21st AIAI 2025, 26 - 29 June 2025, Limassol, Cyprus

Enhancing Ransomware Detection Using Storage Access Pattern

Raizza Amjad, Algarni Abdulmohsen, Alrayzah Asmaa

Abstract:

Ransomware has emerged as a significant cybersecurity threat, posing challenges to data protection, operational continuity, and financial security. Existing detection methods, primarily reliant on signature-based techniques, often fail to detect rapidly evolving ransomware variants, especially zero-day and polymorphic attacks. To address these limitations, this research introduces an enhanced framework leveraging mean-based statistical metrics within the RD-SAP (Ransomware Detection using Storage Access Patterns) model. By detecting anomalies in storage access behaviors through statistical thresholds, including the mean and complementary features such as entropy, this work aims to enhance early detection capabilities. Extensive experiments using the RanSAP dataset demonstrate that integrating mean-based metrics significantly improves detection performance. The model, evaluated using k-Nearest Neighbors (KNN), achieved F1-scores of 0.73, 0.74, and 0.75 at 30s, 60s, and 90s, respectively, compared to the baseline KNN scores of 0.70, 0.71, and 0.72. This demonstrates a consistent improvement across different time intervals, with a maximum performance gain of 4.2% over the baseline. The proposed approach reduces false positives, detects anomalies earlier, and provides robust defense mechanisms suitable for real-time environments.

*** Title, author list and abstract as submitted during Camera-Ready version delivery. Small changes that may have occurred during processing by Springer may not appear in this window.