
Enhanced Ransomware Detection Via Multi-fragment Differential Area Analysis: Attacks, Countermeasures, And Resilience Evaluation

  • Author(s):

    Dr. Ravindra Krishna Chandar V | Kaliyamoorthi B | Shakthi aravinth M | Sekar C | Mohamed Ismail Anas M

  • Keywords:

    Ransomware Detection; Differential Area Analysis; Shannon Entropy; File Header Fragmentation; Support Vector Machine; XGBoost; Adversarial Evasion.

  • Abstract:

    Crypto-ransomware remains one of the most destructive categories of malware, exploiting strong symmetric encryption to render victim data inaccessible until a ransom is paid. Differential Area Analysis (DAA), introduced by Davies et al., analyzes Shannon entropy variations within file headers to discriminate ransomware-encrypted files from compressed and legitimately encrypted content. Despite its efficacy, DAA is susceptible to adversarial header manipulation. This paper presents three novel header-injection attack strategies, designated Attack-I, Attack-II, and Attack-III, that exploit the header-dependency of DAA to systematically suppress detectable entropy signatures. To counteract these evasion vectors, we propose three enhanced countermeasure techniques, namely 2-Fragments (2F), 3-Fragments (3F), and 4-Fragments (4F), which partition file headers into multiple non-overlapping segments and compute differential entropy across each fragment to improve detection sensitivity. Machine learning classifiers, including Logistic Regression (LR), Support Vector Machine (SVM), and XGBoost, are trained on entropy-derived feature vectors extracted via the proposed fragmentation schemes. Extensive experiments on a dataset comprising over 130,000 files, including real-world ransomware samples from WannaCry, Ryuk, Phobos, Sodinokibi, and NetWalker, demonstrate that multi-fragment analysis substantially improves detection robustness, achieving F1-scores exceeding 96% while maintaining high throughput in files-per-second benchmarks. The system is validated for resilience against low-entropy data injection and operates effectively under adversarial conditions where vanilla DAA fails.
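The following sketch is an added example, not code from the paper or its authors; it illustrates why per-fragment differential area resists a low-entropy header prefix where a single whole-header measurement does not. The 256-byte header, the 8-byte step, the `log2(n)` reference curve, the 0.2 threshold (a stand-in for the trained classifiers) and all function names are assumptions.

```python
import math
import random
from collections import Counter

STEP = 8          # assumed prefix growth step, in bytes
THRESHOLD = 0.2   # assumed cut-off on the normalised area (illustrative only)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def area_ratio(fragment: bytes) -> float:
    """Area between the reference curve log2(n) and the measured entropy of
    growing prefixes, normalised to [0, 1]. Values near 0 look random."""
    if len(fragment) < STEP:
        raise ValueError("fragment shorter than one step")
    gap = ideal = 0.0
    for n in range(STEP, len(fragment) + 1, STEP):
        ref = math.log2(min(n, 256))  # most entropy that n bytes can carry
        gap += ref - shannon_entropy(fragment[:n])
        ideal += ref
    return gap / ideal

def fragment_ratios(header: bytes, k: int) -> list[float]:
    """Split the header into k non-overlapping fragments, one ratio each."""
    size = len(header) // k
    return [area_ratio(header[i * size:(i + 1) * size]) for i in range(k)]

def looks_encrypted(header: bytes, k: int) -> bool:
    """Flag the file if any single fragment is random-looking."""
    return any(r < THRESHOLD for r in fragment_ratios(header, k))

# Constructed sample headers (seeded, so results are reproducible).
_rng = random.Random(2026)
RANDOM_HEADER = bytes(_rng.getrandbits(8) for _ in range(256))
# Same kind of content, but the first half replaced by low-entropy filler.
PADDED_HEADER = bytes(128) + bytes(_rng.getrandbits(8) for _ in range(128))

if __name__ == "__main__":
    for name, hdr in (("random", RANDOM_HEADER), ("padded", PADDED_HEADER)):
        for k in (1, 2):
            ratios = [round(r, 3) for r in fragment_ratios(hdr, k)]
            print(name, f"k={k}", ratios, looks_encrypted(hdr, k))
```

With one fragment the filler dominates the area and the padded header passes as benign; with two fragments the second half is measured on its own and is flagged.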

Other Details

  • Paper id:

    IJSARTV12I5105432

  • Published in:

    Volume: 12 Issue: 5 May 2026

  • Publication Date:

    2026-05-22

