Ransomware Detection with ML and Deep Learning: An Evidence-Based Survey and Drift-Aware Taxonomy
Issued Date
2026-01-01
Scopus ID
2-s2.0-105040590243
Journal Title
2026 International Conference on Advances in Artificial Intelligence and Machine Learning (AAIML 2026)
Start Page
181
End Page
186
Rights Holder(s)
SCOPUS
Bibliographic Citation
2026 International Conference on Advances in Artificial Intelligence and Machine Learning (AAIML 2026) (2026), 181-186
Suggested Citation
Tritilanunt S. Ransomware Detection with ML and Deep Learning: An Evidence-Based Survey and Drift-Aware Taxonomy. 2026 International Conference on Advances in Artificial Intelligence and Machine Learning (AAIML 2026) (2026), 181-186. doi:10.1109/AAIML67890.2026.11498152 Retrieved from: https://repository.li.mahidol.ac.th/handle/123456789/117134
Abstract
Ransomware remains a major threat that requires early and reliable detection. This paper offers an evidence-based survey and a drift-aware taxonomy that help practitioners choose between classic machine learning (ML) and deep learning (DL) across static, dynamic, and graph-based feature regimes. We outline when lightweight tree-based ML provides strong accuracy and low latency, and when sequence or graph DL adds value on long, high-quality traces despite higher compute cost. We highlight common pitfalls, especially random splits and insufficient temporal testing, that inflate performance under concept drift, and recommend time-aware evaluation with temporal splits and challenge subsets. We summarize the space into a feature-method matching table and a deployment-oriented decision flow, and we recommend hybrid pipelines where fast static or aggregated dynamic ML acts as a filter and heavier DL as a confirmer. Practical routines for continual learning and lightweight drift monitoring (e.g., feature-frequency or trace-coverage shifts) are also provided. Finally, we call for a dynamic, drift-aware benchmark analogous to EMBER2024 and emphasize minimum reporting standards: FPR@TPR at fixed operating points (0.1%, 1%), end-to-end latency (p50/p95), and clear sandbox/EDR configuration.
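The evaluation and monitoring routine the abstract argues for, as an added illustration that is not the paper's code: a temporal split at a cutoff date instead of a random split, a lightweight feature-frequency drift signal between the pre- and post-cutoff sets, and detection rates reported at fixed operating points (both TPR at a fixed FPR budget and FPR at a fixed TPR, so either convention can be filled in). The record format, the twelve sample records, their feature names and their detector scores are all constructed assumptions; the toy corpus is built so that post-cutoff ransomware uses a different crypto API and scores lower, which is the kind of drift a pooled evaluation hides.

```python
"""Time-aware evaluation and lightweight drift monitoring for a ransomware detector.

Added illustrative code, not from the paper.  Assumed record format: each sample
is a dict with 'first_seen' (date), 'features' (set of feature names, e.g. API
calls observed in a sandbox trace), 'label' (1 = ransomware, 0 = benign) and
'score' (a detector's output in [0, 1]; higher means more suspicious).
"""
from collections import Counter
from datetime import date
import math

# Constructed toy corpus (12 samples).  After the cutoff, ransomware switches from
# CryptEncrypt to BCryptEncrypt and the detector scores it lower: simulated drift.
SAMPLES = [
    {"first_seen": date(2024, 1, 10), "features": {"CryptEncrypt", "FindFirstFile", "WriteFile"}, "label": 1, "score": 0.95},
    {"first_seen": date(2024, 2, 3),  "features": {"CryptEncrypt", "DeleteFile", "WriteFile"},    "label": 1, "score": 0.91},
    {"first_seen": date(2024, 3, 15), "features": {"FindFirstFile", "WriteFile"},                  "label": 0, "score": 0.20},
    {"first_seen": date(2024, 4, 2),  "features": {"ReadFile", "WriteFile"},                       "label": 0, "score": 0.10},
    {"first_seen": date(2024, 5, 20), "features": {"CryptEncrypt", "shadow_copy_delete"},          "label": 1, "score": 0.97},
    {"first_seen": date(2024, 6, 11), "features": {"ReadFile", "CreateProcess"},                   "label": 0, "score": 0.05},
    {"first_seen": date(2024, 7, 5),  "features": {"BCryptEncrypt", "FindFirstFile", "WriteFile"}, "label": 1, "score": 0.60},
    {"first_seen": date(2024, 8, 19), "features": {"BCryptEncrypt", "DeleteFile", "WriteFile"},   "label": 1, "score": 0.55},
    {"first_seen": date(2024, 9, 2),  "features": {"BCryptEncrypt", "shadow_copy_delete"},         "label": 1, "score": 0.85},
    {"first_seen": date(2024, 10, 7), "features": {"ReadFile", "WriteFile"},                       "label": 0, "score": 0.15},
    {"first_seen": date(2024, 11, 1), "features": {"FindFirstFile", "WriteFile", "CreateProcess"}, "label": 0, "score": 0.58},
    {"first_seen": date(2024, 12, 3), "features": {"ReadFile"},                                    "label": 0, "score": 0.02},
]


def temporal_split(samples, cutoff):
    """Train on samples first seen before the cutoff, test on those at or after it."""
    train = [s for s in samples if s["first_seen"] < cutoff]
    test = [s for s in samples if s["first_seen"] >= cutoff]
    return train, test


def feature_frequency(samples):
    """Fraction of samples in which each feature appears (the drift-monitoring statistic)."""
    counts = Counter()
    for s in samples:
        counts.update(s["features"])
    return {f: c / len(samples) for f, c in counts.items()}


def frequency_shift(ref, cur):
    """Mean absolute change in per-feature frequency over the union of features
    (0.0 = no shift), plus the features that newly appeared or vanished."""
    keys = set(ref) | set(cur)
    mean_shift = sum(abs(ref.get(k, 0.0) - cur.get(k, 0.0)) for k in keys) / max(len(keys), 1)
    return mean_shift, sorted(set(cur) - set(ref)), sorted(set(ref) - set(cur))


def _split_scores(samples):
    pos = [s["score"] for s in samples if s["label"] == 1]
    neg = [s["score"] for s in samples if s["label"] == 0]
    if not pos or not neg:
        raise ValueError("operating-point metrics need both classes present")
    return pos, neg


def tpr_at_fpr(samples, fpr_budget):
    """(threshold, TPR) at the threshold that keeps FPR within fpr_budget (e.g. 0.001, 0.01)."""
    pos, neg = _split_scores(samples)
    neg.sort(reverse=True)
    allowed = math.floor(fpr_budget * len(neg))      # negatives permitted to fire
    if allowed >= len(neg):
        return float("-inf"), 1.0
    threshold = neg[allowed]                         # firing at > threshold admits at most `allowed` FPs
    return threshold, sum(1 for x in pos if x > threshold) / len(pos)


def fpr_at_tpr(samples, tpr_target):
    """(threshold, FPR) at the loosest threshold that still catches at least tpr_target of positives."""
    pos, neg = _split_scores(samples)
    pos.sort(reverse=True)
    k = max(1, math.ceil(tpr_target * len(pos)))     # positives that must fire
    threshold = pos[k - 1]                           # firing at >= threshold catches k positives
    return threshold, sum(1 for x in neg if x >= threshold) / len(neg)


def drift_aware_report(samples, cutoff, fpr_budget=0.01):
    """Pooled vs. time-aware operating point, plus the drift signal across the cutoff."""
    train, test = temporal_split(samples, cutoff)
    shift, new, vanished = frequency_shift(feature_frequency(train), feature_frequency(test))
    return {
        "n_train": len(train), "n_test": len(test),
        "feature_shift": shift, "new_features": new, "vanished_features": vanished,
        "tpr_at_fpr_pooled": tpr_at_fpr(samples, fpr_budget)[1],   # what a random split approximates
        "tpr_at_fpr_pre_cutoff": tpr_at_fpr(train, fpr_budget)[1],
        "tpr_at_fpr_post_cutoff": tpr_at_fpr(test, fpr_budget)[1],
    }


if __name__ == "__main__":
    for k, v in drift_aware_report(SAMPLES, date(2024, 7, 1)).items():
        print(f"{k}: {v}")
```

On the constructed corpus the pooled TPR at a 1% FPR budget is 5/6, the pre-cutoff figure is 1.0, and the post-cutoff figure drops to 2/3; the drift monitor flags BCryptEncrypt as new and CryptEncrypt as vanished before any relabelling is done, which is the cheap early-warning signal the abstract means by feature-frequency shift.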
