Experiments

First baseline experiment. Train GIN on the internal_only FCG dataset using a standard stratified 70/15/15 train/val/test split to establish a performance reference for graph-based ransomware detection.

Train GIN on the full_fcg dataset (all methods, internal + external) to compare with the internal_only result from Experiment 02.

Train GCN on the internal_only dataset to compare GNN architectures. Same hyperparameters and data split as GIN experiments.

Train GCN on the full_fcg dataset to complete the GCN comparison across both graph representations.

Train GAT on the internal_only dataset to complete the three-model architecture comparison (GIN, GCN, GAT).

Train GAT on the full_fcg dataset to complete the 3-model x 2-dataset baseline grid.

4-fold cross-validation of GIN on internal_only to verify that the strong baseline result from Experiment 02 is not due to a lucky train/test split. Each fold uses a different 25% of the data as the test set.

Hold out simplelocker and wipelocker families entirely from training. Test whether GIN can detect ransomware families it has never seen during training. These two families were chosen as the first holdout test.

Hold out wannalocker and blackroselucy families from training. Same setup as Experiment 10 but with different held-out families to test whether generalisation depends on which families are excluded.

Full leave-one-family-out (LOFO) evaluation of GIN on internal_only. Trains 6 separate models, each time holding out one ransomware family entirely, to systematically measure whether the baseline can detect ransomware families not seen during training.