Detecting Avalanche Effect in Adversarial Settings: Spotting the Encryption Loops in Ransomware
Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-05-08 03:10 UTCgrok-4.3open to challenge →
The pith
A record-and-replay method with normality testing verifies the true avalanche effect to locate encryption loops inside ransomware binaries.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The authors claim that any secure encryption algorithm necessarily produces the avalanche effect, and that this effect can be verified in adversarial binary settings by replaying executions and applying the Shapiro-Wilk test to check whether small input perturbations produce output differences that pass a normality test. The resulting detection therefore identifies encryption loops even when the ransomware author has applied obfuscation or when input and output locations are identified only approximately.
What carries the argument
Record-and-replay detection mechanism that reapplies the Shapiro-Wilk normality test to input-output pairs to confirm the avalanche effect itself.
If this is right
- Encryption loops become identifiable in obfuscated ransomware binaries.
- All tested samples from ten ransomware families can be analyzed successfully.
- Approaches that check only the ripple effect remain open to direct counterattacks.
- False negative rate stays at zero while false positives remain near one percent.
Where Pith is reading between the lines
- The same statistical replay check could be tried on other malware that hides cryptographic operations.
- Pairing the method with existing dynamic binary instrumentation tools may reduce the remaining false positives.
- Running the test on a larger corpus of benign programs that contain random-number routines would further calibrate the false-positive rate.
Load-bearing premise
Secure encryption algorithms always exhibit the avalanche effect and the Shapiro-Wilk test on replayed runs can still distinguish it despite errors in input-output identification and adversarial obfuscation.
What would settle it
A ransomware binary that uses a standard secure cipher yet produces no loop flagged by the method, or a non-encryption binary that the test consistently marks as positive.
Figures
read the original abstract
Spotting encryption loops in binary-only ransomware is a critical reverse engineering task. Since the existence of avalanche effect, an intrinsic characteristic of any secure encryption algorithms, is unavoidable during a victim data encryption attack, it is a very promising direction to spot encryption loops through avalanche effect detection. Unfortunately, no existing work in this direction ensures that the being-checked effect is the avalanche effect itself. Although CipherXRay is inspired by avalanche effect, it only checks whether a "ripple effect" (i.e., a necessary but non-sufficient condition) of avalanche effect exists, allowing a straightforward counterattack to succeed. In this work, we present a new approach that checks the avalanche effect itself. Because the detection is conducted in adversarial settings (e.g., the ransomware author may obfuscate the code), a viable approach must tolerate inaccurate input \& output identification and must be resilient to adversarial evasion. These challenges are addressed by a novel record-and-replay detection mechanism that takes advantage of the statistical guarantees provided by the Shapiro-Wilk normality test. The experimental results show that our approach achieves 0.0\% false negative rate and 1.1\% false positive rate. When our tool is employed to reverse engineer real-world ransomware samples, it succeeds in analyzing all the ransomware samples selected from ten representative families.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes a record-and-replay mechanism that applies the Shapiro-Wilk normality test to detect the avalanche effect directly in ransomware encryption loops. It claims this approach operates in adversarial settings by tolerating inaccurate input/output identification and resisting evasion, achieving 0.0% false negative rate and 1.1% false positive rate while successfully analyzing samples from ten representative ransomware families.
Significance. If the tolerance to I/O identification errors holds, the work would advance binary-only ransomware reverse engineering by targeting the avalanche effect itself rather than the weaker ripple condition checked by prior tools such as CipherXRay. The explicit use of the Shapiro-Wilk test's statistical guarantees and the empirical success across multiple real-world families constitute a concrete strength that could support practical malware analysis tools.
major comments (2)
- [Abstract] Abstract: The central claim that the method 'must tolerate inaccurate input & output identification' and remains 'resilient to adversarial evasion' rests on the Shapiro-Wilk test still detecting avalanche despite replay artifacts. No quantitative error bounds, sensitivity analysis, or demonstration that the normality test triggers correctly once identification noise reaches levels inducible by ransomware authors are supplied, leaving the 0.0% FN rate assertion unverified.
- [Experimental results] Experimental results: The reported 0.0% false negative and 1.1% false positive rates on real ransomware samples would require explicit values for the Shapiro-Wilk p-value threshold and a description of how replay inaccuracies or other high-entropy operations were isolated from true bit-diffusion signatures; without these, the data-to-claim link cannot be fully assessed.
minor comments (1)
- [Abstract] The abstract would be clearer if it briefly listed the ten ransomware families used in the evaluation.
Simulated Author's Rebuttal
We thank the referee for the constructive comments on our manuscript. These points highlight opportunities to strengthen the presentation of our claims regarding tolerance to I/O identification inaccuracies and the experimental methodology. We address each major comment below and commit to revisions that will improve clarity and verifiability without altering the core contributions.
read point-by-point responses
-
Referee: [Abstract] Abstract: The central claim that the method 'must tolerate inaccurate input & output identification' and remains 'resilient to adversarial evasion' rests on the Shapiro-Wilk test still detecting avalanche despite replay artifacts. No quantitative error bounds, sensitivity analysis, or demonstration that the normality test triggers correctly once identification noise reaches levels inducible by ransomware authors are supplied, leaving the 0.0% FN rate assertion unverified.
Authors: We agree that the manuscript would benefit from explicit quantitative support for the tolerance claim. In the revised version, we will add a dedicated sensitivity analysis subsection. This will include controlled injection of identification noise at levels consistent with common obfuscation techniques observed in the evaluated ransomware families, along with derived error bounds based on the Shapiro-Wilk test's known statistical properties under non-normality perturbations. The analysis will demonstrate that the test continues to flag true avalanche signatures above the decision threshold even as replay artifacts increase, thereby verifying the 0.0% FN rate under adversarial conditions. revision: yes
-
Referee: [Experimental results] Experimental results: The reported 0.0% false negative and 1.1% false positive rates on real ransomware samples would require explicit values for the Shapiro-Wilk p-value threshold and a description of how replay inaccuracies or other high-entropy operations were isolated from true bit-diffusion signatures; without these, the data-to-claim link cannot be fully assessed.
Authors: We acknowledge that greater detail is required for full assessment and reproducibility. In the revision, we will explicitly report the p-value threshold applied to the Shapiro-Wilk test and expand the experimental results section with a precise description of the record-and-replay procedure. This will explain how multiple replays are aggregated to mitigate identification inaccuracies, and how non-encryption high-entropy operations are isolated by requiring consistent bit-diffusion patterns across replays that align with the normality test outcome, thereby clarifying the connection to the reported false negative and false positive rates. revision: yes
Circularity Check
No circularity; derivation relies on external statistical test and independent samples
full rationale
The paper's core mechanism applies the Shapiro-Wilk normality test to differences observed in record-and-replay executions to identify the avalanche effect. This uses the test's established statistical properties (external to the paper) and evaluates on separate real-world ransomware families rather than fitting parameters to its own outputs or reducing via self-citation. No self-definitional loops, renamed predictions, or load-bearing self-citations appear in the derivation chain.
Axiom & Free-Parameter Ledger
free parameters (1)
- Shapiro-Wilk p-value threshold
axioms (1)
- domain assumption Any secure encryption algorithm necessarily exhibits the avalanche effect
Reference graph
Works this paper leans on
-
[1]
Li, X., X. Wang, and W. Chang. CipherXRay: Exposing cryptographic operations and transient secrets from monitored binary execution.IEEE transactions on dependable and secure computing, V ol. 11, No. 2, 2012, pp. 101–114
work page 2012
-
[2]
Cert, E. Wannacry ransomware campaign exploiting smb vulnerability.Retrieved from Cert Europa Website: https://cert. europa. eu/static/SecurityAdvisories/2017/CERT- EU-SA201, 2017, pp. 7–012
work page 2017
- [3]
-
[4]
Poudyal, S., K. P. Subedi, and D. Dasgupta. A framework for analyzing ransomware using machine learning. In2018 IEEE symposium series on computational intelligence (SSCI). IEEE, 2018, pp. 1692–1699
work page 2018
-
[5]
Caballero, J. and Z. Lin. Type inference on executables.ACM Computing Surveys (CSUR), V ol. 48, No. 4, 2016, pp. 1–35
work page 2016
-
[6]
Jia, J. and P. K. Chan. Representation learning with function call graph transformations for malware open set recognition. In2022 International Joint Conference on Neural Networks (IJCNN). IEEE, 2022, pp. 1–8
work page 2022
-
[7]
Banerjee, U.Dependence analysis, V ol. 3. Springer Science & Business Media, 1997
work page 1997
-
[8]
Skuratovich, S. Looking into TeslaCrypt v3. 0.1.Checkpoint, Tech. Rep. Prepared usingTRR.cls 14 Transportation Research Record XX(X)
-
[9]
Calvet, J., J. M. Fernandez, and J.-Y . Marion. Aligot: Cryptographic function identification in obfuscated binary programs. InProceedings of the 2012 ACM conference on Computer and communications security. 2012, pp. 169–182
work page 2012
-
[10]
Xu, D., J. Ming, and D. Wu. Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. In2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 921–937
work page 2017
-
[11]
Meijer, C., V . Moonsamy, and J. Wetzels. Where’s Crypto?: Automated Identification and Classification of Proprietary Cryptographic Primitives in Binary Code. In30th USENIX Security Symposium (USENIX Security 21). 2021, pp. 555–572
work page 2021
-
[12]
Lestringant, P., F. Guihéry, and P.-A. Fouque. Automated identification of cryptographic primitives in binary code with data flow graph isomorphism. InProceedings of the 10th ACM Symposium on Information, Computer and Communications Security. 2015, pp. 203–214
work page 2015
-
[13]
Shapiro, S. S. and M. B. Wilk. An Analysis of Variance Test for Normality (Complete Samples).Biometrika, V ol. 52, 1965, pp. 591–611
work page 1965
-
[14]
Webster, A. F. and S. E. Tavares. On the design of S-boxes. InConference on the theory and application of cryptographic techniques. Springer, 1985, pp. 523–534
work page 1985
-
[15]
Hull, G., H. John, and B. Arief. Ransomware deployment methods and analysis: views from a predictive model and human responses.Crime Science, V ol. 8, 2019, pp. 1–22
work page 2019
-
[16]
Coppersmith, D., S. Halevi, and C. Jutla. Cryptanalysis of stream ciphers with linear masking. InAdvances in Cryptology—CRYPTO 2002: 22nd Annual International Cryptology Conference Santa Barbara, California, USA, August 18–22, 2002 Proceedings 22. Springer, 2002, pp. 515– 532
work page 2002
-
[17]
Ramanujam, S. and M. Karuppiah. Designing an algorithm with high Avalanche Effect.IJCSNS International Journal of Computer Science and Network Security, V ol. 11, No. 1, 2011, pp. 106–111
work page 2011
-
[18]
Kumar, A. and N. Tiwari. Effective implementation and avalanche effect of AES.International Journal of Security, Privacy and Trust Management (IJSPTM), V ol. 1, No. 3/4, 2012, pp. 31–35
work page 2012
-
[19]
Vadaviya, D. O. and P. Tandel. Study of avalanche effect in AES. InNational Conference on Recent Advances in Engineering for Sustainability. 2015, pp. 1–4
work page 2015
-
[20]
Verma, R. and A. K. Sharma. Cryptography: Avalanche effect of AES and RSA.International Journal of Scientific and Research Publications, V ol. 10, No. 4, 2020, pp. 119–122
work page 2020
-
[21]
pyrebox.https://github.com/ Cisco-Talos/pyrebox
Cisco Talos Lab. pyrebox.https://github.com/ Cisco-Talos/pyrebox
-
[22]
Quynh, N. A. Unicorn – The ultimate CPU emulator.https: //www.unicorn-engine.org/, 2015
work page 2015
-
[23]
Saudel, F. and J. Salwan. Triton: A Dynamic Symbolic Execution Framework. InSymposium sur la sécurité des technologies de l’information et des communications. SSTIC, Rennes, France, 2015, pp. 31–54
work page 2015
-
[24]
Heys, H. M. A tutorial on linear and differential cryptanalysis. Cryptologia, V ol. 26, No. 3, 2002, pp. 189–221
work page 2002
-
[25]
Linear cryptanalysis method for DES cipher
Matsui, M. Linear cryptanalysis method for DES cipher. In Workshop on the Theory and Application of of Cryptographic Techniques. Springer, 1993, pp. 386–397
work page 1993
-
[26]
Applied Cryptography: Protocols, Algorthms, and Source Code in C.-2nd, 1996
Bruce, S. Applied Cryptography: Protocols, Algorthms, and Source Code in C.-2nd, 1996
work page 1996
-
[27]
Joan, D. and R. Vincent. The design of Rijndael: AES- the advanced encryption standard.Information Security and Cryptography
- [28]
- [29]
-
[30]
Akbanov, M., V . G. Vassilakis, I. D. Moscholios, and M. D. Logothetis. Static and dynamic analysis of WannaCry ransmware. InProc. IEICE Inform. and Commun. Technol. Forum ICTF, V ol. 2018. 2018
work page 2018
-
[31]
Li, J., Z. Lin, J. Caballero, Y . Zhang, and D. Gu. K-Hunt: Pinpointing insecure cryptographic keys from execution traces. InProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018, pp. 412–425. Prepared usingTRR.cls
work page 2018
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.