БАГАТОСИГНАЛЬНІ МЕХАНІЗМИ РАННЬОГО ВИЯВЛЕННЯ ШИФРУВАННЯ ФАЙЛІВ НА ОСНОВІ ФАЙЛІВ-ПРИМАНОК.

Saved in:
Bibliographic Details
Title: БАГАТОСИГНАЛЬНІ МЕХАНІЗМИ РАННЬОГО ВИЯВЛЕННЯ ШИФРУВАННЯ ФАЙЛІВ НА ОСНОВІ ФАЙЛІВ-ПРИМАНОК.
Alternate Title: MULTI-SIGNAL MECHANISMS FOR EARLY DETECTION OF FILE ENCRYPTION USING CANARY FILES.
Authors: Яцків, В. В.1 jazkiv@ukr.net, Яцків, Н. Г.1, Смірнов, Д. С.1
Source: Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì. 2026, Vol. 16 Issue 3, p579-593. 15p.
Subjects: Data encryption, Intrusion detection systems (Computer security), Inventions, Ransomware, Multisensor data fusion
Abstract: The article investigates an approach to the early detection of unauthorized file encryption based on decoy files (Canary Files) and multi-signal correlation of file activity indicators. The relevance of this work is driven by the fact that ransomware-like attacks perform mass modification of user data within a short period of time; therefore, the effectiveness of protection depends on a system’s ability to detect malicious activity before large-scale file damage occurs. The proposed architecture places control files in the file system as hidden signaling objects, while the decision about an incident is made not on the basis of a single event, but through a combination of event-based, integrity-based, and content-based features. Within the proposed approach, write, rename, move operations, and mass file access events are taken into account, along with changes in hash values, file size, time attributes, and extensions, as well as the loss of control markers and an increase in content entropy. The principles of designing decoy files, their distributed placement within a directory hierarchy, and a multi-level triggering logic aimed at reducing false positives are substantiated. To formalize the detection process, local and global suspicion scores are used to aggregate signals within a defined time window.To validate the proposed approach, an experimental testbed was implemented with controlled scenarios of malicious and legitimate file activity. A series of 250 runs was conducted, including 100 encryption scenarios and 150 legitimate operation scenarios. The experimental results showed Precision = 1.0, Recall = 0.7, Specificity = 1.0, Accuracy = 0.88, and F1 = 0.8235. The average detection time was 1.05 s, and the average number of modified files before triggering was 40.9. The obtained results confirm the feasibility of using multi-signal mechanisms based on decoy files for building early warning systems against file encryption attacks. [ABSTRACT FROM AUTHOR]
Copyright of Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì is the property of Odessa Polytechnic University and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
FullText Links:
  – Type: pdflink
Text:
  Availability: 0
Header DbId: egs
DbLabel: Engineering Source
An: 194922496
AccessLevel: 6
PubType: Academic Journal
PubTypeId: academicJournal
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: БАГАТОСИГНАЛЬНІ МЕХАНІЗМИ РАННЬОГО ВИЯВЛЕННЯ ШИФРУВАННЯ ФАЙЛІВ НА ОСНОВІ ФАЙЛІВ-ПРИМАНОК.
– Name: TitleAlt
  Label: Alternate Title
  Group: TiAlt
  Data: MULTI-SIGNAL MECHANISMS FOR EARLY DETECTION OF FILE ENCRYPTION USING CANARY FILES.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Яцків%2C+В%2E+В%2E%22">Яцків, В. В.</searchLink><relatesTo>1</relatesTo><i> jazkiv@ukr.net</i><br /><searchLink fieldCode="AR" term="%22Яцків%2C+Н%2E+Г%2E%22">Яцків, Н. Г.</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Смірнов%2C+Д%2E+С%2E%22">Смірнов, Д. С.</searchLink><relatesTo>1</relatesTo>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22Informatics+%26+Mathematical+Methods+in+Simulation+%2F+Informatika+ta+Matematičnì+Metodi+v+Modelûvannì%22">Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì</searchLink>. 2026, Vol. 16 Issue 3, p579-593. 15p.
– Name: Subject
  Label: Subjects
  Group: Su
  Data: <searchLink fieldCode="DE" term="%22Data+encryption%22">Data encryption</searchLink><br /><searchLink fieldCode="DE" term="%22Intrusion+detection+systems+%28Computer+security%29%22">Intrusion detection systems (Computer security)</searchLink><br /><searchLink fieldCode="DE" term="%22Inventions%22">Inventions</searchLink><br /><searchLink fieldCode="DE" term="%22Ransomware%22">Ransomware</searchLink><br /><searchLink fieldCode="DE" term="%22Multisensor+data+fusion%22">Multisensor data fusion</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: The article investigates an approach to the early detection of unauthorized file encryption based on decoy files (Canary Files) and multi-signal correlation of file activity indicators. The relevance of this work is driven by the fact that ransomware-like attacks perform mass modification of user data within a short period of time; therefore, the effectiveness of protection depends on a system’s ability to detect malicious activity before large-scale file damage occurs. The proposed architecture places control files in the file system as hidden signaling objects, while the decision about an incident is made not on the basis of a single event, but through a combination of event-based, integrity-based, and content-based features. Within the proposed approach, write, rename, move operations, and mass file access events are taken into account, along with changes in hash values, file size, time attributes, and extensions, as well as the loss of control markers and an increase in content entropy. The principles of designing decoy files, their distributed placement within a directory hierarchy, and a multi-level triggering logic aimed at reducing false positives are substantiated. To formalize the detection process, local and global suspicion scores are used to aggregate signals within a defined time window.To validate the proposed approach, an experimental testbed was implemented with controlled scenarios of malicious and legitimate file activity. A series of 250 runs was conducted, including 100 encryption scenarios and 150 legitimate operation scenarios. The experimental results showed Precision = 1.0, Recall = 0.7, Specificity = 1.0, Accuracy = 0.88, and F1 = 0.8235. The average detection time was 1.05 s, and the average number of modified files before triggering was 40.9. The obtained results confirm the feasibility of using multi-signal mechanisms based on decoy files for building early warning systems against file encryption attacks. [ABSTRACT FROM AUTHOR]
– Name: AbstractSuppliedCopyright
  Label:
  Group: Ab
  Data: <i>Copyright of Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì is the property of Odessa Polytechnic University and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.)
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=194922496
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.15276/imms.v16.no3.579
    Languages:
      – Code: ukr
        Text: Ukrainian
    PhysicalDescription:
      Pagination:
        PageCount: 15
        StartPage: 579
    Subjects:
      – SubjectFull: Data encryption
        Type: general
      – SubjectFull: Intrusion detection systems (Computer security)
        Type: general
      – SubjectFull: Inventions
        Type: general
      – SubjectFull: Ransomware
        Type: general
      – SubjectFull: Multisensor data fusion
        Type: general
    Titles:
      – TitleFull: БАГАТОСИГНАЛЬНІ МЕХАНІЗМИ РАННЬОГО ВИЯВЛЕННЯ ШИФРУВАННЯ ФАЙЛІВ НА ОСНОВІ ФАЙЛІВ-ПРИМАНОК.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Яцків, В. В.
      – PersonEntity:
          Name:
            NameFull: Яцків, Н. Г.
      – PersonEntity:
          Name:
            NameFull: Смірнов, Д. С.
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 07
              Text: 2026
              Type: published
              Y: 2026
          Identifiers:
            – Type: issn-print
              Value: 22235744
          Numbering:
            – Type: volume
              Value: 16
            – Type: issue
              Value: 3
          Titles:
            – TitleFull: Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì
              Type: main
ResultId 1