{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T20:14:24Z","timestamp":1773519264946,"version":"3.50.1"},"reference-count":41,"publisher":"SAGE Publications","issue":"3","license":[{"start":{"date-parts":[[2019,11,28]],"date-time":"2019-11-28T00:00:00Z","timestamp":1574899200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2020,4,21]]},"abstract":"<jats:p> The last few years have come with a sudden rise in ransomware attack incidents, causing significant financial losses to individuals, institutions and businesses. In reaction to these attacks, ransomware detection has become an important topic for research in recent years. Currently, there are two broad categories of ransomware detection techniques: signature-based and behaviour-based analyses. On the one hand, signature-based detection, which mainly relies on a static analysis, can easily be evaded by code-obfuscation and encryption techniques. On the other hand, current behaviour-based models, which rely mainly on a dynamic analysis, face difficulties in accurately differentiating user-triggered encryption from ransomware-triggered encryption. In the current paper, we present an upgraded behavioural ransomware detection model that reinforces the existing feature space with a new set of features based on grouped registry key operations, introducing a monitoring model based on combined file entropy and file signature. We analyze the new feature model by exploring and comparing three different linear machine learning techniques: SVM, logistic regression and random forest. The proposed approach helps achieve improved detection accuracy and provides the ability to detect novel ransomware. Furthermore, the proposed approach helps differentiate user-triggered encryption from ransomware-triggered encryption, allowing as many files as possible to be saved during an attack. To conduct our study, we use a new public ransomware detection dataset collected in our lab, which consists of 666 ransomware and 103 benign binaries. Our experimental results show that our proposed approach achieves relatively high accuracy in detecting both previously seen and novel ransomware samples. <\/jats:p>",
"DOI":"10.3233\/jcs-191346","type":"journal-article","created":{"date-parts":[[2019,11,29]],"date-time":"2019-11-29T18:04:59Z","timestamp":1575050699000},"page":"337-373","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":41,"title":["Multilayer ransomware detection using grouped registry key operations, file entropy and file signature monitoring"],"prefix":"10.1177","volume":"28",
"author":[{"given":"Brijesh","family":"Jethva","sequence":"first","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0"}]},{"given":"Issa","family":"Traor\u00e9","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0"}]},{"given":"Asem","family":"Ghaleb","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0"}]},{"given":"Karim","family":"Ganame","sequence":"additional","affiliation":[{"name":"Efficient Protections Inc., QC, Canada. E-mail:\u00a0"}]},{"given":"Sherif","family":"Ahmed","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Windsor, ON, Canada. E-mail:\u00a0"}]}],"member":"179","published-online":{"date-parts":[[2019,11,28]]},
"reference":[{"key":"ref001","doi-asserted-by":"publisher","DOI":"10.1109\/ISCISC.2015.7387902"},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"N.\u00a0Andronio, S.\u00a0Zanero and F.\u00a0Maggi, Heldroid: Dissecting and detecting mobile ransomware, in: International Workshop on Recent Advances in Intrusion Detection, Springer Verlag, New York, 2015, pp.\u00a0382\u2013404.","DOI":"10.1007\/978-3-319-26362-5_18"},{"key":"ref003","unstructured":"J.\u00a0Brownlee, An introduction to feature selection, 2014. https:\/\/machinelearningmastery.com\/an-introduction-to-feature-selection."},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"K.\u00a0Cabaj, M.\u00a0Gregorczyk and W.\u00a0Mazurczyk, Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics, Computers & Electrical Engineering (2017).","DOI":"10.1016\/j.compeleceng.2017.10.012"},{"key":"ref005","doi-asserted-by":"publisher","DOI":"10.1145\/3129676.3129704"},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"A.\u00a0Continella, A.\u00a0Guagnelli, G.\u00a0Zingaro, G.\u00a0De Pasquale, A.\u00a0Barenghi, S.\u00a0Zanero and F.\u00a0Maggi, ShieldFS: A self-healing, ransomware-aware filesystem, in: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACM, 2016, pp.\u00a0336\u2013347.","DOI":"10.1145\/2991079.2991110"},{"key":"ref007","doi-asserted-by":"crossref","unstructured":"G.\u00a0Cusack, O.\u00a0Michel and E.\u00a0Keller, Machine learning-based detection of ransomware using SDN, in: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, ACM, 2018, pp.\u00a01\u20136.","DOI":"10.1145\/3180465.3180467"},{"issue":"4","key":"ref008","first-page":"212","volume":"26","author":"Douceur J.R.","year":"2016","journal-title":"ACM SIGMETRICS Performance Evaluation Review"},
{"key":"ref009","doi-asserted-by":"crossref","unstructured":"S.\u00a0Garfinkel, P.\u00a0Farrell and G.\u00a0Dinolt, Bringing science to digital forensics with standardized forensic corpora, in: Digital Forensic Research Conference, Montreal, Canada, 2009.","DOI":"10.1016\/j.diin.2009.06.016"},{"key":"ref010","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-64701-2_14"},{"key":"ref011","doi-asserted-by":"crossref","unstructured":"M.M.\u00a0Hasan and M.M.\u00a0Rahman, RansHunt: A support vector machines based ransomware analysis framework with integrated feature set, in: 20th International Conference of Computer and Information Technology (ICCIT), 2017.","DOI":"10.1109\/ICCITECHN.2017.8281835"},{"key":"ref012","doi-asserted-by":"publisher","DOI":"10.1145\/1402256.1402262"},{"key":"ref013","doi-asserted-by":"crossref","unstructured":"J.\u00a0Huang, J.\u00a0Xu, X.\u00a0Xing, P.\u00a0Liu and M.K.\u00a0Qureshi, FlashGuard: Leveraging intrinsic flash properties to defend against encryption ransomware, in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2017, pp.\u00a02231\u20132244.","DOI":"10.1145\/3133956.3134035"},{"key":"ref014","unstructured":"G.C.\u00a0Kessler, File Signatures, 2019. https:\/\/www.garykessler.net\/library\/file_sigs.html."},
{"key":"ref015","unstructured":"A.\u00a0Kharraz, S.\u00a0Arshad, C.\u00a0Mulliner, W.K.\u00a0Robertson and E.\u00a0Kirda, Unveil: A large-scale, automated approach to detecting ransomware, in: USENIX Security Symposium, 2016, pp.\u00a0757\u2013772."},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_1"},{"key":"ref017","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2018.2701165"},{"key":"ref018","doi-asserted-by":"crossref","unstructured":"E.\u00a0Kolodenker, W.\u00a0Koch, G.\u00a0Stringhini and M.\u00a0Egele, PayBreak: Defense against cryptographic ransomware, in: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ACM, 2017, pp.\u00a0599\u2013611.","DOI":"10.1145\/3052973.3053035"},{"key":"ref019","doi-asserted-by":"publisher","DOI":"10.1145\/3129676.3129713"},{"key":"ref020","unstructured":"LogRhythm, The ransomware threat: A guide to detecting an attack before it\u2019s too late, Technical report, LogRhythm EMEA, 2018. http:\/\/www.ncstrl.org:8900\/ncstrl\/servlet\/search?formname=detail&id=oai%3Ancstrlh%3Amitai%3AMIT-LCS%2F%2FMIT%2FLCS%2FTR-200."},{"key":"ref021","doi-asserted-by":"publisher","DOI":"10.1145\/3019612.3019793"},{"key":"ref022","unstructured":"L.\u00a0Mathews, NotPetya ransomware attack cost shipping giant Maersk over $200 million, Forbes Magazine (2017). https:\/\/www.forbes.com\/sites\/leemathews\/2017\/08\/16\/notpetya-ransomware-attack-cost-shipping-giant-maersk-over-200-million\/#3c3ec1eb4f9a."},
{"key":"ref023","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-48965-0_32"},{"key":"ref024","unstructured":"J.\u00a0McKnight, The evolution of ransomware and breadth of its economic impact, Master\u2019s thesis, Utica College, 2017."},{"key":"ref025","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_6"},{"key":"ref026","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-39570-8_14"},{"key":"ref027","doi-asserted-by":"crossref","unstructured":"R.\u00a0Moussaileb, B.\u00a0Bouget, A.\u00a0Palisse, H.\u00a0Le Bouder, N.\u00a0Cuppens and J.L.\u00a0Lanet, Ransomware\u2019s early mitigation mechanisms, in: Proceedings of the 13th International Conference on Availability, Reliability and Security, ACM, 2018, p.\u00a02.","DOI":"10.1145\/3230833.3234691"},{"key":"ref028","unstructured":"N.B.\u00a0University\u00a0of Texas San\u00a0Antonio, University of Texas San Antonio, FILETYPES1 File Type Samples, 2014. http:\/\/digitalcorpora.org\/corp\/nps\/files\/filetypes1\/."},{"key":"ref029","unstructured":"D.\u00a0Nieuwenhuizen, A behavioural-based approach to ransomware detection, Whitepaper. MWR Labs Whitepaper (2017). https:\/\/pdfs.semanticscholar.org\/93b6\/e2fdf2a79608e44ab64e37bddd6973f54f1d.pdf."},{"key":"ref030","unstructured":"M.\u00a0Reynolds, Ransomware attack hits 200,000 computers across the globe, New Scientist (2017). https:\/\/www.newscientist.com\/article\/2130983-ransomware-attack-hits-200000-computers-across-the-globe."},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.14"},{"key":"ref032","unstructured":"C.\u00a0Sandbox, Cuckoo Sandbox \u2013 Automated malware analysis, 2017. https:\/\/cuckoosandbox.org."},
{"key":"ref033","doi-asserted-by":"crossref","unstructured":"N.\u00a0Scaife, H.\u00a0Carter, P.\u00a0Traynor and K.R.\u00a0Butler, Cryptolock (and drop it): Stopping ransomware attacks on user data, in: IEEE 36th International Conference on Distributed Computing Systems (ICDCS), IEEE, 2016, pp.\u00a0303\u2013312.","DOI":"10.1109\/ICDCS.2016.46"},{"key":"ref034","unstructured":"T.\u00a0Seals, Troldesh Nabs top ransomware spot, Infosecurity Magazine (2017). https:\/\/www.infosecurity-magazine.com\/news\/troldesh-nabs-top-ransomware-spot."},{"key":"ref035","unstructured":"D.\u00a0Sgandurra, L.\u00a0Mu\u00f1oz-Gonz\u00e1lez, R.\u00a0Mohsen and E.C.\u00a0Lupu, Automated dynamic analysis of ransomware: Benefits, limitations and use for detection, Preprint, 2016. arXiv:1609.03020."},{"key":"ref036","doi-asserted-by":"crossref","unstructured":"S.K.\u00a0Shaukat and V.J.\u00a0Ribeiro, RansomWall: A layered defense system against cryptographic ransomware attacks using machine learning, in: 10th International Conference on Communication Systems and Networks (COMSNETS), 2018, pp.\u00a0356\u2013363.","DOI":"10.1109\/COMSNETS.2018.8328219"},{"key":"ref037","doi-asserted-by":"crossref","unstructured":"S.\u00a0Song, B.\u00a0Kim and S.\u00a0Lee, The effective ransomware prevention technique using process monitoring on android platform, Computer Fraud & Security 2016 (2016).","DOI":"10.1155\/2016\/2946735"},{"key":"ref038","unstructured":"R.\u00a0Soto and J.\u00a0Zadeh, Automated prevention of ransomware with machine learning and GPOs, 2017. https:\/\/www.rsaconference.com\/events\/us17\/agenda\/sessions\/6695-automated-prevention-of-ransomware-with-machine."},
{"key":"ref039","doi-asserted-by":"crossref","unstructured":"D.\u00a0Wagner and P.\u00a0Soto, Mimicry attacks on host-based intrusion detection systems, in: Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM, 2002, pp.\u00a0255\u2013264.","DOI":"10.1145\/586110.586145"},{"key":"ref040","doi-asserted-by":"crossref","unstructured":"T.\u00a0Yang, Y.\u00a0Yang, K.\u00a0Qian, D.C.T.\u00a0Lo, Y.\u00a0Qian and L.\u00a0Tao, Automated detection and analysis for Android ransomware, in: 2015 IEEE 7th International Symposium on Cyberspace Safety and Security (CSS), 2015 IEEE 12th International Conference on Embedded Software and Systems (ICESS), IEEE, 2015, pp.\u00a01338\u20131343.","DOI":"10.1109\/HPCC-CSS-ICESS.2015.39"},{"key":"ref041","unstructured":"K.\u00a0Yeager, LibGuides: SPSS Tutorials: Pearson Correlation, 2019. https:\/\/libguides.library.kent.edu\/SPSS\/PearsonCorr."}],
"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191346","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191346","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191346","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,10]],"date-time":"2025-03-10T14:17:50Z","timestamp":1741616270000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191346"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,28]]},"references-count":41,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2020,4,21]]}},"alternative-id":["10.3233\/JCS-191346"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191346","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,11,28]]}}}