Preprint
Review

This version is not peer-reviewed.

A Survey on A Unified Web-Based Platform for Ransomware Detection and Network Intrusion Analysis

Submitted:

06 April 2026

Posted:

07 April 2026


Abstract
Cyberattacks have grown in sophistication with the emergence of advanced ransomware, zero-day payloads, and complex network intrusions. Existing security systems often focus only on detection, lacking comprehensive real-time response mechanisms. This survey explores the state of the art in AI-powered network monitoring, intrusion detection and prevention, ransomware detection, automated backup and recovery, and autonomous AI-driven ransom negotiation. By analyzing recent IEEE research on ransomware recovery [1], ML-based intrusion detection [2], proactive defense [3], network traffic analysis [4], anti-ransomware vulnerabilities [5], targeted ransomware mitigation [6], and Windows forensic investigations [7], this paper presents a unified framework that integrates machine learning, local large language models (LLMs) via Ollama, and automated self-healing processes. The proposed architecture offers a scalable, privacy-preserving, and intelligent approach to modern cybersecurity challenges.

I. Introduction

Cybersecurity threats have rapidly evolved, with ransomware becoming one of the most disruptive attack vectors. Modern ransomware variants leverage professional negotiation teams, double extortion, and data exfiltration techniques. Concurrently, network intrusions employ stealthy and adaptive methods that bypass signature-based tools.
Figure 1. Proposed Cybersecurity Platform.
Recent studies emphasize the need for automated ransomware detection and recovery [1], ML-enhanced intrusion detection strategies [2], proactive cyber-attack prevention [3], packet-level inspection [4], exploiting weaknesses in anti-ransomware tools [5], targeted ransomware analysis [6], and Windows forensic event analysis [7]. However, no unified platform integrates all these capabilities under a single intelligent ecosystem.
This survey analyses existing approaches and proposes a unified AI-based defence platform featuring:
  • AI/ML-based network traffic monitoring
  • Intrusion detection and prevention system (IDPS)
  • Ransomware detection and prevention
  • AI-powered Ransom Negotiator BOT (using Ollama)
  • Automated backup and recovery (Self-Healing System)

II. Background and Motivation

A. Ransomware Evolution
Modern ransomware families have evolved far beyond simple encryption malware. Current strains employ multi-stage attack pipelines involving infiltration, persistence, lateral movement, privilege escalation, encryption, and extortion. Many advanced variants, such as Conti, LockBit, and ALPHV, use double extortion, combining file encryption with data theft. Studies in [1], [3] and [6] show that ransomware performs reconnaissance before encryption, such as disabling security tools, terminating backup services, erasing shadow copies, and selectively targeting high-value assets.
Behavioural detection models proposed in these works emphasize the importance of monitoring indicators such as entropy spikes, abnormal file modifications, unauthorized privilege changes, and process anomalies. However, most current tools detect ransomware only after encryption has begun, leaving little time for intervention. This highlights a significant deficiency in existing systems: the lack of real-time interception and fully automated pre-encryption response, which the proposed unified platform aims to address.
B. Need for Intrusion Detection
Network intrusions pose major threats to enterprise systems, often serving as the initial entry point for ransomware deployment. Research in [2] demonstrates that ML-based intrusion detection systems significantly outperform traditional signature-based IDS by identifying previously unseen attack patterns. Their evaluation using datasets such as UNSW-NB15 proves that supervised models can capture anomalies related to DoS attacks, brute-force attempts, port scanning, and infiltration traffic.
However, studies also reveal limitations. ML-based IDS primarily detect malicious traffic but do not autonomously block or isolate compromised hosts, requiring manual administrator intervention. Meanwhile, the analysis work in [4] shows the effectiveness of deep packet inspection (DPI) for identifying malicious payloads, though such manual inspection becomes infeasible in high-throughput, real-time environments. These findings collectively highlight the need for IDS solutions that not only classify threats but also perform automated prevention, dynamic firewall rule enforcement, and adaptive remediation, all of which are incorporated into the proposed unified platform.
C. Forensics in Cyber Defence
Digital forensics plays a crucial role in both incident detection and post-attack analysis. Prajapati & Gosai [7] demonstrate that Windows event logs contain critical information that can reveal ransomware activity long before encryption begins. Events such as unusual PowerShell execution (Event ID 4104), suspicious process creation (4688), unauthorized service installation (7045), and registry modifications provide forensic fingerprints of an ongoing attack.
Although forensics is traditionally applied after an attack, the study in [7] highlights that real-time forensic correlation can enable earlier detection. The challenge, however, is the volume and complexity of log data in enterprise environments. Without automated log correlation and AI-driven interpretation, organizations fail to react quickly enough. These findings support integrating forensic log analytics into a proactive, AI-enabled detection system, as adopted in the proposed platform.
D. Motivation for a Unified Platform
A holistic analysis of studies [1,2,3,4,5,6,7] reveals that current cybersecurity solutions remain fragmented and operate in isolation. Existing research covers partial aspects such as ML-driven intrusion detection [2], ransomware behaviour monitoring [1,3], vulnerabilities in anti-malware systems [5], targeted attack analysis [6], and forensic event log detection [7]. However, no prior solution integrates:
  • AI-driven network monitoring
  • ML-based intrusion detection and automated prevention
  • Ransomware behavioural analytics
  • AI-powered negotiation capabilities (LLMs)
  • Automated backup and recovery workflows
  • Real-time forensic correlation
  • On-device LLMs like Ollama for privacy-preserving analysis
This fragmentation creates gaps that sophisticated attackers exploit by transitioning between network intrusion, privilege escalation, lateral movement, and ransomware deployment faster than defenders can respond.

III. Literature Review

A. Ransomware Detection & Recovery
Ransomware remains one of the most damaging cyber threats, with attackers increasingly adopting sophisticated encryption techniques, stealthy propagation, and targeted extortion strategies. Upadhyay et al. [1] present a machine-learning-assisted framework that identifies ransomware patterns based on monitored system activities and file behaviour. Although their study successfully demonstrates early detection and provides recovery support, it lacks end-to-end automation, making real-time mitigation difficult in fast-moving enterprise environments. Notably, their system does not include dynamic negotiation assistance, a growing need given the rise of human-operated ransomware.
Tang [3] expands upon proactive countermeasures, recommending early identification and blocking of suspicious entropy patterns, script execution, and privilege escalation attempts. However, Tang’s model does not integrate a real-time decision engine capable of isolating affected systems, freezing backups, or performing automated rollback during live attacks.
Cheon et al. [5] highlight a significant limitation in static or whitelist-based anti-ransomware techniques by demonstrating how attackers can bypass such defences using DLL side-loading and injection attacks. Their work underscores the need for behavioural and anomaly-based detection, since static rules and whitelists degrade rapidly against modern ransomware variants. Collectively, these studies reveal the necessity of AI-driven, behaviour-focused, self-recovering ransomware defence systems.
B. Intrusion Detection Using Machine Learning (ML)
Network intrusion detection has evolved to include machine learning models capable of identifying anomalies in real-time traffic streams. Rahman et al. [2] evaluate multiple supervised ML classifiers—including Random Forest, Decision Trees, and SVMs—using datasets such as UNSW-NB15. Their findings indicate that ML-based IDS achieve higher accuracy and lower false positives compared to signature-based systems. However, their model lacks the ability to perform automated threat isolation, preventing it from countering live intrusions without manual intervention.
Similarly, Chowhan & Saxena [4] demonstrate the usefulness of deep packet inspection (DPI) using Wireshark for detailed network forensic analysis. Their work provides insights into packet-level behaviour and threat identification but remains largely manual and dependent on user expertise, limiting scalability and automation. These studies collectively highlight that modern IDS solutions must combine ML classification with automated prevention, dynamic firewall updates, and system isolation to effectively mitigate intrusions.
C. Targeted Ransomware Behaviour
Modern ransomware families are increasingly adopting targeted attack vectors where payload behaviour is adapted based on the victim’s system profile, network topology, and privilege structure. The study by C. B. J. et al. [6] demonstrates that targeted ransomware performs pre-encryption reconnaissance to maximize damage and financial return. This includes checking for backup files, disabling security tools, deleting shadow copies, and selecting high-value directories for encryption.
Their findings support the need for adaptive AI monitoring, which adjusts detection heuristics based on evolving threat behaviour. Traditional static models are insufficient because targeted ransomware continuously modifies its indicators of compromise (IOCs), making detection reliant on behavioural anomalies rather than known signatures. These insights emphasize the importance of integrating machine learning, local pattern analysis, and autonomous decision-making into next-generation ransomware defence systems.
D. Forensic Event Log Detection
Event log analysis is a critical component of post-incident investigation and early anomaly detection. Prajapati & Gosai [7] demonstrate that Windows event logs contain crucial indicators of ransomware execution, such as unexpected process creation, registry modifications, privilege escalation attempts, and suspicious file system operations. Their study highlights how correlating logs across various Windows Event IDs (e.g., 4104, 4688, 7045) can uncover ransomware indicators long before encryption begins.
Although log-based analysis is extremely valuable for forensic detection, their approach remains reactive, triggered only after malicious activity is logged. To enhance resilience, such insights must be integrated into autonomous real-time monitoring systems capable of isolating processes, alerting administrators, and initiating rollback operations. The study reinforces the importance of AI-driven log correlation, especially when combined with ML models and local LLMs for automated interpretation.
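The correlation described in Sections II.C and III.D (the same Event IDs, 4104, 4688 and 7045, seen on one host within a short window) can be expressed as a small detector. The following is an added example, not code from the paper or from [7]: it parses constructed log lines in a pipe-separated format assumed here, and it treats Windows Security Event ID 4657 (registry value modified) as the "registry modification" signal, an ID chosen by the editor since the paper names none.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs cited by the paper (4104, 4688, 7045) plus 4657 (registry value
# modified), a standard Windows Security event chosen here as the registry signal.
INDICATORS = {
    4104: "powershell_scriptblock",
    4688: "process_creation",
    7045: "service_install",
    4657: "registry_modification",
}

# Constructed sample log (not from a real system): "timestamp|host|event_id|detail"
SAMPLE_LOG = """\
2026-04-01T10:00:05|WS-01|4624|logon success
2026-04-01T10:01:10|WS-01|4104|ScriptBlock: encoded command executed
2026-04-01T10:01:42|WS-01|4688|New process: vssadmin.exe delete shadows /all
2026-04-01T10:02:30|WS-01|7045|Service installed: updsvc
2026-04-01T10:03:00|WS-01|4657|Registry value modified: HKLM\\...\\Run
2026-04-01T10:20:00|WS-02|4688|New process: notepad.exe
2026-04-01T11:30:00|WS-02|4104|ScriptBlock: Get-ChildItem
"""


def parse_events(text):
    """Turn the assumed pipe-separated export into (time, host, event_id, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, eid, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, int(eid), detail))
    return events


def correlate(text, window=timedelta(minutes=5), min_types=3):
    """Raise one alert per host when at least `min_types` distinct indicator
    categories occur within `window`. A single 4688 is noise; three different
    categories in five minutes on the same host is the pre-encryption pattern
    the cited forensic work describes."""
    alerts = []
    by_host = defaultdict(list)
    for ts, host, eid, detail in parse_events(text):
        if eid in INDICATORS:
            by_host[host].append((ts, eid, detail))
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            types = {INDICATORS[e[1]] for e in in_window}
            if len(types) >= min_types:
                alerts.append({
                    "host": host,
                    "start": t0.isoformat(),
                    "indicators": sorted(types),
                    "events": [(e[0].isoformat(), e[1], e[2]) for e in in_window],
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert["host"], alert["start"], alert["indicators"])
```

WS-01 trips the rule because four categories land inside five minutes; WS-02 shows only two events an hour apart and stays silent. In production the parser would read the EVTX export or a SIEM query instead of the constructed format, and the category map would be tuned to the environment's own baseline of benign 4688/7045 activity.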
E. Gaps Identified
A critical analysis of the literature reveals several gaps:
1. Lack of Automated Recovery Workflows
While [1], [3] and [6] discuss detection and partial remediation, none implements self-healing mechanisms such as automated backup freezing, ransomware process termination, or full system rollback. This gap weakens the effectiveness of current ransomware defences.
2. No Local LLM Integration for Negotiation or Interpretation
None of the works [1]–[7] incorporate local large language models (LLMs) such as Ollama for:
  • ransomware note interpretation
  • negotiation guidance
  • log summarization
  • automated threat reasoning
This is essential for sensitive environments where cloud AI is not permitted.
3. IDS Lacks Real-Time Autonomous Prevention
Studies like [2] provide detection accuracy but cannot prevent or isolate intrusions automatically. This is a critical limitation because modern attacks occur within seconds.
4. Existing Ransomware Systems Are Reactive, Not Predictive
Works such as [3], [5] and [7] describe detection frameworks but do not include:
  • predictive modelling
  • automated risk scoring
  • adaptive ML policies
  • ransomware behaviour forecasting
This limits early-stage mitigation.
5. No Unified System Integrating All Components
Across all references, there is no single platform that integrates:
  • AI network monitoring
  • ML-based IDS
  • behavioural ransomware detection
  • automated backup & recovery
  • AI-based ransom negotiation
  • privacy-preserving local LLMs
This gap justifies the design of the proposed Unified AI-Driven Cybersecurity Platform.

IV. System Components Surveyed

A. AI/ML-Based Network Traffic Monitoring
Using ML models trained on CICIDS2017 and UNSW-NB15, the platform detects anomalies such as sudden traffic spikes, suspicious ports, and protocol deviations. Prior traffic research in [4] reinforces the importance of flow-level analysis.
B. AI-Based Intrusion Detection and Prevention
This module combines anomaly detection (autoencoders, XGBoost) with dynamic firewall rule updates. Inspired by ML IDS findings in [2], the system aims for real-time blocking and host isolation.
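Sections IV.A and IV.B describe flow-level anomaly scoring followed by an automated firewall response. The block below is an added example written for this survey, not the platform's code: it replaces the paper's autoencoder/XGBoost models with a simple z-score baseline so it runs without ML libraries, uses constructed benign flows as the training set, and emits an nftables rule string rather than executing it (the rule syntax is real; the table and chain names `inet filter input` are assumed).

```python
import statistics

# Constructed baseline of benign flows: (src_ip, dst_port, bytes_per_min, packets_per_min)
BASELINE = [
    ("10.0.0.11", 443, 52000, 140), ("10.0.0.12", 443, 48000, 130),
    ("10.0.0.13", 80, 30000, 90),   ("10.0.0.14", 443, 61000, 150),
    ("10.0.0.15", 53, 4000, 40),    ("10.0.0.16", 443, 55000, 135),
]
# Ports this (constructed) segment is expected to talk to
EXPECTED_PORTS = {53, 80, 443}


def fit_baseline(flows):
    """Per-feature mean and population std dev; stands in for the paper's trained model."""
    cols = list(zip(*flows))
    return {
        "bytes": (statistics.mean(cols[2]), statistics.pstdev(cols[2])),
        "packets": (statistics.mean(cols[3]), statistics.pstdev(cols[3])),
    }


def zscore(x, mean, std):
    return 0.0 if std == 0 else (x - mean) / std


def score_flow(flow, model, z_limit=3.0):
    """Return the list of reasons a flow looks anomalous (empty means benign)."""
    src, port, byte_rate, pkt_rate = flow
    reasons = []
    if zscore(byte_rate, *model["bytes"]) > z_limit:
        reasons.append("byte_spike")
    if zscore(pkt_rate, *model["packets"]) > z_limit:
        reasons.append("packet_spike")
    if port not in EXPECTED_PORTS:
        reasons.append(f"unexpected_port:{port}")
    return reasons


def respond(flow, reasons):
    """Prevention policy: two independent signals block the source, one only alerts.
    The nft command is returned, not executed, so an operator can review it."""
    if len(reasons) >= 2:
        return ("block", f"nft add rule inet filter input ip saddr {flow[0]} drop")
    if reasons:
        return ("alert", None)
    return ("allow", None)


def evaluate(flows, model=None):
    """Score and decide for every flow; returns (flow, reasons, action, rule)."""
    model = model or fit_baseline(BASELINE)
    out = []
    for flow in flows:
        reasons = score_flow(flow, model)
        action, rule = respond(flow, reasons)
        out.append((flow, reasons, action, rule))
    return out


if __name__ == "__main__":
    # Constructed live flows: a normal client, an odd port, and a flood on an odd port
    for row in evaluate([("10.0.0.12", 443, 50000, 132),
                         ("10.0.0.20", 8080, 20000, 60),
                         ("10.0.0.99", 2222, 900000, 5000)]):
        print(row)
```

Requiring two independent reasons before blocking is the point a practitioner would want to see: a single unexpected port is common in healthy networks, and auto-blocking on it alone is how an IDPS turns into a self-inflicted denial of service.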
C. Ransomware Detection and Prevention
The system monitors:
  • File entropy
  • Rapid encryption detection
  • Registry tampering
  • Suspicious process patterns
Windows forensic insights from [7] and behavioural countermeasures in [3,6] guide this module.
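The two file-level signals listed above, entropy and rapid encryption, combine naturally into one detector: a high Shannon entropy on a single write is weak evidence (archives and images look the same), but many high-entropy writes from one process in a few seconds is the behaviour the cited works describe. The following is an added example, not the platform's code; the write events, thresholds and process IDs are constructed.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


HIGH_ENTROPY = 7.5   # bits/byte; text and most documents sit well below this
RATE_LIMIT = 10      # high-entropy writes ...
WINDOW_SEC = 10.0    # ... within this many seconds from one process


def detect_rapid_encryption(write_events):
    """write_events: iterable of (timestamp_seconds, pid, path, data_written).
    Returns the set of pids that wrote RATE_LIMIT or more high-entropy files
    inside a WINDOW_SEC sliding window."""
    flagged = set()
    recent = defaultdict(list)            # pid -> timestamps of recent high-entropy writes
    for ts, pid, path, data in sorted(write_events, key=lambda e: (e[0], e[1])):
        if shannon_entropy(data) < HIGH_ENTROPY:
            continue
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SEC:
            q.pop(0)
        if len(q) >= RATE_LIMIT:
            flagged.add(pid)
    return flagged


# Constructed sample data: a uniform byte pattern stands in for ciphertext (entropy 8.0)
CIPHERTEXT_LIKE = bytes(range(256)) * 4
PLAINTEXT = b"quarterly report: revenue up 4 percent; see attached ledger\n" * 20

SAMPLE_WRITES = (
    # pid 4242: 12 high-entropy writes in 5.5 seconds -> the ransomware pattern
    [(100.0 + 0.5 * i, 4242, f"docs/report_{i}.xlsx", CIPHERTEXT_LIKE) for i in range(12)]
    # pid 77: ordinary document saves, low entropy -> ignored
    + [(101.0 + i, 77, f"docs/memo_{i}.txt", PLAINTEXT) for i in range(3)]
    # pid 88: a slow archiver, one high-entropy write per 100 s -> rate never reached
    + [(100.0 + 100.0 * i, 88, f"arch/part_{i}.zip", CIPHERTEXT_LIKE) for i in range(12)]
)


if __name__ == "__main__":
    print("flagged pids:", detect_rapid_encryption(SAMPLE_WRITES))
```

The slow archiver (pid 88) is the deliberate edge case: it produces exactly the same per-file entropy as the encryptor, so a detector that keys on entropy alone would kill legitimate backup and compression jobs. The rate window is what separates the two, and in a real deployment it would be tuned per role (file servers legitimately burst).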
D. AI Negotiator BOT (with Ollama Integration)
A key innovation is an on-device AI BOT using Ollama to:
  • Parse ransom notes
  • Extract wallet IDs
  • Generate negotiation messages
  • Predict attacker behaviour
  • Attempt key recovery
This protects data privacy and avoids reliance on cloud models. Research in [1,3,6] demonstrates the importance of negotiation strategies but does not propose any automated BOT.
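The first two responsibilities listed for the BOT, parsing the ransom note and extracting wallet identifiers, are deterministic and belong in plain code before any LLM is involved; the model is then asked to summarize for the analyst. This is an added example, not the paper's BOT: the ransom note is constructed (the wallet address is the public BIP173 example address, the .onion host is a made-up 56-character placeholder), and the request is built for Ollama's `/api/generate` endpoint but not sent, so it runs offline. The model name `llama3` is an assumption.

```python
import json
import re

# Bech32 (bc1...) and legacy (1.../3...) Bitcoin address shapes
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
AMOUNT_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*(BTC|XMR|USD)\b", re.I)
DEADLINE_RE = re.compile(r"\b(\d+)\s*(hours?|days?)\b", re.I)

# Constructed ransom note; the address is the BIP173 example, the onion host is a placeholder
SAMPLE_NOTE = """\
ALL YOUR FILES HAVE BEEN ENCRYPTED.
To recover them, pay 2.5 BTC within 72 hours to:
bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
Contact us at http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/chat
We also copied your documents. After 72 hours the price doubles.
"""


def _uniq(seq):
    seen, out = set(), []
    for s in seq:
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def extract_iocs(note: str) -> dict:
    """Pull wallets, contact channels, demand and deadline out of a note with regexes."""
    amount = AMOUNT_RE.search(note)
    deadline = DEADLINE_RE.search(note)
    return {
        "wallets": _uniq(BTC_RE.findall(note)),
        "onion_urls": _uniq(ONION_RE.findall(note)),
        "amount": f"{amount.group(1)} {amount.group(2).upper()}" if amount else None,
        "deadline": f"{deadline.group(1)} {deadline.group(2).lower()}" if deadline else None,
        "claims_data_theft": bool(re.search(r"\b(copied|stole|exfiltrat\w*|leak\w*)\b", note, re.I)),
    }


def build_ollama_request(note: str, model: str = "llama3") -> dict:
    """Body for POST http://localhost:11434/api/generate (Ollama's local API).
    The extracted IOCs are passed in so the model summarizes rather than guesses;
    nothing leaves the host, which is the privacy argument for a local LLM."""
    iocs = extract_iocs(note)
    prompt = (
        "You are assisting an incident response team. Summarize this ransom note "
        "for the analyst: state the demanded amount, the deadline, the contact "
        "channel and whether data theft is claimed. Do not advise on payment.\n\n"
        f"Extracted indicators: {json.dumps(iocs)}\n\nNote:\n{note}"
    )
    return {"model": model, "prompt": prompt, "stream": False,
            "options": {"temperature": 0}}


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_NOTE), indent=2))
    print(json.dumps(build_ollama_request(SAMPLE_NOTE))[:200], "...")
```

Keeping extraction in regexes and only handing the LLM a summarization task is a design choice worth stating: wallet addresses and deadlines are the facts an IR team escalates and reports, and an LLM that hallucinates a digit in a wallet address is worse than no BOT at all.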
E. Automated Data Backup and Recovery
Based on recovery principles described in [1], this module includes:
  • Scheduled incremental backups
  • Snapshot verification
  • Backup freeze during encryption attack
  • Automatic rollback using VSS or rsync
  • Clean file restoration with integrity checks
The system achieves a self-healing capability, filling a gap present in all studies [1,2,3,4,5,6,7].
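Three of the five bullets above (snapshot verification, backup freeze, integrity-checked restoration) reduce to one mechanism: a hashed manifest taken at snapshot time, a controller that refuses to snapshot while frozen, and a restore step that only copies back files whose snapshot copy still matches the manifest. The block below is an added example written for this survey, not the platform's VSS/rsync module; it works on a temporary directory with constructed files so it can run anywhere.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> digest for every file under root, recorded at snapshot time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """'ok' / 'modified' / 'missing' per manifest entry; works on the live tree or the snapshot."""
    results = {}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            results[rel] = "missing"
        elif sha256_file(p) != digest:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


class BackupController:
    """Takes snapshots unless frozen. freeze() is what the ransomware detector
    calls, so an in-progress encryption cannot be copied over good backups."""

    def __init__(self):
        self.frozen = False
        self.history = []

    def freeze(self, reason: str):
        self.frozen = True
        self.history.append(("freeze", reason))

    def snapshot(self, src: Path, dest: Path):
        if self.frozen:
            self.history.append(("skipped", "frozen"))
            return None
        manifest = build_manifest(src)
        for rel in manifest:
            (dest / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, dest / rel)
        (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
        self.history.append(("snapshot", f"{len(manifest)} files"))
        return manifest


def restore(dest: Path, src: Path, manifest: dict) -> list:
    """Copy back only files that are damaged on the live tree AND intact in the snapshot."""
    restored = []
    for rel, status in verify_against_manifest(src, manifest).items():
        if status != "ok" and sha256_file(dest / rel) == manifest[rel]:
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(dest / rel, src / rel)
            restored.append(rel)
    return restored


def demo():
    """Constructed scenario: snapshot, simulated tampering, freeze, verify, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "live", Path(tmp) / "snapshot"
        src.mkdir()
        (src / "ledger.csv").write_text("2026-03,revenue,1200\n")
        (src / "notes.txt").write_text("quarterly planning\n")
        ctl = BackupController()
        manifest = ctl.snapshot(src, dest)
        (src / "ledger.csv").write_bytes(bytes(range(256)))   # overwritten with junk
        (src / "notes.txt").unlink()                          # deleted
        ctl.freeze("rapid high-entropy writes observed")
        frozen_result = ctl.snapshot(src, dest)               # refused while frozen
        live = verify_against_manifest(src, manifest)
        snap = verify_against_manifest(dest, manifest)
        restored = restore(dest, src, manifest)
        after = verify_against_manifest(src, manifest)
        return live, snap, frozen_result, restored, after, ctl.history


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The freeze is the detail most backup products get wrong: incremental jobs that keep running during an attack faithfully replicate ciphertext and age out the last clean increment. Checking the snapshot side against the manifest before restoring is equally important, since a backup share reachable from the infected host is itself a target.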

V. Comparative Analysis

Table 1. Comparative Analysis of Traditional Security Tools.

Feature              | Traditional Tools | ML IDS              | Proposed Unified Platform
Network Monitoring   | Reactive          | Predictive          | Continuous AI Monitoring
Intrusion Detection  | Signature-based   | ML-based [2]        | AI + Automated Prevention
Ransomware Detection | Antivirus-based   | Behavioral ML [1,3] | Real-time AI + Isolation
Recovery             | Manual            | Semi-automatic [1]  | Fully Automated Self-Healing
Negotiation          | None              | None                | AI BOT with Ollama

VI. Conclusions

This survey analyzed state-of-the-art techniques in ransomware detection, intrusion analysis, ML-based monitoring, and forensic investigation. Existing research highlights powerful detection methods [1,2,3,4,5,6,7], but lacks unified, autonomous, and recovery-driven solutions. The proposed platform integrates AI-driven monitoring, ML classification, Ollama-powered BOT negotiation, and automated backup and recovery to form a complete self-healing cybersecurity ecosystem. This sets a new direction for intelligent, autonomous, and privacy-preserving cyber defense.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. A. K. Upadhyay, P. Dubey, S. Gandhi and S. Jain, "Ransomware Detection And Data Recovery," 2024 International Conference on Electrical Electronics and Computing Technologies (ICEECT), Greater Noida, India, 2024, pp. 1-6. [CrossRef]
  2. M. S. Rahman, W. Tausif Islam and M. R. Ahmed Khan, "Enhancing Cybersecurity with an Investigation into Network Intrusion Detection System Using Machine Learning," 2024 IEEE 3rd International Conference on Robotics, Automation, Artificial-Intelligence and Internet-of-Things (RAAICON), Dhaka, Bangladesh, 2024, pp. 107-110. [CrossRef]
  3. J. Tang, "The Proactive Approach to Cyber-Attack Prevention: Countermeasures Against Ransomware," 2024 9th International Conference on Intelligent Computing and Signal Processing (ICSP), Xian, China, 2024, pp. 376-379. [CrossRef]
  4. S. Chowhan and A. K. Saxena, "Advanced Techniques in Network Traffic Analysis: Utilizing Wireshark For In-Depth Live Data Packet Inspection And Information Capture," 2023 International Conference on Communication, Security and Artificial Intelligence (ICCSAI), Greater Noida, India, 2023, pp. 843-847. [CrossRef]
  5. S. Cheon, G. Choi and D. Kim, "A Cheating Attack on a Whitelist-based AntiRansomware Solution and its Countermeasure," 2023 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 2023, pp. 01-04. [CrossRef]
  6. C. B. J., S. A. Kudtarkar and Mohana, "Targeted Ransomware Attacks and Detection to Strengthen Cybersecurity Strategies," 2023 Second International Conference on Automation, Computing and Renewable Systems (ICACRS), Tirunelveli, India, 2023, pp. 1039-1044. [CrossRef]
  7. Y. Prajapati and K. Gosai, "Windows Forensic Analysis and Detection of Ransomware Attacks Using Event Logs and Tools," 2024 4th International Conference on Intelligent Technologies (CONIT), Karnataka, India, 2024, pp. 01-06. [CrossRef]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.