HyperDtct: Hypervisor-Based Ransomware Detection using System Calls

This paper presents HyperDtct, a hypervisor-based framework for detecting ransomware by monitoring system call behavior from outside the guest operating system. Rather than relying on in-guest agents or signature-based methods, both of which can be evaded by modern ransomware, HyperDtct observes system activities at the hypervisor level, making it resistant to tampering and capable of detecting previously unseen threats. The authors focus on how ransomware exhibits distinctive system call patterns when encrypting user files. HyperDtct records these sequences through the hypervisor and extracts behavioral features that capture file-access intensity, read/write operations, and other filesystem-related activity. By modeling normal system behavior and comparing it with suspicious deviations, the framework can identify ransomware in its early stages before extensive damage occurs. The detection process uses machine-learning classifiers trained on labeled system call data collected from benign applications and real ransomware samples. Because the hypervisor records calls transparently, the approach provides visibility into application behavior without modifying the guest OS or relying on user privileges. The paper also shows, through tables and figures illustrating system architecture and feature extraction, how HyperDtct structures its data pipeline from raw system calls to detection output.

A key strength of HyperDtct is its platform independence: by operating at the virtualization layer, it works across different operating systems and does not require integration into the guest environment. The evaluation results in the paper demonstrate that the framework achieves high detection accuracy with low false-positive rates, while introducing minimal overhead to normal system operation. Overall, the work highlights the potential of hypervisor-based monitoring as a robust, tamper-resistant defense mechanism against ransomware. By using system call patterns as a behavioral signal, HyperDtct provides an early-warning capability aligned with the needs of modern virtualized infrastructures and cloud environments.
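To make the pipeline from raw system calls to a behavioral deviation score concrete, here is an added example (not HyperDtct's code, and not from the paper): it turns a hypervisor-side trace into per-process, per-second feature vectors for file-access intensity, breadth of files touched, write ratio and renames, builds a benign profile from them, and flags windows that deviate from that profile by z-score. The record layout, the feature set, the z-score rule and both traces are constructed assumptions; the paper's own features and classifiers are not specified here.

```python
from collections import defaultdict
from statistics import mean, pstdev
FS_CALLS = ("open", "read", "write", "rename", "unlink")  # assumed filesystem call set
FEATURES = ("fs_calls", "unique_files", "write_ratio", "renames")

def extract_features(trace, window=1.0):
    """Aggregate filesystem calls per (pid, time window) into a feature vector."""
    buckets = defaultdict(list)
    for ts, pid, call, path in trace:          # records: (timestamp_s, pid, syscall, path)
        if call in FS_CALLS:                   # non-filesystem calls are ignored
            buckets[(pid, int(ts // window))].append((call, path))
    vectors = {}
    for key, calls in buckets.items():
        reads, writes = (sum(c == k for c, _ in calls) for k in ("read", "write"))
        vectors[key] = {"fs_calls": len(calls),                       # file-access intensity
                        "unique_files": len({p for _, p in calls}),   # breadth of files touched
                        "write_ratio": writes / (reads + writes) if reads + writes else 0.0,
                        "renames": sum(c == "rename" for c, _ in calls)}
    return vectors

def build_baseline(benign_vectors):
    """Per-feature (mean, std) over benign windows; std floored at 1.0 to avoid /0."""
    return {f: (mean([v[f] for v in benign_vectors]),
                pstdev([v[f] for v in benign_vectors]) or 1.0) for f in FEATURES}

def deviation_score(vec, baseline):
    """Largest z-score across features: how far above the benign profile this window sits."""
    return max((vec[f] - m) / s for f, (m, s) in baseline.items())

def flag_windows(trace, baseline, threshold=3.0):
    """Windows whose deviation exceeds the threshold, as {(pid, window): score}."""
    scores = {k: deviation_score(v, baseline) for k, v in extract_features(trace).items()}
    return {k: round(s, 2) for k, s in scores.items() if s > threshold}

def editor_trace(pid=100):
    """Constructed benign trace: four seconds of light editing on two files."""
    t = []
    for i in range(4):
        t += [(i + 0.0, pid, "open", "/home/u/notes.txt"), (i + 0.2, pid, "read", "/home/u/notes.txt"),
              (i + 0.5, pid, "write", "/home/u/notes.txt"), (i + 0.7, pid, "read", "/home/u/todo.txt")]
    return t

def suspicious_trace(pid=200):
    """Constructed trace: twenty distinct files read, rewritten and renamed in one second."""
    t = []
    for i in range(20):
        p, ts = f"/home/u/docs/file{i}.docx", i * 0.04
        t += [(ts, pid, "open", p), (ts + 0.01, pid, "read", p),
              (ts + 0.02, pid, "write", p), (ts + 0.03, pid, "rename", p)]
    return t
```

With the editor trace as the baseline, `flag_windows(editor_trace(), baseline)` returns nothing, while the suspicious trace's single window is flagged with a score of 76.0, driven by file-access intensity; a real deployment would train the classifier on many benign applications so the standard deviations are not floored.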