Ransomware Detection using Graph Neural Networks Enhanced by Large Language Models
This thesis investigates the detection and classification of Android ransomware using Graph Neural Networks (GNNs) on function-call graphs whose node features are derived from Large Language Model embeddings.
Motivation
Android ransomware continues to evolve, demanding robust detection methods that go beyond signature-based approaches. By modelling app behaviour as a graph of function calls, we can capture structural patterns that distinguish malicious from benign applications.
Key Finding
Baseline GNN models (GIN, GCN, GAT) achieve up to 98% accuracy on standard random train/test splits. However, Leave-One-Family-Out (LOFO) evaluation reveals that models fail to generalise to unseen ransomware families, with recall dropping to near zero.
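The following is an added example, not code from the thesis, showing why a Leave-One-Family-Out split exposes generalisation failures that a random split hides. It uses a constructed toy dataset of 2-D graph-level embeddings (invented values; family names famA/famB/famC are placeholders) and a 1-nearest-neighbour classifier standing in for the trained GNN, since 1-NN is the simplest model that memorises family-specific structure. The split and scoring logic is the part a practitioner would reuse.

```python
"""Leave-One-Family-Out (LOFO) versus within-family evaluation of a malware classifier.

Added example: the dataset, family names and the 1-NN stand-in classifier are all
constructed for illustration and are not taken from the thesis.
"""
import math

# Constructed toy dataset: (family, label, graph_embedding).
# label 1 = ransomware, 0 = benign. The 2-D vectors stand in for pooled graph
# embeddings; each ransomware family sits in its own region of the space.
SAMPLES = [
    ("benign", 0, (0.0, 0.0)), ("benign", 0, (0.2, -0.1)), ("benign", 0, (-0.1, 0.2)),
    ("benign", 0, (0.1, 0.1)), ("benign", 0, (-0.2, -0.2)), ("benign", 0, (0.3, 0.0)),
    ("famA", 1, (5.0, 0.0)), ("famA", 1, (5.2, 0.1)), ("famA", 1, (4.9, -0.2)),
    ("famB", 1, (-5.0, 0.0)), ("famB", 1, (-5.1, 0.2)), ("famB", 1, (-4.8, -0.1)),
    ("famC", 1, (0.0, 2.0)), ("famC", 1, (0.1, 2.2)), ("famC", 1, (-0.2, 1.9)),
]


def lofo_splits(samples):
    """Yield (held_out_family, train_idx, test_idx), holding out each ransomware
    family once. Benign samples are split in half so every test fold contains
    both classes and no benign sample appears in both folds."""
    families = sorted({fam for fam, lbl, _ in samples if lbl == 1})
    benign = [i for i, (_, lbl, _) in enumerate(samples) if lbl == 0]
    half = len(benign) // 2
    benign_train, benign_test = benign[:half], benign[half:]
    for held in families:
        train = [i for i, (fam, lbl, _) in enumerate(samples)
                 if lbl == 1 and fam != held] + benign_train
        test = [i for i, (fam, _, _) in enumerate(samples) if fam == held] + benign_test
        yield held, train, test


def within_family_split(samples):
    """Deterministic stand-in for a random split: the first sample of every family
    (benign included) goes to the test fold, the rest to training. Each test
    ransomware sample therefore has same-family siblings in training."""
    seen, train, test = set(), [], []
    for i, (fam, _, _) in enumerate(samples):
        (test if fam not in seen else train).append(i)
        seen.add(fam)
    return train, test


def knn1_predict(train_idx, query, samples):
    """1-nearest-neighbour on the embeddings; a stand-in for the trained GNN that
    makes family memorisation explicit."""
    best = min(train_idx, key=lambda i: math.dist(samples[i][2], query))
    return samples[best][1]


def recall(train_idx, test_idx, samples, predict=knn1_predict):
    """Fraction of ransomware samples in the test fold that are flagged."""
    positives = [i for i in test_idx if samples[i][1] == 1]
    if not positives:
        return float("nan")
    hits = sum(predict(train_idx, samples[i][2], samples) == 1 for i in positives)
    return hits / len(positives)


def lofo_report(samples):
    """Recall on each held-out family: the number that matters for unseen families."""
    return {held: recall(train, test, samples) for held, train, test in lofo_splits(samples)}


if __name__ == "__main__":
    train, test = within_family_split(SAMPLES)
    print("within-family recall:", recall(train, test, SAMPLES))
    for fam, r in lofo_report(SAMPLES).items():
        print(f"LOFO held-out {fam}: recall {r:.2f}")
```

On this toy data the within-family split reports perfect recall while every LOFO fold reports zero, because the classifier only ever sees embeddings near those of families it was trained on. Reporting the per-family LOFO recall alongside the random-split accuracy is the check that stops a 98% headline number from being mistaken for robustness to new families.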