iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system

Jamil Ispahany; MD Rafiqul Islam; M. Arif Khan; MD Zahid Islam

doi:10.1007/978-981-96-1483-7_4

iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system

Research output: Book chapter/Published conference paper › Chapter (peer-reviewed) › peer-review

Abstract

In response to the increasing ransomware threat, this study presents a novel detection system that combines parallel Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks. By leveraging Sysmon logs, the system enables real-time analysis on Windows-based endpoints. Our approach overcomes the limitations of traditional models by employing batch-based incremental learning, allowing the system to continuously adapt to new ransomware variants without requiring full retraining. The proposed model achieved an impressive average F2 score of 99.57%, with low false positive and false negative rates of 0.16% and 4.89%, respectively, within a highly imbalanced dataset, demonstrating exceptional accuracy in detecting malicious behaviour. The dynamic detection capabilities of Sysmon enhance the model’s effectiveness by providing a continuous stream of security events, reducing the vulnerabilities associated with static detection methods. Additionally, the parallel processing of LSTM and CNN modules, along with attention mechanisms, enables our system to achieve the highest F2 score and the lowest false negative rate compared to other popular deep learning algorithms for ransomware detection, making it highly suitable for real-world applications. These results underscore the potential of our iCNN-LSTM framework as a robust solution for real-time ransomware detection, ensuring adaptability and resilience against evolving cyber threats.

Original language	English
Title of host publication	Web information systems engineering – WISE 2024 PhD symposium, demos and workshops - WEB-for-GOOD 2024, AIWDA 2024, SWIFT-AG 2024, Proceedings
Editors	Mahmoud Barhamgi, Hua Wang, Xin Wang, Esma Aïmeur, Michael Mrissa, Belkacem Chikhaoui, Khouloud Boukadi, Rima Grati, Zakaria Maamar
Place of Publication	Singapore
Publisher	Springer
Pages	46-60
Number of pages	15
ISBN (Electronic)	978-981-96-1483-7
ISBN (Print)	978-981-96-1482-0
DOIs	https://doi.org/10.1007/978-981-96-1483-7_4
Publication status	Published - Feb 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	15463 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Access to Document

10.1007/978-981-96-1483-7_4

Cite this

Ispahany, J., Islam, MD. R., Khan, M. A., & Islam, MD. Z. (2025). iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system. In M. Barhamgi, H. Wang, X. Wang, E. Aïmeur, M. Mrissa, B. Chikhaoui, K. Boukadi, R. Grati, & Z. Maamar (Eds.), Web information systems engineering – WISE 2024 PhD symposium, demos and workshops - WEB-for-GOOD 2024, AIWDA 2024, SWIFT-AG 2024, Proceedings (pp. 46-60). (Lecture Notes in Computer Science; Vol. 15463 LNCS). Springer. https://doi.org/10.1007/978-981-96-1483-7_4

Ispahany, Jamil ; Islam, MD Rafiqul ; Khan, M. Arif et al. / iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system. Web information systems engineering – WISE 2024 PhD symposium, demos and workshops - WEB-for-GOOD 2024, AIWDA 2024, SWIFT-AG 2024, Proceedings. editor / Mahmoud Barhamgi ; Hua Wang ; Xin Wang ; Esma Aïmeur ; Michael Mrissa ; Belkacem Chikhaoui ; Khouloud Boukadi ; Rima Grati ; Zakaria Maamar. Singapore : Springer, 2025. pp. 46-60 (Lecture Notes in Computer Science).

@inbook{68b9cac8fa4342868a2c6dec6cd9f056,

title = "iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system",

abstract = "In response to the increasing ransomware threat, this study presents a novel detection system that combines parallel Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks. By leveraging Sysmon logs, the system enables real-time analysis on Windows-based endpoints. Our approach overcomes the limitations of traditional models by employing batch-based incremental learning, allowing the system to continuously adapt to new ransomware variants without requiring full retraining. The proposed model achieved an impressive average F2 score of 99.57\%, with low false positive and false negative rates of 0.16\% and 4.89\%, respectively, within a highly imbalanced dataset, demonstrating exceptional accuracy in detecting malicious behaviour. The dynamic detection capabilities of Sysmon enhance the model{\textquoteright}s effectiveness by providing a continuous stream of security events, reducing the vulnerabilities associated with static detection methods. Additionally, the parallel processing of LSTM and CNN modules, along with attention mechanisms, enables our system to achieve the highest F2 score and the lowest false negative rate compared to other popular deep learning algorithms for ransomware detection, making it highly suitable for real-world applications. These results underscore the potential of our iCNN-LSTM framework as a robust solution for real-time ransomware detection, ensuring adaptability and resilience against evolving cyber threats.",

keywords = "ransomware detection, CNN-LSTM, deep-learning, incremental-learning",

author = "Jamil Ispahany and Islam, \{MD Rafiqul\} and Khan, \{M. Arif\} and Islam, \{MD Zahid\}",

year = "2025",

month = feb,

doi = "10.1007/978-981-96-1483-7\_4",

language = "English",

isbn = "978-981-96-1482-0",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "46--60",

editor = "Mahmoud Barhamgi and Hua Wang and Xin Wang and Esma A{\"i}meur and Michael Mrissa and Belkacem Chikhaoui and Khouloud Boukadi and Rima Grati and Zakaria Maamar",

booktitle = "Web information systems engineering – WISE 2024 PhD symposium, demos and workshops - WEB-for-GOOD 2024, AIWDA 2024, SWIFT-AG 2024, Proceedings",

address = "United States",

}

Ispahany, J, Islam, MDR , Khan, MA & Islam, MDZ 2025, iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system. in M Barhamgi, H Wang, X Wang, E Aïmeur, M Mrissa, B Chikhaoui, K Boukadi, R Grati & Z Maamar (eds), Web information systems engineering – WISE 2024 PhD symposium, demos and workshops - WEB-for-GOOD 2024, AIWDA 2024, SWIFT-AG 2024, Proceedings. Lecture Notes in Computer Science, vol. 15463 LNCS, Springer, Singapore, pp. 46-60. https://doi.org/10.1007/978-981-96-1483-7_4

iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system. / Ispahany, Jamil; Islam, MD Rafiqul ; Khan, M. Arif et al.
Web information systems engineering – WISE 2024 PhD symposium, demos and workshops - WEB-for-GOOD 2024, AIWDA 2024, SWIFT-AG 2024, Proceedings. ed. / Mahmoud Barhamgi; Hua Wang; Xin Wang; Esma Aïmeur; Michael Mrissa; Belkacem Chikhaoui; Khouloud Boukadi; Rima Grati; Zakaria Maamar. Singapore: Springer, 2025. p. 46-60 (Lecture Notes in Computer Science; Vol. 15463 LNCS).

Research output: Book chapter/Published conference paper › Chapter (peer-reviewed) › peer-review

TY - CHAP

T1 - iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system

AU - Ispahany, Jamil

AU - Islam, MD Rafiqul

AU - Khan, M. Arif

AU - Islam, MD Zahid

PY - 2025/2

Y1 - 2025/2

N2 - In response to the increasing ransomware threat, this study presents a novel detection system that combines parallel Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks. By leveraging Sysmon logs, the system enables real-time analysis on Windows-based endpoints. Our approach overcomes the limitations of traditional models by employing batch-based incremental learning, allowing the system to continuously adapt to new ransomware variants without requiring full retraining. The proposed model achieved an impressive average F2 score of 99.57%, with low false positive and false negative rates of 0.16% and 4.89%, respectively, within a highly imbalanced dataset, demonstrating exceptional accuracy in detecting malicious behaviour. The dynamic detection capabilities of Sysmon enhance the model’s effectiveness by providing a continuous stream of security events, reducing the vulnerabilities associated with static detection methods. Additionally, the parallel processing of LSTM and CNN modules, along with attention mechanisms, enables our system to achieve the highest F2 score and the lowest false negative rate compared to other popular deep learning algorithms for ransomware detection, making it highly suitable for real-world applications. These results underscore the potential of our iCNN-LSTM framework as a robust solution for real-time ransomware detection, ensuring adaptability and resilience against evolving cyber threats.

AB - In response to the increasing ransomware threat, this study presents a novel detection system that combines parallel Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks. By leveraging Sysmon logs, the system enables real-time analysis on Windows-based endpoints. Our approach overcomes the limitations of traditional models by employing batch-based incremental learning, allowing the system to continuously adapt to new ransomware variants without requiring full retraining. The proposed model achieved an impressive average F2 score of 99.57%, with low false positive and false negative rates of 0.16% and 4.89%, respectively, within a highly imbalanced dataset, demonstrating exceptional accuracy in detecting malicious behaviour. The dynamic detection capabilities of Sysmon enhance the model’s effectiveness by providing a continuous stream of security events, reducing the vulnerabilities associated with static detection methods. Additionally, the parallel processing of LSTM and CNN modules, along with attention mechanisms, enables our system to achieve the highest F2 score and the lowest false negative rate compared to other popular deep learning algorithms for ransomware detection, making it highly suitable for real-world applications. These results underscore the potential of our iCNN-LSTM framework as a robust solution for real-time ransomware detection, ensuring adaptability and resilience against evolving cyber threats.

KW - ransomware detection

KW - CNN-LSTM

KW - deep-learning

KW - incremental-learning

UR - https://www.scopus.com/pages/publications/105000358531

UR - https://www.scopus.com/pages/publications/105000358531#tab=citedBy

U2 - 10.1007/978-981-96-1483-7_4

DO - 10.1007/978-981-96-1483-7_4

M3 - Chapter (peer-reviewed)

SN - 978-981-96-1482-0

T3 - Lecture Notes in Computer Science

SP - 46

EP - 60

BT - Web information systems engineering – WISE 2024 PhD symposium, demos and workshops - WEB-for-GOOD 2024, AIWDA 2024, SWIFT-AG 2024, Proceedings

A2 - Barhamgi, Mahmoud

A2 - Wang, Hua

A2 - Wang, Xin

A2 - Aïmeur, Esma

A2 - Mrissa, Michael

A2 - Chikhaoui, Belkacem

A2 - Boukadi, Khouloud

A2 - Grati, Rima

A2 - Maamar, Zakaria

PB - Springer

CY - Singapore

ER -

Ispahany J, Islam MDR , Khan MA , Islam MDZ. iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system. In Barhamgi M, Wang H, Wang X, Aïmeur E, Mrissa M, Chikhaoui B, Boukadi K, Grati R, Maamar Z, editors, Web information systems engineering – WISE 2024 PhD symposium, demos and workshops - WEB-for-GOOD 2024, AIWDA 2024, SWIFT-AG 2024, Proceedings. Singapore: Springer. 2025. p. 46-60. (Lecture Notes in Computer Science). doi: 10.1007/978-981-96-1483-7_4

iCNN-LSTM: An incremental CNN-LSTM based ransomware detection system

Abstract

Publication series

Access to Document

Other files and links

Fingerprint

Cite this