基于注意力机制的恶意软件调用序列检测

doi:10.11896/jsjkx.181102171

摘要/Abstract

摘要： 传统的机器学习方法通过构造特征来学习分类器,面对嵌入大量反检测功能的恶意软件不具有鲁棒性。攻击者通过打乱恶意软件代码或插入无关代码来逃避检测。针对互联网环境下恶意软件数目众多、混淆技术进步、人工构造特征成本高等问题,文中提出一种基于循环神经网络和注意力机制的恶意软件检测方法(G2ATT)。首先,在沙盒环境下运行软件获取其动态调用序列(API),并通过滑动窗口划分得到窗口子序列;其次,引入多示例学习和注意力机制来构建层次化特征抽取的深度神经网络,使用循环神经网络抽取API特征,结合两个注意力机制分别抽取窗口特征和序列特征,并使用序列特征检测恶意软件;最后,使用真实数据训练网络,以便使用得到的模型对未知恶意软件进行检测。基于真实数据集的实验结果表明,窗口特征抽取层和序列特征抽取层能够有效学习窗口内和窗口间的注意力权重,从而更好地描绘序列的特征,提升模型的查准率和查全率。G2ATT对未知恶意软件检测的准确率达到98.19%,查准率达到98.78%,查全率达到97.60%,AUC (Area Under the Curve of ROC)达到99%,比基于API调用序列的SVM、随机森林、朴素贝叶斯等方法的准确率提高了10%以上。

关键词: 调用序列, 恶意样本检测, 深度学习, 注意力机制

Abstract: Typical machine learning approaches,which learn a classifier based on hand crafted features,are not sufficiently robust.Attackers can reorder the malware code or insert useless code to avoid detection.Aiming at the problems of the large number of malware,confusion technology progress and the cost of artificially constructed feature in the Internet environment,this paper proposed a different malware detection approach G2ATTbased on API call sequence and attention mechanism in natural language process.First,dynamic API call sequences are extracted by using the sandbox environment and split them into several subsequences by using a sliding window.Then,the concept of multi-instance learning and attention mechanism are introduced to design the hierarchical feature extraction neural networks.Recurrent neural networks are used for API-level features.Two attention mechanism are combined to extract window-level features and sequence-level features.Then,those sequence-level features are used for malware detection.Ultimately,the model is trained and used to detect malware.The experimental results based on real dataset show that the window-level feature extraction layer learns effectively attention scores in the subsequences.In addition,the sequence-level feature extraction layer improves the performance of malware detection model on precision and recall by calculating attention scores across the subsequences.G2ATT achieves 98.19% on detection accuracy rate,98.78% on precision rate,97.60% on recall rate and 99% on AUC (Area Under the Curve of ROC),which improves by 10% compared with othermachine learning approaches based on API call sequences on detection accuracy.

Key words: API, Attention mechanism, Deep learning, Malware detection

中图分类号:

TP309.5

张岚, 来耀, 叶晓俊. 基于注意力机制的恶意软件调用序列检测[J]. 计算机科学, 2019, 46(12): 132-137. https://doi.org/10.11896/jsjkx.181102171

ZHANG Lan, LAI Yao, YE Xiao-jun. Attention Mechanism Based Detection of Malware Call Sequences[J]. Computer Science, 2019, 46(12): 132-137. https://doi.org/10.11896/jsjkx.181102171

参考文献

[1]HU G,VENUGOPAL D.A malware signature extraction and detection method applied to mobile networks[C]//IEEE Internationl Conference on Performance,Computing,and Communications Conference,2007(IPCCC 2007).IEEE,2007:19-26.
[2]ZHU P B.Research on malware detection using machine lear- ning[D].Beijing:Beijing University of Posts and Telecommani Cations,2018.(in Chinese)
朱鹏博.基于机器学习算法的恶意代码检测技术研究[D].北京:北京邮电大学,2018.
[3]WANG R,FENG D G,YANG Y,et al.Semantics-Based Mal- ware Behavior Signature Extraction and Detection Method[J].Journal of Software,2012,23(2):378-393.(in Chinese)
王蕊,冯登国,杨轶,等.基于语义的恶意代码行为特征提取及检测方法[J].软件学报,2012,23(2):378-393.
[4]BAHDANAU D,CHO K,BENGIO Y.Neural machine translation by jointly learning to align and translate[J].arXiv:1409.0473,2014.
[5]SAXE J,BERLIN K.Deep neural network based malware detection using two dimensional binary program features[C]//2015 10th International Conference on Malicious and Unwanted Software (MALWARE).IEEE,2015:11-20.
[6]ARP D,SPREITZENBARTH M,HUBNER M,et al.DREBIN:Effective and Explainable Detection of Android Malware in Your Pocket[C]//Network and Distributed System Security Sympo-sium.San Diego,CA,2014,14:23-26.
[7]NATARAJ L,KARTHIKEYAN S,JACOB G,et al.Malware images:visualization and automatic classification[C]//Procee-dings of the 8th International Symposium on Visualization for Cyber Security.ACM,2011:4.
[8]KOLOSNJAJI B,ZARRAS A,WEBSTER G,et al.Deep lear- ning for classification of malware system call sequences[C]//Australasian Joint Conference on Artificial Intelligence.Cham:Springer,2016:137-149.
[9]XU J Y,SUNG A H,CHAVEZ P,et al.Polymorphic malicious executable scanner by API sequence analysis[C]//Fourth International Conference on Hybrid Intelligent Systems,2004(HIS’04).IEEE,2004:378-383.
[10]TOBIYAMA S,YAMAGUCHI Y,SHIMADA H,et al.Malware detection with deep neural network using process behavior[C]//2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC).IEEE,2016,2:577-582.
[11]ROSENBERG I,SHABTAI A,ROKACH L,et al.Generic Black-Box End-to-End Attack Against State of the Art API Call Based Malware Classifiers[C]//International Symposium on Research in Attacks,Intrusions,and Defenses.Cham:Springer,2018:490-510.
[12]ZHOU P,SHI W,TIAN J,et al.Attention-based bidirectional long short-term memory networks for relation classification[C]//Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics.IEEE,2016:207-212
[13]LIN Y,SHEN S,LIU Z,et al.Neural relation extraction with selective attention over instances[C]//Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics.IEEE,2016:2124-2133.
[14]CHO K,VAN MERRIENBOER B,GULCEHRE C,et al. Learning Phrase Representations using RNN Encoder-Decoder for Statistical Machine Translation[J].arXiv:1406.1078.
[15]DIEDERIK K,BA J.Adam:A method for stochastic optimization[J].arXiv:1412.6980,2014.
[16]SRIVASTAVA N,HINTON G,KRIZHEVSKY A,et al.Dropout:A Simple Way to Prevent Neural Networks from Overfitting[J].Journal of Machine Learning Research,2014,15(1):1929-1958.
[17]PASCANU R,STOKES J W,SANOSSIAN H,et al.Malware classification with recurrent networks[C]//2015 IEEE International Conference on Acoustics,Speech and Signal Processing (ICASSP).IEEE,2015:1916-1920.

相关文章 15

[1]	周芳泉, 成卫青. 基于全局增强图神经网络的序列推荐 Sequence Recommendation Based on Global Enhanced Graph Neural Network 计算机科学, 2022, 49(9): 55-63. https://doi.org/10.11896/jsjkx.210700085
[2]	戴禹, 许林峰. 基于文本行匹配的跨图文本阅读方法 Cross-image Text Reading Method Based on Text Line Matching 计算机科学, 2022, 49(9): 139-145. https://doi.org/10.11896/jsjkx.220600032
[3]	周乐员, 张剑华, 袁甜甜, 陈胜勇. 多层注意力机制融合的序列到序列中国连续手语识别和翻译 Sequence-to-Sequence Chinese Continuous Sign Language Recognition and Translation with Multi- layer Attention Mechanism Fusion 计算机科学, 2022, 49(9): 155-161. https://doi.org/10.11896/jsjkx.210800026
[4]	徐涌鑫, 赵俊峰, 王亚沙, 谢冰, 杨恺. 时序知识图谱表示学习 Temporal Knowledge Graph Representation Learning 计算机科学, 2022, 49(9): 162-171. https://doi.org/10.11896/jsjkx.220500204
[5]	熊丽琴, 曹雷, 赖俊, 陈希亮. 基于值分解的多智能体深度强化学习综述 Overview of Multi-agent Deep Reinforcement Learning Based on Value Factorization 计算机科学, 2022, 49(9): 172-182. https://doi.org/10.11896/jsjkx.210800112
[6]	饶志双, 贾真, 张凡, 李天瑞. 基于Key-Value关联记忆网络的知识图谱问答方法 Key-Value Relational Memory Networks for Question Answering over Knowledge Graph 计算机科学, 2022, 49(9): 202-207. https://doi.org/10.11896/jsjkx.220300277
[7]	汤凌韬, 王迪, 张鲁飞, 刘盛云. 基于安全多方计算和差分隐私的联邦学习方案 Federated Learning Scheme Based on Secure Multi-party Computation and Differential Privacy 计算机科学, 2022, 49(9): 297-305. https://doi.org/10.11896/jsjkx.210800108
[8]	朱承璋, 黄嘉儿, 肖亚龙, 王晗, 邹北骥. 基于注意力机制的医学影像深度哈希检索算法 Deep Hash Retrieval Algorithm for Medical Images Based on Attention Mechanism 计算机科学, 2022, 49(8): 113-119. https://doi.org/10.11896/jsjkx.210700153
[9]	孙奇, 吉根林, 张杰. 基于非局部注意力生成对抗网络的视频异常事件检测方法 Non-local Attention Based Generative Adversarial Network for Video Abnormal Event Detection 计算机科学, 2022, 49(8): 172-177. https://doi.org/10.11896/jsjkx.210600061
[10]	闫佳丹, 贾彩燕. 基于双图神经网络信息融合的文本分类方法 Text Classification Method Based on Information Fusion of Dual-graph Neural Network 计算机科学, 2022, 49(8): 230-236. https://doi.org/10.11896/jsjkx.210600042
[11]	汪鸣, 彭舰, 黄飞虎. 基于多时间尺度时空图网络的交通流量预测模型 Multi-time Scale Spatial-Temporal Graph Neural Network for Traffic Flow Prediction 计算机科学, 2022, 49(8): 40-48. https://doi.org/10.11896/jsjkx.220100188
[12]	王剑, 彭雨琦, 赵宇斐, 杨健. 基于深度学习的社交网络舆情信息抽取方法综述 Survey of Social Network Public Opinion Information Extraction Based on Deep Learning 计算机科学, 2022, 49(8): 279-293. https://doi.org/10.11896/jsjkx.220300099
[13]	郝志荣, 陈龙, 黄嘉成. 面向文本分类的类别区分式通用对抗攻击方法 Class Discriminative Universal Adversarial Attack for Text Classification 计算机科学, 2022, 49(8): 323-329. https://doi.org/10.11896/jsjkx.220200077
[14]	姜梦函, 李邵梅, 郑洪浩, 张建朋. 基于改进位置编码的谣言检测模型 Rumor Detection Model Based on Improved Position Embedding 计算机科学, 2022, 49(8): 330-335. https://doi.org/10.11896/jsjkx.210600046
[15]	侯钰涛, 阿布都克力木·阿布力孜, 哈里旦木·阿布都克里木. 中文预训练模型研究进展 Advances in Chinese Pre-training Models 计算机科学, 2022, 49(7): 148-163. https://doi.org/10.11896/jsjkx.211200018

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed