Development of Enhanced Ransomware Detection Model Using Hybrid Static-Dynamic Feature Integration

Abstract

Ransomware remains a devastating cyber threat, encrypting critical data, disrupting operations, and extorting ransoms, with global losses exceeding $20 billion in 2024 and projected to reach $265 billion annually by 2031. Conventional detection methods, limited to static or dynamic analysis, falter against advanced, obfuscated, and zero-day variants. This study introduces a hybrid AI model for ransomware detection, employing a late-fusion framework to integrate static and dynamic features. It combines an Enhanced Multi-Layer Perceptron (MLP) trained on 500 static features from the EMBER dataset with a Conditional Variational Autoencoder 1-Dimensional Convolutional Neural Network (CVAE–1D CNN) trained on 1,000 dynamic behavioural features from the MLRan dataset. Model predictions are fused via optimized weighted averaging to enhance performance, especially on unseen families. Evaluations reveal superior results: 95.14% accuracy, 89.77% macro F1-score, 94.2% recall, and 95.33% zero-day F1-score, outperforming single-model baselines. Integrating static pre-execution and dynamic runtime features boosts detection accuracy and generalization. The static component's compact 3.8 Megabyte size suits resource-constrained deployments. This hybrid solution provides a robust, scalable defence for multi-family ransomware, strengthening enterprise cybersecurity.