralize detection through format-preserving encryption (FPE), which allows files to be encrypted without changing their format, complicating detection. In this article, we present a machine learning-based method for detecting ransomware-infected files encrypted using FPE techniques. We employed various machine learning models, including K-Nearest Neighbors (KNN), Logistic Regression, and Decision Tree, and found that most trained models—except for Logistic Regression and Multi-Layer Perceptron (MLP)—effectively detected ransomware-infected files encrypted with FPE. In summary, to counter the ransomware neutralization attack using FPE and entropy manipulation, this paper proposes a machine learning-based method for detecting files infected with such manipulated ransomware entropy. The experimental results showed an average precision of 94.64% across various datasets, indicating that the proposed method effectively detects ransomware-infected files. Therefore, the findings of this study offer a solution to address new ransomware attacks that aim to bypass entropy-based detection techniques, contributing to the advancement of ransomware detection and the protection of users’ files and systems. |
|---|---|
| ISSN: | 1424-8220 |