A Bio-Inspired Behavior-Based Hybrid Framework for Ransomware Detection

Ransomware remains a critical and evolving cybersecurity threat, increasingly rendering traditional signature-based detection techniques ineffective. While modern machine learning models achieve high detection accuracy, they often operate as opaque “black boxes”, introducing a significant explainability gap that undermines analyst trust. In addition, behavior-based anomaly detection systems frequently suffer from high false-positive rates, limiting their operational viability. To address these challenges, this study adopts a Design Science Research Methodology to develop a novel, interpretable, multi-stage ransomware detection framework. The proposed architecture integrates three complementary components: a bio-inspired Negative Selection Algorithm from Artificial Immune Systems to filter benign behavioral patterns, a first-order Markov chain model to capture probabilistic deviations in execution sequences, and a Random Forest ensemble classifier to synthesize these signals for final decision-making. The framework is evaluated using a dual-pipeline experimental design on real-world ransomware and benign software samples, enabling controlled comparison between probabilistic and pattern-based behavioral modeling. Experimental results demonstrate that the proposed approach achieves high detection performance while maintaining a low false-positive rate and providing interpretable behavioral evidence. Overall, the framework offers a principled balance between detection effectiveness and interpretability, addressing key limitations of existing ransomware detection systems.