面向恶意代码检测的深度注意力网络架构

doi:10.3969/j.issn.1671-1122.2025.08.003

摘要/Abstract

摘要：

针对恶意代码变种激增导致传统检测方法效能不足的问题，文章提出一种基于混合多尺度注意力网络的恶意代码分类架构MSA-ResNet。该架构通过双线性插值算法实现图像尺寸标准化，有效保留易混淆恶意代码家族的纹理特征，并结合动态数据增强策略优化输入多样性。在网络架构中，将多尺度注意力模块嵌入ResNet50残差块末端，构建跨尺度特征交互机制，使特征点关联距离缩短，注意力收敛速度提升。实验结果表明，架构在Malimg数据集上实现99.47%的准确率与99.46%的宏平均F1分数，较传统ResNet50架构提升1.95%，参数量仅增加15%。与现有最优方法相比，分类精度提升0.49%，且对Obfuscator.AD等复杂恶意代码变种检测有效。

关键词: 恶意代码可视化, 卷积神经网络, 多尺度注意力机制, 图像尺寸归一化算法, 特征融合

Abstract:

To address the performance limitations of traditional detection methods caused by the proliferation of malware variants, this paper proposed a Hybrid Multi-Scale Attention Network MSA-ResNet for malware classification. The framework employed a bilinear interpolation algorithm to standardize image sizes while effectively preserving texture features of easily confusable malware families, combined with dynamic data augmentation to optimize input diversity. In the network architecture, a Multi-scale Attention Module was embedded at the end of ResNet50 residual blocks to establish cross-scale feature interaction, reducing feature point correlation distances and improving attention convergence speed. Experimental results demonstrate that the model achieves 99.47% accuracy and 99.46% macro-average F1-score on the Malimg dataset, outperforming the baseline ResNet50 by 1.95% with only a 15% increase in parameters. Compared to state-of-the-art methods, it improves classification accuracy by 0.49% and shows effectiveness in detecting complex variants like Obfuscator.AD.

Key words: malicious code visualization, convolutional neural network, multi-headed attention mechanism, image size normalization algorithm, feature fusion

中图分类号:

TP309

李思聪, 王飞, 魏子令, 陈曙晖. 面向恶意代码检测的深度注意力网络架构[J]. 信息网络安全, 2025, 25(8): 1208-1222.

LI Sicong, WANG Fei, WEI Ziling, CHEN Shuhui. Deep Attention Network Architecture for Malicious Code Detection[J]. Netinfo Security, 2025, 25(8): 1208-1222.

图/表 23

图1

图2

表1

图3

图4

图5

图6

图7

图8

图9

表2

表3

图10

表4

表5

图11

表6

图12

表7

图13

表8

图14

表9

参考文献 48

[1]	China Internet Network Information Centre. The 55th Statistical Report on the Development of the Internet in China[EB/OL]. (2025-01-17)[2025-04-15]. https://www.cnnic.net.cn/.
	中国互联网络信息中心. 第55次《中国互联网络发展状况统计报告》[EB/OL]. (2025-01-17)[2025-04-15]. https://www.cnnic.net.cn/.
[2]	National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC). 2021 First Half Year China Internet Network Security Monitoring Data Analysis Report[EB/OL]. (2021-06-30)[2025-04-15]. https://www.cert.org.cn/.
	国家计算机网络应急技术处理协调中心(CNCERT/CC). 2021年上半年我国互联网网络安全监测数据分析报告[EB/OL]. (2021-06-30)[2025-04-15]. https://www.cert.org.cn/.
[3]	DAMODARAN A, TROIA F D, VISAGGIO C A, et al. A Comparison of Static, Dynamic, and Hybrid Analysis for Malware Detection[J]. Journal of Computer Virology and Hacking Techniques, 2017, 13: 1-12.
[4]	ALAZAB M. Profiling and Classifying the Behavior of Malicious Codes[J]. Journal of Systems and Software, 2015, 100: 91-102.
[5]	WANG Shuo, WANG Jian, WANG Ya'nan, et al. A Fast Malicious Code Detection Method Based on Feature Fusion[J]. Acta Electronica Sinica, 2023, 51(1): 57-66. doi: 10.12263/DZXB.20211701
	王硕, 王坚, 王亚男, 等. 一种基于特征融合的恶意代码快速检测方法[J]. 电子学报, 2023, 51(1):57-66. doi: 10.12263/DZXB.20211701
[6]	CONTI G, BRATUS S, SHUBINA A, et al. Automated Mapping of Large Binary Objects Using Primitive Fragment Type Classification[J]. Digital Investigation, 2010, 7: 3-12.
[7]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification[C]// ACM. The 8th International Symposium on Visualization for Cyber Security. New York: ACM, 2011: 1-7.
[8]	HAN Xiaoguang, QU Wu, YAO Xuanxia, et al. Research on Malicious Code Variants Detection Based on Texture Fingerprint[J]. Journal on Communications, 2014, 35(8): 125-136. doi: 10.3969/j.issn.1000-436x.2014.08.016
	韩晓光, 曲武, 姚宣霞, 等. 基于纹理指纹的恶意代码变种检测方法研究[J]. 通信学报, 2014, 35(8):125-136. doi: 10.3969/j.issn.1000-436x.2014.08.016
[9]	NATARAJ L, YEGNESWARAN V, PORRAS P, et al. A Comparative Assessment of Malware Classification Using Binary Texture Analysis and Dynamic Analysis[C]// ACM. The 4th ACM Workshop on Security and Artificial Intelligence. New York: ACM, 2011: 21-30.
[10]	WANG Jialai, ZHANG Chao, QI Xuyan, et al. A Survey of Intelligent Malware Detection on Windows Platform[J]. Journal of Computer Research and Development, 2021, 58(5): 977-994.
	汪嘉来, 张超, 戚旭衍, 等. Window平台恶意软件智能检测综述[J]. 计算机研究与发展, 2021, 58(5):977-994.
[11]	REN Zhuojun, CHEN Guang, LU Wenke. Malware Visualization Methods Based on N-Gram Features[J]. Acta Electronica Sinica, 2019, 47(10): 2108-2115. doi: 10.3969/j.issn.0372-2112.2019.10.012
	任卓君, 陈光, 卢文科. 基于N-gram特征的恶意代码可视化方法[J]. 电子学报, 2019, 47(10):2108-2115. doi: 10.3969/j.issn.0372-2112.2019.10.012
[12]	NATARAJ L, MANJUNATH B S. SPAM: Signal Processing to Analyze Malware[J]. IEEE Signal Processing Magazine, 2016, 33(2): 105-117. doi: 10.1109/MSP.2015.2507185
[13]	KANCHERLA K, MUKKAMALA S. Image Visualization Based Malware Detection[C]// IEEE. 2013 IEEE Symposium on Computational Intelligence in Cyber Security. New York: IEEE, 2013: 40-44.
[14]	LIU Yashu, WANG Zhihai, YAN Hanbing, et al. Method of Anti-Confusion Texture Feature Descriptor for Malware Images[J]. Journal on Communications, 2018, 39(11): 44-53. doi: 10.11959/j.issn.1000-436x.2018227
	刘亚姝, 王志海, 严寒冰, 等. 抗混淆的恶意代码图像纹理特征描述方法[J]. 通信学报, 2018, 39(11):44-53. doi: 10.11959/j.issn.1000-436x.2018227
[15]	NAEEM H, GUO Bing, NAEEM M R, et al. Identification of Malicious Code Variants Based on Image Visualization[J]. Computers & Electrical Engineering, 2019, 76: 225-237.
[16]	LU Xidong, DUAN Zhemin, QIAN Yekui, et al. Malicious Code Classification Method Based on Deep Forest[J]. Journal of Software, 2020, 31(5): 1454-1464.
	卢喜东, 段哲民, 钱叶魁, 等. 一种基于深度森林的恶意代码分类方法[J]. 软件学报, 2020, 31(5):1454-1464.
[17]	GIBERT D, MATEU C, PLANES J, et al. Using Convolutional Neural Networks for Classification of Malware Represented as Images[J]. Journal of Computer Virology and Hacking Techniques, 2019, 15(1): 15-28.
[18]	VASAN D, ALAZAB M, WASSAN S, et al. IMCFN: Image-Based Malware Classification Using Fine-Tuned Convolutional Neural Network Architecture[EB/OL]. (2025-01-17)[2025-04-15].https://www.cnnic.net.cn/.
[19]	KABANGA E K, KIM C H. Malware Images Classification Using Convolutional Neural Network[J]. Journal of Computer and Communications, 2018, 6(1): 153-158.
[20]	CUI Zhihua, XUE Fei, CAI Xingjuan, et al. Detection of Malicious Code Variants Based on Deep Learning[J]. IEEE Transactions on Industrial Informatics, 2018, 14(7): 3187-3196.
[21]	CUI Zhihua, DU Lei, WANG Penghong, et al. Malicious Code Detection Based on CNNs and Multi-Objective Algorithm[J]. Journal of Parallel and Distributed Computing, 2019, 129: 50-58. doi: 10.1016/j.jpdc.2019.03.010
[22]	HE Kaiming, ZHANG Xiangyu, REN Shaoqing, et al. Deep Residual Learning for Image Recognition[C]// IEEE. 2016 IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2016: 770-778.
[23]	ZHANG Chenjia, ZHU Lei, CHEN Pu, et al. Individual Recognition Method of Communication Emitter Based on Attention Mechanism[J]. Communications Technology, 2021, 54(7): 1594-1600.
	张宸嘉, 朱磊, 陈璞, 等. 基于注意力机制的通信辐射源个体识别方法[J]. 通信技术, 2021, 54(7):1594-1600.
[24]	ZHOU Chenchao, CHEN Qun, LI Zhanhuai, et al. Evaluation Object Category Determination Based on Attention and Two-Way LSTM[J]. Journal of Northwestern Polytechnical University, 2019, 37 (3): 558-564.
	周陈超, 陈群, 李战怀, 等. 基于注意力和双向LSTM的评价对象类别判定[J]. 西北工业大学学报, 2019, 37(3):558-564.
[25]	VASWANI A, SHAZEER N, PARMAR N, et al. Attention All You Need[C]// Neural Information Processing Systems. The 31st International Conference on Neural Information Processing Systems. New York: Curran Associates, 2017: 6000-6010.
[26]	RONEN R, RADU M, FEUERSTEIN C, et al. Microsoft Malware Classification Challenge[EB/OL]. (2018-02-22)[2025-04-15]. https://arxiv.org/abs/1802.10135.
[27]	LI Qi, MI Jiaxin, LI Weishi, et al. CNN-Based Malware Variants Detection Method for Internet of Things[J]. IEEE Internet of Things Journal, 2021, 8(23): 16946-16962. doi: 10.1109/JIOT.2021.3075694
[28]	SUDHAKAR S K. MCFT-CNN: Malware Classification with Fine-Tuning Convolution Neural Networks Using Traditional and Transfer Learning in the Internet of Things[J]. Future Generation Computer Systems, 2021, 125: 334-351.
[29]	VINAYAKUMAR R, ALAZAB M, SOMAN K P, et al. Robust Intelligent Malware Detection Using Deep Learning[J]. IEEE Access, 2019, 7: 46717-46738. doi: 10.1109/ACCESS.2019.2906934
[30]	VENKATRAMAN S, ALAZAB M, VINAYAKUMAR R. A Hybrid Deep Learning Image-Based Analysis for Effective Malware Detection[J]. Journal of Information Security and Applications, 2019, 47: 377-389.
[31]	NAEEM H, GUO Bing, ULLAH F, et al. A Cross-Platform Malware Variant Classification Based on Image Representation[J]. KSII Transactions on Internet and Information Systems, 2019, 13(7): 3756-3777.
[32]	VERMA V, MUTTOO S K, SINGH V B. Multiclass Malware Classification via First- and Second-Order Texture Statistics[EB/OL]. (2020-10-01)[2025-04-15]. https://doi.org/10.1016/j.cose.2020.101895.
[33]	ROSELINE S A, GEETHA S, KADRY S, et al. Intelligent Vision-Based Malware Detection and Classification Using Deep Random Forest Paradigm[J]. IEEE Access, 2020, 8: 206303-206324.
[34]	NAEEM H, ULLAH F, NAEEM M R, et al. Malware Detection in Industrial Internet of Things Based on Hybrid Image Visualization and Deep Learning Model[EB/OL]. (2020-08-01)[2025-04-15]. https://doi.org/10.1016/j.adhoc.2020.102154.
[35]	ANANDH V, VINOD P, MENON V G. Malware Visualization and Detection Using DenseNets[J]. Personal and Ubiquitous Computing, 2021, 28: 153-169.
[36]	WANG Changguang, ZHAO Ziqiu, WANG Fangwei, et al. A Novel Malware Detection and Family Classification Scheme for IoT Based on DEAM and DenseNet[EB/OL]. (2021-01-05)[2025-04-15]. https://doi.org/10.1155/2021/6658842.
[37]	MOUSSAS V, ANDREATOS A. Malware Detection Based on Code Visualization and Two-Level Classification[EB/OL]. (2021-03-11)[2025-04-15]. https://doi.org/10.3390/info12030118.
[38]	SUDHAKAR, KUMAR S. MCFT-CNN: Malware Classification with Fine-Tuned Convolution Neural Networks Using Traditional and Transfer Learning in the Internet of Things[J]. Future Generation Computer Systems, 2021, 125: 334-351.
[39]	KUMAR S, JANET B. DTMIC: Deep Transfer Learning for Malware Image Classification[EB/OL]. (2022-02-01)[2025-04-15]. https://doi.org/10.1016/j.jisa.2021.103063.
[40]	VU D L, NGUYEN T K, NGUYEN T V, et al. A Convolutional Transformation Network for Malware Classification[C]// IEEE. 2019 6th NAFOSTED Conference on Information and Computer Science. New York: IEEE, 2019: 234-239.
[41]	LE Quan, BOYDELL O, MAC N B, et al. Deep Learning at the Shallow End: Malware Classification for Non-Domain Experts[J]. Digital Investigation, 2018, 26: 118-126.
[42]	QIAO Yanchen, JIANG Qingshan, JIANG Zhenchao, et al. A Multi-Channel Visualization Method for Malware Classification Based on Deep Learning[C]// IEEE. 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering. New York: IEEE, 2019: 757-762.
[43]	CHEN Jun, GUO Shize, MA Xin, et al. SLAM: A Malware Detection Method Based on Sliding Local Attention Mechanism[EB/OL]. (2020-09-25)[2025-04-15]. https://doi.org/10.1155/2020/6724513.
[44]	HUO Xuan, LI Ming, ZHOU Zhihua. Control Flow Graph Embedding Based on Multi-Instance Decomposition for Bug Localization[C]// AAAI. The AAAI Conference on Artificial Intelligence. Menlo Park: AAAI, 2020: 4223-4230.
[45]	MOON H J, BU S J, CHO S B. Directional Graph Transformer-Based Control Flow Embedding for Malware Classification[C]// Springer. Intelligent Data Engineering and Automated Learning-IDEAL 2021: 22nd International Conference. Heidelberg: Springer, 2021: 426-436.
[46]	BURNAEV E, SMOLYAKOV D. One-Class SVM with Privileged Information and Its Application to Malware Detection[C]// IEEE. 2016 IEEE 16th International Conference on Data Mining Workshops. New York: IEEE, 2016: 273-280.
[47]	NARAYANAN B N, DJANEYE-BOUNDJOU O, KEBEDE T M. Performance Analysis of Machine Learning and Pattern Recognition Algorithms for Malware Classification[C]// IEEE. 2016 IEEE National Aerospace and Electronics Conference (NAECON) and Ohio Innovation Summit (OIS). New York: IEEE, 2016: 338-342.
[48]	SHAO Yanli, LU Yang, WEI Dan, et al. Malicious Code Classification Method Based on Deep Residual Network and Hybrid Attention Mechanism for Edge Security[EB/OL]. (2022-01-01)[2025-04-15]. https://doi.org/10.1155/2022/3301718.

文件大小/KB	宽度/像素
<10	32
10 ~30	64
30 ~60	128
60 ~100	256
100 ~200	384
200 ~500	512
500 ~1000	768
>1000	1024

家族名称	标签编号	样本数/个	类型
Allaple.A Allaple.L VB.AT Yuner.A	3	2824	Worm
	4	1491
	23	383
	25	775
Autorun.K	6	81	Worm: AutoIT
Alueron.gen!J C2LOP.gen!g C2LOP.P Malex.gen!J Skintrim.N	5	173	Trojan
	7	175
	8	121
	17	111
	20	55
Adialer.C Dialplatform.B Instantaccess	1	97	Dialer
	9	152
	12	356
Lolyda.AA1 Lolyda.AA2 Lolyda.AA3 Lolyda.AT	13	153	PWS
	14	159
	15	98
	16	134
Dontovo.A Obfuscator.AD Swizzor.gen!E Swizzor.gen!I Wintrim.BX	10	137	Trojan Downloader
	18	117
	21	103
	22	107
	24	72
Fakerean	11	306	Rogue
Agent.FYI	2	91	Backdoor
Rbot!gen	19	133	Backdoor

家族名称	标签编号	样本数/个	类型
Ramnit	1	1541	Worm
Lollipop	2	2478	Adware
Kelihos_ver3	3	2942	Backdoor
Vundo	4	474	Trojan
Simda	5	42	Backdoor
Tracur	6	751	TrojanDownloader
Kelihos_ver1	7	398	Backdoor
Obfuscator.ACY	8	1228	各种混淆代码
Gatak	9	1013	Backdoor

参数量	准确率	精确率	召回率	F1值	Parameters
32×32	84.28%	83.44%	84.27%	82.82%	0.31×10⁶
64×64	94.22%	93.08%	94.22%	93.26%	0.35×10⁶
128×128	98.61%	98.61%	98.60%	98.60%	0.50×10⁶
256×256	99.47%	99.49%	99.47%	99.46%	1.11×10⁶
512×512	99.04%	99.18%	99.04%	99.06%	3.58×10⁶

优化器	准确率	精确率	召回率	F1值
Adagrade	97.20%	96.26%	97.20%	96.68%
Adamax	97.67%	96.71%	97.67%	97.13%
Adam	98.32%	98.38%	98.32%	98.30%
NAdam	99.00%	99.08%	99.00%	99.01%
RAdam	99.47%	99.49%	99.47%	99.46%