To enhance the efficiency of incident response triage operations, it is not cost-effective to defend all systems equally in a complex cyber environment. Instead, prioritizing the defense of critical functionality and the most vulnerable systems is desirable. Threat intelligence is crucial for guiding SOC analysts' focus toward specific system activity and provides the primary contextual foundation for interpreting security alerts. This paper explores novel approaches for improving incident response triage operations, including for ransomware attacks and zero-day malware. This solution for rapid prioritization of different ransomware has been developed to formulate fast response plans that minimize the socioeconomic damage caused by the massive growth of ransomware attacks in recent years; it can also be extended to other incident responses. To address this concern, we propose a ransomware triage approach that can rapidly classify and prioritize different ransomware classes. We utilize a pre-trained ResNet18 network within a Siamese Neural Network (SNN) to reduce biases in weights and parameters. In addition, our approach uses entropy features obtained directly from the binary ransomware files, which improves feature representation, is resilient to obfuscation noise, and is computationally less expensive. Evaluation shows that the classification component of our proposed approach achieves an accuracy exceeding .... and outperforms similar classifiers. This new triage strategy, based on task memory with meta-learning, evaluates the level of similarity matching across ransomware classes to identify any risky and unknown ransomware (e.g., zero-day attacks) so that a defense of the systems that support critical functionality can be conducted.
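The following is an added illustration of the triage idea in the abstract, written for this page rather than taken from the paper. It computes per-window Shannon entropy features directly from raw bytes, keeps one prototype vector and a priority per known ransomware class in a "task memory", and triages a new sample by its distance to the nearest prototype: a close match inherits that class's priority, while a sample that matches nothing in memory is flagged as unknown (a zero-day candidate) and given the top priority for analyst attention. The learned Siamese/ResNet18 embedding of the paper is replaced by the raw entropy vector with Euclidean distance, and the window size, feature length, threshold, class names, priorities and all byte samples are constructed assumptions for the demonstration.

```python
"""Entropy-feature ransomware triage sketch.

Added example, not the paper's code. The paper's Siamese ResNet18 embedding is
replaced (assumption) by the raw per-window entropy vector plus Euclidean
distance; every constant and sample below is constructed for illustration.
"""
import math
from collections import Counter

WINDOW = 256            # bytes per entropy window (assumed)
N_WINDOWS = 16          # fixed feature-vector length (assumed)
MATCH_THRESHOLD = 5.0   # max distance to a stored prototype to count as "known" (assumed)


def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte over one window (0.0 for empty input, at most 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_features(data: bytes) -> list[float]:
    """Fixed-length vector of per-window entropies, truncated or zero-padded to N_WINDOWS."""
    feats = [shannon_entropy(data[i:i + WINDOW]) for i in range(0, len(data), WINDOW)]
    feats = feats[:N_WINDOWS]
    return feats + [0.0] * (N_WINDOWS - len(feats))


def euclidean(a: list[float], b: list[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class TaskMemory:
    """Holds one prototype (mean feature vector) and a response priority per known class."""

    def __init__(self) -> None:
        self.prototypes: dict[str, list[float]] = {}
        self.priority: dict[str, int] = {}

    def remember(self, label: str, samples: list[bytes], priority: int) -> None:
        vecs = [entropy_features(s) for s in samples]
        self.prototypes[label] = [sum(col) / len(vecs) for col in zip(*vecs)]
        self.priority[label] = priority

    def triage(self, data: bytes) -> dict:
        """Assign the nearest known class, or 'unknown' with top priority if nothing is close."""
        q = entropy_features(data)
        label, dist = min(((lbl, euclidean(q, p)) for lbl, p in self.prototypes.items()),
                          key=lambda t: t[1])
        if dist <= MATCH_THRESHOLD:
            return {"label": label, "distance": dist, "priority": self.priority[label]}
        # No stored class is similar enough: treat as unknown (zero-day candidate), priority 0 = highest
        return {"label": "unknown", "distance": dist, "priority": 0}


def lcg_bytes(seed: int, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for packed/encrypted content (constructed)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed "known" samples: a low-entropy family and a high-entropy family, 4096 bytes each.
SAMPLES = {
    "locker": [b"ABCD" * 1024, b"WXYZ" * 1024],          # exactly 2.0 bits/byte per window
    "crypter": [lcg_bytes(1, 4096), lcg_bytes(2, 4096)],  # roughly 7 bits/byte per window
}

# Constructed queries: a variant of each family plus a half-and-half sample matching neither.
QUERIES = {
    "locker_variant": b"ABCDEFGH" * 512,                   # exactly 3.0 bits/byte per window
    "crypter_variant": lcg_bytes(7, 4096),
    "mixed_unknown": b"ABCD" * 512 + lcg_bytes(9, 2048),
}


def build_memory() -> TaskMemory:
    mem = TaskMemory()
    mem.remember("locker_family", SAMPLES["locker"], priority=2)
    mem.remember("crypter_family", SAMPLES["crypter"], priority=1)
    return mem


def run_triage() -> dict:
    mem = build_memory()
    return {name: mem.triage(d) for name, d in QUERIES.items()}


if __name__ == "__main__":
    for name, r in sorted(run_triage().items(), key=lambda kv: kv[1]["priority"]):
        print(f"{name:16s} -> {r['label']:16s} dist={r['distance']:.2f} priority={r['priority']}")
```

The locker variant lands at distance exactly 4.0 from the locker prototype (one bit per window across 16 windows) and is accepted; the mixed sample disagrees with every prototype on half of its windows, so it exceeds the threshold and is surfaced first as unknown. In practice the entropy vector would be fed to the trained SNN embedding and the threshold tuned on validation data rather than fixed by hand.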