Ransomware has emerged as a significant cybersecurity threat, posing challenges to data protection, operational continuity, and financial security. Existing detection methods, primarily reliant on signature-based techniques, often fail to detect rapidly evolving ransomware variants, especially zero-day and polymorphic attacks. To address these limitations, this research introduces an enhanced framework leveraging mean-based statistical metrics within the RD-SAP (Ransomware Detection using Storage Access Patterns) model. By detecting anomalies in storage access behaviors through statistical thresholds, including the mean and complementary features such as entropy, this work aims to enhance early detection capabilities. Extensive experiments using the RanSAP dataset demonstrate that integrating mean-based metrics significantly improves detection performance. The model, evaluated using k-Nearest Neighbors (KNN), achieved an F1-score of 0.73, 0.74, and 0.75 at 30 s, 60 s, and 90 s, respectively, compared to the baseline KNN scores of 0.70, 0.71, and 0.72. This demonstrates a consistent improvement across different time intervals, with a maximum performance gain of 4.2% over the baseline. The proposed approach reduces false positives, detects anomalies earlier, and provides robust defense mechanisms suitable for real-time environments.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Enhancing Ransomware Detection Using Storage Access Pattern

  • Amjad Alraizza,
  • Abdulmohsen Algarni,
  • Asmaa Alrayzah

摘要

Ransomware has emerged as a significant cybersecurity threat, posing challenges to data protection, operational continuity, and financial security. Existing detection methods, primarily reliant on signature-based techniques, often fail to detect rapidly evolving ransomware variants, especially zero-day and polymorphic attacks. To address these limitations, this research introduces an enhanced framework leveraging mean-based statistical metrics within the RD-SAP (Ransomware Detection using Storage Access Patterns) model. By detecting anomalies in storage access behaviors through statistical thresholds, including the mean and complementary features such as entropy, this work aims to enhance early detection capabilities. Extensive experiments using the RanSAP dataset demonstrate that integrating mean-based metrics significantly improves detection performance. The model, evaluated using k-Nearest Neighbors (KNN), achieved an F1-score of 0.73, 0.74, and 0.75 at 30 s, 60 s, and 90 s, respectively, compared to the baseline KNN scores of 0.70, 0.71, and 0.72. This demonstrates a consistent improvement across different time intervals, with a maximum performance gain of 4.2% over the baseline. The proposed approach reduces false positives, detects anomalies earlier, and provides robust defense mechanisms suitable for real-time environments.