Cross-layer ransomware detection framework for SDN using HMM, LSTM, and Bayesian inference
Abstract
Ransomware continues to pose a serious threat to endpoint computers as well as network systems, especially in Software-Defined Networking (SDN) environments, where programmability and centralized control offer novel attack surfaces. This paper introduces a cross-layer ransomware detection model that integrates host-based behavioral modeling using Hidden Markov Models (HMM), flow-level anomaly detection using Long Short-Term Memory (LSTM) networks, and probabilistic fusion through Bayesian inference. By correlating host and SDN layer anomalies, the system enhances early-stage detection and reduces false positives. A variational Bayesian approximation technique is used to stabilize decision scores under ambiguous conditions. The model is evaluated with new ransomware datasets and obtains F1-scores ranging from 97.5% to 99.92% across three benchmark datasets, with less than 50 ms detection latency. The hybrid framework offers a promising direction for real-time threat detection in resilient programmable networks.












