This HTML5 document contains 31 embedded RDF statements represented using HTML+Microdata notation.

The embedded RDF content will be recognized by any processor of HTML5 Microdata.

Namespace Prefixes

Prefix   IRI
n21      https://kar.kent.ac.uk/id/eprint/82960#
n20      doi:10.1007/
dcterms  http://purl.org/dc/terms/
n2       https://kar.kent.ac.uk/id/eprint/
wdrs     http://www.w3.org/2007/05/powder-s#
dc       http://purl.org/dc/elements/1.1/
n4       http://purl.org/ontology/bibo/status/
rdfs     http://www.w3.org/2000/01/rdf-schema#
n11      https://kar.kent.ac.uk/id/subject/
n18      https://demo.openlinksw.com/about/id/entity/https/raw.githubusercontent.com/annajordanous/CO644Files/main/
n5       http://eprints.org/ontology/
n6       https://kar.kent.ac.uk/id/event/
bibo     http://purl.org/ontology/bibo/
n9       https://kar.kent.ac.uk/id/publication/
n12      https://kar.kent.ac.uk/id/org/
n17      https://kar.kent.ac.uk/82960/
rdf      http://www.w3.org/1999/02/22-rdf-syntax-ns#
owl      http://www.w3.org/2002/07/owl#
n7       https://kar.kent.ac.uk/id/document/
n22      https://kar.kent.ac.uk/id/
xsdh     http://www.w3.org/2001/XMLSchema#
n15      https://demo.openlinksw.com/about/id/entity/https/www.cs.kent.ac.uk/people/staff/akj22/materials/CO644/
n13      https://kar.kent.ac.uk/id/person/

Statements

Subject Item
n2:82960
rdf:type
n5:ConferenceItemEPrint n5:EPrint bibo:AcademicArticle bibo:Article
rdfs:seeAlso
n17:
owl:sameAs
n20:978-3-030-62974-8_12
n5:hasAccepted
n7:3216609
n5:hasDocument
n7:3216609 n7:3216614 n7:3216616 n7:3216617 n7:3216618 n7:3216619
dc:hasVersion
n7:3216609
dcterms:title
Why Current Statistical Approaches to Ransomware Detection Fail
wdrs:describedby
n15:export_kar_RDFN3.n3 n18:export_kar_RDFN3.n3
dcterms:date
2020-11-25
dcterms:creator
n13:ext-j.c.hernandez-castro@kent.ac.uk n13:ext-jjp31@kent.ac.uk n13:ext-b.arief@kent.ac.uk
bibo:status
n4:published n4:peerReviewed
dcterms:publisher
n12:ext-1c5ddec173ca8cdfba8b274309638579
bibo:abstract
The frequent use of basic statistical techniques to detect ransomware is a popular and intuitive strategy; statistical tests can be used to identify randomness, which in turn can indicate the presence of encryption and, by extension, a ransomware attack. However, common file formats such as images and compressed data can look random from the perspective of some of these tests. In this work, we investigate the current frequent use of statistical tests in the context of ransomware detection, primarily focusing on false positive rates. The main aim of our work is to show that the current over-dependence on simple statistical tests within anti-ransomware tools can cause serious issues with the reliability and consistency of ransomware detection in the form of frequent false classifications. We determined thresholds for five key statistics frequently used in detecting randomness, namely Shannon entropy, chi-square, arithmetic mean, Monte Carlo estimation for Pi and serial correlation coefficient. We obtained a large data set of 84,327 files comprising images, compressed data and encrypted data. We then tested these thresholds (taken from a variety of previous publications in the literature where possible) against our dataset, showing that the rate of false positives is far beyond what could be considered acceptable. False positive rates were often above 50% and even above 90% on several occasions. False negative rates were also generally between 5% and 20%, numbers which are also far too high. As a direct result of these experiments, we determine that relying on these simple statistical approaches is not good enough to detect ransomware attacks consistently. We instead recommend the exploration of higher-order statistics such as skewness and kurtosis for future ransomware detection techniques.
dcterms:isPartOf
n9:ext-03029743 n22:repository
dcterms:subject
n11:QA76
bibo:authorList
n21:authors
bibo:presentedAt
n6:ext-330dae75faa13220e91ec8250c9d5270
bibo:volume
12472