{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T02:09:31Z","timestamp":1760148571252,"version":"build-2065373602"},"reference-count":21,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2023,5,13]],"date-time":"2023-05-13T00:00:00Z","timestamp":1683936000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003725","name":"National Research Foundation of Korea (NRF)","doi-asserted-by":"publisher","award":["NRF-2021R1F1A1050542","NRF-2021R1A4A2001810"],"award-info":[{"award-number":["NRF-2021R1F1A1050542","NRF-2021R1A4A2001810"]}],"id":[{"id":"10.13039\/501100003725","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Ransomware is one type of malware that involves restricting access to files by encrypting files stored on the victim\u2019s system and demanding money in return for file recovery. Although various ransomware detection technologies have been introduced, existing ransomware detection technologies have certain limitations and problems that affect their detection ability. Therefore, there is a need for new detection technologies that can overcome the problems of existing detection methods and minimize the damage from ransomware. A technology that can be used to detect files infected by ransomware and by measuring the entropy of files has been proposed. However, from an attacker\u2019s point of view, neutralization technology can bypass detection through neutralization using entropy. A representative neutralization method is one that involves decreasing the entropy of encrypted files by using an encoding technology such as base64. This technology also makes it possible to detect files that are infected by ransomware by measuring entropy after decoding the encoded files, which, in turn, means the failure of the ransomware detection-neutralization technology. Therefore, this paper derives three requirements for a more sophisticated ransomware detection-neutralization method from the perspective of an attacker for it to have novelty. These requirements are (1) it must not be decoded; (2) it must support encryption using secret information; and (3) the entropy of the generated ciphertext must be similar to that of plaintext. The proposed neutralization method satisfies these requirements, supports encryption without decoding, and applies format-preserving encryption that can adjust the input and output lengths. To overcome the limitations of neutralization technology using the encoding algorithm, we utilized format-preserving encryption, which could allow the attacker to manipulate the entropy of the ciphertext as desired by changing the expression range of numbers and controlling the input and output lengths in a very free manner. To apply format-preserving encryption, Byte Split, BinaryToASCII, and Radix Conversion methods were evaluated, and an optimal neutralization method was derived based on the experimental results of these three methods. As a result of the comparative analysis of the neutralization performance with existing studies, when the entropy threshold value was 0.5 in the Radix Conversion method, which was the optimal neutralization method derived from the proposed study, the neutralization accuracy was improved by 96% based on the PPTX file format. The results of this study provide clues for future studies to derive a plan to counter the technology that can neutralize ransomware detection technology.<\/jats:p>","DOI":"10.3390\/s23104728","type":"journal-article","created":{"date-parts":[[2023,5,15]],"date-time":"2023-05-15T08:33:01Z","timestamp":1684139581000},"page":"4728","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption"],"prefix":"10.3390","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1492-1241","authenticated-orcid":false,"given":"Jaehyuk","family":"Lee","sequence":"first","affiliation":[{"name":"Interdisciplinary Program of Information & Protection, Mokpo National University, Muan 58554, Republic of Korea"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4686-9436","authenticated-orcid":false,"given":"Sun-Young","family":"Lee","sequence":"additional","affiliation":[{"name":"Department of Information Security Engineering, Soonchunhyang University, Asan 31538, Republic of Korea"}]},{"given":"Kangbin","family":"Yim","sequence":"additional","affiliation":[{"name":"Department of Information Security Engineering, Soonchunhyang University, Asan 31538, Republic of Korea"}]},{"given":"Kyungroul","family":"Lee","sequence":"additional","affiliation":[{"name":"Department of Information Security, Mokpo National University, Muan 58554, Republic of Korea"}]}],"member":"1968","published-online":{"date-parts":[[2023,5,13]]},"reference":[{"key":"ref_1","first-page":"136","article-title":"Ransomware, Threat and Detection Techniques: A Review","volume":"19","author":"Kok","year":"2019","journal-title":"Int. J. Comput. Sci. Netw. Secur."},{"key":"ref_2","first-page":"1938","article-title":"A brief study of wannacry threat: Ransomware attack 2017","volume":"8","author":"Mohurle","year":"2017","journal-title":"Int. J. Adv. Res. Comput. Sci."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"(2022, November 25). Sophos, \u201cThe State of Ransomeware 2022\u201d. A Sophos Whitepaper, April 2022. Available online: https:\/\/www.sophos.com\/en-us\/content\/state-of-ransomware:.","DOI":"10.12968\/S1361-3723(22)70573-8"},{"key":"ref_4","unstructured":"Cabaj, K., Gregorczyk, M., and Mazurczyk, W. (arXiv, 2016). Software-Defined Networking-based Crypto Ransomware Detection Using HTTP Traffic Characteristics, arXiv."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Paik, J.-Y., Choi, J.-H., Jin, R., Wang, J., and Cho, E.-S. (2018, January 15). A Storage-Level Detection Mechanism against Crypto-Ransomware. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada.","DOI":"10.1145\/3243734.3278491"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1286","DOI":"10.1109\/TIFS.2017.2787905","article-title":"Uncovering the face of android ransomware: Characterization and real-time detection","volume":"13","author":"Chen","year":"2017","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"111","DOI":"10.1016\/j.compeleceng.2019.03.012","article-title":"Ransomware detection and mitigation using software-defined networking: The case of WannaCry","volume":"76","author":"Akbanov","year":"2019","journal-title":"Comput. Electr. Eng."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1109\/18.61115","article-title":"Divergence measures based on the Shannon entropy","volume":"37","author":"Lin","year":"1991","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1109\/MC.2014.47","article-title":"The importance of entropy to information security","volume":"47","author":"Vassilev","year":"2014","journal-title":"Computer"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"391","DOI":"10.1137\/S0097539795291562","article-title":"Nonmalleable Cryptography","volume":"30","author":"Dolev","year":"2000","journal-title":"SIAM J. Comput."},{"key":"ref_11","first-page":"1","article-title":"CSI computer crime and security survey","volume":"1","author":"Richardson","year":"2008","journal-title":"Comput. Secur. Inst."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"2107","DOI":"10.1038\/s41598-020-58928-1","article-title":"An Approach to Cryptography Based on Continuous-Variable Quantum Neural Network","volume":"10","author":"Shi","year":"2020","journal-title":"Sci. Rep."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"110205","DOI":"10.1109\/ACCESS.2019.2931136","article-title":"Machine learning based file entropy analysis for ransomware detection in backup systems","volume":"7","author":"Lee","year":"2019","journal-title":"IEEE Access"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Lee, J., and Lee, K. (2022). A Method for Neutralizing Entropy Measurement-Based Ransomware Detection Technologies Using Encoding Algorithms. Entropy, 24.","DOI":"10.3390\/e24020239"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"6731","DOI":"10.1007\/s00500-018-3257-z","article-title":"Ransomware detection method based on context-aware entropy analysis","volume":"22","author":"Jung","year":"2018","journal-title":"Soft Comput."},{"key":"ref_16","unstructured":"Bellare, M., Ristenpart, T., Rogaway, P., and Stegers, T. (2009). International Workshop on Selected Areas in Cryptography, Springer."},{"key":"ref_17","first-page":"245","article-title":"Evaluation of format-preserving encryption algorithms for critical infrastructure protection","volume":"Volume 441","author":"Butts","year":"2014","journal-title":"Proceedings of the International Conference on Critical Infrastructure Protection"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Jang, W., and Lee, S.-Y. (2020, January 30). A format-preserving encryption FF1 FF3\u20131 using lightweight block ciphers LEA and SPECK. Proceedings of the 35th Annual ACM Symposium on Applied Computing, New York, NY, USA.","DOI":"10.1145\/3341105.3373953"},{"key":"ref_19","first-page":"279","article-title":"Accuracy Enhancement of Determining File Encryption Status through Divided Shannon Entropy","volume":"25","author":"Kwak","year":"2018","journal-title":"KIPS"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Davies, S.R., Macfarlane, R., and Buchanan, W.J. (2022). Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification. Entropy, 24.","DOI":"10.3390\/e24101503"},{"key":"ref_21","unstructured":"Timothy, M., Julian, J., Paul, W., and Teo, S. (2019). Communications in Computer and Information Science, Springer."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/10\/4728\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T19:34:19Z","timestamp":1760124859000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/10\/4728"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,13]]},"references-count":21,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2023,5]]}},"alternative-id":["s23104728"],"URL":"https:\/\/doi.org\/10.3390\/s23104728","relation":{},"ISSN":["1424-8220"],"issn-type":[{"type":"electronic","value":"1424-8220"}],"subject":[],"published":{"date-parts":[[2023,5,13]]}}}