An Explainable Hybrid Attention–Temporal Ensemble Framework For Early Ransomware Detection in Hospitality Information Systems Using Kernel-Level File I/O Behaviour

Abstract

Ransomware attacks increasingly threaten hospitality information systems such as property management software, booking platforms, payment gateways, and guest data repositories, disrupting operations and compromising sensitive information before traditional defenses respond. This study proposes an explainable Hybrid Attention–Temporal Ensemble (HATE) framework for early ransomware detection tailored to hotel IT environments. Kernel-level file I/O events are captured using Windows Event Tracing (ETW) within a sandbox simulating realistic hospitality workloads. The logs are pre-processed and encoded into behavioural features, then analysed using three complementary deep learning models: a Temporal Fusion Transformer for time-dependent patterns, a Graph Attention Network for relational event structures, and an Informer Transformer for long behavioural sequences. Soft voting combines predictions into a final ransomware probability score. SHAP, LIME, and Integrated Gradients provide global and local interpretability. Experiments show 97.8% detection, 98.1% recall, and a 2.1% false positive rate, identifying ransomware within the first 30 file I/O operations for proactive mitigation.