计算机科学

计算机科学 ›› 2021, Vol. 48 ›› Issue (1): 280-286.doi: 10.11896/jsjkx.200900099

• 信息安全 • 上一篇    下一篇

基于知识蒸馏的恶意代码家族检测方法

王润正1, 高见1,2, 黄淑华1,2, 仝鑫1   

  1. 1 中国人民公安大学信息网络安全学院 北京 100038
    2 安全防范与风险评估公安部重点实验室 北京 102623
  • 收稿日期:2020-09-13 修回日期:2020-11-10 出版日期:2021-01-15 发布日期:2021-01-15
  • 通讯作者: 高见(gaojian@ppsuc.edu.cn)
  • 作者简介:root@righte0us.cc
  • 基金资助:
    国家重点研发计划;国家社会科学基金重点项目(20AZD114);公安部科技强警基础工作2020专项(2020GABJC01);中国人民公安大学中央基本科研业务费项目(2019JKF218)

Malicious Code Family Detection Method Based on Knowledge Distillation

WANG Run-zheng1, GAO Jian1,2, HUANG Shu-hua1,2, TONG Xin1   

  1. 1 College of Information and Cyber Security,People's Public Security University of China,Beijing 100038,China
    2 Key Laboratory of Safety Precautions and Risk Assessment,Beijing 102623,China
  • Received:2020-09-13 Revised:2020-11-10 Online:2021-01-15 Published:2021-01-15
  • About author:WANG Run-zheng,born in 1996,postgraduate,is a member of China Computer Federation.His main research interests include cyber security and malware.
    GAO Jian,born in 1982,Ph.D.His main research interests include cyber security,malware and botnet.
  • Supported by:
    National Key R&D Program of China,Key Program of the National Social Science Foundation of China(20AZD114),2020 Special Project of Science and Technology Strengthening Police of Ministry of Public Security(2020GABJC01) and Basic Scien-tific Research Operating Expenses of the People's Public Security University of China(2019JKF218).

PDF (PC)

1097

摘要: 近年来,恶意代码变种层出不穷,恶意软件更具隐蔽性和持久性,亟需快速有效的检测方法来识别恶意样本。针对现状,文中提出了一种基于知识蒸馏的恶意代码家族检测方法,该模型通过逆向反编译恶意样本,利用恶意代码可视化技术将二进制文本转为图像,以此避免对传统特征工程的依赖。在教师网络模型中采用残差网络,在提取图像纹理深层次特征的同时,引入通道域注意力机制,根据通道权重的变化,来提取图像中的关键信息。为了加快对待检测样本的识别效率,解决基于深度神经网络检测模型参数量大和计算资源消耗严重等问题,使用教师网络模型来指导学生网络模型训练,实验结果表明学生网络在降低模型复杂度的同时,保持了恶意代码家族的检测效果,有利于对批量样本的检测和移动端的部署。

关键词: 残差网络, 恶意家族, 知识蒸馏, 注意力机制

Abstract: In recent years,the variety of malicious code emerges in an endless stream,and malware is more covert and persistent.It is urgent to identify malicious samples by rapid and effective detection methods.Aiming at the present situation,a method of malicious code family detection based on knowledge distillation is proposed.The model decompiles malicious samples in reverse and transforms binary text into images by malicious code visualization technology,so as to avoid dependence on traditional feature engineering.In the teacher network model,residual network is used to extract the deep-seated features of image texture,and channel domain attention mechanism is introduced to extract the key information from the image according to the change of channel weight.In order to speed up the identification efficiency of the samples to be tested and solve the problems of large parameters and serious consumption of computing resources based on deep neural network detection model,the teacher network model is used to guide the training of the student network model.The results show that the student network maintains the detection effect of malicious code family on the basis of reducing the complexity of the model.It is conducive to the detection of batch samples and the deployment of mobile terminal.

Key words: Attention mechanism, Knowledge distillation, Malicious family, Residual network

中图分类号: 

  • TP309
[1] CHEN J J,PENG B Z,WU P Z.Method for detecting malicious code based on dynamic behavior and machine learning[J/OL].Computer Engineering.[2020-06-06].https://doi.org/10.19678/j.issn.1000-3428.0056409.
[2] ZHAO C R,ZHANG W J,FANG Y,et al.Malware detection based on semantic API dependency graph[J].Journal of Sichuan University(Natural Science Edition),2020,57(3):488-494.
[3] MOHANASRUTHI V,CHAKRABORTY A,THANUDAS B,et al.An Efficient Malware Detection Technique using Complex Network-based Approach[C]//2020 National Conference on Communications (NCC).2020.
[4] NARAYANAN B N,DAVULURU V S P.Ensemble Malware Classification System using Deep Neural Networks[J].Electro-nics,2020,9(5):721.
[5] HU J W,CHE X,ZHOU M,et al.Incremental clustering me-thod based on Gaussian mixture model to identify malware family[J].Journal on Communications,2019,40(6):148-159.
[6] ZENG Y Q,ZHANG L L,ZHANG R N,et al.Malware Family Classification Model Based on MobileNet[J].Computer Engineering,2020,46(4):162-168.
[7] SUN B W,ZHANG P,CHENG M Y,et al.Malware detection method based on enhanced code images[J].Journal of Tsinghua University(Science and Technology),2020,60(5):386-392.
[8] VASAN D,ALAZAB M,WASSAN S,et al.Image-Based Malware Classification using Ensemble of CNN Architectures(IMCEC)[J].Computers & Security,2020,92:101748.
[9] GHOUTI L.Malware Classification Using Compact Image Features and Multiclass Support Vector Machines[J].IET Information Security,2020,14(4):419-429.
[10] JAIN M,ANDREOPOULOS W,STAMP M.Convolutionalneural networks and extreme learning machines for malware classification[J].Journal of Computer Virology and Hacking Techniques,2020,16(3):229-244.
[11] REN Z J,CHEN G,LU W K.Malware visualization methods based on deep convolution neural networks[J].Multimedia Tools and Applications,2020,79(3):1-19.
[12] COHEN A,NISSIM N,ELOVICI Y.MalJPEG:Machine Learning Based Solution for the Detection of Malicious JPEG Images[J].IEEE Access,2020,8:19997-20011.
[13] AZAB A,KHASAWNEH M.MSIC:Malware Spectrogram Image Classification[J].IEEE Access,2020,8:102007-102021.
[14] CHEN J,JIA X,ZHAO C,et al.Using the Rgb Image of Machine Code to Classify the Malware[C]// 2020 IEEE 5th International Conference on Cloud Computing and Big Data Analytics (ICCCBDA).IEEE,2020.
[15] HINTON G,VINYALS O,DEAN J.Distilling the Knowledgein a Neural Network[J].Computer Ence,2015,14(7):38-39.
[16] FURLANELLO T,LIPTON Z C,TSCHANNEN M,et al.Born again neural networks [C]// International Conference on Machine Learning.2018:1607-1616.
[17] GAO M Y,SHEN Y J,LI Q Q,et al.Residual knowledge distillation [EB/OL].(2020-02-21)[2020-07-04].https://arxiv.org/pdf/2002.09168.pdf.
[18] NATARAJ L,KARTHIKEYAN S,JACOB G,et al.Malwareimages:visualization and automatic classification[C]//Procee-dings of the 8th International Symposium on Visualization for Cyber Security.New York,USA:ACM Press,2011:1-7.
[19] HE K,ZHANG X,REN S,et al.Deep residual learning for image recognition[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition.2016:770-778.
[20] HU J,SHEN L,ALBANIE S,et al.Squeeze-and-Excitation Networks[J].IEEE Transactions on Pattern Analysis and Machine Intelligence,2020,42(8):2011-2023.
[21] RONEN R,RADU M,FEUERSTEIN C,et al.Microsoft Mal-ware Classification Challenge[EB/OL].[2018-02-22].https://arxiv.org/pdf/1802.10135.pdf.
[1] 周芳泉, 成卫青.
基于全局增强图神经网络的序列推荐
Sequence Recommendation Based on Global Enhanced Graph Neural Network
计算机科学, 2022, 49(9): 55-63. https://doi.org/10.11896/jsjkx.210700085
[2] 戴禹, 许林峰.
基于文本行匹配的跨图文本阅读方法
Cross-image Text Reading Method Based on Text Line Matching
计算机科学, 2022, 49(9): 139-145. https://doi.org/10.11896/jsjkx.220600032
[3] 周乐员, 张剑华, 袁甜甜, 陈胜勇.
多层注意力机制融合的序列到序列中国连续手语识别和翻译
Sequence-to-Sequence Chinese Continuous Sign Language Recognition and Translation with Multi- layer Attention Mechanism Fusion
计算机科学, 2022, 49(9): 155-161. https://doi.org/10.11896/jsjkx.210800026
[4] 熊丽琴, 曹雷, 赖俊, 陈希亮.
基于值分解的多智能体深度强化学习综述
Overview of Multi-agent Deep Reinforcement Learning Based on Value Factorization
计算机科学, 2022, 49(9): 172-182. https://doi.org/10.11896/jsjkx.210800112
[5] 饶志双, 贾真, 张凡, 李天瑞.
基于Key-Value关联记忆网络的知识图谱问答方法
Key-Value Relational Memory Networks for Question Answering over Knowledge Graph
计算机科学, 2022, 49(9): 202-207. https://doi.org/10.11896/jsjkx.220300277
[6] 汪鸣, 彭舰, 黄飞虎.
基于多时间尺度时空图网络的交通流量预测模型
Multi-time Scale Spatial-Temporal Graph Neural Network for Traffic Flow Prediction
计算机科学, 2022, 49(8): 40-48. https://doi.org/10.11896/jsjkx.220100188
[7] 王馨彤, 王璇, 孙知信.
基于多尺度记忆残差网络的网络流量异常检测模型
Network Traffic Anomaly Detection Method Based on Multi-scale Memory Residual Network
计算机科学, 2022, 49(8): 314-322. https://doi.org/10.11896/jsjkx.220200011
[8] 姜梦函, 李邵梅, 郑洪浩, 张建朋.
基于改进位置编码的谣言检测模型
Rumor Detection Model Based on Improved Position Embedding
计算机科学, 2022, 49(8): 330-335. https://doi.org/10.11896/jsjkx.210600046
[9] 朱承璋, 黄嘉儿, 肖亚龙, 王晗, 邹北骥.
基于注意力机制的医学影像深度哈希检索算法
Deep Hash Retrieval Algorithm for Medical Images Based on Attention Mechanism
计算机科学, 2022, 49(8): 113-119. https://doi.org/10.11896/jsjkx.210700153
[10] 孙奇, 吉根林, 张杰.
基于非局部注意力生成对抗网络的视频异常事件检测方法
Non-local Attention Based Generative Adversarial Network for Video Abnormal Event Detection
计算机科学, 2022, 49(8): 172-177. https://doi.org/10.11896/jsjkx.210600061
[11] 闫佳丹, 贾彩燕.
基于双图神经网络信息融合的文本分类方法
Text Classification Method Based on Information Fusion of Dual-graph Neural Network
计算机科学, 2022, 49(8): 230-236. https://doi.org/10.11896/jsjkx.210600042
[12] 张颖涛, 张杰, 张睿, 张文强.
全局信息引导的真实图像风格迁移
Photorealistic Style Transfer Guided by Global Information
计算机科学, 2022, 49(7): 100-105. https://doi.org/10.11896/jsjkx.210600036
[13] 曾志贤, 曹建军, 翁年凤, 蒋国权, 徐滨.
基于注意力机制的细粒度语义关联视频-文本跨模态实体分辨
Fine-grained Semantic Association Video-Text Cross-modal Entity Resolution Based on Attention Mechanism
计算机科学, 2022, 49(7): 106-112. https://doi.org/10.11896/jsjkx.210500224
[14] 徐鸣珂, 张帆.
Head Fusion:一种提高语音情绪识别的准确性和鲁棒性的方法
Head Fusion:A Method to Improve Accuracy and Robustness of Speech Emotion Recognition
计算机科学, 2022, 49(7): 132-141. https://doi.org/10.11896/jsjkx.210100085
[15] 孟月波, 穆思蓉, 刘光辉, 徐胜军, 韩九强.
基于向量注意力机制GoogLeNet-GMP的行人重识别方法
Person Re-identification Method Based on GoogLeNet-GMP Based on Vector Attention Mechanism
计算机科学, 2022, 49(7): 142-147. https://doi.org/10.11896/jsjkx.210600198
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发