Distributed Ransomware Detection using Causality Graph Reconstruction for Cybersecurity

Authors

  • Nirwan Dogra, Independent Security Researcher, USA

DOI:

https://doi.org/10.15662/IJARCST.2025.0805014

Keywords:

ransomware detection, distributed systems security, provenance, causality graph, graph machine learning, zero trust, anomaly detection

Abstract

Modern ransomware attacks exploit distributed environments through lateral movement and multi-stage execution chains that evade traditional host-centric detection systems. This paper presents a novel distributed detection framework that reconstructs system-level causality graphs across heterogeneous nodes to identify ransomware behaviors at an early stage. Our approach correlates process, file, network, and memory events into an evolving provenance graph, enabling isolation of malicious encryption cascades and command-and-control patterns with significantly reduced false positives. Through evaluation on realistic attack scenarios and benign workloads, our system achieves 94.7% detection accuracy with sub-3-second median detection latency while maintaining less than 2% CPU overhead per monitored host.
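As an added illustration of the cross-node correlation the abstract describes (not the paper's own code), the following toy builds a causality graph from constructed process, file and network events on two hosts and flags the causal subtree whose aggregate file writes reach a threshold that neither host reaches on its own. The event format, host names, file paths and the fan-out threshold are assumptions made for the example.

```python
"""Toy provenance graph: correlate process, file and network events from two
hosts and flag the causal subtree with encryption-cascade-like file fan-out.
Added illustration, not the paper's code; the event format, hosts, paths and
threshold below are constructed assumptions."""
from collections import defaultdict

# Constructed event log. Processes are keyed by (host, pid) so the graph
# spans nodes; files are prefixed with the host that holds them.
EVENTS = [
    ("A", "spawn", (("A", 100), ("A", 200))),          # shell -> unknown payload
    ("A", "connect", (("A", 200), "B")),               # payload opens a link to host B
    ("B", "remote_spawn", (("A", 200), ("B", 300))),   # service spawned over that link
    ("A", "spawn", (("A", 100), ("A", 201))),          # benign editor, one file
    ("A", "write", (("A", 201), "A:/docs/notes.txt")),
] + [("A", "write", (("A", 200), f"A:/docs/f{i}.docx")) for i in range(4)] \
  + [("B", "write", (("B", 300), f"B:/share/f{i}.xlsx")) for i in range(4)]

def build_graph(events):
    """Causal edges: parent -> child processes (local or remote) and process -> files."""
    children, writes, links, parent = defaultdict(set), defaultdict(set), defaultdict(set), {}
    for _host, kind, (src, dst) in events:
        if kind in ("spawn", "remote_spawn"):
            children[src].add(dst)
            parent[dst] = src
        elif kind == "write":
            writes[src].add(dst)
        elif kind == "connect":
            links[src].add(dst)       # network edges kept for analyst context
    return children, writes, links, parent

def subtree_writes(node, children, writes):
    """All files written by a process and everything it caused, across hosts."""
    files = set(writes[node])
    for child in children[node]:
        files |= subtree_writes(child, children, writes)
    return files

def detect_cascades(events, threshold=6):
    """Return {process: files} for the deepest causal subtree whose aggregate
    writes reach the threshold. Each host alone stays below it here, which is
    what per-host detection would miss and cross-node correlation catches."""
    children, writes, _links, _parent = build_graph(events)
    nodes = set(children) | set(writes) | {c for cs in children.values() for c in cs}
    flagged = {}
    for node in nodes:
        files = subtree_writes(node, children, writes)
        if len(files) < threshold:
            continue
        # Attribute the cascade to the deepest responsible node: skip a parent
        # when one of its children already qualifies on its own.
        if any(len(subtree_writes(c, children, writes)) >= threshold for c in children[node]):
            continue
        flagged[node] = files
    return flagged
```

With the default threshold the payload process ("A", 200) is flagged with eight files spanning hosts A and B, while the benign editor and the shell that started both are not.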

Published

2025-10-02

How to Cite

Distributed Ransomware Detection using Causality Graph Reconstruction for Cybersecurity. (2025). International Journal of Advanced Research in Computer Science & Technology (IJARCST), 8(5), 12850-12857. https://doi.org/10.15662/IJARCST.2025.0805014