Ransomware Detection Through Processor and Disk Usage Patterns Using Machine Learning

Authors

  • G Venkata Pradeep Kumar Author

Keywords:

Deep learning, disk statistics, hardware performance counters, machine learning, ransomware, virtual machines

Abstract

This project addresses the challenge of detecting ransomware by focusing on the limitations of
existing methods that rely heavily on process monitoring and traditional data analysis. The goal is
to develop a reliable and efficient method for identifying ransomware on virtual machines (VMs)
by monitoring specific processor and disk I/O activities across the entire VM from the host
machine. The proposed solution employs machine learning (ML), particularly a Random Forest
(RF) classifier, to build a robust detection model that minimizes monitoring overhead and reduces
the risk of data corruption by ransomware. A key advantage of this approach is its adaptability to
varying user workloads, allowing the model to function effectively in diverse scenarios without
the need for constant process monitoring on the target machine. The project's effectiveness is tested
using 22 ransomware samples and various user workloads, demonstrating its practical application
in real-world environments. To further enhance detection accuracy, the project incorporates a
Convolutional Neural Network 2D (CNN2D) and an ensemble model with a voting classifier. This
ensemble approach, which combines multiple machine learning classifiers, achieved an impressive
99% accuracy, showcasing the effectiveness of integrating various models for robust ransomware
detection. This project offers a practical solution to the evolving threat of ransomware, providing
efficient detection while maintaining adaptability and low overhead.

Published

16-09-2024

How to Cite

Ransomware Detection Through Processor and Disk Usage Patterns Using Machine Learning. (2024). International Journal of Information Technology and Computer Engineering, 12(3), 758-765. https://ijitce.org/index.php/ijitce/article/view/727