Ransomware Detection using Markov Chain Models over File Headers

Nicolas Bailluet, Hélène Bouder, David Lubicz

2021

Abstract

In this paper, a new approach for the detection of ransomware based on the runtime analysis of their behaviour is presented. The main idea is to get samples by using a mini-filter to intercept write requests, then decide if a sample corresponds to a benign or a malicious write request. To do so, in a learning phase, statistical models of structured file headers are built using Markov chains. Then in a detection phase, a maximum likelihood test is used to decide if a sample provided by a write request is normal or malicious. We introduce new statistical distances between two Markov chains, which are variants of the Kullback-Leibler divergence, which measure the efficiency of a maximum likelihood test to distinguish between two distributions given by Markov chains. This distance and extensive experiments are used to demonstrate the relevance of our method.

Download


Paper Citation


in Harvard Style

Bailluet N., Bouder H. and Lubicz D. (2021). Ransomware Detection using Markov Chain Models over File Headers. In Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT, ISBN 978-989-758-524-1, pages 403-411. DOI: 10.5220/0010513104030411


in Bibtex Style

@conference{secrypt21,
author={Nicolas Bailluet and Hélène Bouder and David Lubicz},
title={Ransomware Detection using Markov Chain Models over File Headers},
booktitle={Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT,},
year={2021},
pages={403-411},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010513104030411},
isbn={978-989-758-524-1},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT,
TI - Ransomware Detection using Markov Chain Models over File Headers
SN - 978-989-758-524-1
AU - Bailluet N.
AU - Bouder H.
AU - Lubicz D.
PY - 2021
SP - 403
EP - 411
DO - 10.5220/0010513104030411