UMBC-DREAM-Lab/RIADE
# Behavioral Archetypes of Ransomware in Active Directory Environments

This repository contains the data and code used in the paper "Behavioral Archetypes of Ransomware in Active Directory Environments".

The study analyzes early-stage ransomware behavior in Active Directory (AD) environments using Windows Event Logs. Event sequences are modeled as temporal behavioral patterns and analyzed using Dynamic Time Warping (DTW) and HDBSCAN clustering to identify recurring behavioral archetypes across ransomware families.

## Repository Contents

- `analysis.ipynb`: Jupyter notebook containing the full analysis pipeline, including data preprocessing, temporal binning, DTW distance computation, clustering, and visualization.
- `dataset.zip`: Compressed dataset containing Windows Event Logs collected from controlled ransomware execution runs in an Active Directory testbed.

## Dataset

The dataset consists of Windows Event Logs collected from controlled ransomware executions in a virtualized AD environment. It includes:

- 156 ransomware runs
- 9 ransomware families
- 5 benign baseline runs

Each log record contains fields such as timestamp, event ID, machine type (server/victim), log type (security/system/application), run identifier, and ransomware family.

## Usage

1. Extract the dataset:

   ```
   unzip Data_file.zip
   ```

2. Open and run the notebook `AD_HDBSCAN.ipynb`.

The notebook reproduces the preprocessing, temporal modeling, clustering, and analysis presented in the paper.

## Disclaimer

All experiments were conducted in a controlled research environment. No ransomware binaries are included in this repository.

## Citation

If you use this dataset or code, please cite the associated paper:

<to be updated when available in IEEE Xplore>

Bhandary, P., Nicholas, C. Behavioral Archetypes of Ransomware in Active Directory Environments. IEEE, 2026.
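The temporal-binning and DTW steps of the pipeline, as an added illustration that is not code from the notebook or the repository: constructed log records following the README's record schema are binned into per-run event-count sequences, and a pairwise DTW distance matrix is computed in pure Python. The record layout, bin width, tracked event IDs and run names are assumptions for the example.

```python
# Added example (not the repository's code): temporal binning of event-log
# records into per-run count sequences, then a pairwise DTW distance matrix
# of the kind a precomputed-metric clusterer such as HDBSCAN can consume.
from collections import defaultdict

# Constructed records mimicking the README's schema (assumed layout):
# (run_id, family, machine_type, timestamp_seconds, event_id)
SAMPLE_LOGS = [
    ("run_a", "famX", "victim", 2, 4688), ("run_a", "famX", "victim", 3, 4624),
    ("run_a", "famX", "victim", 4, 4688), ("run_a", "famX", "server", 15, 5140),
    ("run_a", "famX", "server", 16, 5140), ("run_a", "famX", "server", 25, 4663),
    # run_b: same behaviour as run_a, started 20 s later
    ("run_b", "famX", "victim", 22, 4688), ("run_b", "famX", "victim", 24, 4688),
    ("run_b", "famX", "server", 35, 5140), ("run_b", "famX", "server", 36, 5140),
    ("run_b", "famX", "server", 45, 4663),
    # run_c: benign baseline with a single tracked event
    ("run_c", "benign", "victim", 7, 4624), ("run_c", "benign", "server", 33, 4663),
]
# Event IDs kept for the sequence (assumed choice): process creation,
# network share access, object access. Logons (4624) are ignored here.
TRACKED = {4688, 5140, 4663}


def bin_events(records, bin_seconds=10, n_bins=6, tracked=TRACKED):
    """Count tracked event IDs per fixed-width time bin for each run."""
    seqs = defaultdict(lambda: [0] * n_bins)
    for run_id, _family, _machine, ts, event_id in records:
        b = int(ts // bin_seconds)
        if event_id in tracked and b < n_bins:
            seqs[run_id][b] += 1
    return dict(seqs)


def dtw_distance(a, b):
    """Unconstrained DTW with absolute-difference local cost (O(len(b)) memory)."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for x in a:
        cur = [inf] * (len(b) + 1)
        for j, y in enumerate(b, start=1):
            cur[j] = abs(x - y) + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[len(b)]


def distance_matrix(seqs):
    """Symmetric pairwise DTW matrix; the sorted run order is returned with it."""
    runs = sorted(seqs)
    dist = [[0.0] * len(runs) for _ in runs]
    for i, r in enumerate(runs):
        for j in range(i + 1, len(runs)):
            dist[i][j] = dist[j][i] = dtw_distance(seqs[r], seqs[runs[j]])
    return runs, dist
```

Because DTW aligns sequences in time, the 20 s shift between `run_a` and `run_b` costs less (distance 4) than the bin-by-bin L1 difference (8), while the sparse benign run stays farther away (5); the resulting matrix is what an HDBSCAN clusterer with `metric="precomputed"` would take as input.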