Enhancing File Entropy Analysis to Improve Machine Learning Detection Rate of Ransomware

Cybersecurity is the biggest threat in the world. More and more people are used to storing personal data on a computer and transmitting it through the Internet. Cybersecurity will be an important issue that everyone continues to pay attention to. One of the most serious problems recently is the prevalence of ransomware, especially crypto-ransomware. Unlike ordinary attacks, crypto-ransomware does not control the victim’s computer and steal important data. It focuses on encrypting all data and asking victims to provide ransom to decrypt the data. Currently, many studies focus on various aspects of ransomware, including file-based, behavior-based, and network-based ransomware detection method, and use machine learning to build detection models. In addition to the above research, we found that attackers have begun to develop a new method to encrypt data. It will not only increase the speed of data encryption but also reduce the detection rate in the existing detection system. In any case, we are still facing ransomware dangers, as it is hard to recognize and forestall ransomware executing obscure malicious programs. In other words, user data will be sabotaged as soon as the computer cannot detect the ransomware. To solve the problem, detecting files instead of detecting the executable program might be helpful to establish the backup system immediately before ransomware encrypts all of the user files. We analyze the 22 formats of the encrypted files, extract the specific features and use the Support Vector Machine to distinguish between encrypted and unencrypted files. Conducted analysis results confirm that our method has high performance and can maintain the detection rate of 85.17% (where the detection rate of SVM kernel Trick (Poly) exceeds 92%).