The reviewed record of science sign in
Pith

arxiv: 2604.24131 · v1 · submitted 2026-04-27 · cs.CR

Detecting Avalanche Effect in Adversarial Settings: Spotting the Encryption Loops in Ransomware

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-05-08 03:10 UTCgrok-4.3open to challenge →

classification cs.CR
keywords avalanche effectransomwareencryption loop detectionreverse engineeringShapiro-Wilk testbinary analysisadversarial detection
0
0 comments X

The pith

A record-and-replay method with normality testing verifies the true avalanche effect to locate encryption loops inside ransomware binaries.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that encryption loops in ransomware can be spotted by confirming the avalanche effect directly rather than checking a weaker side condition. It introduces a record-and-replay mechanism that reapplies the Shapiro-Wilk normality test to execution traces, allowing the approach to tolerate imprecise input-output identification and code obfuscation. This yields zero false negatives and a 1.1 percent false positive rate on test data. The tool succeeds on every sample drawn from ten representative ransomware families. A reader would care because the method supplies a concrete, evasion-resistant way to isolate the encryption routine during binary reverse engineering.

Core claim

The authors claim that any secure encryption algorithm necessarily produces the avalanche effect, and that this effect can be verified in adversarial binary settings by replaying executions and applying the Shapiro-Wilk test to check whether small input perturbations produce output differences that pass a normality test. The resulting detection therefore identifies encryption loops even when the ransomware author has applied obfuscation or when input and output locations are identified only approximately.

What carries the argument

Record-and-replay detection mechanism that reapplies the Shapiro-Wilk normality test to input-output pairs to confirm the avalanche effect itself.

If this is right

  • Encryption loops become identifiable in obfuscated ransomware binaries.
  • All tested samples from ten ransomware families can be analyzed successfully.
  • Approaches that check only the ripple effect remain open to direct counterattacks.
  • False negative rate stays at zero while false positives remain near one percent.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same statistical replay check could be tried on other malware that hides cryptographic operations.
  • Pairing the method with existing dynamic binary instrumentation tools may reduce the remaining false positives.
  • Running the test on a larger corpus of benign programs that contain random-number routines would further calibrate the false-positive rate.

Load-bearing premise

Secure encryption algorithms always exhibit the avalanche effect and the Shapiro-Wilk test on replayed runs can still distinguish it despite errors in input-output identification and adversarial obfuscation.

What would settle it

A ransomware binary that uses a standard secure cipher yet produces no loop flagged by the method, or a non-encryption binary that the test consistently marks as positive.

Figures

Figures reproduced from arXiv: 2604.24131 by Haizhou Wang, Nanqing Luo, Peng Liu, Shuangyi Zhu, Xusheng Li, Yuan Ma.

Figure 1
Figure 1. Figure 1: Encrypted file structure analysis through loop body of encryption process in TeslaCrypt. Being a critical aspect of malware analysis, reverse engineering plays an indispensable role in defending against ransomware attacks. Besides such standard malware reverse engineering tasks as disassembly (4), type inference (5), function recognition (6), memory dependence analysis, and data/control dependence analysis… view at source ↗
Figure 2
Figure 2. Figure 2: Approach Overview. multiple times with bit-flipped inputs. However, this intuitive solution become less practical when analyzing ransomware due to several obstacles: Obstacle 1: The scalability is poor due to the uncertain execution time; Obstacle 2: The inputs of ransomware are not controllable, and the inputs to the encryption routines are also not controllable, making the bit flipping impractical. Appro… view at source ↗
read the original abstract

Spotting encryption loops in binary-only ransomware is a critical reverse engineering task. Since the existence of avalanche effect, an intrinsic characteristic of any secure encryption algorithms, is unavoidable during a victim data encryption attack, it is a very promising direction to spot encryption loops through avalanche effect detection. Unfortunately, no existing work in this direction ensures that the being-checked effect is the avalanche effect itself. Although CipherXRay is inspired by avalanche effect, it only checks whether a "ripple effect" (i.e., a necessary but non-sufficient condition) of avalanche effect exists, allowing a straightforward counterattack to succeed. In this work, we present a new approach that checks the avalanche effect itself. Because the detection is conducted in adversarial settings (e.g., the ransomware author may obfuscate the code), a viable approach must tolerate inaccurate input \& output identification and must be resilient to adversarial evasion. These challenges are addressed by a novel record-and-replay detection mechanism that takes advantage of the statistical guarantees provided by the Shapiro-Wilk normality test. The experimental results show that our approach achieves 0.0\% false negative rate and 1.1\% false positive rate. When our tool is employed to reverse engineer real-world ransomware samples, it succeeds in analyzing all the ransomware samples selected from ten representative families.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript proposes a record-and-replay mechanism that applies the Shapiro-Wilk normality test to detect the avalanche effect directly in ransomware encryption loops. It claims this approach operates in adversarial settings by tolerating inaccurate input/output identification and resisting evasion, achieving 0.0% false negative rate and 1.1% false positive rate while successfully analyzing samples from ten representative ransomware families.

Significance. If the tolerance to I/O identification errors holds, the work would advance binary-only ransomware reverse engineering by targeting the avalanche effect itself rather than the weaker ripple condition checked by prior tools such as CipherXRay. The explicit use of the Shapiro-Wilk test's statistical guarantees and the empirical success across multiple real-world families constitute a concrete strength that could support practical malware analysis tools.

major comments (2)
  1. [Abstract] Abstract: The central claim that the method 'must tolerate inaccurate input & output identification' and remains 'resilient to adversarial evasion' rests on the Shapiro-Wilk test still detecting avalanche despite replay artifacts. No quantitative error bounds, sensitivity analysis, or demonstration that the normality test triggers correctly once identification noise reaches levels inducible by ransomware authors are supplied, leaving the 0.0% FN rate assertion unverified.
  2. [Experimental results] Experimental results: The reported 0.0% false negative and 1.1% false positive rates on real ransomware samples would require explicit values for the Shapiro-Wilk p-value threshold and a description of how replay inaccuracies or other high-entropy operations were isolated from true bit-diffusion signatures; without these, the data-to-claim link cannot be fully assessed.
minor comments (1)
  1. [Abstract] The abstract would be clearer if it briefly listed the ten ransomware families used in the evaluation.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on our manuscript. These points highlight opportunities to strengthen the presentation of our claims regarding tolerance to I/O identification inaccuracies and the experimental methodology. We address each major comment below and commit to revisions that will improve clarity and verifiability without altering the core contributions.

read point-by-point responses
  1. Referee: [Abstract] Abstract: The central claim that the method 'must tolerate inaccurate input & output identification' and remains 'resilient to adversarial evasion' rests on the Shapiro-Wilk test still detecting avalanche despite replay artifacts. No quantitative error bounds, sensitivity analysis, or demonstration that the normality test triggers correctly once identification noise reaches levels inducible by ransomware authors are supplied, leaving the 0.0% FN rate assertion unverified.

    Authors: We agree that the manuscript would benefit from explicit quantitative support for the tolerance claim. In the revised version, we will add a dedicated sensitivity analysis subsection. This will include controlled injection of identification noise at levels consistent with common obfuscation techniques observed in the evaluated ransomware families, along with derived error bounds based on the Shapiro-Wilk test's known statistical properties under non-normality perturbations. The analysis will demonstrate that the test continues to flag true avalanche signatures above the decision threshold even as replay artifacts increase, thereby verifying the 0.0% FN rate under adversarial conditions. revision: yes

  2. Referee: [Experimental results] Experimental results: The reported 0.0% false negative and 1.1% false positive rates on real ransomware samples would require explicit values for the Shapiro-Wilk p-value threshold and a description of how replay inaccuracies or other high-entropy operations were isolated from true bit-diffusion signatures; without these, the data-to-claim link cannot be fully assessed.

    Authors: We acknowledge that greater detail is required for full assessment and reproducibility. In the revision, we will explicitly report the p-value threshold applied to the Shapiro-Wilk test and expand the experimental results section with a precise description of the record-and-replay procedure. This will explain how multiple replays are aggregated to mitigate identification inaccuracies, and how non-encryption high-entropy operations are isolated by requiring consistent bit-diffusion patterns across replays that align with the normality test outcome, thereby clarifying the connection to the reported false negative and false positive rates. revision: yes

Circularity Check

0 steps flagged

No circularity; derivation relies on external statistical test and independent samples

full rationale

The paper's core mechanism applies the Shapiro-Wilk normality test to differences observed in record-and-replay executions to identify the avalanche effect. This uses the test's established statistical properties (external to the paper) and evaluates on separate real-world ransomware families rather than fitting parameters to its own outputs or reducing via self-citation. No self-definitional loops, renamed predictions, or load-bearing self-citations appear in the derivation chain.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that secure encryption exhibits avalanche effect and on the statistical properties of the Shapiro-Wilk test; no new entities are postulated and only minor test thresholds appear to be chosen.

free parameters (1)
  • Shapiro-Wilk p-value threshold
    Decision threshold for declaring normality (avalanche) present; value not stated in abstract but required to operationalize the test.
axioms (1)
  • domain assumption Any secure encryption algorithm necessarily exhibits the avalanche effect
    Invoked in the abstract as an intrinsic and unavoidable characteristic during victim data encryption.

pith-pipeline@v0.9.0 · 5541 in / 1281 out tokens · 56671 ms · 2026-05-08T03:10:46.085116+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

31 extracted references · 31 canonical work pages

  1. [1]

    Wang, and W

    Li, X., X. Wang, and W. Chang. CipherXRay: Exposing cryptographic operations and transient secrets from monitored binary execution.IEEE transactions on dependable and secure computing, V ol. 11, No. 2, 2012, pp. 101–114

  2. [2]

    Wannacry ransomware campaign exploiting smb vulnerability.Retrieved from Cert Europa Website: https://cert

    Cert, E. Wannacry ransomware campaign exploiting smb vulnerability.Retrieved from Cert Europa Website: https://cert. europa. eu/static/SecurityAdvisories/2017/CERT- EU-SA201, 2017, pp. 7–012

  3. [3]

    Berent, Z

    Beerman, J., D. Berent, Z. Falter, and S. Bhunia. A review of colonial pipeline ransomware attack. In2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW). IEEE, 2023, pp. 8–15

  4. [4]

    Poudyal, S., K. P. Subedi, and D. Dasgupta. A framework for analyzing ransomware using machine learning. In2018 IEEE symposium series on computational intelligence (SSCI). IEEE, 2018, pp. 1692–1699

  5. [5]

    Caballero, J. and Z. Lin. Type inference on executables.ACM Computing Surveys (CSUR), V ol. 48, No. 4, 2016, pp. 1–35

  6. [6]

    Jia, J. and P. K. Chan. Representation learning with function call graph transformations for malware open set recognition. In2022 International Joint Conference on Neural Networks (IJCNN). IEEE, 2022, pp. 1–8

  7. [7]

    Banerjee, U.Dependence analysis, V ol. 3. Springer Science & Business Media, 1997

  8. [8]

    Looking into TeslaCrypt v3

    Skuratovich, S. Looking into TeslaCrypt v3. 0.1.Checkpoint, Tech. Rep. Prepared usingTRR.cls 14 Transportation Research Record XX(X)

  9. [9]

    Calvet, J., J. M. Fernandez, and J.-Y . Marion. Aligot: Cryptographic function identification in obfuscated binary programs. InProceedings of the 2012 ACM conference on Computer and communications security. 2012, pp. 169–182

  10. [10]

    Ming, and D

    Xu, D., J. Ming, and D. Wu. Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. In2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 921–937

  11. [11]

    Moonsamy, and J

    Meijer, C., V . Moonsamy, and J. Wetzels. Where’s Crypto?: Automated Identification and Classification of Proprietary Cryptographic Primitives in Binary Code. In30th USENIX Security Symposium (USENIX Security 21). 2021, pp. 555–572

  12. [12]

    Guihéry, and P.-A

    Lestringant, P., F. Guihéry, and P.-A. Fouque. Automated identification of cryptographic primitives in binary code with data flow graph isomorphism. InProceedings of the 10th ACM Symposium on Information, Computer and Communications Security. 2015, pp. 203–214

  13. [13]

    Shapiro, S. S. and M. B. Wilk. An Analysis of Variance Test for Normality (Complete Samples).Biometrika, V ol. 52, 1965, pp. 591–611

  14. [14]

    Webster, A. F. and S. E. Tavares. On the design of S-boxes. InConference on the theory and application of cryptographic techniques. Springer, 1985, pp. 523–534

  15. [15]

    John, and B

    Hull, G., H. John, and B. Arief. Ransomware deployment methods and analysis: views from a predictive model and human responses.Crime Science, V ol. 8, 2019, pp. 1–22

  16. [16]

    Halevi, and C

    Coppersmith, D., S. Halevi, and C. Jutla. Cryptanalysis of stream ciphers with linear masking. InAdvances in Cryptology—CRYPTO 2002: 22nd Annual International Cryptology Conference Santa Barbara, California, USA, August 18–22, 2002 Proceedings 22. Springer, 2002, pp. 515– 532

  17. [17]

    Ramanujam, S. and M. Karuppiah. Designing an algorithm with high Avalanche Effect.IJCSNS International Journal of Computer Science and Network Security, V ol. 11, No. 1, 2011, pp. 106–111

  18. [18]

    Kumar, A. and N. Tiwari. Effective implementation and avalanche effect of AES.International Journal of Security, Privacy and Trust Management (IJSPTM), V ol. 1, No. 3/4, 2012, pp. 31–35

  19. [19]

    Vadaviya, D. O. and P. Tandel. Study of avalanche effect in AES. InNational Conference on Recent Advances in Engineering for Sustainability. 2015, pp. 1–4

  20. [20]

    Verma, R. and A. K. Sharma. Cryptography: Avalanche effect of AES and RSA.International Journal of Scientific and Research Publications, V ol. 10, No. 4, 2020, pp. 119–122

  21. [21]

    pyrebox.https://github.com/ Cisco-Talos/pyrebox

    Cisco Talos Lab. pyrebox.https://github.com/ Cisco-Talos/pyrebox

  22. [22]

    Quynh, N. A. Unicorn – The ultimate CPU emulator.https: //www.unicorn-engine.org/, 2015

  23. [23]

    Saudel, F. and J. Salwan. Triton: A Dynamic Symbolic Execution Framework. InSymposium sur la sécurité des technologies de l’information et des communications. SSTIC, Rennes, France, 2015, pp. 31–54

  24. [24]

    Heys, H. M. A tutorial on linear and differential cryptanalysis. Cryptologia, V ol. 26, No. 3, 2002, pp. 189–221

  25. [25]

    Linear cryptanalysis method for DES cipher

    Matsui, M. Linear cryptanalysis method for DES cipher. In Workshop on the Theory and Application of of Cryptographic Techniques. Springer, 1993, pp. 386–397

  26. [26]

    Applied Cryptography: Protocols, Algorthms, and Source Code in C.-2nd, 1996

    Bruce, S. Applied Cryptography: Protocols, Algorthms, and Source Code in C.-2nd, 1996

  27. [27]

    Joan, D. and R. Vincent. The design of Rijndael: AES- the advanced encryption standard.Information Security and Cryptography

  28. [28]

    Dahab, N

    Braga, A., R. Dahab, N. Antunes, N. Laranjeiro, and M. Vieira. Understanding how to use static analysis tools for detecting cryptography misuse in software.IEEE Transactions on Reliability, V ol. 68, No. 4, 2019, pp. 1384–1403

  29. [29]

    Torres, G

    De Carli, L., R. Torres, G. Modelo-Howard, A. Tongaonkar, and S. Jha. Kali: Scalable encryption fingerprinting in dynamic malware traces. In2017 12th International Conference on Malicious and Unwanted Software (MALWARE). IEEE, 2017, pp. 3–10

  30. [30]

    Akbanov, M., V . G. Vassilakis, I. D. Moscholios, and M. D. Logothetis. Static and dynamic analysis of WannaCry ransmware. InProc. IEICE Inform. and Commun. Technol. Forum ICTF, V ol. 2018. 2018

  31. [31]

    Li, J., Z. Lin, J. Caballero, Y . Zhang, and D. Gu. K-Hunt: Pinpointing insecure cryptographic keys from execution traces. InProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018, pp. 412–425. Prepared usingTRR.cls