Hybrid Risk-Based Detection of Ransomware in IoMT Using ML and Temporal Convolutional Networks
June 1, 2025
Introduction
Ransomware attacks are a growing threat to IoMT systems, where continuous operation and data integrity are critical. Traditional detection methods—static rules or snapshot-based classifiers—struggle to catch stealthy attacks that evolve over time. This study proposes a hybrid framework that models the temporal evolution of risk rather than isolated anomalies.
Core Idea
The approach consists of two stages:
Risk Scoring: A supervised ML model (Random Forest or XGBoost) analyzes engineered features (e.g., CPU usage, alert amplitude) to produce a risk probability per sample.
Temporal Modeling: These probabilities are structured into time series and analyzed by a Temporal Convolutional Network (TCN) to detect behavior patterns over time.
This setup allows the system to identify both abrupt attacks and stealthy threats that escape static inspection.
Experimental Setup
A custom IoMT dataset (≈ 50,000 samples) simulates telemetry from infusion pumps under four states: normal, benign anomalies, stealth ransomware, and brutal ransomware. Key engineered features include:
Risk Signal Score: captures subtle behavioral drift
Alert Amplitude: reacts to sudden spikes
The TCN consumes the time-ordered risk probabilities as a sequence, so it learns patterns across consecutive samples (drift, ramps, intermittent bursts) rather than judging each sample in isolation.
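The two-stage pipeline from Core Idea and the "time-structured probabilities" above, as an added example that is not code from the paper: stage 1 is a stand-in logistic risk scorer with hand-set weights over the two named features (the paper uses Random Forest/XGBoost), and stage 2 is a causal dilated 1-D convolution, the building block of a TCN, applied with a fixed upward-drift kernel instead of learned weights. The telemetry streams, feature weights, window sizes and thresholds are all constructed assumptions chosen so the run is deterministic; the point the block shows is why a per-sample threshold misses a slow ramp that a causal convolution over the risk series catches.

```python
import math

# Stage 1 stand-in: a fixed logistic risk scorer over two engineered features.
# The paper uses Random Forest / XGBoost; these weights are constructed for
# illustration so the example is deterministic and dependency-free.
CPU_CENTER, CPU_WEIGHT = 0.55, 6.0
AMP_CENTER, AMP_WEIGHT = 0.50, 4.0


def risk_probability(cpu_usage, alert_amplitude):
    """Per-sample risk probability in (0, 1) from normalised CPU usage and alert amplitude."""
    z = CPU_WEIGHT * (cpu_usage - CPU_CENTER) + AMP_WEIGHT * (alert_amplitude - AMP_CENTER)
    return 1.0 / (1.0 + math.exp(-z))


def risk_series(telemetry):
    """Stage 1 output: one risk probability per telemetry sample, kept in time order."""
    return [risk_probability(cpu, amp) for cpu, amp in telemetry]


def causal_dilated_conv(series, kernel, dilation=1):
    """Causal dilated 1-D convolution, the core TCN operation.

    out[t] uses only series[t - i*dilation] for i = 0..len(kernel)-1, so no future
    sample leaks into the output. The input is left-padded with its first value so
    the output has the same length; zero padding would fake a jump at t = 0.
    """
    pad = (len(kernel) - 1) * dilation
    padded = [series[0]] * pad + list(series)
    return [sum(w * padded[pad + t - i * dilation] for i, w in enumerate(kernel))
            for t in range(len(series))]


def receptive_field(kernel_size, dilations):
    """Number of past samples visible to a stack of causal layers with these dilations."""
    return 1 + (kernel_size - 1) * sum(dilations)


# Fixed "drift" kernel: kernel[0] weights the newest sample. With dilation 8 it
# compares the mean of samples t and t-8 with the mean of t-16 and t-24 (receptive
# field 25). A trained TCN learns such kernels; this one is hand-set (an assumption)
# so the behaviour is explicit.
DRIFT_KERNEL = [0.5, 0.5, -0.5, -0.5]
DRIFT_DILATION = 8


def static_alarm(probs, threshold=0.5):
    """Snapshot detector: fires if any single sample crosses the risk threshold."""
    return any(p >= threshold for p in probs)


def temporal_alarm(probs, drift_threshold=0.03):
    """Temporal detector: fires if risk drifts upward by more than the threshold
    across the kernel's receptive field, even if no sample is individually risky."""
    drift = causal_dilated_conv(probs, DRIFT_KERNEL, DRIFT_DILATION)
    return max(drift) >= drift_threshold


def constructed_telemetry(state, steps=64):
    """Constructed (cpu_usage, alert_amplitude) streams; not real infusion-pump data."""
    if state == "normal":            # small periodic load variation, no alerts
        return [(0.45 + 0.02 * math.sin(t / 3), 0.40) for t in range(steps)]
    if state == "stealth":           # CPU creeps up slowly, alert channel stays quiet
        return [(0.40 + 0.16 * t / (steps - 1), 0.40) for t in range(steps)]
    if state == "brutal":            # abrupt jump in both features at step 40
        return [(0.40, 0.40) if t < 40 else (0.90, 0.90) for t in range(steps)]
    raise ValueError(f"unknown state: {state}")


def evaluate(state):
    """Return (static_fires, temporal_fires) for a constructed state."""
    probs = risk_series(constructed_telemetry(state))
    return static_alarm(probs), temporal_alarm(probs)


if __name__ == "__main__":
    for state in ("normal", "stealth", "brutal"):
        static, temporal = evaluate(state)
        print(f"{state:8s} static={static!s:5s} temporal={temporal}")
```

In the stealth stream every per-sample probability stays below 0.5 (the last one is about 0.42), so the snapshot detector never fires, while the drift across the 25-sample receptive field reaches roughly 0.057 and trips the temporal detector; the brutal stream trips both, and the periodic normal stream trips neither. Replacing the fixed kernel with learned weights, and the logistic scorer with the paper's tree models, is what turns this sketch into the framework described above.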
Model Performance (AUC and F1 scores)

Model                     AUC      F1-Score
XGBoost baseline          0.7509   0.4371
XGBoost + TCN             0.8441   0.6402
Random Forest baseline    0.7574   0.2939
Random Forest + TCN       0.8223   0.6525
Adding the TCN stage raised AUC by roughly 0.06 to 0.09 and F1 by 0.20 (XGBoost) and 0.36 (Random Forest). The authors attribute the gain mainly to higher recall, i.e. fewer false negatives, particularly on stealth ransomware, which the per-sample baselines miss most often.
Why It Matters
Stealth ransomware mimics legitimate telemetry, so a per-sample threshold on static features is insufficient. By learning how risk evolves over time, the system detects such attacks earlier and more reliably without requiring high computational power. The modular, interpretable architecture (a conventional classifier feeding a small temporal model) is well suited to real-time deployment on constrained medical devices.
Conclusion
This work introduces a way to use machine learning outputs not only as predictions but as inputs to a temporal model. The two-phase design gives better visibility into ransomware progression, especially for attacks that are slow, hidden, or intermittent. The framework offers a lightweight, deployable solution for secure IoMT environments and can be extended to other time-critical infrastructures.