Ransomware Detection Using Sample Entropy and Graphical Models: A Methodology for Explainable Artificial Intelligence (XAI) in Cybersecurity / D. Bruschi, M. De Corato, A. Ferrara, S. Salini. - In: APPLIED STOCHASTIC MODELS IN BUSINESS AND INDUSTRY. - ISSN 1524-1904. - 41:6(2025 Dec), pp. e70061.1-e70061.15. [10.1002/asmb.70061]
Ransomware Detection Using Sample Entropy and Graphical Models: A Methodology for Explainable Artificial Intelligence (XAI) in Cybersecurity
D. Bruschi; M. De Corato; A. Ferrara; S. Salini
2025
Abstract
Malware detection poses a critical challenge for both society and Business and Industry (B&I), particularly given the necessity for secure digital transformation. Among various cybersecurity threats, ransomware has emerged as especially disruptive, capable of halting operations, interrupting business continuity, and causing significant financial damage. Recent research has increasingly leveraged machine learning (ML) techniques to detect ransomware using Hardware Performance Counters (HPCs)—special CPU registers that track low-level hardware activities. In this study, we first propose a Sample Entropy (SampEn)-based method for compressing HPC time series data. This method effectively reduces dimensionality while preserving essential behavioral patterns, thus making it particularly suitable for practical B&I scenarios where accuracy and computational efficiency are crucial. Second, we investigate explainable algorithms for ransomware detection in B&I contexts, emphasizing transparency and interpretability. To achieve this goal, we focus on graphical models, specifically Markov Random Fields (MRFs) and Bayesian Networks. We evaluate the performance of these explainable methods against a baseline comprising Elastic Net, Support Vector Machines (SVM) with a radial kernel, XGBoost, and Autoencoder models. Our results demonstrate that these graphical models provide consistent and interpretable outcomes, closely aligned with known ransomware behaviors.
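The abstract describes compressing each HPC time series with Sample Entropy so that a long counter trace becomes a short, behaviour-preserving feature vector. The following is an added illustration, not code from the paper or its authors: a plain-Python SampEn (Richman and Moorman's definition, -ln(A/B) with A and B the counts of template pairs of length m+1 and m within Chebyshev tolerance r, self-matches excluded) applied window by window to counter traces. The windowing scheme, the default tolerance r = 0.2 times the trace standard deviation, the counter names and every trace value are assumptions, since the page does not state the authors' exact compression procedure; the traces are constructed so that a regular trace yields SampEn 0 and a trace with irregular spikes yields a positive value.

```python
import math
from statistics import pstdev


def sample_entropy(series, m=2, r=None):
    """Sample Entropy of a 1-D series.

    B counts pairs of length-m templates whose Chebyshev distance is <= r,
    A counts the same for length m+1 (same template start indices, so the
    two counts are comparable). Self-matches are excluded. Returns math.inf
    when no pair matches at length m+1 (no repeating structure to measure).
    """
    x = [float(v) for v in series]
    n = len(x)
    if n <= m + 1:
        raise ValueError("series too short for template length m")
    if r is None:
        # Common convention (an assumption here): tolerance at 20% of the std dev.
        r = 0.2 * pstdev(x)
    n_templates = n - m  # use the same number of templates for m and m+1

    def count_matches(length):
        count = 0
        for i in range(n_templates):
            for j in range(i + 1, n_templates):
                if all(abs(x[i + k] - x[j + k]) <= r for k in range(length)):
                    count += 1
        return count

    b = count_matches(m)
    a = count_matches(m + 1)
    if a == 0 or b == 0:
        return math.inf
    return -math.log(a / b)


def compress_hpc_series(series, window, m=2, r=None):
    """Reduce a long counter trace to one SampEn value per non-overlapping window.

    When r is not given it is fixed from the whole trace, so that the per-window
    values are computed against a common tolerance and stay comparable.
    """
    x = [float(v) for v in series]
    if r is None:
        r = 0.2 * pstdev(x)
    return [sample_entropy(x[s:s + window], m, r)
            for s in range(0, len(x) - window + 1, window)]


def hpc_feature_vector(traces, window, m=2, r=None):
    """Map {counter_name: trace} to {counter_name: [SampEn per window]}.

    This is the compressed representation a downstream classifier would consume;
    the counter names used below are hypothetical.
    """
    return {name: compress_hpc_series(trace, window, m, r)
            for name, trace in traces.items()}


# Constructed traces (not real HPC samples): a perfectly periodic baseline and
# the same baseline with irregular spikes at a few positions.
PERIODIC_TRACE = [1, 2, 3] * 16
_SPIKES = {5: 7, 11: 0, 17: 5, 23: 8, 29: 9, 35: 4, 41: 6, 47: 0}
IRREGULAR_TRACE = [_SPIKES.get(i, v) for i, v in enumerate(PERIODIC_TRACE)]


if __name__ == "__main__":
    feats = hpc_feature_vector(
        {"instructions": PERIODIC_TRACE, "cache_misses": IRREGULAR_TRACE},
        window=12, r=0.5)
    for name, vec in feats.items():
        print(name, [round(v, 3) for v in vec])  # 48 samples -> 4 values per counter
```

A regular trace gives SampEn 0 in every window because every matching pair of length-m templates also matches at length m+1 (A equals B); the spiked trace gives a positive value because some length-2 matches such as (1, 2) are followed by different values, so A falls below B. With a tolerance of 0.5 the values are effectively exact-match counts on integer series; on real counter readings the tolerance should be set from the trace scale, which is why the helper fixes r from the whole trace rather than per window.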