Sequence Learning over Behavioral Attack Patterns for Early Detection of Human-Operated Ransomware

Human-operated ransomware (HoR) is one of the most persistent and evolving threats in cybersecurity, as attackers use changing tactics, techniques, and procedures (TTPs) to evade traditional detection. The lack of structured and publicly available TTP-level datasets has limited the development of models capable of identifying HoR behavior early. In this study, we construct a dataset of TTP sequences from fifteen prominent ransomware families observed in 2023 and 2024, structured according to the MITRE ATT&CK framework. We evaluate a range of sequence modeling approaches, including Markov chains, n-gram analysis, LSTM, GRU, and RNN, to classify ransomware behavior based on the progression of observed TTPs. The RNN model achieved the highest accuracy of 82% and an AUC of 0.9694 (95% CI: 0.0087 to 0.0168), with an average false positive rate between 0.0087 and 0.0168 using 10-fold cross-validation. SMOTE was used to address class imbalance, improving model accuracy by 6% (from 76% to 82%). These results show that learning from ordered TTP patterns can support timely detection of ransomware activity, enabling earlier intervention in threat response workflows.

• Publication year

  2025

• Venue

  Digital Threats: Research and Practice

• Publication date

  2025-12-26

• Fields of study

  Not labeled

• Identifiers
  DOI 10.1145/3786772
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• DeepOP: A Hybrid Framework for MITRE ATT&CK Sequence Prediction via Deep Learning and Ontology

  2025cited by this paper
• A hybrid ensemble model for ransomware detection using feature engineering and deep learning

  2025influential reference
• Decoding shadows: Towards Tactics, Techniques, and Procedures (TTP)-based Advanced Persistent Threat (APT) attribution

  2025cited by this paper
• Deciphering Ransomware: Strategic API Usage and Behavioral Patterns for Advanced Detection Techniques

  2025cited by this paper
• RansomFormer: A Cross-Modal Transformer Architecture for Ransomware Detection via the Fusion of Byte and API Features

  2025influential reference
• Hierarchical Manifold Projection for Ransomware Detection: A Novel Geometric Approach to Identifying Malicious Encryption Patterns

  2025influential reference
• Neural Encrypted State Transduction for Ransomware Classification: A Novel Approach Using Cryptographic Flow Residuals

  2025influential reference
• Entropy-Synchronized Neural Hashing for Unsupervised Ransomware Detection

  2025cited by this paper
• The Evolution of Ransomware: Tactics, Techniques, and Mitigation Strategies

  2024cited by this paper
• Exploiting TTPs to Design an Extensible and Explainable Malware Detection System

  2024cited by this paper
• IPMES: A Tool for Incremental TTP Detection Over the System Audit Event Stream

  2024cited by this paper
• CloudIntellMal: An advanced cloud based intelligent malware detection framework to analyze android applications

  2024cited by this paper
• Machine Learning Techniques for Cyberattack Prevention in IoT Systems: A Comparative Perspective of Cybersecurity and Cyberdefense in Colombia

  2024cited by this paper
• Ransomware Detection Using Machine Learning: A Survey

  2023cited by this paper
• Applying staged event-driven access control to combat ransomware

  2023cited by this paper
• Similarity Analysis of Ransomware Attacks Based on ATT&CK Matrix

  2023cited by this paper
• Crypto-Ransomware: A Revision of the State of the Art, Advances and Challenges

  2023cited by this paper
• Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques

  2022cited by this paper
• A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

  2021cited by this paper
• Ransomware Analysis using Cyber Kill Chain

  2021cited by this paper
• Cyber-Attack Scoring Model Based on the Offensive Cybersecurity Framework

  2021cited by this paper
• Ransomware: Recent advances, analysis, challenges and future research directions

  2021cited by this paper
• When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features

  2020influential reference
• Ransomware Detection using Random Forest Technique

  2020influential reference
• A New Method for Ransomware Detection Based on PE Header Using Convolutional Neural Networks

  2020influential reference
• Ransomware Prevention and Mitigation Techniques

  2020cited by this paper
• Intelligent and Dynamic Ransomware Spread Detection and Mitigation in Integrated Clinical Environments

  2019influential reference
• RansomWall: A layered defense system against cryptographic ransomware attacks using machine learning

  2018influential reference
• RWGuard: A Real-Time Detection System Against Cryptographic Ransomware

  2018influential reference
• Detecting crypto-ransomware in IoT networks based on energy consumption footprint

  2017cited by this paper
• Integrated Static and Dynamic Analysis for Malware Detection

  2015influential reference
• A Study on Advanced Persistent Threats

  2014cited by this paper

• No citing papers are available for this paper.