Ransomware Detection using Markov Chain Models over File Headers
Nicolas Bailluet, Hélène Bouder, David Lubicz
2021
Abstract
In this paper, a new approach for the detection of ransomware based on the runtime analysis of its behaviour is presented. The main idea is to obtain samples by using a mini-filter to intercept write requests, then decide whether a sample corresponds to a benign or a malicious write request. To do so, in a learning phase, statistical models of structured file headers are built using Markov chains. Then, in a detection phase, a maximum likelihood test is used to decide whether a sample provided by a write request is normal or malicious. We introduce new statistical distances between two Markov chains, variants of the Kullback-Leibler divergence, which measure the efficiency of a maximum likelihood test at distinguishing between two distributions given by Markov chains. These distances and extensive experiments are used to demonstrate the relevance of our method.
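The following is an added illustration of the detection idea described in the abstract, not code from the paper or its authors. It trains a first-order Markov chain over the leading bytes of structured file headers (a constructed, PDF-like training corpus is embedded below), then applies a maximum likelihood test to a buffer as it would arrive from an intercepted write request: the log-likelihood of the buffer under the header model is compared with its log-likelihood under a uniform i.i.d. byte model, which is assumed here to stand in for encrypted (ransomware) output. The header length `HEADER_LEN`, the add-one smoothing, the uniform model for malicious writes and the zero threshold are all assumptions of this example; the paper's own distances between Markov chains are not reproduced, and `empirical_llr_rate` is only a simple per-byte separation measure on the training data.

```python
import math
from collections import Counter

ALPHABET = 256
HEADER_LEN = 16  # assumption: number of leading bytes of a write modelled


class ByteMarkovChain:
    """First-order Markov chain over byte values, add-one (Laplace) smoothed.

    Trained on the first HEADER_LEN bytes of known-good files of one type,
    it models which byte tends to follow which in a structured header.
    """

    def __init__(self):
        self.init = Counter()     # first-byte counts
        self.trans = {}           # previous byte -> Counter of next byte
        self.row_total = Counter()
        self.n_seq = 0

    def fit(self, sequences):
        for seq in sequences:
            seq = seq[:HEADER_LEN]
            if not seq:
                continue
            self.init[seq[0]] += 1
            self.n_seq += 1
            for a, b in zip(seq, seq[1:]):
                self.trans.setdefault(a, Counter())[b] += 1
                self.row_total[a] += 1
        return self

    def log_prob(self, seq):
        """Smoothed log-likelihood of the leading bytes of seq under the chain."""
        seq = seq[:HEADER_LEN]
        if not seq:
            return 0.0
        lp = math.log((self.init[seq[0]] + 1) / (self.n_seq + ALPHABET))
        for a, b in zip(seq, seq[1:]):
            row = self.trans.get(a, Counter())
            lp += math.log((row[b] + 1) / (self.row_total[a] + ALPHABET))
        return lp


def uniform_log_prob(seq):
    """Log-likelihood under an i.i.d. uniform byte model (assumed to
    approximate the output of a ransomware encrypting the file)."""
    return -len(seq[:HEADER_LEN]) * math.log(ALPHABET)


def classify(model, sample, threshold=0.0):
    """Maximum likelihood test: benign if the header model explains the
    sample better than the uniform model (log-likelihood ratio above the
    assumed threshold)."""
    llr = model.log_prob(sample) - uniform_log_prob(sample)
    return ("benign" if llr > threshold else "suspicious", llr)


def empirical_llr_rate(model, sequences):
    """Average per-byte log-likelihood ratio of the training headers; a
    simple stand-in for how separable the two models are (assumption)."""
    total_llr, total_bytes = 0.0, 0
    for seq in sequences:
        seq = seq[:HEADER_LEN]
        total_llr += model.log_prob(seq) - uniform_log_prob(seq)
        total_bytes += len(seq)
    return total_llr / total_bytes if total_bytes else 0.0


# Constructed training corpus: PDF-like headers (not real files).
TRAIN_HEADERS = [
    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<",
    b"%PDF-1.5\n%\xbf\xf7\xa2\xfe\n2 0 obj\n<<",
    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n4 0 obj\n<<",
    b"%PDF-1.6\n%\xd0\xd4\xc5\xd8\n1 0 obj\n<<",
]

# Constructed write buffers: one benign header, one "encrypted" buffer.
BENIGN_SAMPLE = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n3 0 obj\n<<"
ENCRYPTED_SAMPLE = bytes.fromhex("8f1ac4027 7e93b5da013f6882c4eb169".replace(" ", ""))

MODEL = ByteMarkovChain().fit(TRAIN_HEADERS)

if __name__ == "__main__":
    print("separation (per-byte LLR on training data):",
          round(empirical_llr_rate(MODEL, TRAIN_HEADERS), 3))
    for name, buf in (("benign", BENIGN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        verdict, llr = classify(MODEL, buf)
        print(f"{name}: {verdict} (LLR={llr:.3f})")
```

Unseen transitions receive the same smoothed probability as the uniform model, so a buffer of bytes the chain has never observed scores near zero rather than strongly negative; in practice the threshold would be chosen from the distributions of benign and encrypted LLR values rather than fixed at zero.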
in Harvard Style
Bailluet N., Bouder H. and Lubicz D. (2021). Ransomware Detection using Markov Chain Models over File Headers. In Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT, ISBN 978-989-758-524-1, pages 403-411. DOI: 10.5220/0010513104030411
in Bibtex Style
@conference{secrypt21,
author={Nicolas Bailluet and Hélène Bouder and David Lubicz},
title={Ransomware Detection using Markov Chain Models over File Headers},
booktitle={Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2021},
pages={403-411},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010513104030411},
isbn={978-989-758-524-1},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - Ransomware Detection using Markov Chain Models over File Headers
SN - 978-989-758-524-1
AU - Bailluet N.
AU - Bouder H.
AU - Lubicz D.
PY - 2021
SP - 403
EP - 411
DO - 10.5220/0010513104030411