БАГАТОСИГНАЛЬНІ МЕХАНІЗМИ РАННЬОГО ВИЯВЛЕННЯ ШИФРУВАННЯ ФАЙЛІВ НА ОСНОВІ ФАЙЛІВ-ПРИМАНОК.
Saved in:
| Title: | БАГАТОСИГНАЛЬНІ МЕХАНІЗМИ РАННЬОГО ВИЯВЛЕННЯ ШИФРУВАННЯ ФАЙЛІВ НА ОСНОВІ ФАЙЛІВ-ПРИМАНОК. |
|---|---|
| Alternate Title: | MULTI-SIGNAL MECHANISMS FOR EARLY DETECTION OF FILE ENCRYPTION USING CANARY FILES. |
| Authors: | Яцків, В. В.1 jazkiv@ukr.net, Яцків, Н. Г.1, Смірнов, Д. С.1 |
| Source: | Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì. 2026, Vol. 16 Issue 3, p579-593. 15p. |
| Subjects: | Data encryption, Intrusion detection systems (Computer security), Inventions, Ransomware, Multisensor data fusion |
| Abstract: | The article investigates an approach to the early detection of unauthorized file encryption based on decoy files (Canary Files) and multi-signal correlation of file activity indicators. The relevance of this work is driven by the fact that ransomware-like attacks perform mass modification of user data within a short period of time; therefore, the effectiveness of protection depends on a system’s ability to detect malicious activity before large-scale file damage occurs. The proposed architecture places control files in the file system as hidden signaling objects, while the decision about an incident is made not on the basis of a single event, but through a combination of event-based, integrity-based, and content-based features. Within the proposed approach, write, rename, move operations, and mass file access events are taken into account, along with changes in hash values, file size, time attributes, and extensions, as well as the loss of control markers and an increase in content entropy. The principles of designing decoy files, their distributed placement within a directory hierarchy, and a multi-level triggering logic aimed at reducing false positives are substantiated. To formalize the detection process, local and global suspicion scores are used to aggregate signals within a defined time window.To validate the proposed approach, an experimental testbed was implemented with controlled scenarios of malicious and legitimate file activity. A series of 250 runs was conducted, including 100 encryption scenarios and 150 legitimate operation scenarios. The experimental results showed Precision = 1.0, Recall = 0.7, Specificity = 1.0, Accuracy = 0.88, and F1 = 0.8235. The average detection time was 1.05 s, and the average number of modified files before triggering was 40.9. The obtained results confirm the feasibility of using multi-signal mechanisms based on decoy files for building early warning systems against file encryption attacks. [ABSTRACT FROM AUTHOR] |
| Copyright of Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì is the property of Odessa Polytechnic University and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) | |
| Database: | Engineering Source |
| FullText | Links: – Type: pdflink Text: Availability: 0 |
|---|---|
| Header | DbId: egs DbLabel: Engineering Source An: 194922496 AccessLevel: 6 PubType: Academic Journal PubTypeId: academicJournal PreciseRelevancyScore: 0 |
| IllustrationInfo | |
| Items | – Name: Title Label: Title Group: Ti Data: БАГАТОСИГНАЛЬНІ МЕХАНІЗМИ РАННЬОГО ВИЯВЛЕННЯ ШИФРУВАННЯ ФАЙЛІВ НА ОСНОВІ ФАЙЛІВ-ПРИМАНОК. – Name: TitleAlt Label: Alternate Title Group: TiAlt Data: MULTI-SIGNAL MECHANISMS FOR EARLY DETECTION OF FILE ENCRYPTION USING CANARY FILES. – Name: Author Label: Authors Group: Au Data: <searchLink fieldCode="AR" term="%22Яцків%2C+В%2E+В%2E%22">Яцків, В. В.</searchLink><relatesTo>1</relatesTo><i> jazkiv@ukr.net</i><br /><searchLink fieldCode="AR" term="%22Яцків%2C+Н%2E+Г%2E%22">Яцків, Н. Г.</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Смірнов%2C+Д%2E+С%2E%22">Смірнов, Д. С.</searchLink><relatesTo>1</relatesTo> – Name: TitleSource Label: Source Group: Src Data: <searchLink fieldCode="JN" term="%22Informatics+%26+Mathematical+Methods+in+Simulation+%2F+Informatika+ta+Matematičnì+Metodi+v+Modelûvannì%22">Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì</searchLink>. 2026, Vol. 16 Issue 3, p579-593. 15p. – Name: Subject Label: Subjects Group: Su Data: <searchLink fieldCode="DE" term="%22Data+encryption%22">Data encryption</searchLink><br /><searchLink fieldCode="DE" term="%22Intrusion+detection+systems+%28Computer+security%29%22">Intrusion detection systems (Computer security)</searchLink><br /><searchLink fieldCode="DE" term="%22Inventions%22">Inventions</searchLink><br /><searchLink fieldCode="DE" term="%22Ransomware%22">Ransomware</searchLink><br /><searchLink fieldCode="DE" term="%22Multisensor+data+fusion%22">Multisensor data fusion</searchLink> – Name: Abstract Label: Abstract Group: Ab Data: The article investigates an approach to the early detection of unauthorized file encryption based on decoy files (Canary Files) and multi-signal correlation of file activity indicators. The relevance of this work is driven by the fact that ransomware-like attacks perform mass modification of user data within a short period of time; therefore, the effectiveness of protection depends on a system’s ability to detect malicious activity before large-scale file damage occurs. The proposed architecture places control files in the file system as hidden signaling objects, while the decision about an incident is made not on the basis of a single event, but through a combination of event-based, integrity-based, and content-based features. Within the proposed approach, write, rename, move operations, and mass file access events are taken into account, along with changes in hash values, file size, time attributes, and extensions, as well as the loss of control markers and an increase in content entropy. The principles of designing decoy files, their distributed placement within a directory hierarchy, and a multi-level triggering logic aimed at reducing false positives are substantiated. To formalize the detection process, local and global suspicion scores are used to aggregate signals within a defined time window.To validate the proposed approach, an experimental testbed was implemented with controlled scenarios of malicious and legitimate file activity. A series of 250 runs was conducted, including 100 encryption scenarios and 150 legitimate operation scenarios. The experimental results showed Precision = 1.0, Recall = 0.7, Specificity = 1.0, Accuracy = 0.88, and F1 = 0.8235. The average detection time was 1.05 s, and the average number of modified files before triggering was 40.9. The obtained results confirm the feasibility of using multi-signal mechanisms based on decoy files for building early warning systems against file encryption attacks. [ABSTRACT FROM AUTHOR] – Name: AbstractSuppliedCopyright Label: Group: Ab Data: <i>Copyright of Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì is the property of Odessa Polytechnic University and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.) |
| PLink | https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=194922496 |
| RecordInfo | BibRecord: BibEntity: Identifiers: – Type: doi Value: 10.15276/imms.v16.no3.579 Languages: – Code: ukr Text: Ukrainian PhysicalDescription: Pagination: PageCount: 15 StartPage: 579 Subjects: – SubjectFull: Data encryption Type: general – SubjectFull: Intrusion detection systems (Computer security) Type: general – SubjectFull: Inventions Type: general – SubjectFull: Ransomware Type: general – SubjectFull: Multisensor data fusion Type: general Titles: – TitleFull: БАГАТОСИГНАЛЬНІ МЕХАНІЗМИ РАННЬОГО ВИЯВЛЕННЯ ШИФРУВАННЯ ФАЙЛІВ НА ОСНОВІ ФАЙЛІВ-ПРИМАНОК. Type: main BibRelationships: HasContributorRelationships: – PersonEntity: Name: NameFull: Яцків, В. В. – PersonEntity: Name: NameFull: Яцків, Н. Г. – PersonEntity: Name: NameFull: Смірнов, Д. С. IsPartOfRelationships: – BibEntity: Dates: – D: 01 M: 07 Text: 2026 Type: published Y: 2026 Identifiers: – Type: issn-print Value: 22235744 Numbering: – Type: volume Value: 16 – Type: issue Value: 3 Titles: – TitleFull: Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì Type: main |
| ResultId | 1 |