{
  "status": "ok",
  "message-type": "work",
  "message-version": "1.0.0",
  "message": {
    "indexed": {"date-parts": [[2026, 5, 13]], "date-time": "2026-05-13T17:20:15Z", "timestamp": 1778692815439, "version": "3.51.4"},
    "reference-count": 62,
    "publisher": "Oxford University Press (OUP)",
    "issue": "1",
    "license": [
      {"start": {"date-parts": [[2025, 4, 9]], "date-time": "2025-04-09T00:00:00Z", "timestamp": 1744156800000}, "content-version": "vor", "delay-in-days": 98, "URL": "https://creativecommons.org/licenses/by-nc-nd/4.0/"}
    ],
    "funder": [
      {"DOI": "10.13039/501100000780", "name": "European Commission", "doi-asserted-by": "publisher", "award": ["101168562"], "award-info": [{"award-number": ["101168562"]}], "id": [{"id": "10.13039/501100000780", "id-type": "DOI", "asserted-by": "publisher"}]},
      {"name": "LAZARUS", "award": ["101070303"], "award-info": [{"award-number": ["101070303"]}]},
      {"DOI": "10.13039/501100007601", "name": "European Union", "doi-asserted-by": "publisher", "award": ["101084929"], "award-info": [{"award-number": ["101084929"]}], "id": [{"id": "10.13039/501100007601", "id-type": "DOI", "asserted-by": "publisher"}]},
      {"DOI": "10.13039/501100000921", "name": "COST", "doi-asserted-by": "publisher", "award": ["CA 19121"], "award-info": [{"award-number": ["CA 19121"]}], "id": [{"id": "10.13039/501100000921", "id-type": "DOI", "asserted-by": "publisher"}]},
      {"DOI": "10.13039/100014440", "name": "Ministerio de Ciencia, Innovación y Universidades", "doi-asserted-by": "publisher", "award": ["PID2021-127409OB-C33"], "award-info": [{"award-number": ["PID2021-127409OB-C33"]}], "id": [{"id": "10.13039/100014440", "id-type": "DOI", "asserted-by": "publisher"}]},
      {"DOI": "10.13039/501100004837", "name": "Spanish Ministry of Science and Innovation", "doi-asserted-by": "publisher", "award": ["RYC2023-044857-I"], "award-info": [{"award-number": ["RYC2023-044857-I"]}], "id": [{"id": "10.13039/501100004837", "id-type": "DOI", "asserted-by": "publisher"}]},
      {"DOI": "10.13039/501100003030", "name": "AGAUR", "doi-asserted-by": "publisher", "award": ["2021SGR-00111"], "award-info": [{"award-number": ["2021SGR-00111"]}], "id": [{"id": "10.13039/501100003030", "id-type": "DOI", "asserted-by": "publisher"}]}
    ],
    "content-domain": {"domain": [], "crossmark-restriction": false},
    "short-container-title": [],
    "published-print": {"date-parts": [[2025, 1, 17]]},
    "abstract": "<jats:title>Abstract</jats:title>\n<jats:p>The double-edged sword of continuous digitization of services and systems opens the door to a myriad of beneficial opportunities, as well as challenging threats. Currently, ransomware is catalogued as the first threat in cybersecurity due to its impact on organizations, critical infrastructure, industry, and society as a whole. Thus, devoting efforts toward developing methodologies to effectively prevent and mitigate ransomware is crucial. In this article, we present an accurate method to identify encrypted bit streams by differentiating them from other high-entropy streams (e.g. compressed files), which is a critical task to detect potentially malicious file write events on the file system in current operating systems. After extensive evaluation, our findings demonstrate that the proposed solution outperforms the current state of the art in both adaptability and accuracy, enabling it to be integrated into current Endpoint Detection and Response systems.</jats:p>",
    "DOI": "10.1093/cybsec/tyaf009",
    "type": "journal-article",
    "created": {"date-parts": [[2025, 4, 9]], "date-time": "2025-04-09T17:39:11Z", "timestamp": 1744220351000},
    "source": "Crossref",
    "is-referenced-by-count": 4,
    "title": ["Not on my watch: ransomware detection through classification of high-entropy file segments"],
    "prefix": "10.1093",
    "volume": "11",
    "author": [
      {
        "ORCID": "https://orcid.org/0000-0003-4296-2876",
        "authenticated-orcid": false,
        "given": "Fran",
        "family": "Casino",
        "sequence": "first",
        "affiliation": [
          {"name": "Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Avinguda dels Països Catalans, 26, 43007 Tarragona", "place": ["Spain"]},
          {"name": "Information Management Systems Institute, Athena Research Centre, Artemidos 6, Marousi 15125", "place": ["Greece"]}
        ]
      },
      {
        "given": "Darren",
        "family": "Hurley-Smith",
        "sequence": "additional",
        "affiliation": [
          {"name": "University of Kent, Giles Ln, Canterbury CT2 7NZ", "place": ["United Kingdom"]}
        ]
      },
      {
        "given": "Julio",
        "family": "Hernandez-Castro",
        "sequence": "additional",
        "affiliation": [
          {"name": "Universidad Politécnica de Madrid, Alan Turing, s/n, 28031 Madrid", "place": ["Spain"]}
        ]
      },
      {
        "given": "Constantinos",
        "family": "Patsakis",
        "sequence": "additional",
        "affiliation": [
          {"name": "Information Management Systems Institute, Athena Research Centre, Artemidos 6, Marousi 15125", "place": ["Greece"]},
          {"name": "Department of Informatics, University of Piraeus, 80 Karaoli & Dimitriou str., 18534 Piraeus", "place": ["Greece"]}
        ]
      }
    ],
    "member": "286",
    "published-online": {"date-parts": [[2025, 4, 9]]},
    "reference": [
      {"key": "2025040917390232500_bib1", "article-title": "The state of ransomware 2023", "author": "Sophos"},
      {"key": "2025040917390232500_bib2", "article-title": "Global ransomware damage costs predicted to exceed $265 billion by 2031", "author": "Braue", "year": "2022"},
      {"key": "2025040917390232500_bib3", "doi-asserted-by": "crossref", "first-page": "158", "DOI": "10.1016/j.eswa.2018.02.039", "article-title": "Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory", "volume": "102", "author": "Cohen", "year": "2018", "journal-title": "Expert Syst Appl"},
      {"key": "2025040917390232500_bib4", "first-page": "371", "article-title": "The malware as a service ecosystem", "volume-title": "Malware: Handbook of Prevention and Detection", "author": "Patsakis", "year": "2024"},
      {"key": "2025040917390232500_bib5", "doi-asserted-by": "crossref", "first-page": "656", "DOI": "10.1002/j.1538-7305.1949.tb00928.x", "article-title": "Communication theory of secrecy systems", "volume": "28", "author": "Shannon", "year": "1949", "journal-title": "Bell Syst Tech J"},
      {"key": "2025040917390232500_bib6", "article-title": "Entropy tests for random number generators", "author": "L’Écuyer", "year": "1996"},
      {"key": "2025040917390232500_bib7", "doi-asserted-by": "crossref", "DOI": "10.1201/9780203753064", "volume-title": "Goodness-of-fit techniques", "author": "D’Agostino", "year": "2017"},
      {"key": "2025040917390232500_bib8", "volume-title": "Handbook of Sequential Analysis", "author": "Ghosh", "year": "1991"},
      {"key": "2025040917390232500_bib9", "doi-asserted-by": "crossref", "first-page": "591", "DOI": "10.1093/biomet/52.3-4.591", "article-title": "An analysis of variance test for normality (complete samples)", "volume": "52", "author": "Shapiro", "year": "1965", "journal-title": "Biometrika"},
      {"key": "2025040917390232500_bib10", "doi-asserted-by": "crossref", "first-page": "718", "DOI": "10.1007/978-3-642-04898-2_326", "article-title": "Kolmogorov–Smirnov test", "volume-title": "International Encyclopedia of Statistical Science", "author": "Lopes", "year": "2011"},
      {"key": "2025040917390232500_bib11", "first-page": "21", "article-title": "Power comparisons of Shapiro–Wilk, Kolmogorov–Smirnov, Lilliefors and Anderson–Darling tests", "volume": "2", "author": "Razali", "year": "2011", "journal-title": "J Stat Model Anal"},
      {"key": "2025040917390232500_bib13", "article-title": "A statistical test suite for random and pseudorandom number generators for cryptographic applications. NIST DTIC Document", "author": "Rukhin", "year": "2010"},
      {"key": "2025040917390232500_bib14", "doi-asserted-by": "crossref", "first-page": "25464", "DOI": "10.1109/ACCESS.2022.3154059", "article-title": "Research trends, challenges, and emerging topics in digital forensics: a review of reviews", "volume": "10", "author": "Casino", "year": "2022", "journal-title": "IEEE Access"},
      {"key": "2025040917390232500_bib15", "doi-asserted-by": "crossref", "first-page": "288", "DOI": "10.1145/3134600.3134642", "article-title": "Malware detection in adversarial settings: exploiting feature evolutions and confusions in Android apps", "volume-title": "Proceedings of the 33rd Annual Computer Security Applications Conference", "author": "Yang", "year": "2017"},
      {"key": "2025040917390232500_bib16", "doi-asserted-by": "crossref", "first-page": "119133", "DOI": "10.1016/j.eswa.2022.119133", "article-title": "Fileless malware threats: recent advances, analysis approach through memory forensics and research challenges", "volume": "214", "author": "Kara", "year": "2022", "journal-title": "Expert Syst Appl"},
      {"key": "2025040917390232500_bib17", "doi-asserted-by": "crossref", "first-page": "116198", "DOI": "10.1016/j.eswa.2021.116198", "article-title": "The rise of ransomware: forensic analysis for Windows-based ransomware attacks", "volume": "190", "author": "Kara", "year": "2022", "journal-title": "Expert Syst Appl"},
      {"key": "2025040917390232500_bib18", "article-title": "Ransomware activity report", "author": "VirusTotal", "year": "2021"},
      {"key": "2025040917390232500_bib19", "doi-asserted-by": "crossref", "first-page": "116198", "DOI": "10.1016/j.eswa.2021.116198", "article-title": "The rise of ransomware: forensic analysis for Windows-based ransomware attacks", "volume": "190", "author": "Kara", "year": "2022", "journal-title": "Expert Syst Appl"},
      {"key": "2025040917390232500_bib20", "doi-asserted-by": "crossref", "first-page": "6731", "DOI": "10.1007/s00500-018-3257-z", "article-title": "Ransomware detection method based on context-aware entropy analysis", "volume": "22", "author": "Jung", "year": "2018", "journal-title": "Soft Comput"},
      {"key": "2025040917390232500_bib21", "doi-asserted-by": "crossref", "first-page": "1", "DOI": "10.1109/FUZZ-IEEE.2018.8491637", "article-title": "A novel structural-entropy-based classification technique for supporting Android ransomware detection and analysis", "volume-title": "Proceedings of the 2018 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE)", "author": "Cuzzocrea", "year": "2018"},
      {"key": "2025040917390232500_bib22", "doi-asserted-by": "crossref", "first-page": "110205", "DOI": "10.1109/ACCESS.2019.2931136", "article-title": "Machine learning based file entropy analysis for ransomware detection in backup systems", "volume": "7", "author": "Lee", "year": "2019", "journal-title": "IEEE Access"},
      {"key": "2025040917390232500_bib23", "doi-asserted-by": "crossref", "first-page": "181", "DOI": "10.1007/978-3-030-36802-9_20", "article-title": "The inadequacy of entropy-based ransomware detection", "volume-title": "Proceedings of the International Conference on Neural Information Processing", "author": "McIntosh", "year": "2019"},
      {"key": "2025040917390232500_bib24", "doi-asserted-by": "crossref", "first-page": "199", "DOI": "10.1007/978-3-030-62974-8_12", "article-title": "Why current statistical approaches to ransomware detection fail", "volume-title": "Proceedings of the International Conference on Information Security", "author": "Pont", "year": "2020"},
      {"key": "2025040917390232500_bib25", "first-page": "1", "article-title": "On the unbearable lightness of FIPS 140-2 randomness tests", "author": "Hurley-Smith", "year": "2020", "journal-title": "IEEE T Inf Foren Secur"},
      {"key": "2025040917390232500_bib26", "doi-asserted-by": "crossref", "first-page": "1", "DOI": "10.1145/3465481.3470116", "article-title": "RansomClave: ransomware key management using SGX", "volume-title": "Proceedings of the 16th International Conference on Availability, Reliability and Security", "author": "Bhudia", "year": "2021"},
      {"key": "2025040917390232500_bib27", "doi-asserted-by": "crossref", "first-page": "599", "DOI": "10.1145/3052973.3053035", "article-title": "PayBreak: defense against cryptographic ransomware", "volume-title": "Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security", "author": "Kolodenker", "year": "2017"},
      {"key": "2025040917390232500_bib28", "article-title": "Raccine", "author": "Roth", "year": "2021"},
      {"key": "2025040917390232500_bib29", "doi-asserted-by": "crossref", "first-page": "1191", "DOI": "10.1162/089976603321780272", "article-title": "Estimation of entropy and mutual information", "volume": "15", "author": "Paninski", "year": "2003", "journal-title": "Neur Comput"},
      {"key": "2025040917390232500_bib30", "doi-asserted-by": "crossref", "first-page": "2200", "DOI": "10.1109/TIT.2004.833360", "article-title": "Estimating entropy on m bins given fewer than m samples", "volume": "50", "author": "Paninski", "year": "2004", "journal-title": "IEEE T Inf Theor"},
      {"key": "2025040917390232500_bib31", "doi-asserted-by": "crossref", "first-page": "1503", "DOI": "10.3390/e24101503", "article-title": "Comparison of entropy calculation methods for ransomware encrypted file identification", "volume": "24", "author": "Davies", "year": "2022", "journal-title": "Entropy"},
      {"key": "2025040917390232500_bib32", "doi-asserted-by": "crossref", "first-page": "128433", "DOI": "10.1109/ACCESS.2022.3227073", "article-title": "A complete review on the application of statistical methods for evaluating internet traffic usage", "volume": "10", "author": "Cunha", "year": "2022", "journal-title": "IEEE Access"},
      {"key": "2025040917390232500_bib33", "doi-asserted-by": "crossref", "first-page": "45", "DOI": "10.1109/NAS.2011.18", "article-title": "Using entropy to classify traffic more deeply", "volume-title": "Proceedings of the 2011 IEEE Sixth International Conference on Networking, Architecture, and Storage", "author": "Wang", "year": "2011"},
      {"key": "2025040917390232500_bib34", "article-title": "Detecting compressed cleartext traffic from consumer Internet of Things devices", "author": "Hahn", "year": "2018"},
      {"key": "2025040917390232500_bib35", "doi-asserted-by": "crossref", "first-page": "249", "DOI": "10.1134/S0361768821040058", "article-title": "Model of pseudo-random sequences generated by encryption and compression algorithms", "volume": "47", "author": "Kozachok", "year": "2021", "journal-title": "Prog Comput Softw"},
      {"key": "2025040917390232500_bib36", "doi-asserted-by": "crossref", "first-page": "2916", "DOI": "10.1109/TIFS.2019.2911156", "article-title": "HEDGE: efficient traffic classification of encrypted and compressed packets", "volume": "14", "author": "Casino", "year": "2019", "journal-title": "IEEE T Inf Foren Secur"},
      {"key": "2025040917390232500_bib37", "doi-asserted-by": "crossref", "first-page": "42", "DOI": "10.1007/978-3-030-65745-1_3", "article-title": "EnCoD: distinguishing compressed and encrypted file fragments", "volume-title": "Proceedings of the International Conference on Network and System Security", "author": "De Gaspari", "year": "2020"},
      {"key": "2025040917390232500_bib38", "doi-asserted-by": "crossref", "first-page": "20379", "DOI": "10.1007/s00521-022-07586-7", "article-title": "Reliable detection of compressed and encrypted data", "volume": "34", "author": "De Gaspari", "year": "2022", "journal-title": "Neur Comput Appl"},
      {"key": "2025040917390232500_bib39", "article-title": "Filter manager concepts", "author": "Microsoft", "year": "2021"},
      {"key": "2025040917390232500_bib40", "article-title": "Clear and present data: opaque traffic and its security implications for the future", "volume-title": "Proceedings of the NDSS", "author": "White", "year": "2013"},
      {"key": "2025040917390232500_bib41", "doi-asserted-by": "crossref", "first-page": "1076", "DOI": "10.1109/TNET.2012.2219591", "article-title": "An information-theoretical approach to high-speed flow nature identification", "volume": "21", "author": "Khakpour", "year": "2013", "journal-title": "IEEE/ACM Trans Netw"},
      {"key": "2025040917390232500_bib42", "first-page": "740", "article-title": "Microsoft COCO: common objects in context", "volume-title": "Proceedings of the European Conference on Computer Vision", "author": "Lin", "year": "2014"},
      {"key": "2025040917390232500_bib43", "unstructured": "Criminisi A. RGB-D Dataset 7-Scenes. Redmond, WA: Microsoft, 2013. https://www.microsoft.com/en-us/research/project/rgb-d-dataset-7-scenes/. (4 January 2024, date last accessed)."},
      {"key": "2025040917390232500_bib44", "article-title": "Project Gutenberg", "author": "Hart", "year": "1971"},
      {"key": "2025040917390232500_bib45", "article-title": "YouTube-8M: a large-scale video classification benchmark", "author": "Abu-El-Haija", "year": "2016", "journal-title": "arXiv:1609.08675"},
      {"key": "2025040917390232500_bib46", "doi-asserted-by": "crossref", "first-page": "103135", "DOI": "10.1016/j.jnca.2021.103135", "article-title": "Intercepting Hail Hydra: real-time detection of algorithmically generated domains", "volume": "190", "author": "Casino", "year": "2021", "journal-title": "J Netw Comput Appl"},
      {"key": "2025040917390232500_bib47", "doi-asserted-by": "crossref", "unstructured": "Karatas G, Demir O, Sahingoz OK. Increasing the performance of machine learning-based IDSs on an imbalanced and up-to-date dataset. IEEE Access. 2020;8:32150–62.", "DOI": "10.1109/ACCESS.2020.2973219"},
      {"key": "2025040917390232500_bib48", "doi-asserted-by": "crossref", "first-page": "20", "DOI": "10.1145/1007730.1007735", "article-title": "A study of the behavior of several methods for balancing machine learning training data", "volume": "6", "author": "Batista", "year": "2004", "journal-title": "ACM SIGKDD Explor Newsl"},
      {"key": "2025040917390232500_bib49", "article-title": "Distinguishing between high entropy bit streams", "author": "Casino", "year": "2021"},
      {"key": "2025040917390232500_bib50", "first-page": "99", "article-title": "Certifiably biased: an in-depth analysis of a Common Criteria EAL4+ certified TRNG", "author": "Hurley-Smith", "year": "2017", "journal-title": "IEEE T Inf Foren Secur"},
      {"key": "2025040917390232500_bib51", "doi-asserted-by": "crossref", "first-page": "1", "DOI": "10.1145/1268776.1268777", "article-title": "TestU01: a C library for empirical testing of random number generators", "volume": "33", "author": "L’Écuyer", "year": "2007", "journal-title": "ACM T Math Softw"},
      {"key": "2025040917390232500_bib52", "doi-asserted-by": "crossref", "first-page": "84", "DOI": "10.1016/j.inffus.2021.11.011", "article-title": "Tabular data: deep learning is not all you need", "volume": "81", "author": "Shwartz-Ziv", "year": "2022", "journal-title": "Inform Fusion"},
      {"key": "2025040917390232500_bib53", "doi-asserted-by": "crossref", "first-page": "1139", "DOI": "10.1145/3593013.3594069", "article-title": "The role of explainable AI in the context of the AI Act", "volume-title": "Proceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency", "author": "Panigutti", "year": "2023"},
      {"key": "2025040917390232500_bib54", "doi-asserted-by": "crossref", "first-page": "118888", "DOI": "10.1016/j.eswa.2022.118888", "article-title": "Quod erat demonstrandum? Towards a typology of the concept of explanation for the design of explainable AI", "volume": "213", "author": "Cabitza", "year": "2023", "journal-title": "Expert Syst Appl"},
      {"key": "2025040917390232500_bib55", "unstructured": "Koutsokostas V, Lykousas N, Orazi G et al. Malicious MS Office documents dataset. Zenodo, 2021."},
      {"key": "2025040917390232500_bib56", "doi-asserted-by": "crossref", "first-page": "1", "DOI": "10.1145/3365001", "article-title": "Malware dynamic analysis evasion techniques: a survey", "volume": "52", "author": "Afianian", "year": "2019", "journal-title": "ACM Comput Surv"},
      {"key": "2025040917390232500_bib57", "doi-asserted-by": "crossref", "first-page": "103595", "DOI": "10.1016/j.cose.2023.103595", "article-title": "A survey of strategy-driven evasion methods for PE malware: transformation, concealment, and attack", "volume": "137", "author": "Geng", "year": "2024", "journal-title": "Comput Secur"},
      {"key": "2025040917390232500_bib58", "doi-asserted-by": "crossref", "first-page": "4471", "DOI": "10.3390/app11104471", "article-title": "Privacy and security in cognitive cities: a systematic review", "volume": "11", "author": "Machin", "year": "2021", "journal-title": "Appl Sci"},
      {"key": "2025040917390232500_bib59", "doi-asserted-by": "crossref", "first-page": "tyac014", "DOI": "10.1093/cybsec/tyac014", "article-title": "SoK: cross-border criminal investigations and digital evidence", "volume": "8", "author": "Casino", "year": "2022", "journal-title": "J Cybersecur"},
      {"key": "2025040917390232500_bib60", "doi-asserted-by": "crossref", "first-page": "103236", "DOI": "10.1016/j.advengsoft.2022.103236", "article-title": "An efficient optimal security system for intrusion detection in cloud computing environment using hybrid deep learning technique", "volume": "173", "author": "Mayuranathan", "year": "2022", "journal-title": "Adv Eng Softw"},
      {"key": "2025040917390232500_bib61", "doi-asserted-by": "crossref", "first-page": "57", "DOI": "10.1007/978-3-030-87954-9_3", "article-title": "Multi-agent systems for distributed data mining techniques: an overview", "author": "Qasem", "year": "2022", "journal-title": "Big Data Intelligence for Smart Applications"},
      {"key": "2025040917390232500_bib62", "doi-asserted-by": "crossref", "first-page": "367", "DOI": "10.1007/s10586-022-03621-3", "article-title": "DMAIDPS: a distributed multi-agent intrusion detection and prevention system for cloud IoT environments", "volume": "26", "author": "Javadpour", "year": "2023", "journal-title": "Cluster Comput"},
      {"key": "2025040917390232500_bib63", "doi-asserted-by": "crossref", "first-page": "116", "DOI": "10.1109/IAW.2004.1437806", "article-title": "Honeyfiles: deceptive files for intrusion detection", "volume-title": "Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop", "author": "Yuill", "year": "2004"}
    ],
    "container-title": ["Journal of Cybersecurity"],
    "original-title": [],
    "language": "en",
    "link": [
      {"URL": "https://academic.oup.com/cybersecurity/article-pdf/11/1/tyaf009/62899092/tyaf009.pdf", "content-type": "application/pdf", "content-version": "vor", "intended-application": "syndication"},
      {"URL": "https://academic.oup.com/cybersecurity/article-pdf/11/1/tyaf009/62899092/tyaf009.pdf", "content-type": "unspecified", "content-version": "vor", "intended-application": "similarity-checking"}
    ],
    "deposited": {"date-parts": [[2025, 4, 9]], "date-time": "2025-04-09T17:39:24Z", "timestamp": 1744220364000},
    "score": 1,
    "resource": {"primary": {"URL": "https://academic.oup.com/cybersecurity/article/doi/10.1093/cybsec/tyaf009/8109429"}},
    "subtitle": [],
    "short-title": [],
    "issued": {"date-parts": [[2025]]},
    "references-count": 62,
    "journal-issue": {"issue": "1", "published-print": {"date-parts": [[2025, 1, 17]]}},
    "URL": "https://doi.org/10.1093/cybsec/tyaf009",
    "relation": {},
    "ISSN": ["2057-2085", "2057-2093"],
    "issn-type": [{"value": "2057-2085", "type": "print"}, {"value": "2057-2093", "type": "electronic"}],
    "subject": [],
    "published-other": {"date-parts": [[2025]]},
    "published": {"date-parts": [[2025]]},
    "article-number": "tyaf009"
  }
}
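The abstract's central problem is telling an encrypted stream apart from other high-entropy streams such as compressed files. The Python script below is an added illustration of that problem, written for this page; it is not the paper's method or the authors' code. It assumes Python 3.9 or later, uses deflate output of a constructed synthetic corpus as the compressed case, and uses uniform random bytes as the encrypted case (a stand-in for the output of a modern cipher, whose ciphertext is indistinguishable from uniform bytes by such tests). Both streams score close to 8 bits/byte of Shannon entropy, while a chi-square test of the byte histogram against uniformity separates them on a stream of this size.

```python
# Added example (not from the paper): Shannon entropy alone cannot tell
# ciphertext from compressed data, but a chi-square uniformity test on the
# byte histogram can once the sample is large enough.
# Stand-ins are constructed below: uniform random bytes play the role of
# ciphertext, deflate output of synthetic text plays the role of a compressed file.
import math
import random
import zlib
from collections import Counter

# Approximate 0.1 % critical value of the chi-square distribution with
# 255 degrees of freedom (256 byte values minus one). A genuinely uniform
# source exceeds it only about one time in a thousand.
CHI2_CRIT_255_P001 = 330.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (maximum 8.0)."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.

    Unlike the entropy estimate, which saturates near 8, this statistic grows
    linearly with the sample size for any fixed deviation from uniformity, so
    small structural biases in a compressor's output become visible on large
    segments.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    """'uniform' if the histogram is consistent with a uniform source (the
    encrypted-like case), otherwise 'structured' (the compressed-like case)."""
    return "uniform" if chi_square(data) < CHI2_CRIT_255_P001 else "structured"


def synthetic_text(n_words: int, seed: int) -> bytes:
    """Constructed corpus: Zipf-weighted draws from a random 'vocabulary'.

    The words are meaningless; the corpus only needs the repetition that a
    compressor exploits, so that its output is dense but not uniform.
    """
    rng = random.Random(seed)
    vocab = ["".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=rng.randint(3, 9)))
             for _ in range(2000)]
    weights = [1.0 / (rank + 1) for rank in range(len(vocab))]
    return " ".join(rng.choices(vocab, weights=weights, k=n_words)).encode()


def build_samples(n_words: int = 500_000, seed: int = 7) -> tuple[bytes, bytes]:
    """Return (uniform_stream, compressed_stream) of equal length."""
    compressed = zlib.compress(synthetic_text(n_words, seed), 9)
    uniform = random.Random(seed + 1).randbytes(len(compressed))  # Python >= 3.9
    return uniform, compressed


if __name__ == "__main__":
    for label, stream in zip(("uniform", "deflate"), build_samples()):
        print(f"{label:8s} n={len(stream):8d} "
              f"H={shannon_entropy(stream):.4f} bits/byte "
              f"chi2={chi_square(stream):9.1f} -> {classify(stream)}")
```

Running the script prints entropy, chi-square statistic and verdict for both streams. The separation comes from the sample size: the chi-square statistic grows with the number of bytes for any fixed non-uniformity, whereas the entropy estimate of both streams sits just below 8. On segments of a few kilobytes this single statistic has little power, which is why a segment-level classifier needs a battery of tests and a trained decision rule rather than one threshold, and why the abstract treats segment classification as a problem in its own right.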