A Structural Dissection Framework for Ransomware Classification through Temporal Entropy Differentials in Binary Execution Patterns

Abstract

Entropy-driven execution analysis offers a pathway toward automated classification of binary threats without requiring code semantics, labeled datasets, or reverse engineering pipelines. A novel structural method based on Temporal Entropy Differentials (TED) is proposed to capture changes in byte-wise entropy across time during sandboxed execution of ransomware binaries. Matrix representations of entropy fluctuations allow projection into signal spaces that preserve temporal behaviors associated with memory encryption, key scheduling, and other operational stages. The classification model does not rely on static features, string tokens, or pretrained embeddings, and remains resilient across polymorphic samples exhibiting code obfuscation or packing. Evaluation across multiple ransomware families demonstrates consistent classification accuracy for binaries that exhibit active encryption stages with measurable entropy transitions. TED matrices offer interpretability through structural regularities, though detection sensitivity is reduced when payloads execute gradually, lack entropy volatility, or contain behaviors decoupled from encryption. Comparative analysis reveals that TED-based classification complements but does not replace methods relying on system call traces or semantic embeddings. False positives among entropy-intensive benign software indicate that further filtering or hybrid signal integration may improve performance under operational noise. Execution structure aligned with entropy morphology remains promising for classifying previously unseen ransomware variants under controlled conditions.
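The following sketch is an added example, not code from the article or its authors. It shows one way an entropy-differential matrix could be built from successive memory snapshots. The abstract does not give the window size, sampling interval, or exact matrix definition, so the 256-byte windows, the per-step subtraction, the `volatility` summary, and all function names are assumptions, and the snapshots are constructed sample data.

```python
import math
import random
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Byte-wise Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def entropy_profile(snapshot: bytes, window: int = 256) -> list[float]:
    """Entropy of each fixed-size window of one memory snapshot (assumed layout)."""
    return [shannon_entropy(snapshot[i:i + window])
            for i in range(0, len(snapshot), window)]

def ted_matrix(snapshots: list[bytes], window: int = 256) -> list[list[float]]:
    """Rows: consecutive time steps; columns: windows; cells: entropy change."""
    profiles = [entropy_profile(s, window) for s in snapshots]
    return [[b - a for a, b in zip(prev, cur)]
            for prev, cur in zip(profiles, profiles[1:])]

def volatility(matrix: list[list[float]]) -> float:
    """Largest absolute per-window entropy change seen at any step."""
    return max((abs(d) for row in matrix for d in row), default=0.0)

def build_traces(seed: int = 7):
    """Constructed sample data: three 1 KiB buffers observed over 5 steps."""
    rng = random.Random(seed)
    plain = (b"quarterly report draft " * 64)[:1024]
    noise = bytes(rng.randrange(256) for _ in range(1024))
    # "encrypting": one more 256-byte window turns high-entropy per step
    encrypting = [noise[:256 * t] + plain[256 * t:] for t in range(5)]
    # "static_packed": high entropy from the start, never changes
    static_packed = [noise] * 5
    # "idle": plaintext that is never modified
    idle = [plain] * 5
    return encrypting, static_packed, idle

if __name__ == "__main__":
    for name, trace in zip(("encrypting", "static_packed", "idle"), build_traces()):
        m = ted_matrix(trace)
        print(f"{name:14s} volatility={volatility(m):.2f} bits/byte")
        for row in m:
            print("   ", " ".join(f"{d:+5.2f}" for d in row))
```

In this constructed data the progressively overwritten buffer produces a diagonal band of large positive differentials, while the buffer that is high-entropy from the start and the untouched plaintext both yield all-zero matrices, which is the low-volatility case the abstract lists as a limitation.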
