基于注意力与门控机制的多特征融合恶意软件检测方法

doi:10.11959/j.issn.2096-109x.2024002

摘要/Abstract

摘要：

随着网络技术的飞速发展，恶意软件及其变种的数量不断增加，这使得恶意软件的检测成为网络安全领域面临的一大挑战。然而，现有的单一特征恶意软件检测方法在样本信息的表示上存在不足，而对于采用多特征的检测方法，它们在特征融合方面存在局限，未能有效地学习和理解特征内部及特征间的复杂关联，这些问题都会导致检测效果不佳。提出了一种基于多模态特征融合的恶意软件检测方法—— MFAGM。通过处理数据集的.asm和.bytes文件，成功提取了两种类型的3种关键特征（操作码统计序列、API序列和灰度图像特征），实现了从多个角度全面地表征样本信息。为了更好地融合这些多模态特征，设计了一个特征融合模块 SA-JGmu。该模块不仅采用自注意力机制捕获特征之间的内部依赖关系，还利用门控机制增强了不同特征的交互性，并巧妙地引入了权重跳跃连接以进一步优化模型的表示能力。最终，基于MMCC（Microsoft malware classification challenge）数据集的实验结果显示，MFAGM在恶意软件检测任务上与其他方法相比，达到了更高的准确率和F1分数。

关键词: 恶意软件检测, 深度学习, 特征融合, 多模态学习, 静态分析

Abstract:

With the rapid development of network technology, the number and variety of malware have been increasing, posing a significant challenge in the field of network security.However, existing single-feature malware detection methods have proven inadequate in representing sample information effectively.Moreover, multi-feature detection approaches also face limitations in feature fusion, resulting in an inability to learn and comprehend the complex relationships within and between features.These limitations ultimately lead to subpar detection results.To address these issues, a malware detection method called MFAGM was proposed, which focused on multimodal feature fusion.By processing the .asm and .bytes files of the dataset, three key features belonging to two types (opcode statistics sequences, API sequences, and grey-scale image features) were successfully extracted.This comprehensive characterization of sample information from multiple perspectives aimed to improve detection accuracy.In order to enhance the fusion of these multimodal features, a feature fusion module called SA-JGmu was designed.This module utilized the self-attention mechanism to capture internal dependencies between features.It also leveraged the gating mechanism to enhance interactivity among different features.Additionally, weight-jumping links were introduced to further optimize the representational capabilities of the model.Experimental results on the Microsoft malware classification challenge dataset demonstrate that MFAGM achieves higher accuracy and F1 scores compared to other methods in the task of malware detection.

Key words: malware detection, deep learning, feature fusion, multimodal learning, static analysis

中图分类号:

TP309.5

陈仲元, 张建标. 基于注意力与门控机制的多特征融合恶意软件检测方法[J]. 网络与信息安全学报, 2024, 10(1): 123-135.

Zhongyuan CHEN, Jianbiao ZHANG. Multi-feature fusion malware detection method based on attention and gating mechanisms[J]. Chinese Journal of Network and Information Security, 2024, 10(1): 123-135.

图/表 12

图1

图2

图3

图4

图5

图6

图7

图8

表1

表2

图9

表3

参考文献 35

[1]	BlackBerry. Global threat intelligence report[R]. 2023-11.
[2]	HAN W J , XUE J F , WANG Y ,et al. MalDAE:detecting and explaining malware based on correlation and fusion of static and dynamic characteristics[J]. Computers ＆ Security, 2019,83: 208-233.
[3]	KORCZYNSKI D , YIN H . Capturing malware propagations with code injections and code-reuse attacks[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017: 1691-1708.
[4]	RIZVI S K J , ASLAM W , SHAHZAD M ,et al. PROUD-MAL:static analysis-based progressive framework for deep unsupervised malware classification of windows portable executable[J]. Complex＆ Intelligent Systems, 2022,(2022): 1-13.
[5]	JOHNSON S , GOWTHAM R , NAIR A R . Ensemble model ransomware classification:a static analysis-based approach[M]// Inventive Computation and Information Technologies: Proceedings of ICICIT 2021. 2021: 153-167.
[6]	LOI N , BORILE C , UCCI D . Towards an automated pipeline for detecting and classifying malware through machine learning[J]. ArXiv Preprint arXiv:2106.05625, 2021.
[7]	BARBI S , BARBIERI F , MARINELLI S ,et al. Phase change material-sand mixtures for distributed latent heat thermal energy storage:Interaction and performance analysis[J]. Renewable Energy, 2021,169: 1066-1076.
[8]	CHANAJITT R , PFAHRINGER B , GOMES H M ,et al. Multiclass malware classification using either static opcodes or dynamic API calls[C]// Proceedings of Australasian Joint Conference on Artificial Intelligence. 2022: 427-441.
[9]	JING C , WU Y , CUI C Y . Ensemble dynamic behavior detection method for adversarial malware[J]. Future Generation Computer Systems, 2022,130: 193-206.
[10]	LI C , LV Q J , LI N ,et al. A novel deep framework for dynamic malware detection based on API sequence intrinsic features[J]. Computers ＆ Security, 2022,116:102686.
[11]	AFIANIAN A , NIKSEFAT S , SADEGHIYAN B ,et al. Malware dynamic analysis evasion techniques:a survey[J]. ACM Computing Surveys (CSUR), 2019,52(6): 1-28.
[12]	LEBBIE M , PRABHU S R , AGRAWAL A K . Comparative analysis of dynamic malware analysis tools[C]// Proceedings of the International Conference on Paradigms of Communication,Computing and Data Sciences:PCCDS 2021. 2021: 359-368.
[13]	GAO X W , HU C Z , SHAN C ,et al. Malware classification for the cloud via semi-supervised transfer learning[J]. Journal of Information Security and Applications, 2020,55:102661.
[14]	GIBERT D , MATEU C , PLANES J . A hierarchical convolutional neural network for malware classification[C]// Proceedings of 2019 International Joint Conference on Neural Networks (IJCNN). 2019: 1-8.
[15]	DU J , RAZA S H , AHMAD M ,et al. Digital forensics as advanced ransomware pre-attack detection algorithm for endpoint data protection[J]. Security and Communication Networks, 2022,(2022): 1-16.
[16]	KIM T G , KANG B J , BHO M ,et al. A multimodal deep learning method for android malware detection using various features[J]. IEEE Transactions on Information Forensics and Security, 2018,14(3): 773-788.
[17]	GIBERT D , MATEU C , PLANES J . HYDRA:a multimodal deep learning framework for malware classification[J]. Computers ＆ Security, 2020,95: 101873.
[18]	GIBERT D , MATEU C , PLANES J ,et al. Using convolutional neural networks for classification of malware represented as images[J]. Journal of Computer Virology and Hacking Techniques, 2019,(15): 15-28.
[19]	NARAYANAN B N , DJANEYE-BOUNDJOU O , KEBEDE T M . Performance analysis of machine learning and pattern recognition algorithms for malware classification[C]// Proceedings of 2016 IEEE National Aerospace and Electronics Conference (NAECON) and Ohio Innovation Summit (OIS). 2016: 338-342.
[20]	WOJNOWICZ M , CHISHOLM G , WOLFF M ,et al. Wavelet decomposition of software entropy reveals symptoms of malicious code[J]. Journal of Innovation in Digital Ecosystems, 2016,3(2): 130-140.
[21]	GIBERT D , MATEU C , PLANES J ,et al. Classification of malware by using structural entropy on convolutional neural networks[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2018,32(1).
[22]	RAFF E , BARKER J , SYLVESTER J ,et al. Malware detection by eating a whole exe[C]// Proceedings of Workshops at the Thirty-second AAAI Conference on Artificial Intelligence. 2018.
[23]	LE Q , BOYDELL O , MAC NAMEE B ,et al. Deep learning at the shallow end:malware classification for non-domain experts[J]. Digital Investigation, 2018,26: S118-S126.
[24]	GIBERT D , MATEU C , PLANES J . An end-to-end deep learning architecture for classification of malware’s binary content[C]// Proceedings of International Conference on Artificial Neural Networks. 2018: 383-391.
[25]	YOUSEFI-AZAR M , VARADHARAJAN V , HAMEY L ,et al. Autoencoder-based feature learning for cyber security applications[C]// 2017 International Joint Conference on Neural Networks (IJCNN). 2017: 3854-3861.
[26]	AHMADI M , ULYANOV D , SEMENOV S ,et al. Novel feature extraction,selection and fusion for effective malware family classification[C]// Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy. 2016: 183-194.
[27]	MCLAUGHLIN N , MARTINEZ DEL RINCON J , KANG B J ,et al. Deep android malware detection[C]// Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy. 2017: 301-308.
[28]	MAYS M , DRABINSKY N , BRANDLE S . Feature Selection for Malware Classification[C]// MAICS. 2017: 165-170.
[29]	RONEN R , RADU M , FEUERSTEIN C ,et al. Microsoft malware classification challenge[J]. ArXiv Preprint arXiv:1802.10135, 2018.
[30]	GIBERT D . PE parser:a python package for portable executable files processing[J]. Software Impacts, 2022,13:100365.
[31]	GIBERT D , PLANES J , MATEU C ,et al. Fusing feature engineering and deep learning:a case study for malware classification[J]. Expert Systems with Applications, 2022,207:117957.
[32]	BILAR D . Statistical structures:fingerprinting malware for classification and analysis[J]. Proceedings of Black Hat Federal 2006, 2006.
[33]	KIM Y . Convolutional neural networks for sentence classification[J]. ArXiv Preprint arXiv:1408.5882, 2014.
[34]	VASWANI A , SHAZEER N , PARMAR N ,et al. Attention is all you need[J]. Advances in Neural Information Processing Systems, 2017,30.
[35]	AREVALO J , SOLORIO T , MONTES-Y-GOMEZ M , ,et al. Gated multimodal units for information fusion[J]. ArXiv Preprint arXiv:1702.01992, 2017.

家族	数量/个	类别
Ramnit	1 541	蠕虫
Lollipop	2 478	广告软件
Kelihos_ver3	2 942	后门
Vundo	475	木马
Simda	42	后门
Tracur	751	木马下载器
Kelihos_ver1	398	后门
Obfuscator.ACY	1 228	混淆的恶意软件
Gatak	1 013	后门

模型	准确率	F1分数	精确率	召回率
API网络	97.29%	85.71%	85.14%	86.38%
Opcode网络	98.02%	97.39%	98.08%	96.81%
Image网络	96.50%	93.26%	93.86%	92.76%
MFAGM的完整模型	99.17%	99.03%	99.03%	99.02%

模型	准确率	F1分数	精确率	召回率
-A	98.94%	98.26%	97.75%	98.82%
-O	97.75%	93.99%	92.69%	96.52%
-I	98.85%	97.17%	95.89%	98.87%
-SA	98.71%	96.72%	95.63%	98.45%
-JGmu	98.99%	97.62%	97.64%	97.60%
-JC	99.03%	98.30%	97.69%	98.99%
-SA-JGmu	98.34%	98.08%	98.10%	98.11%
All	99.17%	99.03%	99.03%	99.02%