{"id":"https://openalex.org/W2989588798","doi":"https://doi.org/10.3233/jcs-191346","title":"Multilayer ransomware detection using grouped registry key operations, file entropy and file signature monitoring","display_name":"Multilayer ransomware detection using grouped registry key operations, file entropy and file signature monitoring","publication_year":2019,"publication_date":"2019-11-28","ids":{"openalex":"https://openalex.org/W2989588798","doi":"https://doi.org/10.3233/jcs-191346","mag":"2989588798"},"language":"en","primary_location":{"id":"doi:10.3233/jcs-191346","is_oa":false,"landing_page_url":"https://doi.org/10.3233/jcs-191346","pdf_url":null,"source":{"id":"https://openalex.org/S106992369","display_name":"Journal of Computer Security","issn_l":"0926-227X","issn":["0926-227X","1875-8924"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310318577","host_organization_name":"IOS Press","host_organization_lineage":["https://openalex.org/P4310318577"],"host_organization_lineage_names":["IOS Press"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Computer Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5019135815","display_name":"Brijesh Jethva","orcid":null},"institutions":[{"id":"https://openalex.org/I212119943","display_name":"University of Victoria","ror":"https://ror.org/04s5mat29","country_code":"CA","type":"education","lineage":["https://openalex.org/I212119943"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Brijesh Jethva","raw_affiliation_strings":["Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0","Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0bjethva@uvic.ca,\u00a0itraore@ece.uvic.ca,\u00a0aghaleb@uvic.ca"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0","institution_ids":["https://openalex.org/I212119943"]},{"raw_affiliation_string":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0bjethva@uvic.ca,\u00a0itraore@ece.uvic.ca,\u00a0aghaleb@uvic.ca","institution_ids":["https://openalex.org/I212119943"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5041277719","display_name":"Issa Traor\u00e9","orcid":"https://orcid.org/0000-0003-2987-8047"},"institutions":[{"id":"https://openalex.org/I212119943","display_name":"University of Victoria","ror":"https://ror.org/04s5mat29","country_code":"CA","type":"education","lineage":["https://openalex.org/I212119943"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Issa Traor\u00e9","raw_affiliation_strings":["Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0","Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0bjethva@uvic.ca,\u00a0itraore@ece.uvic.ca,\u00a0aghaleb@uvic.ca"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0","institution_ids":["https://openalex.org/I212119943"]},{"raw_affiliation_string":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0bjethva@uvic.ca,\u00a0itraore@ece.uvic.ca,\u00a0aghaleb@uvic.ca","institution_ids":["https://openalex.org/I212119943"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5046148961","display_name":"Asem Ghaleb","orcid":"https://orcid.org/0000-0002-2190-8304"},"institutions":[{"id":"https://openalex.org/I212119943","display_name":"University of Victoria","ror":"https://ror.org/04s5mat29","country_code":"CA","type":"education","lineage":["https://openalex.org/I212119943"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Asem Ghaleb","raw_affiliation_strings":["Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0","Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0bjethva@uvic.ca,\u00a0itraore@ece.uvic.ca,\u00a0aghaleb@uvic.ca"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0,\u00a0,\u00a0","institution_ids":["https://openalex.org/I212119943"]},{"raw_affiliation_string":"Department of Electrical and Computer Engineering, University of Victoria, BC, Canada. E-mails:\u00a0bjethva@uvic.ca,\u00a0itraore@ece.uvic.ca,\u00a0aghaleb@uvic.ca","institution_ids":["https://openalex.org/I212119943"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050794132","display_name":"Karim Ganame","orcid":null},"institutions":[{"id":"https://openalex.org/I4210096115","display_name":"Efficient Innovation (France)","ror":"https://ror.org/00rqqd590","country_code":"FR","type":"company","lineage":["https://openalex.org/I4210096115"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Karim Ganame","raw_affiliation_strings":["Efficient Protections Inc., QC, Canada. E-mail:\u00a0","Efficient Protections Inc., QC, Canada. E-mail:\u00a0ganame@streamscan.io"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Efficient Protections Inc., QC, Canada. E-mail:\u00a0","institution_ids":["https://openalex.org/I4210096115"]},{"raw_affiliation_string":"Efficient Protections Inc., QC, Canada. E-mail:\u00a0ganame@streamscan.io","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5103899894","display_name":"Sherif Ahmed","orcid":null},"institutions":[{"id":"https://openalex.org/I74413500","display_name":"University of Windsor","ror":"https://ror.org/01gw3d370","country_code":"CA","type":"education","lineage":["https://openalex.org/I74413500"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Sherif Ahmed","raw_affiliation_strings":["Department of Computer Science, University of Windsor, ON, Canada. E-mail:\u00a0","Department of Computer Science, University of Windsor, ON, Canada. E-mail:\u00a0Sherif.SaadAhmed@uwindsor.ca"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Computer Science, University of Windsor, ON, Canada. E-mail:\u00a0","institution_ids":["https://openalex.org/I74413500"]},{"raw_affiliation_string":"Department of Computer Science, University of Windsor, ON, Canada. E-mail:\u00a0Sherif.SaadAhmed@uwindsor.ca","institution_ids":["https://openalex.org/I74413500"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5041277719"],"corresponding_institution_ids":["https://openalex.org/I212119943"],"apc_list":null,"apc_paid":null,"fwci":1.3357,"has_fulltext":false,"cited_by_count":51,"citation_normalized_percentile":{"value":0.82100646,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":100},"biblio":{"volume":"28","issue":"3","first_page":"337","last_page":"373"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9951000213623047,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/ransomware","display_name":"Ransomware","score":0.9558577537536621},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7967519760131836},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.6454569101333618},{"id":"https://openalex.org/keywords/signature","display_name":"Signature (topology)","score":0.5572314858436584},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.4958702027797699},{"id":"https://openalex.org/keywords/entropy","display_name":"Entropy (arrow of time)","score":0.4774530529975891},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.4730474352836609},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4536943733692169},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.24600300192832947},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.08735495805740356}],"concepts":[{"id":"https://openalex.org/C2777667771","wikidata":"https://www.wikidata.org/wiki/Q926331","display_name":"Ransomware","level":3,"score":0.9558577537536621},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7967519760131836},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.6454569101333618},{"id":"https://openalex.org/C2779696439","wikidata":"https://www.wikidata.org/wiki/Q7512811","display_name":"Signature (topology)","level":2,"score":0.5572314858436584},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4958702027797699},{"id":"https://openalex.org/C106301342","wikidata":"https://www.wikidata.org/wiki/Q4117933","display_name":"Entropy (arrow of time)","level":2,"score":0.4774530529975891},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4730474352836609},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4536943733692169},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.24600300192832947},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.08735495805740356},{"id":"https://openalex.org/C62520636","wikidata":"https://www.wikidata.org/wiki/Q944","display_name":"Quantum mechanics","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C2524010","wikidata":"https://www.wikidata.org/wiki/Q8087","display_name":"Geometry","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.3233/jcs-191346","is_oa":false,"landing_page_url":"https://doi.org/10.3233/jcs-191346","pdf_url":null,"source":{"id":"https://openalex.org/S106992369","display_name":"Journal of Computer Security","issn_l":"0926-227X","issn":["0926-227X","1875-8924"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310318577","host_organization_name":"IOS Press","host_organization_lineage":["https://openalex.org/P4310318577"],"host_organization_lineage_names":["IOS Press"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Computer Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":29,"referenced_works":["https://openalex.org/W1966583887","https://openalex.org/W2076342816","https://openalex.org/W2083183119","https://openalex.org/W2085896139","https://openalex.org/W2119359024","https://openalex.org/W2135143063","https://openalex.org/W2171796885","https://openalex.org/W2177710037","https://openalex.org/W2245015425","https://openalex.org/W2296579688","https://openalex.org/W2367504390","https://openalex.org/W2461373307","https://openalex.org/W2461651791","https://openalex.org/W2513529237","https://openalex.org/W2544488729","https://openalex.org/W2558619741","https://openalex.org/W2559964890","https://openalex.org/W2601591992","https://openalex.org/W2619422284","https://openalex.org/W2738263528","https://openalex.org/W2765383620","https://openalex.org/W2765713146","https://openalex.org/W2766662076","https://openalex.org/W2785743295","https://openalex.org/W2793829161","https://openalex.org/W2794482868","https://openalex.org/W2809780217","https://openalex.org/W2885096636","https://openalex.org/W2890196927"],"related_works":["https://openalex.org/W3201228709","https://openalex.org/W2922354075","https://openalex.org/W4389157351","https://openalex.org/W4253977752","https://openalex.org/W2964829536","https://openalex.org/W3120595989","https://openalex.org/W4232561318","https://openalex.org/W2904586340","https://openalex.org/W2942879794","https://openalex.org/W2413467815"],"abstract_inverted_index":{"The":[0,165],"last":[1],"few":[2],"years":[3],"have":[4],"come":[5],"with":[6,119],"a":[7,64,87,120,132,208],"sudden":[8],"rise":[9],"in":[10,37,92,215,239],"ransomware":[11,28,47,110,211,222,246],"attack":[12],"incidents,":[13],"causing":[14],"significant":[15],"financial":[16],"losses":[17],"to":[18,25,177],"individuals,":[19],"institutions":[20],"and":[21,51,73,140,151,162,173,223,244],"businesses.":[22],"In":[23,101],"reaction":[24],"these":[26],"attacks,":[27],"detection":[29,48,111,171,212],"has":[30],"become":[31],"an":[32,107,200],"important":[33],"topic":[34],"for":[35],"research":[36],"recent":[38],"years.":[39],"Currently,":[40],"there":[41],"are":[42],"two":[43],"broad":[44],"categories":[45],"of":[46,123,220],"techniques:":[49,158],"signature-based":[50,58],"behaviour-based":[52,81],"analyses.":[53],"On":[54,76],"the":[55,77,102,115,145,175,182],"one":[56],"hand,":[57,79],"detection,":[59],"which":[60,83,218],"mainly":[61,85],"relies":[62],"on":[63,86,126,136],"static":[65],"analysis,":[66,89],"can":[67],"easily":[68],"be":[69],"evaded":[70],"by":[71,149],"code-obfuscation":[72],"encryption":[74,97,188],"techniques.":[75],"other":[78],"current":[80,103],"models,":[82],"rely":[84],"dynamic":[88],"face":[90],"difficulties":[91],"accurately":[93],"differentiating":[94],"between":[95],"user-triggered":[96,187],"from":[98,189],"ransomware-triggered":[99,190],"encryption.":[100],"paper,":[104],"we":[105,206],"present":[106],"upgraded":[108],"behavioural":[109],"model":[112,134,148],"that":[113,231],"reinforces":[114],"existing":[116],"feature":[117,147],"space":[118],"new":[121,146,209],"set":[122],"features":[124],"based":[125,135],"grouped":[127],"registry":[128],"key":[129],"operations,":[130],"introducing":[131],"monitoring":[133],"combined":[137],"file":[138,141],"entropy":[139],"signature.":[142],"We":[143],"analyze":[144],"exploring":[150],"comparing":[152],"three":[153],"different":[154],"linear":[155],"machine":[156],"learning":[157],"SVM,":[159],"logistic":[160],"regression":[161],"random":[163],"forest.":[164],"proposed":[166,183,233],"approach":[167,184,234],"helps":[168,185],"achieve":[169],"improved":[170],"accuracy":[172,238],"provides":[174],"ability":[176],"detect":[178],"novel":[179,245],"ransomware.":[180],"Furthermore,":[181],"differentiate":[186],"encryption,":[191],"allowing":[192],"saving":[193],"as":[194,197],"many":[195],"files":[196],"possible":[198],"during":[199],"attack.":[201],"To":[202],"conduct":[203],"our":[204,216,232],"study,":[205],"use":[207],"public":[210],"dataset":[213],"collected":[214],"lab,":[217],"consists":[219],"666":[221],"103":[224],"benign":[225],"binaries.":[226],"Our":[227],"experimental":[228],"results":[229],"show":[230],"achieves":[235],"relatively":[236],"high":[237],"detecting":[240],"both":[241],"previously":[242],"seen":[243],"samples.":[247]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":15},{"year":2024,"cited_by_count":12},{"year":2023,"cited_by_count":15},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":6},{"year":2020,"cited_by_count":1}],"updated_date":"2026-05-04T08:30:34.212998","created_date":"2025-10-10T00:00:00"}