XRGuard: A Model-Agnostic Approach to Ransomware Detection Using Dynamic Analysis and Explainable AI

IF 3.4 3区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Access Pub Date : 2025-03-24 DOI:10.1109/ACCESS.2025.3553562

M. Adnan Alvi;Zunera Jalil

{"title":"XRGuard: A Model-Agnostic Approach to Ransomware Detection Using Dynamic Analysis and Explainable AI","authors":"M. Adnan Alvi;Zunera Jalil","doi":"10.1109/ACCESS.2025.3553562","DOIUrl":null,"url":null,"abstract":"Ransomware remains a persistent and evolving cybersecurity threat, demanding advanced and adaptable detection strategies. Traditional methods often fall short as signature-based systems are easily circumvented by emerging ransomware variants, while techniques like obfuscation and polymorphism add complexity to the detection process. Although machine learning and deep learning techniques present viable solutions, the opacity of complex black-box models can hinder their application in critical security environments. This paper introduces XRGuard, a novel ransomware detection framework that utilizes machine learning techniques to analyze Event Tracing for Windows (ETW) logs, identifying critical file I/O patterns indicative of ransomware attacks. By incorporating XAI techniques such as SHapley Additive exPlanations (SHAP) and Local Interpretable Model-Agnostic Explanations (LIME), XRGuard bridges the trust gap associated with complex machine learning models by providing transparent and interpretable explanations for its decisions. Experimental results demonstrate that XRGuard achieves a 99.69% accuracy rate with an exceptionally low false positive rate of 0.5%. By enhancing detection accuracy and offering clear explanations of its operations, XRGuard not only improves security but also fosters trust and a deeper understanding of ransomware behaviors.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":"13 ","pages":"53159-53170"},"PeriodicalIF":3.4000,"publicationDate":"2025-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10937028","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10937028/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Ransomware remains a persistent and evolving cybersecurity threat, demanding advanced and adaptable detection strategies. Traditional methods often fall short as signature-based systems are easily circumvented by emerging ransomware variants, while techniques like obfuscation and polymorphism add complexity to the detection process. Although machine learning and deep learning techniques present viable solutions, the opacity of complex black-box models can hinder their application in critical security environments. This paper introduces XRGuard, a novel ransomware detection framework that utilizes machine learning techniques to analyze Event Tracing for Windows (ETW) logs, identifying critical file I/O patterns indicative of ransomware attacks. By incorporating XAI techniques such as SHapley Additive exPlanations (SHAP) and Local Interpretable Model-Agnostic Explanations (LIME), XRGuard bridges the trust gap associated with complex machine learning models by providing transparent and interpretable explanations for its decisions. Experimental results demonstrate that XRGuard achieves a 99.69% accuracy rate with an exceptionally low false positive rate of 0.5%. By enhancing detection accuracy and offering clear explanations of its operations, XRGuard not only improves security but also fosters trust and a deeper understanding of ransomware behaviors.

查看原文本刊更多论文

XRGuard：利用动态分析和可解释人工智能的勒索软件检测模型诊断方法

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Access COMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC

CiteScore

9.80

自引率

7.70%

发文量

6673

审稿时长

6 weeks

期刊介绍： IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest. IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on: Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals. Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering. Development of new or improved fabrication or manufacturing techniques. Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.