A Malicious Code Recognition Model Fusing Image Spatial Feature Attention Mechanism

doi:10.3969/j.issn.1671-1122.2023.12.004

Abstract

Abstract:

When converted into images, malicious software exhibits two prominent characteristics. Firstly, during the visualization process, black pixels are typically added to pad the end of the file, creating a distinct separation in the image between significant features (code part) and non-significant features (filled part). Secondly, there is a semantic feature correlation among code segments that is preserved in sequential pixel conversion. While existing models for malicious code detection have achieved reasonably good recognition results to some extent, they have not been specifically designed to leverage the unique traits of malicious code. Consequently, their capability to extract deep-level features from malicious images has been relatively weak and often requires complex model architectures. Therefore, this paper proposed a novel model for detecting malicious code that addressed two key characteristics of malicious images. Firstly by transforming original malicious code into images and applying preprocessing techniques. Secondly by utilizing an FA-SA module for extracting key features along with two FA-SeA modules for capturing pixel-wise correlations. This model not only simplifies the architecture but also enhances its capability for deep-level feature extraction thereby improving detection accuracy. On the Malimg dataset, our model achieves an accuracy of 96.38%, representing a 3.56% improvement compared to previous CNN-based models. Experimental results highlight the effectiveness of designing network models based on the characteristics of malicious images with significant contributions from our proposed fusion attention module towards enhancing recognition performance.

Key words: deep learning, malicious code recognition, malicious image, attention

CLC Number:

TP309

LIU Jun, WU Zhichao, WU Jian, TAN Zhenhua. A Malicious Code Recognition Model Fusing Image Spatial Feature Attention Mechanism[J]. Netinfo Security, 2023, 23(12): 29-37.

Figures/Tables 14

References 21

[1]	SOURI A, HOSSENINI R. A State-of-the-Art Survey of Malware Detection Approaches Using Data Mining Techniques[J]. Human-Centric Computing and Information Sciences, 2018, 8(1): 1-22. doi: 10.1186/s13673-017-0124-3
[2]	YE Yanfang, LI Tao, ADJEROH D, et al. A Survey on Malware Detection Using Data Mining Techniques[J]. ACM Computing Surveys (CSUR), 2017, 50(3): 1-40.
[3]	SIMONYAN K, ZISSERMAN A. Very Deep Convolutional Networks for Large-Scale Image Recognition[EB/OL]. (2014-09-04)[2023-09-10]. https://arxiv.org/abs/1409.1556.
[4]	HE Kaiming, ZHANG Xiangyu, REN Sun, et al. Deep Residual Learning for Image Recognition[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2016: 770-778.
[5]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification[C]// ACM. Proceedings of the 8th International Symposium on Visualization for Cyber Security. New York: ACM, 2011: 1-7.
[6]	DOUZE M, HERVE J, HARSIMRAT S, et al. Evaluation of GIST Descriptors for Web-Scale Image Search[C]// ACM. Proceedings of the ACM International Conference on Image and Video Retrieval. New York: ACM, 2009: 1-8.
[7]	YAJAMANAM S, SELVIN V, TROIA F D, et al. Deep Learning Versus Gist Descriptors for Image-Based Malware Classification[C]// IEEE. Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018). New York: IEEE, 2018: 553-561.
[8]	HAN K S, LIM J H, KANG B, et al. Malware Analysis Using Visualized Images and Entropy Graphs[J]. International Journal of Information Security, 2015, 14(1): 1-14. doi: 10.1007/s10207-014-0242-0 URL
[9]	BHODIA N, PRAJAPATI P, TROIA F D, et al. Transfer Learning for Image-Based Malware Classification[EB/OL]. (2019-01-21)[2023-09-10]. http://archive.ifla.org/IV/ifla64/138-161e.htm.
[10]	GAVRILUT D, CIMPOESU M, ANTON D, et al. Malware Detection Using Machine Learning[C]// IEEE. 2009 International Multiconference on Computer Science and Information Technology. New York: IEEE, 2009: 735-741.
[11]	LE Q, BOYDELL O, NAMEE B M, et al. Deep Learning at the Shallow End: Malware Classification for Non-Domain Experts[J]. Digital Investigation, 2018, 26: 118-126.
[12]	CUI Zhihua, XUE Fei, CAI Xingjuan, et al. Detection of Malicious Code Variants Based on Deep Learning[J]. IEEE Transactions on Industrial Informatics, 2018, 14(7): 3187-3196. doi: 10.1109/TII.9424 URL
[13]	TAREEN S A K, SALEEM Z. A Comparative Analysis of SIFT, SURF, KAZE, AKAZE, ORB, and BRISK[C]// IEEE. 2018 International Conference on Computing, Mathematics and Engineering Technologies (iCoMET). New York: IEEE, 2018: 1-10.
[14]	PRAJAPATI P, STAMP M. An Empirical Analysis of Image-Based Learning Techniques for Malware Classification[J]. Malware Analysis Using Artificial Intelligence and Deep Learning, 2021: 411-435.
[15]	AGARAP A F. Towards Building an Intelligent Anti-Malware System: A Deep Learning Approach Using Support Vector Machine (SVM) for Malware Classification[EB/OL]. (2017-12-31)[2023-09-10]. https://arxiv.org/abs/1801.00318.
[16]	AKHIL M R, ADITHYA K V S, HARIVARRDHAN S, et al. Malware Classification Using Deep Neural Networks: Performance Evaluation and Applications in Edge Devices[EB/OL]. (2023-08-21) [2023-09-10]. https://arxiv.org/abs/2310.06841.
[17]	SON T T, LEE C, LE-MINH H, et al. An Evaluation of Image-Based Malware Classification Using Machine Learning[C]// ICCCI. Communications in Computer and Information Science. Berlin:Springer, 2020: 125-138.
[18]	WOO S, PARK J, LEE J Y, et al. CBAM: Convolutional Block Attention Module[C]// ECCV. 15th European Conference. Berlin:Springer, 2018: 3-19.
[19]	WANG Bo, CAI Honghao, SU Yang. Classification of Malicious Code Variants Based on VGGNet[J]. Journal of Computer Applications, 2020, 40(1): 162-167. doi: 10.11772/j.issn.1001-9081.2019050953
	王博, 蔡弘昊, 苏旸. 基于VGGNet的恶意代码变种分类[J]. 计算机应用, 2020, 40(1): 162-167. doi: 10.11772/j.issn.1001-9081.2019050953
[20]	JIANG Kaolin, BAI Wei, ZHANG Lei, et al. Malicious Code Detection Based on Multi-Channel Image Deep Learning[J]. Journal of Computer Applications, 2021, 41(4): 1142-1147. doi: 10.11772/j.issn.1001-9081.2020081224
	蒋考林, 白玮, 张磊, 等. 基于多通道图像深度学习的恶意代码检测[J]. 计算机应用, 2021, 41(4): 1142-1147. doi: 10.11772/j.issn.1001-9081.2020081224
[21]	ZHANG Han, GOODFELLOW I, METAXAS D, et al. Self-Attention Generative Adversarial Networks[C]// PMRL. Proceedings of the 36th International Conference on Machine Learning. Long Beach: Curran Associates, 2019: 7354-7363.

软件类型	样本数/个	软件类型	样本数/个
Allaple.L	1591	Alueron.gen!J	198
Allaple.A	2949	Malex.gen!J	136
Yuner.A	800	Lolyda.AT	159
Lolyda.AA 1	213	Adialer.C	125
Lolyda.AA 2	184	Wintrim.BX	97
Lolyda.AA 3	123	Dialplatform.B	177
C2Lop.P	146	Dontovo.A	162
C2Lop.gen!G	200	Obfuscator.AD	142
Instantaccess	431	Agent.FYI	116
Swizzor.gen!I	132	Autorun.K	106
Swizzor.gen!E	128	Rbot!gen	158
VB.AT	408	Skintrim.N	80
Fakerean	381

模块	网络层名	层参数
Baseline Block	Input	size=(32,32,1)
	C1层	kernel=(3,3,3,128), stride=1, relu
	P1, P2层	padding=(2,2）
	Maxpool	kernel=2
	C2层	kernel=(3,3,128,64), stride=1, relu
FA-SA Block	C1层	kernel=(7,7,2,1), stride=1, sigmod
FA-SA Block	P1层	padding=(3,3）
FA-SeA Block1	C(Q)	kernel=(1,1,128,16), stride=1
	C(K)	kernel=(1,1,128,16), stride=1
	C(V)	kernel=(1,1,128,128), stride=1
FA-SeA Block2	C(Q)	kernel=(1,1,64,8), stride=1
	C(K)	kernel=(1,1,64,8), stride=1
	C(V)	kernel=(1,1,64,64), stride=1
FC1, FC2, FC3	Input	5184
FC1, FC2, FC3	Output	25

方法	基于模型	注意力模块	Acc
本文方法	Baseline	—	92.82%
	Baseline	FA-SA	93.79%
	Baseline	FA-SeA	94.58%
	Baseline	FA-SA+FA-SeA	96.38%

指标样本标签	Recall	Precision	F1
Allaple.L	98.7%	98.4%	98.5%
Allaple.A	98.8%	99.0%	98.9%
Yuner.A	100%	87.9%	93.6%
Lolyda.AA1	100%	93.5%	96.6%
Lolyda.AA2	91.9%	100%	95.8%
Lolyda.AA3	100%	100%	100%
C2LOP.P	63.3%	86.4%	73.1%
C2LOP.gen!g	92.5%	82.2%	87.0%
Instantaccess	100%	100%	100%
Swizzor.gen!E	70.4%	90.5%	79.2%
VB.AT	94.4%	65.4%	77.3%
Fakerean	100%	98.8%	99.4%
Alueron.gen!J	100%	100%	100%
Malex.gen!J	100%	100%	100%
Lolyda.AT	100%	100%	100%
Adialer.C	100%	100%	100%
Wintrim.BX	100%	100%	100%
Dialplatform.B	95.0%	100%	97.4%
Dontovo.A	100%	100%	100%
Obfuscator.AD	100%	100%	100%
Agent.FYI	100%	100%	100%
Autorun.K	0	0	—
Rbot!gen	100%	100%	100%
Skintrim.N	100%	100%	100%

方法	基于模型	Acc
文献[12]方法	Multi-layer CNN	94.50%
文献[14]方法	1d-CNN	94.54%
文献[19]方法	VGGNet	96.10%
本文方法	FA Module	96.38%