Ransomware's core capability, unauthorized encryption, demands controls that identify and block malicious cryptographic activity without disrupting legitimate use. We present a probabilistic, risk-based access control architecture that couples machine learning inference with mandatory access control to regulate encryption on Linux in real time. The system builds a specialized dataset from the native ftrace framework using the function_graph tracer, yielding high-resolution kernel-function execution traces augmented with resource and I/O counters. These traces support both a supervised classifier and interpretable rules that drive an SELinux policy via lightweight booleans, enabling context-sensitive permit/deny decisions at the moment encryption begins. Compared to approaches centered on sandboxing, hypervisor introspection, or coarse system-call telemetry, the function-level tracing we adopt provides finer behavioral granularity than syscall-only telemetry while avoiding the virtualization/VMI overhead of sandbox-based approaches. Our current user-space prototype has a non-trivial footprint under burst I/O; we quantify it and recognize that a production kernel-space solution should aim to address this. We detail dataset construction, model training and rule extraction, and the run-time integration that gates file writes for suspect encryption while preserving benign cryptographic workflows. In our evaluation, the two-layer composition retains model-level detection quality while delivering rule-like responsiveness; we also quantify the operational footprint and outline engineering steps to reduce CPU and memory overhead for enterprise deployment. The result is a practical path from behavioral tracing and learning to enforceable, explainable, and risk-proportionate encryption control on production Linux systems.
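The trace-to-decision path the abstract describes can be sketched as follows. This is an added example, not code from the paper: it parses function_graph output into per-function features and maps a simple rule to an SELinux boolean setting. The sample trace is constructed, and the boolean name, the cipher-function prefixes and the threshold rule are assumptions standing in for the paper's classifier and extracted rules.

```python
import re
from collections import Counter

# Constructed sample in function_graph layout; names and timings are illustrative.
SAMPLE_TRACE = """\
# tracer: function_graph
# CPU  DURATION                  FUNCTION CALLS
# |     |   |                     |   |   |   |
 0)               |  vfs_read() {
 0)   0.412 us    |    rw_verify_area();
 0)   3.250 us    |  }
 0)               |  crypto_skcipher_encrypt() {
 0)   1.100 us    |    aes_encrypt();
 0)   1.050 us    |    aes_encrypt();
 0) + 12.700 us   |  }
 0)               |  vfs_write() {
 0)   0.390 us    |    rw_verify_area();
 0)   4.800 us    |  }
"""

LINE = re.compile(r"^\s*\d+\)\s*(?:[+!#*@$]\s*)?(?:(?P<us>[\d.]+) us)?\s*\|\s*(?P<body>.*)$")
CRYPTO = ("crypto_", "aes_")    # assumed prefixes of cipher routines
BOOLEAN = "allow_file_encrypt"  # hypothetical SELinux boolean name

def extract_features(trace):
    """Return per-function call counts and inclusive time in microseconds."""
    calls, time_us, stack = Counter(), Counter(), []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # header or unrelated line
        body, us = m["body"].strip(), float(m["us"] or 0.0)
        name = body.split("(")[0]
        if body.endswith("{"):            # entry of a non-leaf function
            stack.append(name)
            calls[name] += 1
        elif body.startswith("}") and stack:  # exit line carries inclusive time
            time_us[stack.pop()] += us
        elif body.endswith(";"):          # leaf call with its own duration
            calls[name] += 1
            time_us[name] += us
    return calls, time_us

def decide(calls, time_us, max_crypto_share=0.5):
    """Stand-in rule: writes plus a high share of time in cipher code -> deny."""
    total = sum(time_us.values()) or 1.0  # inclusive times, so nesting overlaps
    crypto = sum(t for f, t in time_us.items() if f.startswith(CRYPTO))
    suspect = calls["vfs_write"] > 0 and crypto / total > max_crypto_share
    return ["setsebool", BOOLEAN, "off" if suspect else "on"]  # argv for a root caller
```

The function returns the `setsebool` argument list rather than running it, so the decision can be inspected or logged before a privileged caller applies it.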