Malicious code classification method based on improved MobileNetV2

doi:10.11772/j.issn.1001-9081.2022060931

Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (7): 2217-2225.DOI: 10.11772/j.issn.1001-9081.2022060931

• Cyber security • Previous Articles

Malicious code classification method based on improved MobileNetV2

Bona XUAN, Jin LI(), Yafei SONG, Zexuan MA

Air and Missile Defense College，Air Force Engineering University，Xi’an Shaanxi 710051，China

Received:2022-06-28 Revised:2022-08-27 Accepted:2022-09-05 Online:2022-11-25 Published:2023-07-10
Contact: Jin LI
About author:XUAN Bona， born in 1991， M. S. candidate. Her research interests include network security and defense， malware code classification.
LI Jin， born in 1971， Ph. D.， associate professor. His research interests include network security of ground to air missile command control system.
SONG Yafei， born in 1987， Ph. D.， associate professor. His research interests include intelligent information processing.
MA Zexuan， born in 1998， M. S. candidate. His research interests include network intrusion detection.
Supported by:
National Natural Science Foundation of China(61876189)

基于改进MobileNetV2的恶意代码分类方法

轩勃娜, 李进(), 宋亚飞, 马泽煊

空军工程大学防空反导学院，西安 710051

通讯作者: 李进
作者简介:轩勃娜（1991—），女，陕西咸阳人，硕士研究生，主要研究方向：网络安全防御、恶意代码分类；
李进（1971—），男，陕西西安人，副教授，博士，主要研究方向：地空导弹指挥控制系统网络安全；
宋亚飞（1987—），男，河南汝州人，副教授，博士，主要研究方向：智能信息处理；
马泽煊（1998—），男，河北保定人，硕士研究生，主要研究方向：网络入侵检测。
基金资助:
国家自然科学基金资助项目(61876189)

Abstract

Abstract:

Aiming at the problems of insufficient accuracy， high prediction time cost and weak ability against obfuscation of the traditional malicious code classification methods， a malicious code classification method based on improved MobileNetV2 was proposed. Firstly， aiming at the problems of malicious code encryption and obfuscation， the Coordinate Attention （CA） method was used to introduce a wider range of spatial locations to enhance malicious code image features. Then， aiming at the problem of high training cost caused by training from scratch， the Transfer Learning （TL） was used to improve the MobileNetV2 learning method to increase the ability against obfuscation. Finally， aiming at the large computational load and slow convergence of traditional deep learning networks， the MobileNetV2 lightweight convolutional network model was used， and Ranger21 was combined to improve the training method to promote rapid convergence. Experimental results show that the above-mentioned method has the accuracy achieved 99.26% and 96.98% for Malimg dataset and DataCon dataset. The method has the accuracy increased by 1.49% and the detection efficiency increased by 45.31% on the Malimg dataset compared with the AlexNet method， and has the accuracy increased by 1.14% on the DataCon dataset compared with the ensemble learning method. It can be seen that the improved MobileNetV2 based malicious code classification method can improve the generalization ability， ability against obfuscation and classification efficiency of the model.

Key words: network security, malicious code classification, Transfer Learning (TL), MobileNetV2, Coordinate Attention (CA), Ranger21 optimization algorithm

摘要：

针对传统恶意代码分类方法存在的精度不足、预测时间成本高和抗混淆能力弱等问题，提出一种基于改进MobileNetV2的恶意代码分类方法。首先，针对恶意代码加密和混淆等问题，使用坐标注意力（CA）方法引入更大范围的空间位置来增强恶意代码图像的特征；然后，针对从头开始训练导致的训练成本过高的问题，使用迁移学习（TL）来改进MobileNetV2的学习方式以提升抗混淆能力；最后，针对传统深度学习网络计算量大和收敛慢的问题，使用MobileNetV2轻量化卷积网络模型，并结合Ranger21改进训练方式以促进网络迅速收敛。实验结果表明：上述方法对Malimg数据集和DataCon数据集的准确率分别达到了99.26%和96.98%。在malimg数据集相较于AlexNet方法在准确率上平均提升了1.49%，检测效率上平均提升了45.31%；在DataCon数据集相较于集成学习方法准确率平均提升了1.14%。可见，基于改进MobileNetV2的恶意代码分类方法可以提升模型的泛化能力、抗混淆能力与分类效率。

关键词: 网络安全, 恶意代码分类, 迁移学习, MobileNetV2, 坐标注意力, Ranger21优化算法

CLC Number:

TP309.5

Bona XUAN, Jin LI, Yafei SONG, Zexuan MA. Malicious code classification method based on improved MobileNetV2[J]. Journal of Computer Applications, 2023, 43(7): 2217-2225.

轩勃娜, 李进, 宋亚飞, 马泽煊. 基于改进MobileNetV2的恶意代码分类方法[J]. 《计算机应用》唯一官方网站, 2023, 43(7): 2217-2225.

Figures/Tables 19

References 25

1	奇安信.奇安信发布《2020上半年网络安全应急响应分析报告》［EB/OL］. （2020-08-18）［2022-04-20］. .
	QiAnXin. QiAnXin releases Analysis report on network security emergency response in the first half of 2020［EB/OL］. （2020-08-18）［2022-04-20］. .
2	CONTI G， BRATUS S， SHUBINA A， et al. Automated mapping of large binary objects using primitive fragment type classification［J］. Digital Investigation， 2010， 7（S）： S3-S12. 10.1016/j.diin.2010.05.002
3	NATARAJ L， YEGNESWARAN V， PORRAS P， et al. A comparative assessment of malware classification using binary texture analysis and dynamic analysis ［C］// Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence. New York： ACM， 2011： 21-30. 10.1145/2046684.2046689
4	NATARAJ L， KARTHIKEYAN S， JACOB G， et al. Malware images： visualization and automatic classification ［C］// Proceedings of the 8th International Symposium on Visualization for Cyber Security. New York： ACM， 2011： No.4. 10.1145/2016904.2016908
5	CUI Z H， DU L， WANG P H， et al. Malicious code detection based on CNNs and multi-objective algorithm［J］. Journal of Parallel and Distributed Computing， 2019， 129： 50-58. 10.1016/j.jpdc.2019.03.010
6	GIBERT D， MATEU C， PLANES J， et al. Using convolutional neural networks for classification of malware represented as images［J］. Journal of Computer Virology and Hacking Techniques， 2019， 15（1）： 15-28. 10.1007/s11416-018-0323-0
7	VASAN D， ALAZAB M， WASSAN S， et al. IMCFN： image-based malware classification using fine-tuned convolutional neural network architecture［J］. Computer Networks， 2020， 171： No.107138. 10.1016/j.comnet.2020.107138
8	VERMA V， MUTTOO S K， SINGH V B. Multiclass malware classification via first-and second-order texture statistics［J］. Computers and Security， 2020， 97： No.101895. 10.1016/j.cose.2020.101895
9	杨望，高明哲，蒋婷.一种基于多特征集成学习的恶意代码静态检测框架［J］.计算机研究与发展， 2021， 58（5）： 1021-1034. 10.7544/issn1000-1239.2021.20200912
	YANG W， GAO M Z， JIANG T. A malicious code static detection framework based on multi-feature ensemble learning［J］. Journal of Computer Research and Development， 2021， 58（5）： 1021-1034. 10.7544/issn1000-1239.2021.20200912
10	奇安信. DataCon数据集［DB/OL］. ［2022-04-25］. .
	QiAnXin. DataCon datasets［DB/OL］. ［2022-04-25］. .
11	MAKANDAR A， PATROT A. Malware class recognition using image processing techniques ［C］// Proceedings of the 2017 International Conference on Data Management， Analytics and Innovation. Piscataway： IEEE， 2017： 76-80. 10.1109/icdmai.2017.8073489
12	邱克帆. PE恶意代码智能变异方法的研究与实现［D］.天津：南开大学， 2020： 26-40.
	QIU K F. Research and implementation of PE malware intelligent mutation［D］. Nanjing： Nankai University， 2020： 26-40.
13	FUCHS F B， WORRALL D E， FISCHER V， et al. SE （3） -Transformers： 3D roto-translation equivariant attention networks ［C］// Proceedings of the 34th International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2020： 1970-1981.
14	WOO S， PARK J， LEE J Y， et al. CBAM： convolutional block attention module ［C］// Proceedings of the 2018 European Conference on Computer Vision， LNCS 11211. Cham： Springer， 2018： 3-19.
15	HOU Q B， ZHOU D Q， FENG J S. Coordinate attention for efficient mobile network design ［C］// Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2021： 13708-13717. 10.1109/cvpr46437.2021.01350
16	CHEN L. Deep transfer learning for static malware classification［EB/OL］. （2018-12-18）［2022-04-23］. . 10.36227/techrxiv.17259806
17	SANDLER M， HOWARD A， ZHU M L， et al. MobileNetV2： inverted residuals and linear bottlenecks ［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 4510-4520. 10.1109/cvpr.2018.00474
18	WANG W， LI Y T， ZOU T， et al. A novel image classification approach via Dense-MobileNet models［J］. Mobile Information Systems， 2020， 2020： No.7602384. 10.1155/2020/7602384
19	CHENG S L， WANG L J， DU A Y. Asymmetric coordinate attention spectral-spatial feature fusion network for hyperspectral image classification［J］. Scientific Reports， 2021， 11： No.17408. 10.1038/s41598-021-97029-5
20	KIM J H， ON K W， LIM W， et al. Hadamard product for low-rank bilinear pooling［EB/OL］. （2017-03-26）［2022-04-23］. .
21	ZHUANG F Z， QI Z Y， DUAN K Y， et al. A comprehensive survey on transfer learning［J］. Proceedings of the IEEE， 2021， 109（1）： 43-76. 10.1109/jproc.2020.3004555
22	WRIHT L， DEMEURE N. Ranger21： a synergistic deep learning optimizer［EB/OL］. （2021-08-07）［2022-04-23］. .
23	LOSHCHILOV I， HUTTER F. Decoupled weight decay regularization［EB/OL］. （2019-01-04）［2022-04-23］. .
24	ZHANG M R， LUCAS J， HINTON G， et al. Lookahead optimizer： k steps forward， 1 step back ［C］// Proceedings of the 33rd International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2019： 9597-9608. 10.1515/9781618110770
25	蒋考林，白玮，张磊，等.基于多通道图像深度学习的恶意代码检测［J］.计算机应用， 2021， 41（4）： 1142-1147. 10.11772/j.issn.1001-9081.2020081224
	JIANG K L， BAI W， ZHANG L， et al. Malicious code detection based on multi-channel image deep learning［J］. Journal of Computer Applications， 2021， 41（4）： 1142-1147. 10.11772/j.issn.1001-9081.2020081224

输入长度	操作	e	c	n	s
2 562×3	Conv2d	—	16	1	2
1 122×16	Bottleneck	1	16	1	2
562×16	Bottleneck	3	24	1	2
282×24	Bottleneck	3	24	2	1
142×40	Bottleneck	6	48	4	1
72×96	Bottleneck	6	96	2	2
72×96	Conv2d，1×1	6	576	1	1
72×576	Avgpool 7×7	—	—	1	1
72×576	Conv2d，1×1	—	1 028	1	1
8×1×256	Avgpool 8×8	—	1 028	1	1
8×1×256	Avgpool 8×8	—	1 028	1	1
16×1×256	Concate	—	1 028	1	1
16×1×256	Conv2d，1×1	—	1 028	1	1
16×1×40	BatchNorm+Relu	—	1 028	1	1
12×1 280	Multiply，8×8	—	1 028	1	1
12×1 280	Conv2d，1×1	—	1 028	1	1
12×1 280	Dropout	—	1 028	1	1
12×1 280	Conv2d，1×1	—	class	1	1

输入长度	操作	e	c	n	s
2 562×3	Conv2d	—	16	1	2
1 122×16	Bottleneck	1	16	1	2
562×16	Bottleneck	3	24	1	2
282×24	Bottleneck	3	24	2	1
142×40	Bottleneck	6	48	4	1
72×96	Bottleneck	6	96	2	2
72×96	Conv2d，1×1	6	576	1	1
72×576	Avgpool 7×7	—	—	1	1
72×576	Conv2d，1×1	—	1 028	1	1
8×1×256	Avgpool 8×8	—	1 028	1	1
8×1×256	Avgpool 8×8	—	1 028	1	1
16×1×256	Concate	—	1 028	1	1
16×1×256	Conv2d，1×1	—	1 028	1	1
16×1×40	BatchNorm+Relu	—	1 028	1	1
12×1 280	Multiply，8×8	—	1 028	1	1
12×1 280	Conv2d，1×1	—	1 028	1	1
12×1 280	Dropout	—	1 028	1	1
12×1 280	Conv2d，1×1	—	class	1	1

样本大小/KB	宽度/像素
（0，6］	32
（6， 20］	64
（20， 46］	128
（46， 80］	256
（80，160］	384
（160， 800］	512
（800， 1 200］	1 024
（1 200，76 900］	2 048

样本大小/KB	宽度/像素
（0，6］	32
（6， 20］	64
（20， 46］	128
（46， 80］	256
（80，160］	384
（160， 800］	512
（800， 1 200］	1 024
（1 200，76 900］	2 048

图片尺寸/像素	准确率/%	召回率/%	精确率/%	F₁/%
32×32	93.14	92.49	93.00	93.36
64×64	93.68	93.01	93.13	93.08
128×128	94.84	94.01	94.09	94.28
256×256	96.98	96.94	95.88	96.69

Malicious code classification method based on improved MobileNetV2

基于改进MobileNetV2的恶意代码分类方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 19

References 25

Related Articles 15

Recommended Articles

Metrics

模型	训练方式	准确率
Resnet50	预训练	91.90
Resnet50	微调	94.40
Destnet169	预训练	93.41
Destnet169	微调	94.61
InceptionV3	预训练	91.41
InceptionV3	微调	92.88
MobileNetV2	预训练	92.97
MobileNetV2	微调	95.30
本文模型	预训练	94.39
本文模型	微调	96.98

方法	评价参数/%				网络深度	参数量	图片尺寸/像素
方法	准确率	召回率	精确率	F₁	网络深度	参数量	图片尺寸/像素
TL-Resnet50	94.40	94.40	94.67	94.22	168	25 636 712	256×256
TL-Destnet169	94.61	94.61	94.31	94.53	169	14 307 880	256×256
TL-InceptionV3	92.88	92.48	92.61	92.51	126	22 910 480	256×256
TL-MobileNetV2	95.30	95.23	95.41	95.28	88	2 259 265	256×256
CATM	96.98	96.94	95.88	96.69	92	2 357 984	256×256

优化器	准确率	召回率	精确率	F₁
CATM-Adam	96.66	96.21	95.58	95.86
CATM-Ranger21	96.98	96.94	95.88	96.69

方法	特征	准确率/%	召回率/%	精确率/%	F₁/%	耗时/ms	同一个家族的变种准确率/%
方法	特征	准确率/%	召回率/%	精确率/%	F₁/%	耗时/ms	Swizzor.gen！E	Swizzor.gen！I
文献［5］方法	灰度图	94.50	94.50	94.60	94.50	20.3	71.00	62.00
文献［6］方法	灰度图	98.48	96.56	95.80	95.80	—	88.00	82.00
文献［8］方法	直方图+GLCM	98.58	98.06	98.04	98.05	—	—	—
文献［7］方法	灰度图	98.27	98.25	98.19	98.20	—	88.00	82.00
文献［7］方法	RGB	98.82	98.85	98.81	98.75	—	85.00	74.00
文献［25］方法	AlexNet+RGB	97.80	97.80	98.00	97.80	9.3	97.00	80.00
本文方法	灰度图	99.26	98.99	99.14	99.11	6.4	90.00	86.00

方法	特征	准确率/%	召回率/%	精确率/%	F₁/%	耗时/ms	图片尺寸/像素
文献［9］方法	多种特征	95.89	89.84	—	88.55	—	256×256
DataCon比赛^［10］方法	灰度图	96.80	96.42	96.26	97.38	—	512×512
本文方法	灰度图	96.98	96.94	95.88	96.69	7.2	256×256

[1]	Qun WANG, Quan YUAN, Fujuan LI, Lingling XIA. Review of zero trust network and its key technologies [J]. Journal of Computer Applications, 2023, 43(4): 1142-1150.
[2]	Wenju LI, Gan ZHANG, Liu CUI, Wanghui CHU. Lightweight traffic sign recognition model based on coordinate attention [J]. Journal of Computer Applications, 2023, 43(2): 608-614.
[3]	Dawei ZHANG, Xuchong LIU, Wei ZHOU, Zhuhui CHEN, Yao YU. Real-time traffic sign detection algorithm based on improved YOLOv3 [J]. Journal of Computer Applications, 2022, 42(7): 2219-2226.
[4]	Xiayang SHI, Fengyuan ZHANG, Jiaqi YUAN, Min HUANG. Detection of unsupervised offensive speech based on multilingual BERT [J]. Journal of Computer Applications, 2022, 42(11): 3379-3385.
[5]	WANG Yue, JIANG Yiming, LAN Julong. Intrusion detection based on improved triplet network and K-nearest neighbor algorithm [J]. Journal of Computer Applications, 2021, 41(7): 1996-2002.
[6]	ZHANG Quanlong, WANG Huaibin. Intrusion detection model based on combination of dilated convolution and gated recurrent unit [J]. Journal of Computer Applications, 2021, 41(5): 1372-1377.
[7]	LI Huihui, YAN Kun, ZHANG Lixuan, LIU Wei, LI Zhi. Circular pointer instrument recognition system based on MobileNetV2 [J]. Journal of Computer Applications, 2021, 41(4): 1214-1220.
[8]	TANG Yanqiang, LI Chenghai, SONG Yafei. Network security situation prediction based on improved particle swarm optimization and extreme learning machine [J]. Journal of Computer Applications, 2021, 41(3): 768-773.
[9]	HANG Mengxin, CHEN Wei, ZHANG Renjie. Abnormal flow detection based on improved one-dimensional convolutional neural network [J]. Journal of Computer Applications, 2021, 41(2): 433-440.
[10]	CHENG Xiaohui, NIU Tong, WANG Yanjun. Wireless sensor network intrusion detection system based on sequence model [J]. Journal of Computer Applications, 2020, 40(6): 1680-1684.
[11]	DENG Xiong, WANG Hongchun. Face liveness detection algorithm based on deep learning and feature fusion [J]. Journal of Computer Applications, 2020, 40(4): 1009-1015.
[12]	WANG Bo, CAI Honghao, SU Yang. Classification of malicious code variants based on VGGNet [J]. Journal of Computer Applications, 2020, 40(1): 162-167.
[13]	CHI Yaping, MO Chongwei, YANG Yintan, CHEN Chunxia. Design and implementation of intrusion detection model for software defined network architecture [J]. Journal of Computer Applications, 2020, 40(1): 116-122.
[14]	WANG Jiaxin, FENG Yi, YOU Rui. Network security measurment based on dependency relationship graph and common vulnerability scoring system [J]. Journal of Computer Applications, 2019, 39(6): 1719-1727.
[15]	DU Junxiong, CHEN Wei, LI Xueyan. Contextual authentication method based on device fingerprint of Internet of Things [J]. Journal of Computer Applications, 2019, 39(2): 464-469.