Intermittent File Encryption in Ransomware: Measurement, Modeling, and Detection
- URL: http://arxiv.org/abs/2510.15133v1
- Date: Thu, 16 Oct 2025 20:48:22 GMT
- Title: Intermittent File Encryption in Ransomware: Measurement, Modeling, and Detection
- Authors: Ynes Ineza, Gerald Jackson, Prince Niyonkuru, Jaden Kevil, Abdul Serwadda
- Abstract summary: This paper provides a systematic empirical characterization of byte level statistics under intermittent encryption across common file types. We specialize a classical KL divergence upper bound on a tailored mixture model of intermittent encryption, yielding filetype specific detectability ceilings for histogram-based detectors.
- Score: 0.32622301272834514
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: File encrypting ransomware increasingly employs intermittent encryption techniques, encrypting only parts of files to evade classical detection methods. These strategies, exemplified by ransomware families like BlackCat, complicate file structure based detection techniques due to diverse file formats exhibiting varying traits under partial encryption. This paper provides a systematic empirical characterization of byte level statistics under intermittent encryption across common file types, establishing a comprehensive baseline of how partial encryption impacts data structure. We specialize a classical KL divergence upper bound on a tailored mixture model of intermittent encryption, yielding filetype specific detectability ceilings for histogram-based detectors. Leveraging insights from this analysis, we empirically evaluate convolutional neural network (CNN) based detection methods using realistic intermittent encryption configurations derived from leading ransomware variants. Our findings demonstrate that localized analysis via chunk level CNNs consistently outperforms global analysis methods, highlighting their practical effectiveness and establishing a robust baseline for future detection systems.
Related papers
- Propose and Rectify: A Forensics-Driven MLLM Framework for Image Manipulation Localization [49.71303998618939]
This paper presents a novel Propose-Rectify framework that bridges semantic reasoning with forensic-specific analysis. Our framework ensures that initial semantic proposals are systematically validated and enhanced through concrete technical evidence, resulting in comprehensive detection accuracy and localization precision.
arXiv Detail & Related papers (2025-08-25T12:43:53Z)
- Data Encryption Battlefield: A Deep Dive into the Dynamic Confrontations in Ransomware Attacks [8.67152196724378]
This study explores the battle between adversaries who continually refine encryption strategies and defenders developing advanced countermeasures to protect vulnerable data. We investigate the application of online incremental machine learning algorithms designed to predict file encryption activities despite adversaries' evolving obfuscation techniques. Results highlight the Hoeffding Tree algorithm's superior incremental learning capability, particularly effective in detecting traditional and AES-Base64 encryption methods employed to lower entropy.
arXiv Detail & Related papers (2025-04-29T12:01:43Z)
- Hierarchical Manifold Projection for Ransomware Detection: A Novel Geometric Approach to Identifying Malicious Encryption Patterns [0.0]
Encryption-based cyber threats continue to evolve, employing increasingly sophisticated techniques to bypass traditional detection mechanisms. A novel classification framework structured through hierarchical manifold projection introduces a mathematical approach to detecting malicious encryption. The proposed methodology transforms encryption sequences into structured manifold embeddings, ensuring classification robustness through non-Euclidean feature separability.
arXiv Detail & Related papers (2025-02-11T23:20:58Z)
- Semantic Entanglement-Based Ransomware Detection via Probabilistic Latent Encryption Mapping [0.0]
Probabilistic Latent Encryption Mapping models encryption behaviors through statistical representations of entropy deviations and probabilistic dependencies in execution traces. Evaluations demonstrate that entropy-driven classification reduces false positive rates while maintaining high detection accuracy across diverse ransomware families and encryption methodologies. The ability to systematically infer encryption-induced deviations without requiring static attack signatures strengthens detection against adversarial evasion techniques.
arXiv Detail & Related papers (2025-02-04T21:27:58Z)
- Spectral Entanglement Fingerprinting: A Novel Framework for Ransomware Detection Using Cross-Frequency Anomalous Waveform Signatures [0.0]
Malicious encryption techniques continue to evolve, bypassing conventional detection mechanisms. Spectral analysis presents an alternative approach that transforms system activity data into the frequency domain. The proposed Spectral Entanglement Fingerprinting (SEF) framework leverages power spectral densities, coherence functions, and entropy-based metrics to extract hidden patterns.
arXiv Detail & Related papers (2025-02-03T11:46:41Z)
- Hierarchical Pattern Decryption Methodology for Ransomware Detection Using Probabilistic Cryptographic Footprints [0.0]
The framework combines advanced clustering algorithms with machine learning to isolate ransomware-induced anomalies. It effectively distinguishes malicious encryption operations from benign activities while maintaining low false positive rates. The inclusion of real-time anomaly evaluation ensures rapid response capabilities, addressing critical latency challenges in ransomware detection.
arXiv Detail & Related papers (2025-01-25T05:26:17Z)
- Cryptanalysis via Machine Learning Based Information Theoretic Metrics [58.96805474751668]
We propose two novel applications of machine learning (ML) algorithms to perform cryptanalysis on any cryptosystem. These algorithms can be readily applied in an audit setting to evaluate the robustness of a cryptosystem. We show that our classification model correctly identifies the encryption schemes that are not IND-CPA secure, such as DES, RSA, and AES ECB, with high accuracy.
arXiv Detail & Related papers (2025-01-25T04:53:36Z)
- C2P-CLIP: Injecting Category Common Prompt in CLIP to Enhance Generalization in Deepfake Detection [98.34703790782254]
We introduce Category Common Prompt CLIP, which integrates the category common prompt into the text encoder to inject category-related concepts into the image encoder. Our method achieves a 12.41% improvement in detection accuracy compared to the original CLIP, without introducing additional parameters during testing.
arXiv Detail & Related papers (2024-08-19T02:14:25Z)
- Spatial-Frequency Discriminability for Revealing Adversarial Perturbations [53.279716307171604]
Vulnerability of deep neural networks to adversarial perturbations has been widely perceived in the computer vision community. Current algorithms typically detect adversarial patterns through discriminative decomposition for natural and adversarial data. We propose a discriminative detector relying on a spatial-frequency Krawtchouk decomposition.
arXiv Detail & Related papers (2023-05-18T10:18:59Z)
- ORF-Net: Deep Omni-supervised Rib Fracture Detection from Chest CT Scans [47.7670302148812]
Radiologists need to investigate and annotate rib fractures on a slice-by-slice basis. We propose a novel omni-supervised object detection network, which can exploit multiple different forms of annotated data. Our proposed method outperforms other state-of-the-art approaches consistently.
arXiv Detail & Related papers (2022-07-05T07:06:57Z)
- ZippyPoint: Fast Interest Point Detection, Description, and Matching through Mixed Precision Discretization [71.91942002659795]
We investigate and adapt network quantization techniques to accelerate inference and enable its use on compute limited platforms. ZippyPoint, our efficient quantized network with binary descriptors, improves the network runtime speed, the descriptor matching speed, and the 3D model size. These improvements come at a minor performance degradation as evaluated on the tasks of homography estimation, visual localization, and map-free visual relocalization.
arXiv Detail & Related papers (2022-03-07T18:59:03Z)
- MD-CSDNetwork: Multi-Domain Cross Stitched Network for Deepfake Detection [80.83725644958633]
Current deepfake generation methods leave discriminative artifacts in the frequency spectrum of fake images and videos. We present a novel approach, termed MD-CSDNetwork, for combining the features in the spatial and frequency domains to mine a shared discriminative representation.
arXiv Detail & Related papers (2021-09-15T14:11:53Z)
- Detecting malicious PDF using CNN [46.86114958340962]
Malicious PDF files represent one of the biggest threats to computer security. We propose a novel algorithm that uses an ensemble of Convolutional Neural Networks (CNN) on the byte level of the file. We show, using a data set of 90000 files downloadable online, that our approach maintains a high detection rate (94%) of PDF malware.
arXiv Detail & Related papers (2020-07-24T18:27:45Z)