TITLE:
Majority Voting Ransomware Detection System
AUTHORS:
Simon R. Davies, Richard Macfarlane, William J. Buchanan
KEYWORDS:
Ransomware Detection, Malice Score, Score Card, Malware, NapierOne Dataset
JOURNAL NAME:
Journal of Information Security, Vol.14 No.4, August 16, 2023
ABSTRACT: Crypto-ransomware remains a significant threat to governments and
companies alike, with high-profile cyber security incidents regularly making
headlines. Many different detection systems have been proposed as solutions to
the ever-changing landscape of ransomware detection. In the majority of cases,
these systems base their decision on the result of a single test performed on
either the executable code, the process under investigation, its behaviour, or
its output. In a small subset of ransomware detection systems, the concept of a
scorecard is employed: multiple tests are performed on various aspects of a
process under investigation and their results are then analysed using machine
learning. The purpose of this paper is to propose a new majority voting
approach to ransomware detection, developing a method that uses a cumulative
score derived from discrete tests based on algorithmic rather than heuristic
calculations. The paper describes 23 candidate tests, as well as 9 Windows API
tests, which are validated to determine both their accuracy and their viability
for use within a ransomware detection system. Using a cumulative score
calculation approach to ransomware detection has several benefits, such as
immunity to the occasional inaccuracy of an individual test when making the
final classification. The system can also leverage multiple tests that are both
comprehensive and complementary, in an attempt to achieve a broader, deeper,
and more robust analysis of the program under investigation. Additionally, the
use of multiple collaborative tests significantly hinders ransomware from
masking or modifying its behaviour in an attempt to bypass detection. The
results achieved by this research demonstrate that many of the proposed tests
achieve a high degree of accuracy in differentiating between benign and
malicious targets, and suggestions are offered as to how these tests, and
combinations of tests, could be adapted to further improve detection accuracy.
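The following is an added illustration of the cumulative-score idea the abstract describes, not code from the paper: a handful of hypothetical threshold-based tests vote on a process, a weighted malice score is computed, and a check confirms that a single wrong test does not flip the final classification. The test names, weights, threshold and sample observations are all constructed assumptions and are not the paper's 23 candidate tests or 9 Windows API tests.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Observations about one process under investigation (constructed field names).
Observations = Dict[str, float]

@dataclass(frozen=True)
class DiscreteTest:
    name: str
    weight: float
    check: Callable[[Observations], bool]  # True means "this test votes malicious"

# Hypothetical algorithmic tests; thresholds are assumptions for the example.
TESTS: List[DiscreteTest] = [
    DiscreteTest("write_entropy", 2.0, lambda o: o["mean_write_entropy"] > 7.5),
    DiscreteTest("extension_changes", 1.0, lambda o: o["renamed_with_new_ext"] > 50),
    DiscreteTest("write_rate", 1.0, lambda o: o["file_writes_per_sec"] > 100),
    DiscreteTest("api_crypto_calls", 1.5, lambda o: o["crypto_api_calls"] > 0),
    DiscreteTest("magic_mismatch", 1.0, lambda o: o["header_magic_mismatches"] > 10),
]

def score_card(obs: Observations, tests=TESTS) -> Dict[str, bool]:
    """Run every discrete test and record its individual verdict."""
    return {t.name: t.check(obs) for t in tests}

def malice_score(verdicts: Dict[str, bool], tests=TESTS) -> float:
    """Cumulative score: weighted share of tests voting malicious, in [0, 1]."""
    weight = {t.name: t.weight for t in tests}
    flagged = sum(weight[n] for n, v in verdicts.items() if v)
    return flagged / sum(weight.values())

def classify(obs: Observations, threshold: float = 0.5) -> str:
    return "ransomware" if malice_score(score_card(obs)) >= threshold else "benign"

# Constructed samples: a process encrypting files and an ordinary editor.
SUSPECT = {"mean_write_entropy": 7.9, "renamed_with_new_ext": 400,
           "file_writes_per_sec": 250, "crypto_api_calls": 12,
           "header_magic_mismatches": 380}
EDITOR = {"mean_write_entropy": 4.1, "renamed_with_new_ext": 0,
          "file_writes_per_sec": 3, "crypto_api_calls": 0,
          "header_magic_mismatches": 0}

def tolerates_one_wrong_test(obs: Observations, threshold: float = 0.5) -> bool:
    """Majority-voting property: flipping any single test's verdict must not
    change the final classification of this sample."""
    expected = classify(obs, threshold)
    base = score_card(obs)
    for name in base:
        flipped = dict(base, **{name: not base[name]})
        verdict = "ransomware" if malice_score(flipped) >= threshold else "benign"
        if verdict != expected:
            return False
    return True
```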