A Ransomware Triage Approach using a Task Memory based on Meta-Transfer Learning Framework

Solutions for rapid prioritization of different ransomware have been raised to formulate fast response plans to minimize socioeconomic damage from the massive growth of ransomware attacks in recent years. To address this concern, we propose a ransomware triage approach that can rapidly classify and prioritize different ransomware classes. Our Siamese Neural Network (SNN) based approach utilizes a pre-trained ResNet18 network in a meta-learning fashion to reduce the biases in weight and parameter calculations typically associated with a machine learning model trained with a limited number of training samples. Instead of image features typically used as inputs to many existing machine learning-based triage applications, our approach uses the entropy features directly obtained from the ransomware binary files to improve feature representation, resilient to obfuscation noise, and computationally less expensive. Our triage approach can classify ransomware samples into the correct classes if the ransomware features significantly match known ransomware profiles. Our evaluation shows that this classification part of our proposed approach achieves the accuracy exceeding 88% and outperforms other similar classification only machine learning-based approaches. In addition, we offer a new triage strategy based on the normalized and regularized weight ratios that evaluate the level of similarity matching across ransomware classes to identify any risky and unknown ransomware (e.g., zero-day attacks) so that a rapid further analysis can be conducted