Classification of malicious code variants based on VGGNet
WANG Bo1,2, CAI Honghao3, SU Yang1,2
1. College of Cryptographic Engineering, Engineering College of PAP, Xi'an Shaanxi 710086, China; 2. Key Laboratory of Network and Information Security under the Armed Police Force(Engineering College of PAP), Xi'an Shaanxi 710086, China; 3. College of Information Engineering, Engineering College of PAP, Xi'an Shaanxi 710086, China
Abstract: Code reuse is common within a malicious code family, so this paper proposes a malicious sample classification method that exploits code-reuse features. First, the byte sequence of each file is split into the values of the three RGB color channels, converting each malicious sample into a color image. Next, these images are used to train a malicious sample classification model based on the VGG convolutional neural network. Finally, random dropout is applied during training to counter overfitting and gradient vanishing and to reduce computational cost. On the 9342 samples from 25 families in the Malimg dataset the method reaches 96.16% average classification accuracy and classifies malicious code samples effectively. The experimental results show that, compared with grayscale images, converting binary files into color images makes the image features more prominent, especially for files whose binary sequences contain repetitive short data segments, and that a training set with more prominent features lets the neural network produce a better-performing classification model. Because the preprocessing is simple and classification responds quickly, the method suits scenarios with strict real-time requirements such as rapid classification of large-scale malicious samples.
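The preprocessing step the abstract describes, as an added example that is not code from the paper: a binary is turned into a grayscale grid (one byte per pixel) and into an RGB grid (three consecutive bytes per pixel), and both are serialized as PGM/PPM so they can be viewed without an imaging library. The paper does not state how it chose image dimensions or exactly how bytes were assigned to channels, so the caller-supplied width and the "consecutive byte triple = one pixel" mapping are assumptions, and the sample bytes are constructed. The example also shows why a short repeating segment stands out more in color: a 3-byte pattern collapses to a single solid color in RGB but to a width-dependent stripe pattern in grayscale.

```python
# Added example (not the paper's code): byte sequence -> grayscale / RGB pixel
# grids, plus PGM/PPM writers. Image width and the byte-to-channel mapping are
# assumptions for illustration; the paper does not specify them.
from typing import List, Tuple

Gray = List[List[int]]
RGB = List[List[Tuple[int, int, int]]]


def bytes_to_gray(data: bytes, width: int) -> Gray:
    """One byte per pixel; the last row is zero-padded to a full width."""
    if width <= 0:
        raise ValueError("width must be positive")
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1].extend([0] * (width - len(rows[-1])))
    return rows


def bytes_to_rgb(data: bytes, width: int) -> RGB:
    """Three consecutive bytes become the R, G, B values of one pixel
    (assumed mapping); the byte string is zero-padded to whole pixels and
    the last row is padded with black pixels."""
    if width <= 0:
        raise ValueError("width must be positive")
    padded = data + b"\x00" * (-len(data) % 3)
    pixels = [(padded[i], padded[i + 1], padded[i + 2])
              for i in range(0, len(padded), 3)]
    rows = [pixels[i:i + width] for i in range(0, len(pixels), width)]
    if rows and len(rows[-1]) < width:
        rows[-1].extend([(0, 0, 0)] * (width - len(rows[-1])))
    return rows


def distinct_values(img) -> int:
    """Number of distinct pixel values in a grid; a solid block gives 1."""
    return len({px for row in img for px in row})


def to_pgm(img: Gray) -> bytes:
    """Binary PGM (P5) encoding of a grayscale grid."""
    h, w = len(img), (len(img[0]) if img else 0)
    header = f"P5\n{w} {h}\n255\n".encode("ascii")
    return header + bytes(v for row in img for v in row)


def to_ppm(img: RGB) -> bytes:
    """Binary PPM (P6) encoding of an RGB grid."""
    h, w = len(img), (len(img[0]) if img else 0)
    header = f"P6\n{w} {h}\n255\n".encode("ascii")
    return header + bytes(c for row in img for px in row for c in px)


# Constructed sample input standing in for a file region that repeats short
# data segments: a 3-byte pattern ten times, then a 2-byte pattern nine times.
SAMPLE = b"\x41\x42\x43" * 10 + b"\x00\xff" * 9


if __name__ == "__main__":
    gray = bytes_to_gray(SAMPLE, width=4)   # 4 bytes per row
    rgb = bytes_to_rgb(SAMPLE, width=4)     # 4 pixels (12 bytes) per row
    print("grayscale distinct values:", distinct_values(gray))
    print("RGB distinct pixels      :", distinct_values(rgb))
    with open("sample.pgm", "wb") as f:
        f.write(to_pgm(gray))
    with open("sample.ppm", "wb") as f:
        f.write(to_ppm(rgb))
```

Two practical points follow from the code. The width is a modelling choice that changes what the network sees (the same 3-byte pattern renders as a different stripe pattern in grayscale for every width), so it must be fixed once and applied identically to training and production samples. And the RGB mapping is only alignment-invariant for segments whose period is a multiple of three; the 2-byte pattern in the sample still produces two alternating colors, so "more prominent features" in the abstract should be read as a statistical tendency over a corpus, not a guarantee for every file.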
Citation: WANG Bo, CAI Honghao, SU Yang. Classification of malicious code variants based on VGGNet (基于VGGNet的恶意代码变种分类) [J]. Journal of Computer Applications (计算机应用), 2020, 40(1): 162-167.