Elastic Shifts: I/O Sequence Patterns of Ransomware and Detection Evasion
Cyber-criminals frequently use crypto-ransomware to gain financial benefit by encrypting victims’ valuable digital assets, such as photos and documents. The unique I/O behavior sequence patterns of such crypto-ransomware have been used as key features in ransomware detection. Prior behavior-profiling approaches built detection patterns from existing ransomware datasets using their own tools or third-party tools for behavior monitoring. In addition, these approaches applied simple rule-based matching. However, future ransomware may not consistently exhibit previous patterns, since its behavior can change significantly. Furthermore, the monitoring tools used in existing detection methods may not be sufficient to interpret the behavior of future ransomware. This study demonstrates that ransomware can effectively evade existing detection methods by changing its I/O behavior sequence patterns. We induce monitoring tools to misinterpret the semantics of ransomware I/O operations, which leads detection systems to construct incorrect behavioral patterns. Our findings expose weaknesses in current endpoint behavior-based ransomware detectors, including an antivirus program’s real-time detection, and underscore the need for methods that remain effective against previously unseen patterns.
Saved in:
| Main Authors: | Il Hyeon Ju, Huy Kang Kim |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Computer security; ransomware; malware; malware detection; detection evasion |
| Online Access: | https://ieeexplore.ieee.org/document/11077114/ |
| Field | Value |
|---|---|
| author | Il Hyeon Ju Huy Kang Kim |
| author_facet | Il Hyeon Ju Huy Kang Kim |
| author_sort | Il Hyeon Ju |
| collection | DOAJ |
| description | Cyber-criminals frequently use crypto-ransomware to gain financial benefit by encrypting victims’ valuable digital assets, such as photos and documents. The unique I/O behavior sequence patterns of such crypto-ransomware have been used as key features in ransomware detection. Prior behavior-profiling approaches built detection patterns from existing ransomware datasets using their own tools or third-party tools for behavior monitoring. In addition, these approaches applied simple rule-based matching. However, future ransomware may not consistently exhibit previous patterns, since its behavior can change significantly. Furthermore, the monitoring tools used in existing detection methods may not be sufficient to interpret the behavior of future ransomware. This study demonstrates that ransomware can effectively evade existing detection methods by changing its I/O behavior sequence patterns. We induce monitoring tools to misinterpret the semantics of ransomware I/O operations, which leads detection systems to construct incorrect behavioral patterns. Our findings expose weaknesses in current endpoint behavior-based ransomware detectors, including an antivirus program’s real-time detection, and underscore the need for methods that remain effective against previously unseen patterns. |
| format | Article |
| id | doaj-art-ff6477bbb3f44e5bb57e7e5ae6b3529c |
| institution | Kabale University |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | Il Hyeon Ju (https://orcid.org/0009-0006-8839-8392), Huy Kang Kim (https://orcid.org/0000-0002-0760-8807); School of Cybersecurity, Korea University, Seoul, Republic of Korea. IEEE Access, vol. 13, pp. 122341-122353, 2025-01-01. DOI: 10.1109/ACCESS.2025.3587698. https://ieeexplore.ieee.org/document/11077114/ |
| spellingShingle | Il Hyeon Ju; Huy Kang Kim; Elastic Shifts: I/O Sequence Patterns of Ransomware and Detection Evasion; IEEE Access; Computer security; ransomware; malware; malware detection; detection evasion |
| title | Elastic Shifts: I/O Sequence Patterns of Ransomware and Detection Evasion |
| title_full | Elastic Shifts: I/O Sequence Patterns of Ransomware and Detection Evasion |
| title_fullStr | Elastic Shifts: I/O Sequence Patterns of Ransomware and Detection Evasion |
| title_full_unstemmed | Elastic Shifts: I/O Sequence Patterns of Ransomware and Detection Evasion |
| title_short | Elastic Shifts: I/O Sequence Patterns of Ransomware and Detection Evasion |
| title_sort | elastic shifts i o sequence patterns of ransomware and detection evasion |
| topic | Computer security; ransomware; malware; malware detection; detection evasion |
| url | https://ieeexplore.ieee.org/document/11077114/ |