Abstract

Purpose
This research examines the feasibility and effectiveness of detecting ransomware attacks in quasi real-time by leveraging AI-based monitoring of centralized file operations. As ransomware continues to evolve in speed and complexity, traditional endpoint protection mechanisms often fall short, especially in environments with limited client-side defense. The goal is to determine whether lightweight, server-side monitoring combined with machine learning can provide a quasi real-time and accurate detection mechanism without relying on client instrumentation.

Applied methodology
A virtualized SME (small- and medium-sized enterprise) infrastructure was developed, simulating realistic user behavior through automated file operations and randomly triggered attacks by ransomware samples (Ryuk, NotPetya, LockBit, TeslaCrypt, and WannaCry). A nanosecond-scale time-stamped logging mechanism was implemented using Fluent Bit and InfluxDB to track file creation, renaming, and deletion events. Five classic and ensemble machine learning models (Random Forest, Decision Tree, SVM, AdaBoost, XGBoost) were trained and optimized using supervised learning on file operation sequences aggregated over one-second intervals.

Results
The comparative evaluation of the models showed that all five achieved reliable detection performance, but XGBoost outperformed the others with a sensitivity of 91.87% and prediction speeds below 1 ms. The model identified ransomware activity during the early phases of execution in the majority of test cases, even when operating in a high-noise environment with real-world file usage patterns.

Conclusions
Monitoring centralized file activity offers a practical and efficient means for detecting ransomware attacks without requiring access to client systems or process-level telemetry. Because the system uses only three simple file operation metrics and binary classification, it does not require complex, resource-intensive behavioral models.

Contribution
This study presents a scalable, quasi real-time detection framework that complements existing security layers and is especially valuable in scenarios where endpoint protection is weak or inconsistent. The findings highlight an alternative direction in ransomware defense that emphasizes simplicity, performance, and deployability.
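The pipeline the abstract describes (nanosecond-stamped create/rename/delete events, aggregated into one-second windows of three counts, labelled and fed to a supervised binary classifier, then scored for sensitivity) in miniature, as an added example that is not the paper's code. A one-level decision tree stands in for the Random Forest / XGBoost models the paper evaluates, the event stream is constructed synthetically rather than captured from Fluent Bit or InfluxDB, and every function and parameter name here (aggregate_windows, train_stump, synth_events, the attack intervals) is an assumption of this example. The synthetic workload deliberately includes a benign "backup" second that creates and deletes as many files as an encryptor would, so that only the rename count separates the classes; that is the noise problem the abstract refers to, shown on one feature.

```python
"""Added example, not the paper's code: the abstract's pipeline in miniature.
Nanosecond-stamped file events are aggregated into one-second windows holding
the three metrics the paper names (create / rename / delete counts), windows
are labelled by whether an attack was running, and a supervised binary
classifier is trained and scored for sensitivity. A one-level decision tree
stands in for the paper's ensemble models; the events are constructed
synthetically, not captured from Fluent Bit or InfluxDB."""
import random
from collections import defaultdict
from typing import Dict, List, Tuple

NS_PER_S = 1_000_000_000
OPS = ("create", "rename", "delete")      # feature order inside each window

Event = Tuple[int, str]                   # (timestamp_ns, operation)


def aggregate_windows(events: List[Event]) -> Dict[int, List[int]]:
    """Collapse events into per-second windows of [create, rename, delete]
    counts. Seconds with no activity simply do not appear."""
    windows: Dict[int, List[int]] = defaultdict(lambda: [0, 0, 0])
    for ts_ns, op in events:
        windows[ts_ns // NS_PER_S][OPS.index(op)] += 1
    return dict(windows)


def label_windows(windows, attack_ranges):
    """Feature rows plus a 1/0 label: 1 when the window's second falls inside
    any [start, end) attack interval (in seconds)."""
    X, y = [], []
    for sec in sorted(windows):
        X.append(windows[sec])
        y.append(int(any(a <= sec < b for a, b in attack_ranges)))
    return X, y


def train_stump(X, y):
    """One-level decision tree: choose the (feature, threshold) pair with the
    fewest training errors when 'feature >= threshold' means ransomware."""
    best_feature, best_threshold, best_errors = 0, 0.0, len(y) + 1
    for f in range(len(OPS)):
        values = sorted({row[f] for row in X})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            errors = sum((row[f] >= t) != bool(lbl) for row, lbl in zip(X, y))
            if errors < best_errors:
                best_feature, best_threshold, best_errors = f, t, errors
    return best_feature, best_threshold


def predict(stump, row) -> int:
    f, t = stump
    return int(row[f] >= t)


def evaluate(stump, X, y):
    """Sensitivity (attack windows flagged) and specificity (benign windows
    left alone), the two rates an operator weighs against each other."""
    tp = sum(predict(stump, r) for r, lbl in zip(X, y) if lbl)
    tn = sum(1 - predict(stump, r) for r, lbl in zip(X, y) if not lbl)
    return {"sensitivity": tp / sum(y), "specificity": tn / (len(y) - sum(y))}


def synth_events(rng: random.Random, seconds: int, attack_ranges) -> List[Event]:
    """Constructed workload: mostly quiet seconds, occasional benign bursts
    (a build or cleanup job), one backup second that creates and deletes as
    much as an encryptor does but never renames, and attack seconds in which
    files are created, renamed and deleted at a high rate."""
    events = []
    for sec in range(seconds):
        if any(a <= sec < b for a, b in attack_ranges):
            counts = (rng.randint(20, 60), rng.randint(20, 60), rng.randint(20, 60))
        elif sec == 5:                      # nightly backup: noisy but benign
            counts = (60, 0, 60)
        elif rng.random() < 0.1:            # build / cleanup burst
            counts = (rng.randint(10, 40), rng.randint(0, 5), rng.randint(10, 40))
        else:
            counts = (rng.randint(0, 3), rng.randint(0, 2), rng.randint(0, 3))
        for op, n in zip(OPS, counts):
            events += [(sec * NS_PER_S + rng.randrange(NS_PER_S), op) for _ in range(n)]
    return events


def run_demo():
    """Train on one synthetic slice, score on a second one with the attack at
    a different time; returns the learned stump and its metrics."""
    rng = random.Random(42)                 # fixed seed: constructed, repeatable data
    train_attacks = [(40, 70)]
    test_attacks = [(25, 55)]
    X_tr, y_tr = label_windows(aggregate_windows(synth_events(rng, 120, train_attacks)), train_attacks)
    X_te, y_te = label_windows(aggregate_windows(synth_events(rng, 120, test_attacks)), test_attacks)
    stump = train_stump(X_tr, y_tr)
    return stump, evaluate(stump, X_te, y_te)


if __name__ == "__main__":
    stump, metrics = run_demo()
    print("split on", OPS[stump[0]], ">=", stump[1], metrics)
```

Because the backup second pushes the create and delete counts of one benign window up to the encryptor's level, no threshold on either of those features classifies the training set without error, and the stump settles on the rename count. On real traffic the separation is never this clean, which is why the paper reports a sensitivity below 100% and compares several models; the aggregation and labelling steps, however, are the same whichever classifier is placed behind them.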
Gábor Arányi
Tamás Miseta
Veronika Szücs
www.synapsesocial.com/papers/69af959570916d39fea4d4cc — DOI: https://doi.org/10.1186/s13635-026-00229-7