Abstract
The use of multi-threading and file prioritization methods has accelerated the speed at which ransomware encrypts files. To minimize file loss during the ransomware attack, detecting file modifications at the earliest execution stage is considered very important. To achieve this, selecting files as traps and monitoring changes to them is a practical way to deal with modern ransomware variants. This approach minimizes overhead on the endpoint, facilitating early identification of ransomware. This paper evaluates various machine learning-based trap selection methods for reducing file loss, detection delay, and endpoint overhead. We specifically examine non-parametric clustering methods such as Affinity Propagation, Gaussian Mixture Models, Mean Shift, and Optics to assess their effectiveness in trap selection for ransomware detection. These methods select M files from a directory with N files (M<N) and use them as traps. In order to address the shortcomings of existing machine learning-based trap selection methods, we propose APFO (Affinity Propagation with File Order). This method is an improvement upon existing non-parametric clustering-based trap selection methods, and it helps to reduce the amount of file loss and detection delay encountered. APFO demonstrates a minimal file loss percentage of 0.32 contemporary ransomware variants, including rapid encryption variants of lock-bit, AvosLocker, and Babuk.