# A King's Ransom for Encryption: Ransomware Classification using Augmented One-Shot Learning and Bayesian Approximation

**Authors:** Amir Atapour-Abarghouei, Stephen Bonner, Andrew Stephen McGough

arXiv: 1908.06750 · 2019-08-20

## TL;DR

This paper presents a novel approach for classifying ransomware infections from a photo of the splash screen or ransom note, training on only a single image per variant. It combines augmented one-shot learning with model uncertainty from Bayesian approximation to achieve high accuracy and to flag unseen cases for special handling.

## Contribution

The work introduces a new post-infection ransomware classification method based on minimal data, combining data augmentation, one-shot learning, and Bayesian uncertainty for improved accuracy and robustness.

## Key findings

- Achieved up to 93.6% classification accuracy.
- Identified previously-unseen ransomware variants for special handling rather than mis-classifying them.
- Used model uncertainty from Bayesian approximation to flag unrelated non-ransomware images.

## Abstract

Newly emerging variants of ransomware pose an ever-growing threat to computer systems governing every aspect of modern life through the handling and analysis of big data. While various recent security-based approaches have focused on detecting and classifying ransomware at the network or system level, easy-to-use post-infection ransomware classification for the lay user has not been attempted before. In this paper, we investigate the possibility of classifying the ransomware a system is infected with simply based on a screenshot of the splash screen or the ransom note captured using a consumer camera commonly found in any modern mobile device. To train and evaluate our system, we create a sample dataset of the splash screens of 50 well-known ransomware variants. In our dataset, only a single training image is available per ransomware. Instead of creating a large training dataset of ransomware screenshots, we simulate screenshot capture conditions via carefully designed data augmentation techniques, enabling simple and efficient one-shot learning. Moreover, using model uncertainty obtained via Bayesian approximation, we ensure special input cases such as unrelated non-ransomware images and previously-unseen ransomware variants are correctly identified for special handling and not mis-classified. Extensive experimental evaluation demonstrates the efficacy of our work, with accuracy levels of up to 93.6% for ransomware classification.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1908.06750/full.md

## Figures

24 figures with captions in the complete paper: https://tomesphere.com/paper/1908.06750/full.md

## References

51 references — full list in the complete paper: https://tomesphere.com/paper/1908.06750/full.md

---
Source: https://tomesphere.com/paper/1908.06750