This work addresses the challenge of efficiently implementing machine unlearning in reinforcement learning–based ransomware detection to meet privacy compliance requirements. It introduces, for the first time, the SISA (Sharded, Isolated, Sliced, and Aggregated) framework into this domain, proposing a privacy-aware unlearning mechanism. By integrating Deep Q-Network (DQN) and Double DQN agents with a cost-sensitive reward design and Q-score confidence evaluation, the approach requires retraining only a single shard when deleting 5% of the training data. Experimental results demonstrate that the method significantly reduces retraining overhead while maintaining detection fidelity, with F1-score degradation limited to no more than 0.05%. Notably, Double DQN exhibits superior stability, achieving efficient, low-impact data removal without compromising high-performance ransomware detection.

Ransomware detection systems increasingly rely on behavior-based machine learning to address evolving attack strategies. However, emerging privacy compliance, data governance, and responsible AI deployment demand not only accurate detection but also the ability to efficiently remove the influence of specific training samples without retraining the models from scratch. In this study, we present a privacy-aware machine unlearning evaluation framework for reinforcement learning (RL)-based ransomware detection built on Sharded, Isolated, Sliced, and Aggregated (SISA) training. The framework enables efficient data deletion by retraining only the affected model shards rather than the entire detector, reducing the retraining cost while preserving detection performance. We conduct a controlled comparative study using value-based RL agents, including Deep Q-Network (DQN) and Double Deep Q-Network (DDQN), under identical experimental settings with a cost-sensitive reward design and 5-fold cross-validation on Windows 11 ransomware dataset. Detection confidence is evaluated using a continuous Q-score margin, enabling ROC-AUC analysis beyond binary predictions. For unlearning, the dataset is partitioned into five shards with majority-vote aggregation, and a fast-unlearning path is evaluated by deleting 5% of the samples from a single shard and retraining only that shard. Results show that SISA-based unlearning incurs negligible utility degradation (<= 0.05 percent F1 drop) while substantially reducing retraining time relative to full SISA retraining. DDQN exhibits slightly improved stability and lower utility loss than DQN, while both agents maintain near identical in-distribution performance after unlearning. These findings indicate that SISA provides an efficient unlearning mechanism for RL-based ransomware detection, supporting privacy-aware deployment without compromising security effectiveness.