Computer Science ›› 2019, Vol. 46 ›› Issue (12): 132-137.doi: 10.11896/jsjkx.181102171

• Information Security • Previous Articles     Next Articles

Attention Mechanism Based Detection of Malware Call Sequences

ZHANG Lan, LAI Yao, YE Xiao-jun   

  1. (School of Software,Tsinghua University,Beijing 100084,China)
  • Received:2018-11-25 Online:2019-12-15 Published:2019-12-17

Abstract: Typical machine learning approaches,which learn a classifier based on hand crafted features,are not sufficiently robust.Attackers can reorder the malware code or insert useless code to avoid detection.Aiming at the problems of the large number of malware,confusion technology progress and the cost of artificially constructed feature in the Internet environment,this paper proposed a different malware detection approach G2ATTbased on API call sequence and attention mechanism in natural language process.First,dynamic API call sequences are extracted by using the sandbox environment and split them into several subsequences by using a sliding window.Then,the concept of multi-instance learning and attention mechanism are introduced to design the hierarchical feature extraction neural networks.Recurrent neural networks are used for API-level features.Two attention mechanism are combined to extract window-level features and sequence-level features.Then,those sequence-level features are used for malware detection.Ultimately,the model is trained and used to detect malware.The experimental results based on real dataset show that the window-level feature extraction layer learns effectively attention scores in the subsequences.In addition,the sequence-level feature extraction layer improves the performance of malware detection model on precision and recall by calculating attention scores across the subsequences.G2ATT achieves 98.19% on detection accuracy rate,98.78% on precision rate,97.60% on recall rate and 99% on AUC (Area Under the Curve of ROC),which improves by 10% compared with othermachine learning approaches based on API call sequences on detection accuracy.

Key words: Malware detection, Deep learning, Attention mechanism, API

CLC Number: 

  • TP309.5
[1] HU G,VENUGOPAL D.A malware signature extraction and detection method applied to mobile networks[C]//IEEE Internationl Conference on Performance,Computing,and Communications Conference,2007(IPCCC 2007).IEEE,2007:19-26.
[2] ZHU P B.Research on malware detection using machine lear- ning[D].Beijing:Beijing University of Posts and Telecommani Cations,2018.(in Chinese)朱鹏博.基于机器学习算法的恶意代码检测技术研究[D].北京:北京邮电大学,2018.
[3] WANG R,FENG D G,YANG Y,et al.Semantics-Based Mal- ware Behavior Signature Extraction and Detection Method[J].Journal of Software,2012,23(2):378-393.(in Chinese)王蕊,冯登国,杨轶,等.基于语义的恶意代码行为特征提取及检测方法[J].软件学报,2012,23(2):378-393.
[4] BAHDANAU D,CHO K,BENGIO Y.Neural machine translation by jointly learning to align and translate[J].arXiv:1409.0473,2014.
[5] SAXE J,BERLIN K.Deep neural network based malware detection using two dimensional binary program features[C]//2015 10th International Conference on Malicious and Unwanted Software (MALWARE).IEEE,2015:11-20.
[6] ARP D,SPREITZENBARTH M,HUBNER M,et al.DREBIN:Effective and Explainable Detection of Android Malware in Your Pocket[C]//Network and Distributed System Security Sympo-sium.San Diego,CA,2014,14:23-26.
[7] NATARAJ L,KARTHIKEYAN S,JACOB G,et al.Malware images:visualization and automatic classification[C]//Procee-dings of the 8th International Symposium on Visualization for Cyber Security.ACM,2011:4.
[8] KOLOSNJAJI B,ZARRAS A,WEBSTER G,et al.Deep lear- ning for classification of malware system call sequences[C]//Australasian Joint Conference on Artificial Intelligence.Cham:Springer,2016:137-149.
[9] XU J Y,SUNG A H,CHAVEZ P,et al.Polymorphic malicious executable scanner by API sequence analysis[C]//Fourth International Conference on Hybrid Intelligent Systems,2004(HIS’04).IEEE,2004:378-383.
[10] TOBIYAMA S,YAMAGUCHI Y,SHIMADA H,et al.Malware detection with deep neural network using process behavior[C]//2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC).IEEE,2016,2:577-582.
[11] ROSENBERG I,SHABTAI A,ROKACH L,et al.Generic Black-Box End-to-End Attack Against State of the Art API Call Based Malware Classifiers[C]//International Symposium on Research in Attacks,Intrusions,and Defenses.Cham:Springer,2018:490-510.
[12] ZHOU P,SHI W,TIAN J,et al.Attention-based bidirectional long short-term memory networks for relation classification[C]//Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics.IEEE,2016:207-212
[13] LIN Y,SHEN S,LIU Z,et al.Neural relation extraction with selective attention over instances[C]//Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics.IEEE,2016:2124-2133.
[14] CHO K,VAN MERRIENBOER B,GULCEHRE C,et al. Learning Phrase Representations using RNN Encoder-Decoder for Statistical Machine Translation[J].arXiv:1406.1078.
[15] DIEDERIK K,BA J.Adam:A method for stochastic optimization[J].arXiv:1412.6980,2014.
[16] SRIVASTAVA N,HINTON G,KRIZHEVSKY A,et al.Dropout:A Simple Way to Prevent Neural Networks from Overfitting[J].Journal of Machine Learning Research,2014,15(1):1929-1958.
[17] PASCANU R,STOKES J W,SANOSSIAN H,et al.Malware classification with recurrent networks[C]//2015 IEEE International Conference on Acoustics,Speech and Signal Processing (ICASSP).IEEE,2015:1916-1920.
[1] ZHAO Jia-qi, WANG Han-zheng, ZHOU Yong, ZHANG Di, ZHOU Zi-yuan. Remote Sensing Image Description Generation Method Based on Attention and Multi-scale Feature Enhancement [J]. Computer Science, 2021, 48(1): 190-196.
[2] LIU Yang, JIN Zhong. Fine-grained Image Recognition Method Combining with Non-local and Multi-region Attention Mechanism [J]. Computer Science, 2021, 48(1): 197-203.
[3] WANG Rui-ping, JIA Zhen, LIU Chang, CHEN Ze-wei, LI Tian-rui. Deep Interest Factorization Machine Network Based on DeepFM [J]. Computer Science, 2021, 48(1): 226-232.
[4] YU Wen-jia, DING Shi-fei. Conditional Generative Adversarial Network Based on Self-attention Mechanism [J]. Computer Science, 2021, 48(1): 241-246.
[5] TONG Xin, WANG Bin-jun, WANG Run-zheng, PAN Xiao-qin. Survey on Adversarial Sample of Deep Learning Towards Natural Language Processing [J]. Computer Science, 2021, 48(1): 258-267.
[6] WANG Run-zheng, GAO Jian, HUANG Shu-hua, TONG Xin. Malicious Code Family Detection Method Based on Knowledge Distillation [J]. Computer Science, 2021, 48(1): 280-286.
[7] DING Yu, WEI Hao, PAN Zhi-song, LIU Xin. Survey of Network Representation Learning [J]. Computer Science, 2020, 47(9): 52-59.
[8] HE Xin, XU Juan, JIN Ying-ying. Action-related Network:Towards Modeling Complete Changeable Action [J]. Computer Science, 2020, 47(9): 123-128.
[9] YE Ya-nan, CHI Jing, YU Zhi-ping, ZHAN Yu-liand ZHANG Cai-ming. Expression Animation Synthesis Based on Improved CycleGan Model and Region Segmentation [J]. Computer Science, 2020, 47(9): 142-149.
[10] DENG Liang, XU Geng-lin, LI Meng-jie, CHEN Zhang-jin. Fast Face Recognition Based on Deep Learning and Multiple Hash Similarity Weighting [J]. Computer Science, 2020, 47(9): 163-168.
[11] PAN Zu-jiang, LIU Ning, ZHANG Wei, WANG Jian-yong. MTHAM:Multitask Disease Progression Modeling Based on Hierarchical Attention Mechanism [J]. Computer Science, 2020, 47(9): 185-189.
[12] BAO Yu-xuan, LU Tian-liang, DU Yan-hui. Overview of Deepfake Video Detection Technology [J]. Computer Science, 2020, 47(9): 283-292.
[13] ZHAO Wei, LIN Yu-ming, WANG Chao-qiang, CAI Guo-yong. Opinion Word-pairs Collaborative Extraction Based on Dependency Relation Analysis [J]. Computer Science, 2020, 47(8): 164-170.
[14] YUAN Ye, HE Xiao-ge, ZHU Ding-kun, WANG Fu-lee, XIE Hao-ran, WANG Jun, WEI Ming-qiang, GUO Yan-wen. Survey of Visual Image Saliency Detection [J]. Computer Science, 2020, 47(7): 84-91.
[15] WANG Wen-dao, WANG Run-ze, WEI Xin-lei, QI Yun-liang, MA Yi-de. Automatic Recognition of ECG Based on Stacked Bidirectional LSTM [J]. Computer Science, 2020, 47(7): 118-124.
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
[1] LEI Li-hui and WANG Jing. Parallelization of LTL Model Checking Based on Possibility Measure[J]. Computer Science, 2018, 45(4): 71 -75 .
[2] SUN Qi, JIN Yan, HE Kun and XU Ling-xuan. Hybrid Evolutionary Algorithm for Solving Mixed Capacitated General Routing Problem[J]. Computer Science, 2018, 45(4): 76 -82 .
[3] ZHANG Jia-nan and XIAO Ming-yu. Approximation Algorithm for Weighted Mixed Domination Problem[J]. Computer Science, 2018, 45(4): 83 -88 .
[4] WU Jian-hui, HUANG Zhong-xiang, LI Wu, WU Jian-hui, PENG Xin and ZHANG Sheng. Robustness Optimization of Sequence Decision in Urban Road Construction[J]. Computer Science, 2018, 45(4): 89 -93 .
[5] SHI Wen-jun, WU Ji-gang and LUO Yu-chun. Fast and Efficient Scheduling Algorithms for Mobile Cloud Offloading[J]. Computer Science, 2018, 45(4): 94 -99 .
[6] ZHOU Yan-ping and YE Qiao-lin. L1-norm Distance Based Least Squares Twin Support Vector Machine[J]. Computer Science, 2018, 45(4): 100 -105 .
[7] LIU Bo-yi, TANG Xiang-yan and CHENG Jie-ren. Recognition Method for Corn Borer Based on Templates Matching in Muliple Growth Periods[J]. Computer Science, 2018, 45(4): 106 -111 .
[8] GENG Hai-jun, SHI Xin-gang, WANG Zhi-liang, YIN Xia and YIN Shao-ping. Energy-efficient Intra-domain Routing Algorithm Based on Directed Acyclic Graph[J]. Computer Science, 2018, 45(4): 112 -116 .
[9] CUI Qiong, LI Jian-hua, WANG Hong and NAN Ming-li. Resilience Analysis Model of Networked Command Information System Based on Node Repairability[J]. Computer Science, 2018, 45(4): 117 -121 .
[10] SHI Chao, XIE Zai-peng, LIU Han and LV Xin. Optimization of Container Deployment Strategy Based on Stable Matching[J]. Computer Science, 2018, 45(4): 131 -136 .