Multi-neural network malicious code detection model based on depthwise separable convolution

doi:10.11772/j.issn.1001-9081.2022050716

Abstract

Abstract:

Concerning of the problems of high cost and unstable detection results of the traditional malicious code detection methods， a multi-neural network malicious code detection model based on depthwise separable convolution was proposed. By using the Depthwise Separable Convolution （DSC）， SENet （Squeeze-and-Excitation Network） channel attention mechanism and Grey Level Co-occurrence Matrix （GLCM）， three lightweight neural networks were connected with GLCM in parallel to detect malicious code families and their variants， then the detection results of multiple strong classifiers were fused via Naive Bayes classifier to improve the detection accuracy while reducing the computational cost. Experimental results on the hybrid dataset of MalVis + benign data show that the proposed model achieved the accuracy of 97.43% in the detection of malicious code families and their variants， which was 6.19 and 2.29 percentage points higher than those of ResNet50 and VGGNet models respectively， while its parameter quantity is only 68% of that of ResNet50 model and 13% of that of VGGNet model. On malimg dataset， the detection accuracy of this model achieved 99.31%. In conclusion， the proposed model has good detection effect with reduced parameters.

Key words: malicious code, neural network, depthwise separable convolution, SENet (Squeeze-and-Excitation Network), channel attention mechanism, Grey Level Co-occurrence Matrix (GLCM)

摘要：

针对传统的恶意代码检测方法存在成本过高和检测结果不稳定等问题，提出一种基于深度可分离卷积的多神经网络恶意代码检测模型。该模型使用深度可分离卷积（DSC）、SENet（Squeeze-and-Excitation Network）通道注意力机制和灰度共生矩阵（GLCM），通过三个轻型神经网络与灰度图像纹理特征分类并联检测恶意代码家族及其变种，将多个强分类器检测结果通过朴素贝叶斯分类器融合，在提高检测准确率的同时减少网络计算开销。在MalVis+良性数据的混合数据集上的实验结果表明，该模型对恶意代码家族及其变种的检测准确率达到97.43%，相较于ResNet50、VGGNet模型分别提高了6.19和2.29个百分点，而它的参数量只有ResNet50模型的68%和VGGNet模型的13%；在malimg数据集上该模型的检测准确率达到99.31%。可见，所提模型检测效果较好，且参数量也有所降低。

关键词: 恶意代码, 神经网络, 深度可分离卷积, SENet, 通道注意力机制, 灰度共生矩阵

CLC Number:

TP309.5

Ruilin JIANG, Renchao QIN. Multi-neural network malicious code detection model based on depthwise separable convolution[J]. Journal of Computer Applications, 2023, 43(5): 1527-1533.

蒋瑞林, 覃仁超. 基于深度可分离卷积的多神经网络恶意代码检测模型[J]. 《计算机应用》唯一官方网站, 2023, 43(5): 1527-1533.

Figures/Tables 15

References 26

1	国家计算机网络应急技术处理协调中心（CNCERT/CC）. 2021年上半年我国互联网网络安全监测数据分析报告［EB/OL］. ［2022-03-20］.. 10.1007/978-981-16-9229-1
	National Computer Network Emergency Response Technical Team/Coordination Center of China （CNCERT/CC）. First-half year cyberseurity report 2021 of China［EB/OL］. ［2022-03-20］.. 10.1007/978-981-16-9229-1
2	Kaspersky. IT threat evolution in Q3 2021. PC statistics［EB/OL］. （2021-11-26）［2022-03-20］..
3	CUI Z H， XUE F， CAI X J， et al. Detection of malicious code variants based on deep learning［J］. IEEE Transactions on Industrial Informatics， 2018， 14（7）： 3187-3196. 10.1109/tii.2018.2822680
4	ŞAHIN D Ö， KURAL O E， AKLEYLEK S， et al. New results on permission based static analysis for Android malware［C］// Proceedings of the 6th International Symposium on Digital Forensic and Security. Piscataway： IEEE， 2018： 1-4. 10.1109/isdfs.2018.8355377
5	LU T L， HOU S. A two-layered malware detection model based on permission for Android［C］// Proceedings of the 2018 IEEE International Conference on Computer and Communication Engineering Technology. Piscataway： IEEE， 2018： 239-243. 10.1109/ccet.2018.8542215
6	DU J R， CHEN H J， ZHONG W J， et al. A dynamic and static combined android malicious code detection model based on SVM［C］// Proceedings of the 5th International Conference on Systems and Informatics. Piscataway： IEEE， 2018： 801-806. 10.1109/icsai.2018.8599356
7	张东，张尧，刘刚，等. 基于机器学习算法的主机恶意代码检测技术研究［J］. 网络与信息安全学报， 2017， 3（7）：25-32. 10.11959/j.issn.2096-109x.2017.00179
	ZHANG D， ZHANG Y， LIU G， et al. Research on host malcode detection using machine learning［J］. Chinese Journal of Network and Information Security， 2017， 3（7）： 25-32. 10.11959/j.issn.2096-109x.2017.00179
8	王宁，王丹，陈怡西，等. 基于系统调用的智能终端恶意软件检测框架［J］. 计算机工程与设计， 2020， 41（6）：1540-1546.
	WANG N， WANG D， CHEN Y X， et al. Detection framework for intelligent terminal malware based on system call［J］. Computer Engineering and Design， 2020， 41（6）：1540-1546.
9	WEN Q K， CHOW K P. CNN based zero-day malware detection using small binary segments［J］. Forensic Science International： Digital Investigation， 2021， 38（S）： No.301128. 10.1016/j.fsidi.2021.301128
10	LIN Q G， LI N， QI Q， et al. Using API call sequences for IoT malware classification based on convolutional neural networks［J］. International Journal of Software Engineering and Knowledge Engineering， 2021， 31（4）：587-612. 10.1142/s021819402140009x
11	XU Z W， REN K R， QIN S C， et al. CDGDroid： Android malware detection based on deep learning using CFG and DFG［C］// Proceedings of the 2018 International Conference on Formal Engineering Methods， LNCS 11232. Berlin： Springer， 2018： 177-193.
12	BAKOUR K， ÜNVER H M. DeepVisDroid： android malware detection by hybridizing image-based features with deep learning techniques［J］. Neural Computing and Applications， 2021， 33（18）： 11499-11516. 10.1007/s00521-021-05816-y
13	王国栋，芦天亮，尹浩然，等. 基于CNN-BiLSTM的恶意代码家族检测技术［J］. 计算机工程与应用， 2020， 56（24）：72-77. 10.3778/j.issn.1002-8331.1911-0001
	WANG G D， LU T L， YIN H R， et al. Malicious code family detection technology based on CNN-BiLSTM［J］. Computer Engineering and Applications， 2020， 56（24）：72-77. 10.3778/j.issn.1002-8331.1911-0001
14	ČEPONIS D， GORANIN N. Investigation of dual-flow deep learning models LSTM-FCN and GRU-FCN efficiency against single-flow CNN models for the host-based intrusion and malware detection task on univariate times series data［J］. Applied Sciences， 2020， 10（7）： 2373. 10.3390/app10072373
15	LAD S S， ADAMUTHE A C. Malware classification with improved convolutional neural network model［J］. International Journal of Computer Network and Information Security， 2020， 12（6）：30-43. 10.5815/ijcnis.2020.06.03
16	CUI Z H， DU L， WANG P H， et al. Malicious code detection based on CNNs and multi-objective algorithm［J］. Journal of Parallel and Distributed Computing， 2019， 129： 50-58. 10.1016/j.jpdc.2019.03.010
17	李善玺. 基于机器学习的未知恶意代码自优化实时检测技术研究［D］. 兰州：兰州大学， 2021： 7-33. 10.24272/j.issn.2095-8137.2022.4.dwxyj202204008
	LI S X. Research on self-optimizing real-time detection technology of unknown malicious code based on machine learning［D］. Lanzhou： Lanzhou University， 2021： 7-33. 10.24272/j.issn.2095-8137.2022.4.dwxyj202204008
18	HU J， SHEN L， SUN G. Squeeze-and-excitation networks［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 7132-7141. 10.1109/cvpr.2018.00745
19	HOWARD A， SANDLER M， CHEN B， et al. Searching for MobileNetV3［C］// Proceedings of the 2019 IEEE/CVF International Conference on Computer Vision. Piscataway： IEEE， 2019： 1314-1324. 10.1109/iccv.2019.00140
20	MA N N， ZHANG X Y， ZHENG H T， et al. ShuffleNet V2： practical guidelines for efficient CNN architecture design［C］// Proceedings of the 2018 European Conference on Computer Vision， LNCS 11218. Cham： Springer， 2018： 122-138.
21	CHOLLET F. Xception： deep learning with depthwise separable convolutions［C］// Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2017： 1800-1807. 10.1109/cvpr.2017.195
22	高振宇，杨晓梅，龚剑明，等. 图像复杂度描述方法研究［J］. 中国图象图形学报， 2010， 15（1）：129-135. 10.11834/jig.20100121
	GAO Z Y， YANG X M， GONG J M， et al. Research on image complexity description methods［J］. Journal of Image and Graphics， 2010， 15（1）：129-135. 10.11834/jig.20100121
23	蒋考林，白玮，张磊，等. 基于多通道图像深度学习的恶意代码检测［J］. 计算机应用， 2021， 41（4）：1142-1147. 10.11772/j.issn.1001-9081.2020081224
	JIANG K L， BAI W， ZHANG L， et al. Malicious code detection based on multi-channel image deep learning［J］. Journal of Computer Applications， 2021， 41（4）： 1142-1147. 10.11772/j.issn.1001-9081.2020081224
24	王博，蔡弘昊，苏旸. 基于VGGNet的恶意代码变种分类［J］. 计算机应用， 2020， 40（1）：162-167. 10.11772/j.issn.1001-9081.2019050953
	WANG B， CAI H H， SU Y. Classification of malicious code variants based on VGGNet［J］. Journal of Computer Applications， 2020， 40（1）： 162-167. 10.11772/j.issn.1001-9081.2019050953
25	梁军淼. 基于卷积神经网络的恶意代码变种检测技术研究［D］. 北京：北京工业大学， 2021： 37-51.
	LIANG J M. Research on malware variant detection technology based on convolutional neural network［D］. Beijing： Beijing University of Technology， 2021： 37-51.
26	刘薇. 基于卷积神经网络的恶意代码灰度图像分类研究［D］. 北京：北京交通大学， 2021： 17-38.
	LIU W. Research on grayscale malware image classification based on convolutional neural network［D］. Beijing： Beijing Jiaotong University， 2021： 17-38.

算法	准确率	精度	召回率	F1分数
LGBM	92.04	84.38	86.55	84.87
RF	92.11	83.99	86.43	84.61
DT	89.48	79.45	83.31	80.08
LR	77.90	70.80	64.23	77.91
SVM	69.77	59.31	58.31	56.66

算法	准确率	精度	召回率	F1分数
LGBM	92.04	84.38	86.55	84.87
RF	92.11	83.99	86.43	84.61
DT	89.48	79.45	83.31	80.08
LR	77.90	70.80	64.23	77.91
SVM	69.77	59.31	58.31	56.66

算法	Training MSE	Test MSE
LGBM	0.11	4.70
RF	0.00	7.84

算法	Training MSE	Test MSE
LGBM	0.11	4.70
RF	0.00	7.84

模型	准确率	精度	召回率	F1分数
本文模型	97.43	95.20	95.28	95.10
MobileNet-small	97.13	94.00	94.90	94.30
ShuffleNet-SE	97.00	94.73	94.20	94.00
Xception-SE	89.74	81.82	84.71	80.00
ResNet50	91.24	85.30	85.60	85.08
AlexNet	82.86	84.10	93.33	96.44
VGG16	95.14	90.46	91.07	90.62