Search papers, labs, and topics across Lattice.
This paper presents an auditable ransomware detection framework that combines deep reinforcement learning with multi-shard SISA to enable privacy-compliant unlearning of sensitive data. By employing a Double Deep Q-Network (DDQN) for reward-guided detection, the system effectively balances high detection performance with the ability to selectively remove learned samples, addressing critical privacy regulations like GDPR and CCPA. Experimental results show that the framework achieves an F1 score of 0.9925 and maintains minimal utility degradation during unlearning, significantly improving efficiency compared to full retraining.
Achieving near-perfect ransomware detection while ensuring compliance with privacy regulations through efficient and auditable unlearning methods.
Ransomware poses an escalating cybersecurity threat as attackers continuously modify behavioral patterns to evade static defenses. Although existing machine learning-based detectors often achieve strong predictive performance, they generally assume fixed training data and do not support the selective removal of previously learned samples. This limitation conflicts with privacy regulations such as the GDPR and CCPA, which require the removal of sensitive user data upon request. To address this challenge, we propose an auditable ransomware detection and unlearning framework that integrates deep reinforcement learning with multi-shard SISA retraining. In the proposed system, a Double Deep Q-Network (DDQN) learns a reward-guided detection policy from behavioral features under asymmetric security costs, while multi-shard SISA enables privacy-compliant selective sample removal through shard-level retraining. The framework was evaluated using four criteria: utility preservation, oracle-based forgetting validation, membership inference auditing, and computational efficiency. On a balanced Windows 11 behavioral dataset comprising 2,000 samples and 103 features, the baseline DDQN detector achieved an F1 score of 0.9925 and an AUC of 0.9983. The experimental results show that single-shard unlearning maintains minimal utility degradation and low oracle disagreement, whereas moderate shard counts (M = 5-10) provide the best efficiency-performance trade-off, reducing retraining time to 5-30 s compared with 80-330 s for full retraining. In addition, the membership inference scores remain close to 0.5 across most configurations, indicating limited privacy leakage after unlearning. These findings demonstrate that a privacy-compliant ransomware detection framework can jointly achieve high detection performance, auditable deletion verification, and efficient sample removal.