Elastic Shifts: I/O Sequence Patterns of Ransomware and Detection Evasion
Main Authors: | , |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2025-01-01 |
Series: | IEEE Access |
Subjects: | |
Online Access: | https://ieeexplore.ieee.org/document/11077114/ |
Summary: | Cyber-criminals frequently use crypto-ransomware to gain financial benefit by encrypting victims’ valuable digital assets, such as photos and documents. The unique I/O behavior sequence patterns of such crypto-ransomware have been used as key features in ransomware detection. Prior behavior-profiling approaches built detection patterns from existing ransomware datasets using their own tools or third-party tools for behavior monitoring. In addition, these approaches applied simple rule-based matching. However, future ransomware may not consistently exhibit previous patterns, since its behavior can change significantly. Furthermore, the monitoring tools used in existing detection methods may not be sufficient to interpret the behavior of future ransomware. This study demonstrates that ransomware can effectively evade existing detection methods by changing its I/O behavior sequence patterns. We induce monitoring tools to misinterpret the semantics of ransomware I/O operations, which leads detection systems to construct incorrect behavioral patterns. Our findings expose weaknesses in current endpoint behavior-based ransomware detectors, including an antivirus program’s real-time detection, and underscore the need for methods that remain effective against previously unseen patterns. |
---|---|
ISSN: | 2169-3536 |