SHIELD: A Host-Independent Framework for Ransomware Detection using Deep Filesystem Features

TL;DR

SHIELD is a host-independent framework that uses filesystem-level features and machine learning to detect ransomware activity in real-time, providing a tamper-proof, deployable solution that effectively identifies and mitigates ransomware threats.

Contribution

This work introduces a novel filesystem-layer based detection framework that is host-independent, tamper-proof, and capable of real-time ransomware detection and mitigation, including deployment on storage controllers.

Findings

Achieves 97.29% accuracy in binary ransomware detection.

Hardware-only features retain 95.97% accuracy, enabling FPGA/ASIC deployment.

Halts disk operations within tens of actions, limiting affected files to <0.4%.

Abstract

Ransomware's escalating sophistication necessitates tamper-resistant, off-host detection solutions that capture deep disk activity beyond the reach of a compromised operating system. Existing detection systems use host/kernel signals or rely on coarse block-I/O statistics, which are easy to evade and miss filesystem semantics. The filesystem layer itself remains underexplored as a source of robust indicators for storage-controller-level defense. To address this, we present SHIELD: a Secure Host-Independent Extensible Metric Logging Framework for Tamper-Proof Detection and Real-Time Mitigation of Ransomware Threats. SHIELD parses and logs filesystem-level features that cannot be evaded or obfuscated to expose deep disk activity for real-time ML-based detection and mitigation. We evaluate the efficacy of these metrics through experiments with both binary (benign vs. malicious behavior) and multiclass (ransomware strain identification) classifiers. In evaluations across diverse ransomware families, the best binary classifier achieves 97.29% accuracy in identifying malicious disk behavior. A hardware-only feature set that excludes all transport-layer metrics retains 95.97% accuracy, confirming feasibility for FPGA/ASIC deployment within the storage controller datapath. In a proof-of-concept closed-loop deployment, SHIELD halts disk operations within tens of disk actions, limiting targeted files affected to <0.4% for zero-shot strains at small action-windows, while maintaining low false-positive rates (<3.6%) on unseen benign applications. Results demonstrate that filesystem-aware, off-host telemetry enables accurate, resilient ransomware detection, including intermittent/partial encryption, and is practical for embedded integration in storage controllers or alongside other defense mechanisms.