Abstract |
---|
In this paper, a new approach for the detection of ransomware based on the runtime analysis of its behaviour is presented. The main idea is to collect samples by using a mini-filter to intercept write requests, then decide whether each sample corresponds to a benign or a malicious write request. To do so, in a learning phase, statistical models of structured file headers are built using Markov chains. Then, in a detection phase, a maximum likelihood test is used to decide whether a sample provided by a write request is normal or malicious. We introduce new statistical distances between two Markov chains, variants of the Kullback-Leibler divergence, which measure the efficiency of a maximum likelihood test at distinguishing between two distributions given by Markov chains. These distances and extensive experiments are used to demonstrate the relevance of our method. |
Field | Value |
---|---|
Year | 2021 |
DOI | 10.5220/0010513104030411 |
Venue | SECRYPT 2021: PROCEEDINGS OF THE 18TH INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY |
Keywords | Ransomware, Detection, Malware, Markov Chain, File Header |
DocType | Conference |
Citations | 0 |
PageRank | 0.34 |
References | 0 |
Authors | 3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Nicolas Bailluet | 1 | 0 | 0.34 |
Hélène Le Bouder | 2 | 0 | 0.34 |
David Lubicz | 3 | 0 | 0.34 |