Research on Application of Attention-CNN in Malware Detection

doi:10.3778/j.issn.1673-9418.2004069

Abstract

Abstract:

The attack of malware has become one of the most major threats to the Internet. What??s more, the existing malware data are huge and have multiple features. In order to extract the characteristics better and master the behaviors of malware, Attention-CNN malware detection model based on attention mechanism is proposed. Firstly, the Attention-CNN is constructed by combining convolutional neural network (CNN) and the attention mechanism. Secondly, the malwares are transformed into gray-scale images as the input of the detection model. The attention maps and detection results corresponding to the malware are obtained by training and testing the Attention-CNN model. Eventually, the important byte sequences extracted from the attention map are used for manual analysis to reveal the behaviors of malware. Experimental results show that, Attention-CNN can get better detection results than SVM (support vector machine), random forest, J48.trees and CNN without attention mechanism. Meanwhile, Attention-CNN improves the detection accuracy by 4.3 percentage points compared with vsNet. Moreover, the important byte sequences extracted from the attention map can effectively reduce the burden of manual analysis and obtain the relevant behaviors of malware, and make up for the non-interpretability of malware detection in the form of gray-scale image.

Key words: malware detection, convolutional neural network (CNN), attention mechanism, byte sequences, manual analysis

摘要：

恶意代码攻击已经成为互联网最重要的威胁之一，并且现存的恶意代码数据庞大，特征多样。为了更好地提取恶意代码特征以及掌握恶意代码的行为，提出了基于注意力机制的Attention-CNN恶意代码检测模型。首先结合卷积神经网络（CNN）和注意力机制，构建了Attention-CNN恶意代码检测模型；然后将恶意代码转化为灰度图像作为模型输入，通过对Attention-CNN模型训练及测试得到恶意代码对应的注意力图以及检测结果；最终将从恶意代码注意力图中提取的重要字节序列用于人工分析，以揭示恶意代码的相关行为。实验结果表明，相比于支持向量机（SVM）、随机森林、J48.trees以及未结合注意力机制的CNN，Attention-CNN取得了更好的检测效果。相比于vsNet，Attention-CNN在准确率方面提高了4.3个百分点。并且从注意力图中提取的重要字节序列能够有效减轻人工分析的负担，获取恶意代码的相关行为，同时弥补了灰度图形式的恶意代码检测的不可解释性。

关键词: 恶意代码检测, 卷积神经网络（CNN）, 注意力机制, 字节序列, 人工分析

MA Dan, WAN Liang, CHENG Qiqin, SUN Zhiqiang. Research on Application of Attention-CNN in Malware Detection[J]. Journal of Frontiers of Computer Science and Technology, 2021, 15(4): 670-681.

马丹, 万良, 程琪芩, 孙志强. Attention-CNN在恶意代码检测中的应用研究[J]. 计算机科学与探索, 2021, 15(4): 670-681.

References

[1] RiSing. 2019 China information security report[EB/OL]. [2020-04-28]. http://it.rising.com.cn/dongtai/19507.html.
瑞星. 2019年上半年中国网络安全报告[EB/OL]. [2020-04-28]. http://it.rising.com.cn/dongtai/19507.html.
[2] MOSER A, KRüGEL C, KIRDA E. Exploring multiple execution paths for malware analysis[C]//Proceedings of the 2007 IEEE Symposium on Security and Privacy, Oakland, May 20-23, 2007. Washington: IEEE Computer Society, 2007: 231-245.
[3] SEBASTIO S, BARANOV E, BIONDI F, et al. Optimizing symbolic execution for malware behavior classification[J]. Computers & Security, 2020, 93: 101775.
[4] FARHADI M R, FUNG B C M, CHARLAND P, et al. BinClone: detecting code clones in malware[C]//Proceedings of the 8th International Conference on Software Security and Reliability, San Francisco, Jun 30-Jul 2, 2014. Piscataway: IEEE, 2014: 78-87.
[5] GAO D B, REITER M K, SONG X D. BinHunt: automatically finding semantic differences in binary programs[C]//LNCS 5308: Proceedings of the 10th International Conference on Information and Communications Security, Birmingham, Oct 20-22, 2008. Berlin, Heidelberg: Springer, 2008: 238-255.
[6] GUO Y T, FAN W Q. Feature collection and selection in malware classification[C]//Proceedings of the 2019 International Conference on Artificial Intelligence and Advanced Manufacturing, Dublin, Oct 17-19, 2019. New York: ACM, 2019: 1-5.
[7] NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware images: visualization and automatic classification[C]//Proceedings of the 2011 International Symposium on Visualization for Cyber Security, Pittsburgh, Jul 20, 2011. New York:ACM, 2011: 4.
[8] AHMADI M, ULYANOV D, SEMENOV S, et al. Novel feature extraction, selection and fusion for effective malware family classification[C]//Proceedings of the 6th ACM Conference on Data and Application Security and Privacy, New Orleans, Mar 9-11, 2016. New York: ACM, 2016: 183-194.
[9] KRIZHEVSKY A, SUTSKEVER I, HINTON G. ImageNet classification with deep convolutional neural networks[C]//Proceedings of the 26th Annual Conference on Neural Information Processing Systems, Lake Tahoe, Dec 3-6, 2012. Red Hook: Curran Associates, 2012: 1106-1114.
[10] HINTON G, DENG L, YU D, et al. Deep neural networks for acoustic modeling in speech recognition: the shared views of four research groups[J]. IEEE Signal Processing Magazine, 2012, 29(6): 82-97.
[11] YU B, XU Z B, LI C H. Latent semantic analysis for text categorization using neural network[J]. Knowledge Based Systems, 2008, 21(8): 900-904.
[12] LONG T Y, WAN L, DING H W. Application research of autoencoder network in malicious JavaScript code detection[J]. Journal of Frontiers of Computer Science and Technology, 2019, 13(12): 2073-2084.
龙廷艳, 万良, 丁红卫. 自编码网络在JavaScript恶意代码检测中的应用研究[J]. 计算机科学与探索, 2019, 13(12): 2073-2084.
[13] CUI Z H, XUE F, CAI X J, et al. Detection of malicious code variants based on deep learning[J]. IEEE Transactions on Industrial Informatics, 2018, 14(7): 3187-3196.
[14] VASAN D, ALAZAB M, WASSAN S, et al. Image-based malware classification using ensemble of CNN architectures (IMCEC)[J]. Computers & Security, 2020, 92: 101748.
[15] NI S, QIAN Q, ZHANG R. Malware identification using visualization images and deep learning[J]. Computers & Security, 2018, 77: 871-885.
[16] WANG F, JIANG M Q, QIAN C, et al. Residual attention network for image classification[C]//Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, Jul 21-26, 2017. Washington: IEEE Computer Society, 2017: 6450-6458.
[17] LECUN Y, BENGIO Y, HINTON G. Deep learning[J]. Nature, 2015, 521(7553): 436.
[18] GU J X, WANG Z H, KUEN J, et al. Recent advances in convolutional neural networks[J]. Pattern Recognition, 2018, 77: 354-377.
[19] LIN Z, FENG M, SANTOS C N, et al. A structured self-attentive sentence embedding[J]. arXiv:1703.03130, 2017.
[20] HEAVEN V X. VX Heaven virus collection[EB/OL]. [2020-04-28]. http://vxheaven.org.
[21] VYAS R, LUO X, MCFARLAND N, et al. Investigation of malicious portable executable file detection on the network using supervised learning techniques[C]//Proceedings of the 2017 IFIP/IEEE Symposium on Integrated Network and Service Management, Lisbon, May 8-12, 2017. Piscataway:IEEE, 2017: 941-946.
[22] DAM K H T, TOUILI T. Learning malware using generalized graph kernels[C]//Proceedings of the 13th International Conference on Availability, Reliability and Security, Hamburg, Aug 27-30, 2018. New York: ACM, 2018: 1-6.
[23] DOVOM E M, AZMOODEH A, DEHGHANTANHA A, et al. Fuzzy pattern tree for edge malware detection and categorization in IoT[J]. Journal of Systems Architecture: Embedded Software Design, 2019, 97: 1-7.
[24] GOEL S, BAYKAL A, PON D. Botnets: the anatomy of a case[J]. Journal of Information Systems Security, 2006, 1(3): 1-12.
[25] GARCíA-CERVIGóN M, LLINàS M M. Browser function calls modeling for banking malware detection[C]//Proceedings of the 7th International Conference on Risks and Security of Internet and Systems, Cork, Oct 10-12, 2012. Washington: IEEE Computer Society, 2012: 1-7.