Dual-Path Ransomware Detection Framework
摘要
Modern ransomware increasingly employs intermittent encryption—strategically encrypting only portions of a file—to evade detection systems that rely on global statistical features. This tactic effectively masks malicious activity, rendering conventional supervised classifiers and simple entropy-based heuristics obsolete. To counter this advanced threat, we introduce a novel dual-path hybrid intelligence framework that combines high-speed supervised classification with deep unsupervised anomaly detection. Our core innovation is to reframe the detection of intermittent encryption as an unsupervised learning problem. We use a density-based clustering algorithm (DBSCAN), augmented with specialized periodicity features derived from autocorrelation and Fourier analysis, to automatically identify the dense, anomalous statistical signatures of encrypted blocks within a file’s body. This deep scan runs concurrently with a rapid, supervised stacked generalization model that performs triage on file headers and footers. Evaluated on a large-scale dataset of 200,000 files, our integrated framework achieves an accuracy of 0.999. More critically, it demonstrates unprecedented effectiveness on difficult-case scenarios, correctly identifying 99.5% of intermittently encrypted files (compared to 21% for supervised-only models) while simultaneously reducing the false positive rate on legitimate compressed archives to just 0.1%. By resolving the speed-versus-depth trade-off, our framework presents a robust and scalable solution to a critical, evolving challenge in cybersecurity.