Secure Heartbeat-Driven Detection of Ransomware in ECG-Based IoMT Devices
April 30, 2025
Introduction
Ransomware poses a major threat to the Internet of Medical Things (IoMT), where real-time data and system integrity are critical. This project presents a hybrid detection framework that combines classical metrics (like CPU and Disk activity) with lightweight behavioral indicators derived from a secure heartbeat protocol.
Core Idea
Three novel security features were proposed:
Heartbeat Delay: Detects anomalies in system scheduling.
Token Validity: Ensures authenticity of signed messages.
These were extracted from secure, timestamped messages periodically sent by ECG-based devices, and embedded in a private telemetry dataset.
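A gateway-side sketch of how such features could be computed from heartbeats, as an added example that is not the project's own code. The message fields, the HMAC-SHA256 token, the 5-second period, and reading "hash consistency" as a reported file digest matching a baseline are all assumptions, and the sample messages are constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # assumption: per-device shared secret
INTERVAL = 5.0                   # assumption: expected heartbeat period (s)


def sign(body: dict) -> str:
    """HMAC-SHA256 over the canonical JSON body (assumed token scheme)."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, raw, hashlib.sha256).hexdigest()


def make_heartbeat(seq: int, sent_at: float, file_hash: str) -> dict:
    """Device side: build a signed, timestamped heartbeat (hypothetical format)."""
    body = {"seq": seq, "ts": sent_at, "file_hash": file_hash}
    return {**body, "token": sign(body)}


def extract_features(messages, baseline_hash):
    """Gateway side: one feature row per heartbeat."""
    rows, prev_ts = [], None
    for msg in messages:
        body = {k: v for k, v in msg.items() if k != "token"}
        token_valid = hmac.compare_digest(sign(body), msg.get("token", ""))
        # Delay = how late this beat is relative to the expected period.
        delay = 0.0 if prev_ts is None else (msg["ts"] - prev_ts) - INTERVAL
        rows.append({
            "seq": msg["seq"],
            "heartbeat_delay": round(delay, 3),
            "token_valid": int(token_valid),
            "hash_consistent": int(msg["file_hash"] == baseline_hash),
        })
        prev_ts = msg["ts"]
    return rows


def constructed_sample():
    """Constructed trace: one late beat with a changed file, one bad token."""
    good = hashlib.sha256(b"firmware-v1").hexdigest()
    changed = hashlib.sha256(b"encrypted-blob").hexdigest()
    beats = [
        make_heartbeat(1, 100.0, good),
        make_heartbeat(2, 105.0, good),
        make_heartbeat(3, 112.4, changed),  # 2.4 s late, watched file changed
        make_heartbeat(4, 117.4, good),
    ]
    beats[3]["token"] = "0" * 64            # token that does not verify
    return extract_features(beats, good)
```

Each row can be appended to the resource metrics (CPU, disk) for the same time window before it is passed to the classifier.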
Experimental Setup
Over 60,000 samples were collected with 4 types of events: normal, anomalies, brutal ransomware, and stealth ransomware. Models were evaluated with and without behavioral features.
AUC Improvements (Random Forest):
Baseline: 0.739
+Heartbeat Delay: 0.894
+Hash Consistency: 0.918
+Token Validity: 0.933
These features significantly improved recall and reduced false negatives, especially for stealth attacks.
Why It Matters
Stealth ransomware mimics normal behavior. Traditional detection fails here. By observing how the device behaves—its timing, file integrity, and message validity—we improved robustness without adding heavy computation. The framework supports real-time alerts and is deployable at the IoMT gateway level.
Conclusion
This work shows that ransomware detection in healthcare must evolve beyond resource metrics. Lightweight, behavior-aware features enhance both speed and reliability. The model can be adapted to various medical and industrial settings.