Authors:
(1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk);
(2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK;
(3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK.
Table of Links
- Abstract and 1 Introduction
- 2. Related Work
- 3. Methodology and 3.1. File Content Analysis
- 3.2. File Name Analysis
- 3.3. Executable Analysis
- 3.4. Behaviour Analysis
- 4. Evaluation and Discussion
- 4.1. Majority Voting
- 5. Conclusion
- 5.1. Limitations
- 5.2. Future Work
- References and Appendix
5.1. Limitations
While the majority voting approach to identifying malicious processes has a high level of accuracy, the usual limitation applies: once a ransomware developer becomes aware of the tests used to identify malicious behaviour, they may modify or adapt the ransomware's behaviour in newer releases of their programs to avoid those tests. The advantage of the majority voting approach is that the system does not rely on a single catch-all test; detection is instead the combination of many individually accurate tests. A consequence of this is that a ransomware developer would have to significantly modify the behaviour of their program, and possibly abandon some aspects of its original behaviour, in order to avoid detection.
This paper is available on arxiv under CC BY 4.0 DEED license.