A HOLISTIC PERFORMANCE METRIC SCHEME FOR MACHINE LEARNING APPROACHES TO CRYPTO-RANSOMWARE DETECTION
Abstract
The study introduces a two-tier machine learning framework designed to identify crypto-ransomware at an early stage—before the encryption process begins. The architecture consists of two core components: a Signature Recognition (SR) module and a Learning Agent (LA). Both components rely on the Random Forest algorithm, but each serves a different purpose. The SR module focuses on spotting previously known malicious behaviors, while the LA specializes in identifying new, unfamiliar, or evolving attack patterns. This combined approach enables the model to adapt to a wide range of threat scenarios.
In terms of performance, the system demonstrates strong results, achieving an average accuracy of 90% and an ROC AUC score of 0.94, indicating a high level of reliability. Its effectiveness is further validated using a comprehensive set of evaluation metrics, including accuracy, precision, recall, F1-score, and ROC AUC, ensuring that the assessment covers both general performance and class-specific behavior.
The proposed N-DIMEL framework ultimately offers a proactive and well-balanced defense strategy. By detecting both known and emerging ransomware activities, it provides cybersecurity teams with meaningful insights and practical support in choosing, improving, and deploying robust ransomware detection mechanisms. Additionally, the model’s adaptability makes it suitable for real-world environments where threats continuously evolve, helping organizations strengthen their early-warning and response capabilities.
Keywords
Crypto-ransomware, Early detection, Machine learning, Random Forest, Signature recognition, Learning Agent, ROC-AUC













