RansomTrack: A Hybrid Behavioral Analysis Framework for Ransomware Detection
Busra Caliskan, Ibrahim Gulatas, H. Hakan Kilinc, A. Halim Zaim
TL;DR
RansomTrack is a hybrid behavioral analysis framework that combines static and dynamic features to detect ransomware rapidly and accurately, providing explainability and scalability for real-time detection.
Contribution
It introduces a novel hybrid detection framework that integrates static and dynamic analysis, along with a new dataset and interpretability features, improving early ransomware detection.
Findings
Achieves up to 96% accuracy in ransomware detection.
Detects ransomware in under 9.2 seconds.
Provides high interpretability with SHAP-based feature importance.
Abstract
Ransomware poses a serious and fast-acting threat to critical systems, often encrypting files within seconds of execution. Research indicates that ransomware is the most reported cybercrime in terms of financial damage, highlighting the urgent need for early-stage detection before encryption is complete. In this paper, we present RansomTrack, a hybrid behavioral analysis framework to eliminate the limitations of using static and dynamic detection methods separately. Static features are extracted using the Radare2 sandbox, while dynamic behaviors such as memory protection changes, mutex creation, registry access and network activity are obtained using the Frida toolkit. Our dataset of 165 different ransomware and benign software families is publicly released, offering the highest family-to-sample ratio known in the literature. Experimental evaluation using machine learning models shows…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.