Ransomware Detection Using Convolutional Neural Networks and Isolation Forests in Network Traffic Patterns

Ransomware Detection Using Convolutional Neural Networks and Isolation Forests in Network Traffic Patterns | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Ransomware Detection Using Convolutional Neural Networks and Isolation Forests in Network Traffic Patterns Frank Alzonem, Guillermo Albrecht, Dimitrios Castellanos, Matthias Vandermeer, and 1 more This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-5278706/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Ransomware has rapidly become one of the most disruptive cyber threats, targeting critical infrastructures and sensitive data with sophisticated encryption techniques. The proposed approach introduces a novel combination of Convolutional Neural Networks (CNN) and Isolation Forest (iForest) for detecting ransomware in network traffic patterns, providing a significant alternative to traditional signature-based and heuristic methods. The CNN component effectively captures high-level spatial relationships between packet sequences, while iForest isolates anomalous traffic patterns associated with ransomware activity. The hybrid model demonstrates robust performance in distinguishing between benign and ransomware-infected traffic flows, achieving high accuracy and minimizing false positives. Extensive experiments on publicly available datasets highlight the model’s adaptability in detecting previously unseen ransomware variants, offering scalability and computational efficiency suitable for real-time network monitoring. The findings suggest that this approach has the potential to enhance cybersecurity defenses against evolving ransomware threats. Computer Architecture and Engineering ransomware network traffic machine learning anomaly detection CNN iForest Full Text Additional Declarations The authors declare no competing interests. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-5278706","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":366978416,"identity":"016c6470-12bc-46b8-94d9-c1355153784d","order_by":0,"name":"Frank Alzonem","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA0UlEQVRIiWNgGAWjYBAC+8PMDWAGvwSYSkggqMWAvRGiRXIGA2MDcVp4DkK0GNwgWotEYvOHjztsoo1vNx9/XFGRlsfAfvjoBnxa7CUSGwxnnknL3XbnWGLjmTM5xQw8aWk3CNjSkMzbdjh3240cw8bGtorEBgkeM/xa5B82HOZt+5+7eQbRWiQSG5t52w7kbpAAa8khSksz48y25NwZN9ISZzacSUtsI+yX5MMfPrbZ5fbPSD7wsaEiObGf/fAxvFowARtpykfBKBgFo2AUYAMAUQxTdT327V8AAAAASUVORK5CYII=","orcid":"https://orcid.org/0009-0008-4151-8283","institution":"","correspondingAuthor":true,"prefix":"","firstName":"Frank","middleName":"","lastName":"Alzonem","suffix":""},{"id":366978417,"identity":"f34d6bc9-cbd0-4308-ba5e-47bad7c0d6c7","order_by":1,"name":"Guillermo Albrecht","email":"","orcid":"","institution":"","correspondingAuthor":false,"prefix":"","firstName":"Guillermo","middleName":"","lastName":"Albrecht","suffix":""},{"id":366978418,"identity":"22a2aefd-7119-4c4a-a75f-dacf1f207212","order_by":2,"name":"Dimitrios Castellanos","email":"","orcid":"","institution":"","correspondingAuthor":false,"prefix":"","firstName":"Dimitrios","middleName":"","lastName":"Castellanos","suffix":""},{"id":366978419,"identity":"d4a45a33-cead-45a0-9045-712b7bb7de83","order_by":3,"name":"Matthias Vandermeer","email":"","orcid":"","institution":"","correspondingAuthor":false,"prefix":"","firstName":"Matthias","middleName":"","lastName":"Vandermeer","suffix":""},{"id":366978420,"identity":"17127d8c-a4a4-47ab-bb9c-000e9a0ceb72","order_by":4,"name":"Bernard Stansfield","email":"","orcid":"","institution":"","correspondingAuthor":false,"prefix":"","firstName":"Bernard","middleName":"","lastName":"Stansfield","suffix":""}],"badges":[],"createdAt":"2024-10-17 00:32:58","currentVersionCode":1,"declarations":{"humanSubjects":false,"vertebrateSubjects":false,"conflictsOfInterestStatement":false,"humanSubjectEthicalGuidelines":false,"humanSubjectConsent":false,"humanSubjectClinicalTrial":false,"humanSubjectCaseReport":false,"vertebrateSubjectEthicalGuidelines":false},"doi":"10.21203/rs.3.rs-5278706/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-5278706/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":66925633,"identity":"3f8bbe03-1f44-4992-ab7a-3ae750eda64b","added_by":"auto","created_at":"2024-10-18 06:06:18","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":233746,"visible":true,"origin":"","legend":"","description":"","filename":"pre.pdf","url":"https://assets-eu.researchsquare.com/files/rs-5278706/v1_covered_9038e12f-d0a1-40e3-86c0-2018f5704479.pdf"}],"financialInterests":"The authors declare no competing interests.","formattedTitle":"\u003cp\u003eRansomware Detection Using Convolutional Neural Networks and Isolation Forests in Network Traffic Patterns\u003c/p\u003e","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":true,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"ransomware, network traffic, machine learning, anomaly detection, CNN, iForest","lastPublishedDoi":"10.21203/rs.3.rs-5278706/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-5278706/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eRansomware has rapidly become one of the most disruptive cyber threats, targeting critical infrastructures and sensitive data with sophisticated encryption techniques. The proposed approach introduces a novel combination of Convolutional Neural Networks (CNN) and Isolation Forest (iForest) for detecting ransomware in network traffic patterns, providing a significant alternative to traditional signature-based and heuristic methods. The CNN component effectively captures high-level spatial relationships between packet sequences, while iForest isolates anomalous traffic patterns associated with ransomware activity. The hybrid model demonstrates robust performance in distinguishing between benign and ransomware-infected traffic flows, achieving high accuracy and minimizing false positives. Extensive experiments on publicly available datasets highlight the model’s adaptability in detecting previously unseen ransomware variants, offering scalability and computational efficiency suitable for real-time network monitoring. The findings suggest that this approach has the potential to enhance cybersecurity defenses against evolving ransomware threats.\t\u003c/p\u003e","manuscriptTitle":"Ransomware Detection Using Convolutional Neural Networks and Isolation Forests in Network Traffic Patterns","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2024-10-18 05:58:11","doi":"10.21203/rs.3.rs-5278706/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"39fc9a56-8f8d-43d4-9e5d-f48e0f358e2f","owner":[],"postedDate":"October 18th, 2024","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[{"id":39048747,"name":"Computer Architecture and Engineering"}],"tags":[],"updatedAt":"2024-10-18T05:58:11+00:00","versionOfRecord":[],"versionCreatedAt":"2024-10-18 05:58:11","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-5278706","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-5278706","identity":"rs-5278706","version":["v1"]},"buildId":"qtupq5eGEP_6zYnWcrvyt","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}