
RANSOMWARE DETECTION AND PREVENTION | IJCT Volume 12 – Issue 5 | IJCT-V12I5P84

 International Journal of Computer Techniques
ISSN 2394-2231
 Volume 12, Issue 5  |  Published: September – October 2025
 Author
YASHVARDHAN KR, DEEPAK R, PAVAN KUMAR KN, G GEYA VARUN, RAKSHITHA P
Abstract
 In the current digital landscape, ransomware attacks have emerged as one of the most disruptive cyber threats, causing massive data loss and financial damage. Traditional antivirus solutions often fail to detect zero-day or evolving ransomware variants due to their signature-based limitations. The proposed project, “Hybrid Machine Learning and Honeypot-Based Ransomware Detection System,” introduces a proactive and intelligent approach to ransomware defense. The system continuously monitors file-system activities in real time, leveraging Python’s watchdog module and socket-based communication to detect suspicious patterns such as mass file modifications or unauthorized encryption attempts. A network-connected Security Operations Center (SOC) dashboard visualizes live metrics, including events per minute, alerts per minute, and folder-level anomaly trends. Integrated honeypot files serve as early warning triggers, while a trained machine learning model classifies behavior patterns to minimize false positives. By combining behavioral analysis, ML prediction, and interactive visualization, this hybrid framework ensures faster detection, greater transparency, and adaptive protection against modern ransomware. The system contributes to advancing endpoint security through an efficient, interpretable, and real-time ransomware monitoring architecture.
Conclusion
 The project titled Hybrid Machine Learning and Honeypot-Based Ransomware Detection System represents a practical implementation of an adaptive and data-driven defense mechanism against modern ransomware attacks.
Examination of the extracted folders—particularly the directories honeypot_package/scripts/ and ml_models/—shows that the system integrates two complementary layers: a Python-based honeypot environment for behavioral monitoring and a machine-learning detection engine for intelligent classification.
The honeypot module, developed using Python and shell-based automation, continuously monitors file-system events, registry changes, and process creation activities within an isolated virtual environment. The logging scripts record encryption attempts, file I/O rates, and entropy changes—critical behavioral indicators of ransomware execution. These logs are parsed and converted into structured datasets that serve as live input to the learning pipeline.
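The behavioral indicators named above (honeypot access, write rate, and content entropy) can be combined as in the following added example, which is not the project's own code. It emits one structured record per alert with a timestamp, process identifier, and file hash. The decoy path, thresholds, and event tuples are assumptions constructed for illustration; in the described system the events would come from the watchdog monitor.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

HONEYPOTS = {"/srv/share/~aaa_budget.xlsx"}         # hypothetical decoy file
WINDOW_S, MAX_WRITES, HIGH_ENTROPY = 10.0, 3, 7.2   # assumed thresholds

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events):
    """events: time-ordered (ts, pid, path, bytes_after_write); returns alert records."""
    recent = defaultdict(deque)  # pid -> timestamps of its high-entropy writes
    alerts = []
    for ts, pid, path, data in events:
        entropy, reason = shannon_entropy(data), None
        if path in HONEYPOTS:                # no legitimate process touches a decoy
            reason = "honeypot_touched"
        elif entropy >= HIGH_ENTROPY:
            q = recent[pid]
            q.append(ts)
            while ts - q[0] > WINDOW_S:      # drop writes older than the window
                q.popleft()
            if len(q) >= MAX_WRITES:
                reason = "mass_high_entropy_writes"
        if reason:
            alerts.append({"ts": ts, "pid": pid, "path": path, "reason": reason,
                           "entropy": round(entropy, 2),
                           "sha256": hashlib.sha256(data).hexdigest()})
    return alerts

def fake_ciphertext(seed: int) -> bytes:
    """Constructed stand-in for encrypted content: 4 KiB of hash output."""
    return b"".join(hashlib.sha256(bytes([seed, j])).digest() for j in range(128))

TEXT = b"Quarterly report: revenue up, costs flat. " * 100
SAMPLE = [  # constructed events; pid 977 plays the encrypting process
    (0.0, 410, "/srv/share/notes.txt", TEXT),
    (1.0, 977, "/srv/share/a.docx", fake_ciphertext(1)),
    (2.0, 977, "/srv/share/b.docx", fake_ciphertext(2)),
    (3.0, 977, "/srv/share/c.docx", fake_ciphertext(3)),
    (4.0, 977, "/srv/share/~aaa_budget.xlsx", fake_ciphertext(4)),
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

Entropy alone also flags compressed archives and media files, which is why the rate window and the decoy check are evaluated alongside it.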
The machine-learning component, implemented with scikit-learn, pandas, and TensorFlow, processes both static and dynamic features extracted from the honeypot. The models—Random Forest, SVM, and Gradient Boosting Ensemble—were trained and evaluated using balanced datasets contained in the dataset/ and model_training/ subfolders.
A key insight drawn from the implementation is the hybrid feedback loop between the honeypot and the ML engine. Each time a ransomware sample interacts with the honeypot, the captured behavior is automatically appended to the training corpus. The retraining routine (retrain_model.py) periodically updates model parameters, ensuring continuous adaptation to newly discovered ransomware variants. This mechanism transforms the framework into a self-learning and evolving security system rather than a static detector.
The project also emphasizes forensic readiness. Every malicious event is logged with a timestamp, process identifier, and file-hash record stored in structured CSV and JSON formats. These records facilitate trace-back analysis, allowing investigators to reconstruct attack sequences. The presence of well-documented logging utilities and structured output directories confirms the project’s alignment with digital-forensics best practices.
In essence, the system developed in this project demonstrates that the synergy between honeypot-based behavioral capture and machine-learning classification can create a proactive cybersecurity framework capable of evolving alongside emerging ransomware threats. The modular design, empirical accuracy, and adaptability established through the implementation files mark this hybrid model as a promising foundation for future research and enterprise-grade ransomware defense solutions.
© 2025 International Journal of Computer Techniques (IJCT).
 
  
 






