基于改进CNN的恶意软件分类方法

Malware Classification Method Based on Improved CNN

越来越多的恶意软件变种给网络安全带来了巨大的威胁,导致了现有基于CNN(Convolutional Neural Networks)的恶意软件分类方法的泛化能力弱和准确性不足.为了解决这些问题,本文提出了一种新的方法,即基于改进CNN的恶意软件RGB(Red Green Blue)可视化的分类方法,可以抵御变种和混淆性恶意软件.首先,提出了一种基于RGB图像的特征表示方法,该方法更加关注恶意软件的二进制和汇编信息、API信息间的语义关系,生成具有更丰富纹理信息的图像,可以挖掘恶意代码原始与变种之间更深层的依赖关系.其次,针对恶意软件的加密和混淆问题,使用坐标注意力模块(Coordinate Attention Module,CAM)获取更大范围的空间信息来强化特征.最后,结合空洞空间金字塔池化(Atrous Spatial Pyramid Pooling,ASPP)来改进CNN模型,解决因图像尺寸归一化导致的信息丢失和冗余.实验结果表明,上述方法在最近的先进方法中脱颖而出,对Kaggle数据集和DataCon数据集的准确率分别达到99.48%和97.78%.与其它方法相比,该方法对Kaggle数据集的准确率提高了0.22%,对DataCon数据集的准确率提高了0.80%.本文方法可以有效地分类恶意软件和恶意软件家族变种,具有良好的泛化能力和抗混淆能力.

The increasing variants malware bring a great threat to network security,leading to weak generalization and insufficient accuracy of existing base on the convolutional neural networks(CNN)malware classification methods.To solve these problems,an approach,namely,a classification method based on improved the CNN for malware RGB(Red Green Blue)visualization that can resist variants and obfuscation malware.Firstly,our method proposed a feature represen-tation method based on RGB image,which pays more attention to the semantic relationship between binary,assembly infor-mation and API information of malware.The generated image,with richer vein information,that can uncover deeper depen-dencies between the original and variants of the malware.Secondly,to address the problems of malware encryption and ob-fuscation,this paper uses the coordinate attention module(CAM)to obtain a larger range of the spatial information to strengthen malware features.Finally,the Atrous spatial pyramid pooling(ASPP)is combined to improve the CNN model to address the information loss and redundancy due to image size normalization.The experimental results show that the above methods stands out among the recent advanced methods with an accuracy of 99.48%and 97.78%for dataset Kaggle and da-taset DataCon.Compared with the other methods,our method had the accuracy increased by 0.22%for dataset Kaggle,and had the accuracy increased by 0.80%for dataset DataCon.Our method can effectively classify malware and variants of mal-ware families,which has excellent generalization ability and anti-obfuscation ability.