Class-Aware Hierarchical Feature Clustering for High-Dimensional Complex Ransomware Detection

Büşra Çalişkan

doi:10.1109/ICDMW69685.2025.00162

Class-Aware Hierarchical Feature Clustering for High-Dimensional Complex Ransomware Detection

Büşra Çalişkan^*

^*Corresponding author for this work

Department of Computer Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

High-dimensional ransomware detection datasets are challenging for machine learning due to sparsity, nonlinearity, and heterogeneous feature distributions. Conventional dimensionality reduction often overlooks class-conditional correlations and fails to preserve semantic distinctions between static and dynamic behaviors. To address this problem, we propose a correlation-driven, class-aware hierarchical feature clustering framework that mainly groups features into ransomwarespecific, benign-specific, and shared clusters, with model-optimized thresholds. Static opcode features and dynamic features are kept in separate partitions, ensuring preservation of behavioral semantics. Experimental evaluation on balanced datasets shows that the framework reduces dimensionality while improving interpretability and efficiency. Random Forest training time decreased by 70.7% and misclassification of ransomware samples dropped by 2.07%. The derived feature clusters provided clear semantic separation: encryption and anti-analysis routines were isolated as ransomware-specific, while process and registry management features were grouped as benignware-specific. Models trained on the reduced set achieved higher Cohen's Kappa, lower log loss, and more balanced accuracy across classes, demonstrating the effectiveness of the proposed framework for robust and interpretable ransomware detection.

Original language	English
Title of host publication	Proceedings - 25th IEEE International Conference on Data Mining Workshops, ICDMW 2025
Publisher	IEEE Computer Society
Pages	1366-1372
Number of pages	7
ISBN (Electronic)	9798331581329
DOIs	https://doi.org/10.1109/ICDMW69685.2025.00162
Publication status	Published - 2025
Event	25th IEEE International Conference on Data Mining Workshops, ICDMW 2025 - Washington, United States Duration: 12 Nov 2025 → 15 Nov 2025

Publication series

Name	IEEE International Conference on Data Mining Workshops, ICDMW
ISSN (Print)	2375-9232
ISSN (Electronic)	2375-9259

Conference

Conference	25th IEEE International Conference on Data Mining Workshops, ICDMW 2025
Country/Territory	United States
City	Washington
Period	12/11/25 → 15/11/25

Bibliographical note

Publisher Copyright:
© 2025 IEEE.

Keywords

correlation analysis
cybersecurity
dimensionality reduction
feature clustering
hierarchical clustering
Ransomware detection

Access to Document

10.1109/ICDMW69685.2025.00162

Cite this

@inproceedings{c52dca10d30b461b99941aa940e25b9a,

title = "Class-Aware Hierarchical Feature Clustering for High-Dimensional Complex Ransomware Detection",

abstract = "High-dimensional ransomware detection datasets are challenging for machine learning due to sparsity, nonlinearity, and heterogeneous feature distributions. Conventional dimensionality reduction often overlooks class-conditional correlations and fails to preserve semantic distinctions between static and dynamic behaviors. To address this problem, we propose a correlation-driven, class-aware hierarchical feature clustering framework that mainly groups features into ransomwarespecific, benign-specific, and shared clusters, with model-optimized thresholds. Static opcode features and dynamic features are kept in separate partitions, ensuring preservation of behavioral semantics. Experimental evaluation on balanced datasets shows that the framework reduces dimensionality while improving interpretability and efficiency. Random Forest training time decreased by 70.7\% and misclassification of ransomware samples dropped by 2.07\%. The derived feature clusters provided clear semantic separation: encryption and anti-analysis routines were isolated as ransomware-specific, while process and registry management features were grouped as benignware-specific. Models trained on the reduced set achieved higher Cohen's Kappa, lower log loss, and more balanced accuracy across classes, demonstrating the effectiveness of the proposed framework for robust and interpretable ransomware detection.",

keywords = "correlation analysis, cybersecurity, dimensionality reduction, feature clustering, hierarchical clustering, Ransomware detection",

author = "B{\"u}{\c s}ra {\c C}ali{\c s}kan",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 25th IEEE International Conference on Data Mining Workshops, ICDMW 2025 ; Conference date: 12-11-2025 Through 15-11-2025",

year = "2025",

doi = "10.1109/ICDMW69685.2025.00162",

language = "English",

series = "IEEE International Conference on Data Mining Workshops, ICDMW",

publisher = "IEEE Computer Society",

pages = "1366--1372",

booktitle = "Proceedings - 25th IEEE International Conference on Data Mining Workshops, ICDMW 2025",

address = "United States",

}

Çalişkan, B 2025, Class-Aware Hierarchical Feature Clustering for High-Dimensional Complex Ransomware Detection. in Proceedings - 25th IEEE International Conference on Data Mining Workshops, ICDMW 2025. IEEE International Conference on Data Mining Workshops, ICDMW, IEEE Computer Society, pp. 1366-1372, 25th IEEE International Conference on Data Mining Workshops, ICDMW 2025, Washington, United States, 12/11/25. https://doi.org/10.1109/ICDMW69685.2025.00162

Class-Aware Hierarchical Feature Clustering for High-Dimensional Complex Ransomware Detection. / Çalişkan, Büşra.
Proceedings - 25th IEEE International Conference on Data Mining Workshops, ICDMW 2025. IEEE Computer Society, 2025. p. 1366-1372 (IEEE International Conference on Data Mining Workshops, ICDMW).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Class-Aware Hierarchical Feature Clustering for High-Dimensional Complex Ransomware Detection

AU - Çalişkan, Büşra

PY - 2025

Y1 - 2025

N2 - High-dimensional ransomware detection datasets are challenging for machine learning due to sparsity, nonlinearity, and heterogeneous feature distributions. Conventional dimensionality reduction often overlooks class-conditional correlations and fails to preserve semantic distinctions between static and dynamic behaviors. To address this problem, we propose a correlation-driven, class-aware hierarchical feature clustering framework that mainly groups features into ransomwarespecific, benign-specific, and shared clusters, with model-optimized thresholds. Static opcode features and dynamic features are kept in separate partitions, ensuring preservation of behavioral semantics. Experimental evaluation on balanced datasets shows that the framework reduces dimensionality while improving interpretability and efficiency. Random Forest training time decreased by 70.7% and misclassification of ransomware samples dropped by 2.07%. The derived feature clusters provided clear semantic separation: encryption and anti-analysis routines were isolated as ransomware-specific, while process and registry management features were grouped as benignware-specific. Models trained on the reduced set achieved higher Cohen's Kappa, lower log loss, and more balanced accuracy across classes, demonstrating the effectiveness of the proposed framework for robust and interpretable ransomware detection.

AB - High-dimensional ransomware detection datasets are challenging for machine learning due to sparsity, nonlinearity, and heterogeneous feature distributions. Conventional dimensionality reduction often overlooks class-conditional correlations and fails to preserve semantic distinctions between static and dynamic behaviors. To address this problem, we propose a correlation-driven, class-aware hierarchical feature clustering framework that mainly groups features into ransomwarespecific, benign-specific, and shared clusters, with model-optimized thresholds. Static opcode features and dynamic features are kept in separate partitions, ensuring preservation of behavioral semantics. Experimental evaluation on balanced datasets shows that the framework reduces dimensionality while improving interpretability and efficiency. Random Forest training time decreased by 70.7% and misclassification of ransomware samples dropped by 2.07%. The derived feature clusters provided clear semantic separation: encryption and anti-analysis routines were isolated as ransomware-specific, while process and registry management features were grouped as benignware-specific. Models trained on the reduced set achieved higher Cohen's Kappa, lower log loss, and more balanced accuracy across classes, demonstrating the effectiveness of the proposed framework for robust and interpretable ransomware detection.

KW - correlation analysis

KW - cybersecurity

KW - dimensionality reduction

KW - feature clustering

KW - hierarchical clustering

KW - Ransomware detection

UR - https://www.scopus.com/pages/publications/105035393329

U2 - 10.1109/ICDMW69685.2025.00162

DO - 10.1109/ICDMW69685.2025.00162

M3 - Conference contribution

AN - SCOPUS:105035393329

T3 - IEEE International Conference on Data Mining Workshops, ICDMW

SP - 1366

EP - 1372

BT - Proceedings - 25th IEEE International Conference on Data Mining Workshops, ICDMW 2025

PB - IEEE Computer Society

T2 - 25th IEEE International Conference on Data Mining Workshops, ICDMW 2025

Y2 - 12 November 2025 through 15 November 2025

ER -

Class-Aware Hierarchical Feature Clustering for High-Dimensional Complex Ransomware Detection

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this