针对恶意软件的高鲁棒性检测模型研究

doi:10.3969/j.issn.1671-1122.2024.08.005

摘要/Abstract

摘要：

近年来，恶意软件对网络空间安全的危害日益增大，为了应对网络环境中大规模的恶意软件检测任务，研究者提出了基于机器学习、深度学习的自动化检测方法。然而，这些方法需要在特征工程上耗费较多的时间，导致检测效率较低；同时，恶意软件对抗样本的存在也影响着这些方法做出正确的判断，对网络安全造成了危害。为此，文章提出一种鲁棒性较强的恶意软件检测方法MDCAM。该方法首先基于代码可视化技术分析了不同家族恶意软件以及恶意软件对抗样本的特征，并在此基础上构建了融合改进ConvNeXt网络、混合域注意力机制与FocalLoss函数的检测模型，显著提升了检测模型的综合能力及鲁棒性。

关键词: 恶意软件检测, 深度学习, 对抗样本

Abstract:

In recent years, malware has become increasingly harmful to the security of cyberspace. In order to cope with large-scale malware detection tasks in the network environment, researchers have proposed automatic detection methods based on machine learning and deep learning. However, these methods need to spend more time on feature engineering, resulting in low detection efficiency. At the same time, the existence of malware countersamples also affects these methods to make correct judgments, causing harm to information security. Therefore, this paper proposed a robust malware detection method (MDCAM). This method firstly analyzed the characteristics of different families of malware and malware adversarial examples based on code visualization technology, and then builded a detection model that integrated improved ConvNeXt network, mixed domain attention mechanism and FocalLoss function, which significantly improved the comprehensive ability and robustness of the detection model.

Key words: malware detection, deep learning, adversarial examples

中图分类号:

TP309

徐茹枝, 张凝, 李敏, 李梓轩. 针对恶意软件的高鲁棒性检测模型研究[J]. 信息网络安全, 2024, 24(8): 1184-1195.

XU Ruzhi, ZHANG Ning, LI Min, LI Zixuan. Research on a High Robust Detection Model for Malicious Software[J]. Netinfo Security, 2024, 24(8): 1184-1195.

图/表 22

图1

图2

表1

图3

图4

图5

图6

图7

图8

图9

表2

表3

图10

表4

表5

图11

表6

图12

图13

图14

图15

表7

参考文献 35

[1]	AV-TEST. Malware Statistics & Trends Report[EB/OL]. (2024-05-01)[2024-05-20]. https://www.av-test.org/en/statistics/malware/.
[2]	GLOBAL STATS. Desktop Operating System Market Share Worldwide[EB/OL]. (2024-05-04)[2024-05-20]. https://gs.statcounter.com/os-market-share/desktop/worldwide.
[3]	CNCERT/CC. 2020 China Internet Cyber Security Report[EB/OL]. (2021-07-21)[2024-05-12]. https://www.cert.org.cn/publish/main/46/2021/20210721130944504525772/20210721130944504525772_.html, 2020
	国家计算机网络应急技术处理协调中心. 2020年中国互联网网络安全报告[EB/OL]. (2021-07-21)[2024-05-12]. https://www.cert.org.cn/publish/main/46/2021/20210721130944504525772/20210721130944504525772_.html, 2020
[4]	SHU Longhui, DONG Shi, SU Huadong, et al. Android Malware Detection Methods Based on Convolutional Neural Network: A Survey[J]. IEEE Transactions on Emerging Topics in Computational Intelligence, 2023, 7(5): 1330-1350.
[5]	KOLOSNJAJI B, ZARRAS A, WEBSTER G, et al. Deep Learning for Classification of Malware System Call Sequences[C]// Australasian AI Community. Australasian Joint Conference on Artificial Intelligence. Hobart: Australasian AI Community, 2016: 137-149.
[6]	RAFF E, BARKER J, SYLVESTER J, et al. Malware Detection by Eating a Whole EXE[C]// AAAI. Workshops at the Thirty-Second AAAI Conference on Artificial Intelligence. Menlo Park: AAAI, 2018: 268-276.
[7]	GIBERT D, MATEU C, PLANES J. The Rise of Machine Learning for Detection and Classification of Malware: Research Developments, Trends and Challenges[J]. Journal of Network and Computer Applications, 2020, 153: 102526-102530.
[8]	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and Harnessing Adversarial Examples[EB/OL]. (2014-12-20)[2024-03-15]. https://arxiv.org/abs/1412.6572.
[9]	CASTRO R L, SCHMITT C, DREO G. Aimed: Evolving Malware with Genetic Programming to Evade Detection[C]// IEEE. 18th IEEE International Conference on Trust, Security And Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE). New York: IEEE, 2019: 240-247.
[10]	BERNARDI M L, CIMITILE M, DISTANTE D, et al. Dynamic Malware Detection and Phylogeny Analysis Using Process Mining[J]. International Journal of Information Security, 2019, 18(3): 257-284.
[11]	DAVID B, FILIOL E, GALLIENNE K. Structural Analysis of Binary Executable Headers for Malware Detection Optimization[J]. Journal of Computer Virology and Hacking Techniques, 2017, 13(2): 87-93.
[12]	KIRAT D, VIGNA G. Malgene: Automatic Extraction of Malware Analysis Evasion Signature[C]// ACM. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). New York: ACM, 2015: 769-780.
[13]	SCHULTZ M G, ESKIN E, ZADOK F, et al. Data Mining Methods for Detection of New Malicious Executables[C]// IEEE. Proceedings of 2001 IEEE Symposium on Security and Privacy. New York: IEEE, 2000: 38-49.
[14]	MOSKOVITCH R, STOPEL D, FEHER C, et al. Unknown Malcode Detection via Text Categorization and the Imbalance Problem[C]// IEEE. 2008 IEEE International Conference on Intelligence and Security Informatics. New York: IEEE, 2008: 156-161.
[15]	GALAL H S, MAHDY Y B, ATIEA M A. Behavior-Based Features Model for Malware Detection[J]. Journal of Computer Virology and Hacking Techniques, 2016, 12(2): 59-67.
[16]	RABADI D, TEO S G. Advanced Windows Methods on Malware Detection and Classification[C]// IEEE. Annual Computer Security Applications Conference (ACSAC). New York: IEEE, 2020: 54-68.
[17]	ZHANG Zhaoqi, QI Panpan, WANG Wei. Dynamic Malware Analysis with Feature Engineering and Feature Learning[C]// AAAI. Proceedings of the AAAI Conference on Artificial Intelligence (AAAI). Menlo Park: AAAI, 2020, 34(1): 1210-1217.
[18]	RAGHURAMAN C, SURESH S, SHIVSHANKAR S, et al. Static and Dynamic Malware Analysis Using Machine Learning[C]// Springer. Proceedings of the First International Conference on Sustainable Technologies for Computational Intelligence. Heidelberg: Springer, 2020: 793-806.
[19]	ANDERSON H S, ROTH P. Ember: An Open Dataset for Training Static Pe Malware Machine Learning Models[EB/OL]. (2018-04-12)[2024-05-07]. https://arxiv.org/abs/1804.04637.
[20]	SAXE J, BERLIN K. Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features[C]// IEEE. 2015 10th International Conference on Malicious and Unwanted Software (MALWARE). New York: IEEE, 2015, 20: 11-20.
[21]	ATHIWARATKUN B, STOKES J W. Malware Classification with LSTM and GRU Language Models and a Character-Level CNN[C]// IEEE. 2017 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). New York: IEEE, 2017: 2482-2486.
[22]	DONG Shi, SHU Longhui, NIE Shan. Android Malware Detection Method Based on CNN and DNN Bybrid Mechanism[J]. IEEE Transactions on Industrial Informatics, 2024, 20(5): 7744-7753.
[23]	NAEEM H, CHENG Xiaochun, ULLAH F, et al. A Deep Convolutional Neural Network Stacked Ensemble for Malware Threat Classification in Internet of Things[J]. Journal of Circuits, Systems and Computers, 2022, 31(17): 1-21.
[24]	NAEEM H, DONG Shi, FALANA O J, et al. Development of a Deep Stacked Ensemble with Process Based Volatile Memory Forensics for Platform Independent Malware Detection and Classification[J]. Expert Systems with Applications, 2023, 223: 119952-119957.
[25]	HEMALATHA J, ROSELINE S A, GEETHA S, et al. An Efficient Densenet-Based Deep Learning Model for Malware Detection[J]. Entropy, 2021, 23(3): 344-345.
[26]	WANG Changguang, ZHAO Ziqiu, WANG Fangwei, et al. A Novel Malware Detection and Family Classification Scheme for IoT Based on DEAM and DenseNet[J]. Security and Communication Networks, 2021, 2021(11): 1-16.
[27]	LIU Zhuang, MAO Hanzi, WU C Y, et al. A Convnet for the 2020s[C]// IEEE. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2022: 11976-11986
[28]	WOO S, PARK J, LEE J Y, et al. Cbam: Convolutional Block Attention Module[C]// Springer. Proceedings of the European Conference on Computer Vision (ECCV). Heiderberg: Springer, 2018: 3-19.
[29]	LIN T Y, GOYAL P, GIRSHICK R, et al. Focal Loss for Dense Object Detection[C]// IEEE. Proceedings of the IEEE International Conference on Computer Vision. New York: IEEE, 2017: 2980-2988.
[30]	HU Jie, SHEN Li, SUN Gang. Squeeze-and-Excitation Networks[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2018: 7132-7141.
[31]	HOU Qibin, ZHOU Daquan, FENG Jieshi. Coordinate Attention for Efficient Mobile Network Design[C]// IEEE. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2021: 13713-13722.
[32]	RAFF E, BARKER J, SYLVESTER J, et al. Malware Detection by Eating a Whole Exe[C]// AAAI. Workshops at the Thirty-Second AAAI Conference on Artificial Intelligence. Menlo Park: AAAI, 2018: 268-276.
[33]	DEMETRIO L, BIGGIO B, LAGORIO G, et al. Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware[J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 3469-3478.
[34]	NISI D, GRAZIANO M, FRATANTONIO Y, et al. Lost in the Loader: The Many Faces of the Windows PE File Format[C]// ACM. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses. New York: ACM, 2021: 177-192.
[35]	ANDERSON H S, ROTH P. Ember: An Open Dataset for Training Static Pe Malware Machine Learning Models[EB/OL]. (2018-04-12)[2024-05-07]. https://arxiv.org/abs/1804.04637.

文件大小/KB	图像宽度/像素
<10	32
10~30	64
30~60	128
60~100	256
100~200	384
200~500	512
500~1000	768
>1000	1024

卷积核大小	精确率	召回率	F1值	准确率
3?3	96.13%	97.03%	96.58%	98.30%
5?5	95.85%	96.72%	96.28%	98.20%
7?7	95.45%	96.52%	95.98%	98.16%
9?9	96.94%	94.10%	95.50%	98.25%

Stage	精确率	召回率	F1值	准确率
3,3,9,3	96.13%	97.03%	96.58%	98.30%
3,3,3	98.24%	98.31%	98.27%	98.39%
3,9,3	98.28%	98.31%	98.29%	98.43%
3,3,9	98.38%	98.16%	98.26%	98.39%
9,3,3	98.36%	98.34%	98.34%	98.53%
9,3,3+FocalLoss	98.40%	98.37%	98.38%	98.57%

位置	精确率	召回率	F1值	准确率
1	98.52%	98.32%	98.42%	98.57%
2	98.55%	98.25%	98.40%	98.62%
3	98.65%	98.38%	98.51%	98.76%

方法	精确率	召回率	F1值	准确率	Flops/次
Baseline	98.40%	98.37%	98.38%	98.57%	4.7395
Baseline+SE	95.97%	96.61%	96.26%	98.25%	4.7507
Baseline+CA	98.37%	96.83%	97.59%	98.39%	4.7540
Baseline +CBAM	98.65%	98.38%	98.51%	98.76%	5.1865
MDCAM(本文)	98.71%	98.62%	98.67%	98.76%	4.7589