Journal of Frontiers of Computer Science and Technology ›› 2021, Vol. 15 ›› Issue (4): 670-681.DOI: 10.3778/j.issn.1673-9418.2004069

• Network and Information Security •

Research on Application of Attention-CNN in Malware Detection

MA Dan, WAN Liang, CHENG Qiqin, SUN Zhiqiang   

1. College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
2. Institute of Computer Software and Theory, Guizhou University, Guiyang 550025, China

Online: 2021-04-01   Published: 2021-04-02

Research on Application of Attention-CNN in Malware Detection

马丹, 万良, 程琪芩, 孙志强

1. College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
2. Institute of Computer Software and Theory, Guizhou University, Guiyang 550025, China

Abstract:

Malware attacks have become one of the most serious threats to the Internet. What's more, the existing malware data are huge in volume and diverse in features. In order to extract malware characteristics better and to understand malware behaviour, an Attention-CNN malware detection model based on the attention mechanism is proposed. Firstly, the Attention-CNN is constructed by combining a convolutional neural network (CNN) with the attention mechanism. Secondly, the malware samples are transformed into gray-scale images that serve as the input of the detection model. The attention maps and detection results corresponding to each malware sample are obtained by training and testing the Attention-CNN model. Eventually, the important byte sequences extracted from the attention map are used for manual analysis to reveal the behaviour of the malware. Experimental results show that Attention-CNN achieves better detection results than SVM (support vector machine), random forest, J48.trees and a CNN without the attention mechanism. Meanwhile, Attention-CNN improves the detection accuracy by 4.3 percentage points compared with vsNet. Moreover, the important byte sequences extracted from the attention map effectively reduce the burden of manual analysis, capture the relevant behaviours of the malware, and make up for the non-interpretability of malware detection in gray-scale image form.

Key words: malware detection, convolutional neural network (CNN), attention mechanism, byte sequences, manual analysis

Abstract:

Malware attacks have become one of the most serious threats to the Internet, and the existing malware data are large in volume and diverse in features. To better extract malware features and understand malware behaviour, an Attention-CNN malware detection model based on the attention mechanism is proposed. First, a convolutional neural network (CNN) is combined with the attention mechanism to build the Attention-CNN malware detection model; then the malware is converted into gray-scale images as the model input, and training and testing the Attention-CNN model yields the attention map and detection result corresponding to each malware sample; finally, the important byte sequences extracted from the malware attention maps are used for manual analysis to reveal the relevant behaviours of the malware. Experimental results show that, compared with support vector machines (SVM), random forest, J48.trees and a CNN without the attention mechanism, Attention-CNN achieves better detection performance. Compared with vsNet, Attention-CNN improves accuracy by 4.3 percentage points. Moreover, the important byte sequences extracted from the attention map effectively reduce the burden of manual analysis, capture the relevant behaviours of the malware, and compensate for the non-interpretability of malware detection in gray-scale image form.

Key words: malware detection, convolutional neural network (CNN), attention mechanism, byte sequences, manual analysis
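As an added illustration of the pipeline both abstracts describe (not code from the paper or its authors), the following shows the byte-to-gray-scale-image encoding and the reverse step that maps an attention map back to file offsets so an analyst receives byte sequences rather than pixels. The fixed image width, the attention threshold, the sample bytes and the attention map are all constructed assumptions; the abstract does not state the paper's width rule.

```python
# Added example (not the paper's code). Encodes a byte stream as the
# gray-scale image the abstract describes and maps an attention map back
# to byte offsets. Image width, threshold and inputs are assumptions.
from typing import List, Tuple

def bytes_to_grayscale(data: bytes, width: int) -> List[List[int]]:
    """One byte per pixel (0-255), laid out row by row; the last row is
    zero-padded so the image is rectangular. A fixed width is assumed
    here; the abstract does not state the paper's width rule."""
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1].extend([0] * (width - len(rows[-1])))
    return rows

def attention_to_byte_ranges(attention: List[List[float]], width: int,
                             threshold: float, file_len: int) -> List[Tuple[int, int]]:
    """Return merged [start, end) byte ranges whose pixel attention weight
    is >= threshold. Pixels in the zero-padded tail (offset >= file_len)
    carry no file content and are dropped, so analysts never receive
    padding bytes as 'important' sequences. Runs that wrap from the end
    of one image row to the start of the next merge, since offsets are
    contiguous in the file."""
    ranges: List[List[int]] = []
    for r, row in enumerate(attention):
        for c, weight in enumerate(row):
            offset = r * width + c
            if weight < threshold or offset >= file_len:
                continue
            if ranges and ranges[-1][1] == offset:   # extend current run
                ranges[-1][1] = offset + 1
            else:
                ranges.append([offset, offset + 1])
    return [(s, e) for s, e in ranges]

def important_byte_sequences(data: bytes, width: int,
                             attention: List[List[float]], threshold: float) -> List[bytes]:
    """Byte slices an analyst would inspect, in file order."""
    return [data[s:e] for s, e in
            attention_to_byte_ranges(attention, width, threshold, len(data))]

# Constructed sample: 21 bytes, width 8 -> 3 rows, last row padded by 3.
SAMPLE = bytes(range(21))
WIDTH = 8
# Constructed attention map (same shape as the image), standing in for
# what a trained Attention-CNN would emit; the last row's hot pixels
# spill into the padding and must be ignored.
ATTN = [[0.1] * 8,
        [0.1, 0.1, 0.9, 0.9, 0.8, 0.1, 0.1, 0.1],
        [0.1, 0.1, 0.1, 0.7, 0.9, 0.9, 0.9, 0.9]]

if __name__ == "__main__":
    for seq in important_byte_sequences(SAMPLE, WIDTH, ATTN, 0.5):
        print(seq.hex())   # 0a0b0c then 1314
```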