融合注意力机制的恶意代码家族分类研究

doi:10.3778/j.issn.1673-9418.2009066

摘要/Abstract

摘要：

近年来，随着恶意代码家族变种的多样化和混淆等对抗手段的不断加强，传统的恶意代码检测方法难以取得较好的分类效果。鉴于此，提出了一种融合注意力机制的恶意代码家族分类模型。首先，使用逆向反汇编工具获取恶意样本的各区段特征，并利用可视化技术将各区段转化为RGB彩色图像的各通道；其次，引入通道域和空间域注意力机制来构建基于混合域注意力机制的深度可分离卷积网络，从通道和空间两个维度提取恶意样本的图像纹理特征；最后，选取九类恶意代码家族对模型进行训练和测试。实验结果表明，使用单一区段特征对恶意代码家族分类的准确率较低，采用融合特征能够有效地区分各类恶意代码家族，同时该模型相比于传统的神经网络模型取得了更好的分类效果，模型的分类准确率达到了98.38%。

关键词: 恶意家族, 多分类, 混合域注意力机制, 深度可分离卷积, 融合特征

Abstract:

In recent years, with the diversification of malicious code family and the enhancement of confounding countermeasures, traditional detection methods for malicious code are difficult to achieve good classification effect. Therefore, a malicious code family classification model combining attention mechanism is proposed. Firstly, this paper uses the reverse disassembly tool to obtain the features of each section of the malicious sample, and uses visualization technology to convert each section into each channel of RGB color image. Secondly, the channel domain and spatial domain attention mechanism are introduced to build the depthwise separable convolution network based on the mixed domain attention mechanism, and the image texture features of the malicious samples are extracted from the channel and space dimensions. Finally, nine categories of malicious code family are selected to train and test the model. The experimental result shows that the accuracy of the classification of malicious code family by a single section feature is lower than that by fusion feature, which can effectively distinguish various types of malicious code family. Compared with traditional neural network models, the proposed model achieves better classification effect and the classification accuracy of the model reaches 98.38%.

Key words: malicious family, multiclassification, mixed domain attention mechanism, depthwise separable convolution, fusion feature

王润正, 高见, 仝鑫, 杨梦岐. 融合注意力机制的恶意代码家族分类研究[J]. 计算机科学与探索, 2021, 15(5): 881-892.

WANG Runzheng, GAO Jian, TONG Xin, YANG Mengqi. Research on Malicious Code Family Classification Combining Attention Mechanism[J]. Journal of Frontiers of Computer Science and Technology, 2021, 15(5): 881-892.

参考文献

[1] JEON S, MOON J. Malware-detection method with a con-volutional recurrent neural network using opcode sequences[J]. Information Sciences, 2020, 535: 1-15.
[2] KAKISIM A G, NAR M, SOGUKPINAR I. Metamorphic malware identification using engine-specific patterns based on co-opcode graphs[J]. Computer Standards & Interfaces, 2020, 71: 103443.
[3] ZHANG J X, QIN Z, YIN H, et al. A feature-hybrid malware variants detection using CNN based opcode embedding and BPNN based API embedding[J]. Computers & Security, 2019, 84: 376-392.
[4] LU X F, JIANG F S, ZHOU X, et al. ASSCA: API sequence and statistics features combined architecture for malware detection[J]. Computer Networks, 2019, 157: 99-111.
[5] AMER E, ZELINKA I. A dynamic windows malware detec-tion and prediction method based on contextual understand-ing of API call sequence[J]. Computers & Security, 2020, 92: 101760.
[6] HUANG K M, ZHANG L, ZHAO K, et al. Malware detec-tion based on longest frequent API sequence[J]. Journal of Sichuan University (Natural Science Edition), 2020, 57(4): 681-688.
黄琨茗, 张磊, 赵奎, 等. 基于最长频繁序列挖掘的恶意代码检测[J]. 四川大学学报(自然科学版), 2020, 57(4): 681-688.
[7] ZHENG R, WANG Q Y, FU J M, et al. A novel malware classification model based on deep learning[J]. Journal of Cyber Security, 2020, 5(1): 1-9.
郑锐, 汪秋云, 傅建明, 等. 一种基于深度学习的恶意软件家族分类模型[J]. 信息安全学报, 2020, 5(1): 1-9.
[8] ZHAO C R, ZHANG W J, FANG Y, et al. Malware detec-tion based on semantic API dependency graph[J]. Journal of Sichuan University (Natural Science Edition), 2020, 57(3): 488-494.
赵翠镕, 张文杰, 方勇, 等. 基于语义API依赖图的恶意代码检测[J]. 四川大学学报(自然科学版), 2020, 57(3): 488-494.
[9] ZHANG L, LAI Y, YE X J. Attention mechanism based detection of malware call sequences[J]. Computer Science, 2019, 46(12): 132-137.
张岚, 来耀, 叶晓俊. 基于注意力机制的恶意软件调用序列检测[J]. 计算机科学, 2019, 46(12): 132-137.
[10] NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware images: visualization and automatic classification[C]//Proceed-ings of the 8th International Symposium on Visualization for Cyber Security, Pittsburgh, Jul 20, 2011. New York: ACM, 2011: 1-7.
[11] VASAN D, ALAZAB M, WASSAN S, et al. IMCFN: image-based malware classification using fine-tuned convolutional neural network architecture[J]. Computer Networks, 2020, 171: 107138.
[12] FU J W, XUE J F, WANG Y, et al. Malware visualization for fine-grained classification[J]. IEEE Access, 2018, 6: 14510-14523.
[13] YAKURA H, SHINOZAKI S, NISHIMURA R, et al. Neural malware analysis with attention mechanism[J]. Computers & Security, 2019, 87: 101592.
[14] LU X D, DUAN Z M, QIAN Y K, et al. Malicious code classification method based on deep forest[J]. Journal of Software, 2020, 31(5): 1454-1464.
卢喜东, 段哲民, 钱叶魁, 等. 一种基于深度森林的恶意代码分类方法[J]. 软件学报, 2020, 31(5): 1454-1464.
[15] XIAO G, LI J, CHEN Y, et al. MalFCS: an effective malware classification framework with automated feature extraction based on deep convolutional neural networks[J]. Journal of Parallel and Distributed Computing, 2020, 141: 49-58.
[16] YUAN B G, WANG J F, LIU D, et al. Byte-level malware classification based on Markov images and deep learning[J]. Computers & Security, 2020, 92: 101740.
[17] CHOLLET F. Xception: deep learning with depthwise separ-able convolutions[C]//Proceedings of the 2017 IEEE Con-ference on Computer Vision and Pattern Recognition, Hono-lulu, Jul 21-26, 2017. Washington: IEEE Computer Society, 2017: 1800-1807.
[18] HOWARD A G, ZHU M L, CHEN B, et al. MobileNets: efficient convolutional neural networks for mobile vision applications[J]. arXiv:1704.04861, 2017．
[19] WOO S, PARK J, LEE J Y, et al. CBAM: convolutional block attention module[C]//LNCS 11211: Proceedings of the 15th European Conference on Computer Vision, Munich, Sep 8-14, 2018. Berlin, Heidelberg: Springer, 2018: 3-19.
[20] SEBASTIáN M, RIVERA R, KOTZIAS P, et al. AVclass: a tool for massive malware labeling[C]//LNCS 9854: Proceed-ings of the 19th International Symposium on Research in Attacks, Intrusions, and Defenses, Paris, Sep 19-21, 2016. Berlin, Heidelberg: Springer, 2016: 230-253.