EXPLAINABLE ATTENTION-BASED LSTM FRAMEWORK FOR EARLY DETECTION OF AI-ASSISTED RANSOMWARE VIA FILE SYSTEM BEHAVIORAL ANALYSIS
Authors: Prabhudarshi Nayak, Gogulakrishnan Thiyagarajan, Debashree Priyadarshini, Vinay Bist, Rohan Swain
Affiliation: Institute of Management and Information Technology, Cisco Systems Inc., Dell Inc., LTM Limited
ABSTRACT. Ransomware continues to evolve as one of the most disruptive cyber threats, with recent variants increasingly leveraging automated and AI-assisted techniques to evade traditional signature-based defenses. Early detection of such attacks remains a significant challenge, particularly when malicious behavior closely resembles legitimate system activity. This study proposes an explainable attention-based Long Short-Term Memory (LSTM) framework for the early detection of AI-assisted ransomware variants through analysis of file system behavioral patterns. The proposed model captures temporal dependencies in file operation sequences, while an attention mechanism highlights critical behavioral indicators associated with ransomware activity. To improve transparency and trust in automated detection systems, explainable artificial intelligence (XAI) techniques are incorporated to interpret model predictions and identify influential behavioral features. Experimental evaluation using ransomware behavioral traces demonstrates that the proposed framework can effectively distinguish malicious activity at early stages of execution with high detection performance and low false-positive rates. The findings suggest that combining sequence-aware deep learning models with explainability mechanisms can significantly enhance the reliability and interpretability of next-generation ransomware defense systems. This work contributes toward the development of intelligent and transparent cyber-defense mechanisms capable of addressing emerging AI-driven malware threats.