A Few-Shot Meta-Learning based Siamese Neural Network using Entropy Features for Ransomware Classification

TL;DR

This paper introduces a few-shot meta-learning Siamese neural network that uses entropy features from ransomware binaries to effectively detect and classify ransomware with limited data, outperforming traditional methods.

Contribution

The paper presents a novel meta-learning based Siamese network utilizing entropy features for ransomware classification, addressing data scarcity issues in malware detection.

Findings

Achieved weighted F1-score exceeding 86%

Effective in classifying ransomware with limited samples

Utilizes entropy features for fine-grained signature detection

Abstract

Ransomware defense solutions that can quickly detect and classify different ransomware classes to formulate rapid response plans have been in high demand in recent years. Though the applicability of adopting deep learning techniques to provide automation and self-learning provision has been proven in many application domains, the lack of data available for ransomware (and other malware)samples has been raised as a barrier to developing effective deep learning-based solutions. To address this concern, we propose a few-shot meta-learning based Siamese Neural Network that not only detects ransomware attacks but is able to classify them into different classes. Our proposed model utilizes the entropy feature directly extracted from ransomware binary files to retain more fine-grained features associated with different ransomware signatures. These entropy features are used further to train and optimize our model using a pre-trained network (e.g. VGG-16) in a meta-learning fashion. This approach generates more accurate weight factors, compared to feature images are used, to avoid the bias typically associated with a model trained with a limited number of training samples. Our experimental results show that our proposed model is highly effective in providing a weighted F1-score exceeding the rate>86% compared