A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption
Ransomware, a type of malware that first appeared in 1989, encrypts user files and demands money for decryption, causing increasing global damage. To reduce the impact of ransomware, various file-based detection technologies are being developed; however, these have limitations, such as difficulties...
Saved in:
| Main Authors: | Jaehyuk Lee, Jinwook Kim, Hanjo Jeong, Kyungroul Lee |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2025-04-01 |
| Series: | Sensors |
| Subjects: | FPE; ransomware detection and neutralization technologies; entropy; machine learning |
| Online Access: | https://www.mdpi.com/1424-8220/25/8/2406 |
| _version_ | 1849713789642997760 |
|---|---|
| author | Jaehyuk Lee; Jinwook Kim; Hanjo Jeong; Kyungroul Lee |
| author_facet | Jaehyuk Lee; Jinwook Kim; Hanjo Jeong; Kyungroul Lee |
| author_sort | Jaehyuk Lee |
| collection | DOAJ |
| description | Ransomware, a type of malware that first appeared in 1989, encrypts user files and demands money for decryption, causing increasing global damage. To reduce the impact of ransomware, various file-based detection technologies are being developed; however, these have limitations, such as difficulties in detecting ransomware that bypasses traditional methods like decoy files. A newer approach measures file entropy to detect infected files, but attackers counter this by using encoding algorithms like Base64 to bypass detection thresholds. Additionally, attackers can neutralize detection through format-preserving encryption (FPE), which allows files to be encrypted without changing their format, complicating detection. In this article, we present a machine learning-based method for detecting ransomware-infected files encrypted using FPE techniques. We employed various machine learning models, including K-Nearest Neighbors (KNN), Logistic Regression, and Decision Tree, and found that most trained models—except for Logistic Regression and Multi-Layer Perceptron (MLP)—effectively detected ransomware-infected files encrypted with FPE. In summary, to counter the ransomware neutralization attack using FPE and entropy manipulation, this paper proposes a machine learning-based method for detecting files infected with such manipulated ransomware entropy. The experimental results showed an average precision of 94.64% across various datasets, indicating that the proposed method effectively detects ransomware-infected files. Therefore, the findings of this study offer a solution to address new ransomware attacks that aim to bypass entropy-based detection techniques, contributing to the advancement of ransomware detection and the protection of users’ files and systems. |
| format | Article |
| id | doaj-art-dc8b2d1160fe4b819d67327a72b5fc18 |
| institution | DOAJ |
| issn | 1424-8220 |
| language | English |
| publishDate | 2025-04-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Sensors |
| spelling | doaj-art-dc8b2d1160fe4b819d67327a72b5fc18; 2025-08-20T03:13:53Z; eng; MDPI AG; Sensors; 1424-8220; 2025-04-01; vol. 25, issue 8, article 2406; doi:10.3390/s25082406; A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption; Jaehyuk Lee (Process Development Team, Fescaro, Suwon 16512, Republic of Korea); Jinwook Kim (Interdisciplinary Program of Information & Protection, Mokpo National University, Muan 58554, Republic of Korea); Hanjo Jeong (Department of Software Convergence Engineering, Mokpo National University, Muan 58554, Republic of Korea); Kyungroul Lee (Department of Information Security Engineering, Mokpo National University, Muan 58554, Republic of Korea); abstract as given in the description field above; https://www.mdpi.com/1424-8220/25/8/2406; keywords: FPE; ransomware detection and neutralization technologies; entropy; machine learning |
| spellingShingle | Jaehyuk Lee; Jinwook Kim; Hanjo Jeong; Kyungroul Lee; A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption; Sensors; FPE; ransomware detection and neutralization technologies; entropy; machine learning |
| title | A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption |
| title_full | A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption |
| title_fullStr | A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption |
| title_full_unstemmed | A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption |
| title_short | A Machine Learning-Based Ransomware Detection Method for Attackers’ Neutralization Techniques Using Format-Preserving Encryption |
| title_sort | machine learning based ransomware detection method for attackers neutralization techniques using format preserving encryption |
| topic | FPE; ransomware detection and neutralization technologies; entropy; machine learning |
| url | https://www.mdpi.com/1424-8220/25/8/2406 |
| work_keys_str_mv | AT jaehyuklee amachinelearningbasedransomwaredetectionmethodforattackersneutralizationtechniquesusingformatpreservingencryption AT jinwookkim amachinelearningbasedransomwaredetectionmethodforattackersneutralizationtechniquesusingformatpreservingencryption AT hanjojeong amachinelearningbasedransomwaredetectionmethodforattackersneutralizationtechniquesusingformatpreservingencryption AT kyungroullee amachinelearningbasedransomwaredetectionmethodforattackersneutralizationtechniquesusingformatpreservingencryption AT jaehyuklee machinelearningbasedransomwaredetectionmethodforattackersneutralizationtechniquesusingformatpreservingencryption AT jinwookkim machinelearningbasedransomwaredetectionmethodforattackersneutralizationtechniquesusingformatpreservingencryption AT hanjojeong machinelearningbasedransomwaredetectionmethodforattackersneutralizationtechniquesusingformatpreservingencryption AT kyungroullee machinelearningbasedransomwaredetectionmethodforattackersneutralizationtechniquesusingformatpreservingencryption |