Federated Cyber Defense: Privacy-Preserving Ransomware Detection Across Distributed Systems

Daniel M. Jimenez-Gutierrez, Enrique Zuazua, Joaquin Del Rio, Oleksii Sliusarenko, Xabi Uribe-Etxebarria

TL;DR

This study addresses the challenge of detecting ransomware in distributed, privacy-constrained environments by applying Federated Learning on the Sherpa.ai platform. By comparing centralized, federated, and local training across RanSAP-derived datasets on four servers, the authors demonstrate that federated learning yields a 9% relative improvement over the best-performing local models and approaches centralized performance while preserving data privacy. The work highlights the practicality of FL for cybersecurity vendors operating at scale, where data cannot leave customer environments due to regulatory constraints. The findings support a privacy-preserving, scalable threat-detection paradigm that can be deployed across millions of endpoints without compromising sensitive telemetry.

Abstract

Detecting malware, especially ransomware, is essential to securing today's interconnected ecosystems, including cloud storage, enterprise file-sharing, and database services. Training high-performing artificial intelligence (AI) detectors requires diverse datasets, which are often distributed across multiple organizations, making centralization necessary. However, centralized learning is often impractical due to security, privacy regulations, data ownership issues, and legal barriers to cross-organizational sharing. Compounding this challenge, ransomware evolves rapidly, demanding models that are both robust and adaptable. In this paper, we evaluate Federated Learning (FL) using the Sherpa.ai FL platform, which enables multiple organizations to collaboratively train a ransomware detection model while keeping raw data local and secure. This paradigm is particularly relevant for cybersecurity companies (including both software and hardware vendors) that deploy ransomware detection or firewall systems across millions of endpoints. In such environments, data cannot be transferred outside the customer's device due to strict security, privacy, or regulatory constraints. Although FL applies broadly to malware threats, we validate the approach using the Ransomware Storage Access Patterns (RanSAP) dataset. Our experiments demonstrate that FL improves ransomware detection accuracy by a relative 9% over server-local models and achieves performance comparable to centralized training. These results indicate that FL offers a scalable, high-performing, and privacy-preserving framework for proactive ransomware detection across organizational and regulatory boundaries.

Paper Structure

This paper contains 23 sections, 14 equations, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Privacy-preserving FL over customers' endpoints (servers): each server trains locally on its own logs (data) and shares only model updates; no raw data leaves the servers.
  • Figure 2: ML lifecycle for ransomware detection. During the training phase, labeled data comprising benign software (benignware) and known ransomware samples is used to train and validate a predictive model. In the protection phase, the trained model is deployed to classify unseen executables, enabling real-time ransomware detection based on their behavioral or static characteristics. Image modified from Herrera et al. [herrera2023dynamic].
  • Figure 3: Overview of the RanSAP data collection environment. A write-protected USB containing BitVisor boots the test machine. The hypervisor intercepts AT Bus Attachment (ATA) input/output operations between the Windows OS and the storage device using the Advanced Host Controller Interface (AHCI) protocol. These access patterns are transmitted via a 10 Gbps Ethernet connection using User Datagram Protocol (UDP) to a monitoring machine, which records them as CSV files. Image modified from Hirano et al. [hirano2022ransap].
  • Figure 4: Centralized architecture.
  • Figure 5: Federated architecture implemented on the Sherpa.ai FL platform (https://www.sherpa.ai/).
  • ...and 1 more figure

Theorems & Definitions (2)

  • Remark 1: Existence of solutions
  • Remark 2: Convexity