File Integrity Monitor

Why Traditional FIM Isn't Enough

Traditional File Integrity Monitoring (FIM) works on a simple principle: hash a file, store the hash, periodically re-hash and compare. If the hash changes, something happened. Alert someone.

This approach has a critical blind spot: it tells you something changed, but not whether the change is malicious. A config file update, a log rotation, and a ransomware encryption event all look the same — "hash mismatch." In production environments where thousands of files change legitimately every hour, this creates alert fatigue that renders the system useless.

Hybrid Detection: Hashing + Behavioral Analysis

My approach combines SHA-256 cryptographic hashing with behavioral pattern analysis. Instead of treating every change as equal, the system evaluates the context of changes:

Rate of change: Ransomware typically modifies files much faster than any legitimate process. If 50+ files change within a 2-second window, that's a signal.
Entropy analysis: Encrypted files have near-maximum Shannon entropy (~7.99 bits/byte for a 256-byte block). A sudden entropy spike in a previously low-entropy file strongly suggests encryption.
Extension patterns: Many ransomware families append characteristic extensions (.encrypted, .locked, .crypto). Pattern matching on rename events catches these.
Directory traversal patterns: Ransomware often moves systematically through directory trees. Detecting breadth-first or depth-first traversal patterns across rapid file modifications is a strong indicator.

Real-Time Monitoring with Chokidar

I used Chokidar (a Node.js filesystem watcher) for event-driven monitoring rather than polling. This gives sub-second detection latency compared to the typical 5-60 minute scanning intervals of traditional FIM tools.

Every filesystem event — create, modify, delete, rename — flows through a processing pipeline that computes the behavioral features in real-time. Socket.io pushes alerts to the React dashboard with under 500ms end-to-end latency from file modification to visual alert.

Design choice: I chose event-driven over polling because ransomware can encrypt thousands of files in seconds. A 5-minute polling interval means you discover the damage after it's done. Event-driven monitoring gives you a window to respond.

Automated Rollback

Detection without response is just observation. The system implements policy-driven automated rollback:

High-confidence ransomware detection triggers automatic file restoration from shadow copies
Medium-confidence events quarantine changed files and alert the operator
Low-confidence events are logged for audit review

The confidence scoring is based on a weighted combination of the behavioral signals. I tuned the weights through simulation — running 500+ attack scenarios against the system and optimizing for an acceptable false-positive rate.

Results: 96.3% Detection Accuracy

Across 500+ simulated attack scenarios (including custom ransomware simulators, rapid file encryption scripts, and real-world ransomware behavior replays from sandboxed samples):

96.3% true positive detection rate
<500ms detection latency
2.1% false positive rate (legitimate batch operations occasionally triggered medium-confidence alerts)
80% faster incident response compared to manual detection workflows

Lessons Learned

The biggest challenge wasn't building the detection — it was managing false positives. Software updates, build processes, and database operations all create file modification patterns that can resemble malicious activity. Context-aware whitelisting (understanding which processes are expected to modify which files) was essential.

Takeaway: Security monitoring is fundamentally an information-quality problem. The value isn't in detecting more — it's in detecting accurately, with context, fast enough to act.