Discriminating Unknown Software Using Distance Model

Abstract : Crypto-ransomware is a class of malware that en-crypt their victim's data and only return the decryption key in exchange for a ransom. In a previous work, we have yet designed a solution able to detect any ciphering of files using statistical estimator. Once detected, a pop up requests the user to verify if that operation is allowed on not. To improve our tool, automation is needed. In this paper, an anomaly detection mechanism to determine if a suspected group of threads is an authorized cryptographic software or a malicious code is presented. The effectiveness of our solution to correctly distinguish between valid programs and ransomware is evaluated using a string analysis. The tf-idf metric is used to choose the most pertinent features. The distance of a candidate software with a vector representing the allowed cryptographic software is measured. If the distance exceeds a threshold, the suspected process is flagged as a ransomware. We have evaluated our approach with the samples provided by open databases and executed on our bare metal platform.
Document type :
Conference papers
Complete list of metadatas

Cited literature [15 references]  Display  Hide  Download

Contributor : Hélène Le Bouder <>
Submitted on : Thursday, November 7, 2019 - 9:27:29 AM
Last modification on : Tuesday, November 12, 2019 - 4:09:22 PM


 Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until : 2020-05-07

Please log in to resquest access to the document


  • HAL Id : hal-02352861, version 1


Yassine Lemmou, Hélène Le Bouder, Jean-Louis Lanet. Discriminating Unknown Software Using Distance Model. ICACSIS 2019, Nov 2019, Bali, Indonesia. ⟨hal-02352861⟩



Record views