Journal: Soft computing: A fusion of foundations, methodologies and applications

Ransomware detection method based on context-aware entropy analysis

Abstract

Numerous countermeasures have been proposed since the first appearance of ransomware. However, many ransomware mutants continue to be created, and the damage they cause has been continually increasing. Existing antivirus tools are signature-dependent and cannot easily detect ransomware attack patterns. If the database used by the antivirus program does not contain the signature of the new malicious behavior, it is not possible to detect the new malware. Thus, the need has emerged for a normal/abnormal behavior analysis technique via a context-aware method. Therefore, a multilateral context-aware-based ransomware detection and response system model is presented in this paper. The proposed model is designed to preemptively respond to ransomware, and post-detection management is performed. An evaluation was conducted to obtain evidence that the given files were altered by ransomware through analyses based on multiple-context awareness. Entropy information was then used to detect abnormal behavior.