Class-Aware Hierarchical Feature Clustering for High-Dimensional Complex Ransomware Detection

High-dimensional ransomware detection datasets are challenging for machine learning due to sparsity, nonlinearity, and heterogeneous feature distributions. Conventional dimensionality reduction often overlooks class-conditional correlations and fails to preserve semantic distinctions between static and dynamic behaviors. To address this problem, we propose a correlation-driven, class-aware hierarchical feature clustering framework that mainly groups features into ransomwarespecific, benign-specific, and shared clusters, with model-optimized thresholds. Static opcode features and dynamic features are kept in separate partitions, ensuring preservation of behavioral semantics. Experimental evaluation on balanced datasets shows that the framework reduces dimensionality while improving interpretability and efficiency. Random Forest training time decreased by 70.7% and misclassification of ransomware samples dropped by 2.07%. The derived feature clusters provided clear semantic separation: encryption and anti-analysis routines were isolated as ransomware-specific, while process and registry management features were grouped as benignware-specific. Models trained on the reduced set achieved higher Cohen's Kappa, lower log loss, and more balanced accuracy across classes, demonstrating the effectiveness of the proposed framework for robust and interpretable ransomware detection.