Evaluating the Efficacy of Machine Learning Techniques in Ransomware Detection
Issued Date
2025-01-01
Scopus ID
2-s2.0-105032444619
Journal Title
Jcsse 2025 22nd International Joint Conference on Computer Science and Software Engineering
Start Page
209
End Page
216
Rights Holder(s)
SCOPUS
Bibliographic Citation
Jcsse 2025 22nd International Joint Conference on Computer Science and Software Engineering (2025), 209-216
Suggested Citation
Meechanchuang K., Sitsaengchai P., Bowornsujaritkul K., Tritilanunt S., Phienthrakul T. Evaluating the Efficacy of Machine Learning Techniques in Ransomware Detection. Jcsse 2025 22nd International Joint Conference on Computer Science and Software Engineering (2025), 209-216. doi:10.1109/JCSSE67377.2025.11297864 Retrieved from: https://repository.li.mahidol.ac.th/handle/123456789/115726
Abstract
Ransomware continues to pose a critical threat to computer systems worldwide, requiring effective detection strategies that can generalize across evolving variants. This paper presents a comparative evaluation of multiple machine learning algorithms for ransomware detection using dynamic analysis. Behavioral features were extracted from ransomware samples via Cuckoo Sandbox, and standard classifiers including Decision Tree, Random Forest, Gradient Boosting, and XGBoost were evaluated with appropriate train-test splits and feature selection. Results show that Random Forest consistently achieves superior performance on unseen ransomware families, highlighting its robustness and practical applicability. Beyond accuracy, this study examines computational considerations, revealing that tree-based models offer favorable tradeoffs between detection efficacy and inference latency, making them suitable for near real-time deployment. Feature importance analysis further indicates that registry modifications, file operations, and cryptographic API calls are key behavioral traits distinguishing ransomware activity. Nevertheless, the study faces limitations, including a relatively small dataset (582 ransomware samples), basic class imbalance handling, and the absence of deep learning baselines. To address these gaps, future work will explore dataset expansion, advanced imbalance handling techniques, neural architectures, and large-scale deployment evaluation. By emphasizing both detection accuracy and forensic interpretability, this work contributes practical insights for improving ransomware defense in real-world environments.
