基于多维特征融合的恶意代码分类方法

doi:10.19678/j.issn.1000-3428.0252241

摘要/Abstract

摘要：

在计算机安全领域, 恶意代码防护一直是重要的研究课题。随着计算机技术的快速发展, 恶意代码的种类和形式不断演变, 传统特征工程方法在处理复杂恶意样本时特征维度单一, 致使表征能力不足, 无法精准识别各类恶意代码。其他基于特征融合的恶意代码分类方法在特征提取过程中依赖专家经验进行手工特征设计, 而多模态深度学习模型可解释性不足, 计算开销大。针对上述问题, 提出一种新的特征融合方法, 该方法应用于Windows PE文件的恶意代码分类, 通过整合行为特征、结构特征及纹理特征, 并采用LightGBM作为分类器完成对恶意代码的分类。实验结果表明, 该方法在Microsoft恶意软件分类挑战赛数据集上的测试准确率为99.90%, 对数损失为0.005 7, 在Bazaar数据集上的测试准确率为98.97%, 对数损失为0.042 0。所提方法能够全面、准确地表征恶意代码, 其通过融合多维特征, 为恶意代码检测提供了一种有效的解决方案, 具有重要的理论意义和实际的应用价值。

关键词: 恶意代码, 特征融合, 特征工程, 多模态, LightGBM

Abstract:

Malicious code protection is an important research topic in computer security. With the rapid development of computer technology, the types and forms of malicious codes continue to evolve. Traditional feature engineering methods have a single feature dimension when dealing with complex malicious samples, resulting in insufficient representation ability and inability to accurately identify various types of malicious code. Malicious code classification methods based on feature fusion rely on expert experience in manual feature design during feature extraction, whereas multimodal deep learning models have insufficient interpretability and a high computational overhead. A new feature fusion method is proposed to address the aforementioned issues and applied to the classification of malicious code in Windows PE files. By integrating behavioral, structural, and textural features, LightGBM is used as a classifier to complete the classification of the malicious code. The experimental results show that the testing accuracy of this method on the Microsoft Malicious Software Classification Challenge dataset is 99.90% with a logarithmic loss of 0.005 7. The testing accuracy on the Bazaar dataset is 98.97%, with a logarithmic loss of 0.042 0. The proposed method can comprehensively and accurately characterize malicious code. By integrating multidimensional features, the method provides an effective solution for malicious code detection, which has important theoretical significance and practical application value.

Key words: malicious code, feature fusion, feature engineering, multimodal, LightGBM

冯帅, 高见. 基于多维特征融合的恶意代码分类方法[J]. 计算机工程, 2025, 51(12): 232-243.

FENG Shuai, GAO Jian. Malicious Code Classification Method Based on Multidimensional Feature Fusion[J]. Computer Engineering, 2025, 51(12): 232-243.

https://www.ecice06.com/CN/Y2025/V51/I12/232

图/表 14

图1 基于融合特征的恶意代码检测框架

Fig.1 Malicious code detection framework based on fusion features

图2 同家族的恶意样本文件可视化对比

Fig.2 Visual comparison of malicious sample files from the same family

图3 恶意样本.asm文件可视化

Fig.3 Malicious sample.asm file visualization

图4 Microsoft数据集分布情况

Fig.4 Distribution of Microsoft dataset

图5 Bazaar数据集分布情况

Fig.5 Distribution of Bazaar dataset

图6 Bazaar数据集上分类结果的混淆矩阵

Fig.6 Confusion matrix of classification results on Bazaar dataset

图7 Microsoft数据集上分类结果的混淆矩阵

Fig.7 Confusion matrix of classification results on Microsoft dataset

图8 Microsoft数据集中的特征重要性排名

Fig.8 Feature importance ranking in the Microsoft dataset

图9 Bazaar数据集中的特征重要性排名

Fig.9 Feature importance ranking in the Bazaar dataset

参考文献 32

1	NARAYANAN B N, DJANEYE-BOUNDJOU O, KEBEDE T M. Performance analysis of machine learning and pattern recognition algorithms for malware classification[C]//Proceedings of the IEEE National Aerospace and Electronics Conference (NAECON) and Ohio Innovation Summit (OIS). Washington D.C., USA: IEEE Press, 2016: 338-342.
2	VASAN D , ALAZAB M , WASSAN S , et al. IMCFN: image-based malware classification using fine-tuned convolutional neural network architecture. Computer Networks, 2020, 171, 107138. doi: 10.1016/j.comnet.2020.107138
3	YUAN B G , WANG J F , LIU D , et al. Byte-level malware classification based on Markov images and deep learning. Computers & Security, 2020, 92, 101740.
4	SHAUKAT K , LUO S H , VARADHARAJAN V . A novel deep learning-based approach for malware detection. Engineering Applications of Artificial Intelligence, 2023, 122, 106030. doi: 10.1016/j.engappai.2023.106030
5	LIN W C , YEH Y R . Efficient malware classification by binary sequences with one-dimensional convolutional neural networks. Mathematics, 2022, 10 (4): 608. doi: 10.3390/math10040608
6	ZHANG X L , WU K H , CHEN Z G , et al. MalCaps: a capsule network based model for the malware classification. Processes, 2021, 9 (6): 929. doi: 10.3390/pr9060929
7	XIAO M , GUO C , SHEN G W , et al. Image-based malware classification using section distribution information. Computers & Security, 2021, 110, 102420.
8	ÇAYR A , VNAL U , DAĞ H S . Random CapsNet forest model for imbalanced malware type classification task. Computers & Security, 2021, 102, 102133.
9	YAN J Q, YAN G H, JIN D. Classifying malware represented as control flow graphs using deep graph convolutional neural network[C]//Proceedings of the 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). Washington D.C., USA: IEEE Press, 2019: 52-63.
10	ASLAN O , YILMAZ A A . A new malware classification framework based on deep learning algorithms. IEEE Access, 2021, 9, 87936- 87951. doi: 10.1109/ACCESS.2021.3089586
11	WANG H M , ZHAO Y T , WANG Z J . Doc2vec-GRU: a behavior classifcation method for malicious code. International Journal of Network Security, 2024, 26 (3): 467- 476.
12	YESIR S, SOGUKPINAR I. Malware detection and classification using fastText and BERT[C]//Proceedings of the 9th International Symposium on Digital Forensics and Security (ISDFS). Washington D.C., USA: IEEE Press, 2021: 1-6.
13	KUMAR P S, UMI SALMA B, MISHRA I, et al. Malware detection classification using recurrent neural network[C]//Proceedings of the 2nd International Conference on Technological Advancements in Computational Sciences (ICTACS). Washington D.C., USA: IEEE Press, 2022: 876-880.
14	GIBERT D , MATEU C , PLANES J . HYDRA: a multimodal deep learning framework for malware classification. Computers & Security, 2020, 95, 101873.
15	GIBERT D , PLANES J , MATEU C , et al. Fusing feature engineering and deep learning: a case study for malware classification. Expert Systems with Applications, 2022, 207, 117957. doi: 10.1016/j.eswa.2022.117957
16	SEONGKYU Y, HAENGROK O, DONGIL S, et al. Automatic malicious code classifcation system through static analysis using machine learning[EB/OL]. [2024-02-05]. https://pdfs.semanticscholar.org/da97/387be1ae641c0f262e5ba9f5b011d372c5c0.pdf.
17	YOUSUF M I , ANWER I , RIASAT A , et al. Windows malware detection based on static analysis with multiple features. PeerJ Computer Science, 2023, 9, e1319. doi: 10.7717/peerj-cs.1319
18	ULLAH F , SRIVASTAVA G , ULLAH S . A malware detection system using a hybrid approach of multi-heads attention-based control flow traces and image visualization. Journal of Cloud Computing, 2022, 11 (1): 75. doi: 10.1186/s13677-022-00349-8
19	SINGH J , SINGH J . Detection of malicious software by analyzing the behavioral artifacts using machine learning algorithms. Information and Software Technology, 2020, 121, 106273. doi: 10.1016/j.infsof.2020.106273
20	KIM J Y , CHO S B . Obfuscated malware detection using deep generative model based on global/local features. Computers & Security, 2022, 112, 102501.
21	熊其冰, 郭洋, 王世豪. 基于多特征融合和增强模型的恶意代码检测方法. 通信技术, 2023, 56 (5): 640- 646.
	XIONG Q B , GUO Y , WANG S H . Malicious code detection method based on multi-feature fusion and enhanced model. Communications Technology, 2023, 56 (5): 640- 646.
22	李梦, 刘万平, 黄东. 基于特征融合的恶意代码检测. 计算机工程与设计, 2024, 45 (12): 3568- 3574.
	LI M , LIU W P , HUANG D . Malicious code detection based on feature fusion. Computer Engineering and Design, 2024, 45 (12): 3568- 3574.
23	王硕, 王坚, 王亚男, 等. 一种基于特征融合的恶意代码快速检测方法. 电子学报, 2023, 51 (1): 57- 66.
	WANG S , WANG J , WANG Y N , et al. A fast malicious code detection method based on feature fusion. Acta Electronica Sinica, 2023, 51 (1): 57- 66.
24	YAN H , ZHANG J , TANG Z G , et al. Malware classification method based on feature fusion. International Journal of Information Security, 2025, 24 (2): 97. doi: 10.1007/s10207-025-01013-3
25	XUAN B N , LI J , SONG Y F . BiTCN-TAEfficientNet malware classification approach based on sequence and RGB fusion. Computers & Security, 2024, 139, 103734.
26	ALESSANDRO P, MARIAN M, WILL C, et al. Microsoft malware classification challenge (BIG 2015)[EB/OL]. [2024-02-05]. https://www.kaggle.com/c/malware-classification.
27	MalwareBazaar. Malware samples repository[EB/OL]. [2024-02-05]. https://bazaar.abuse.ch/.
28	KOONCE B. ResNet50[C]//Proceedings of International Conference on Convolutional Neural Networks with Swift for Tensorflow. Berkeley, CA: Apress, 2021: 63-72.
29	OJALA T, PIETIKAINEN M, HARWOOD D. Performance evaluation of texture measures with classification based on Kullback discrimination of distributions[C]//Proceedings of the 12th International Conference on Pattern Recognition. Washington D.C., USA: IEEE Press, 1994: 582-585.
30	HARALICK R M , SHANMUGAM K , DINSTEIN I . Textural features for image classification. IEEE Transactions on Systems, Man, and Cybernetics, 1973, 3 (6): 610- 621.
31	ZHANG Y N, HUANG Q J, MA X J, et al. Using multi-features and ensemble learning method for imbalanced malware classification[C]//Proceedings of the IEEE Trustcom/BigDataSE/ISPA. Washington D.C., USA: IEEE Press, 2016: 965-973.
32	MENG Q. LightGBM: a highly efficient gradient boosting decision tree[EB/OL]. [2024-02-05]. https://proceedings.neurips.cc/paper_files/paper/2017/file/6449f44a102fde848669bdd9eb6b76fa-Paper.pdf.

[1]	曾碧卿, 姚勇涛, 谢梁琦, 陈鹏飞, 邓会敏, 王瑞棠. 结合局部感知与多层次注意力的多模态方面级情感分析[J]. 计算机工程, 2025, 51(9): 80-90.
[2]	马跃, 黄周睿, 周雯, 许艺瀚. 基于感受野注意力的轻量化林火检测算法[J]. 计算机工程, 2025, 51(9): 350-361.
[3]	闫建红, 刘芝妍, 王震. 融合时空注意力机制的多尺度卷积车辆轨迹预测[J]. 计算机工程, 2025, 51(8): 406-414.
[4]	陈晓雷, 王荣. 多分支多尺度点云补全网络[J]. 计算机工程, 2025, 51(8): 330-340.
[5]	马满福, 陈嘉豪, 李勇, 张聪. 基于改进GAT的多特征融合谣言检测模型MFLAN[J]. 计算机工程, 2025, 51(8): 181-189.
[6]	刘春霞, 孟吉星, 潘理虎, 龚大立. 融合RGB与IR图像的遥感小目标检测方法[J]. 计算机工程, 2025, 51(7): 326-338.
[7]	栾孟娜, 郑秋梅, 王风华. 基于DMC-YOLO的交通标志实时检测算法[J]. 计算机工程, 2025, 51(7): 90-99.
[8]	周莎, 车生兵, 考友琛, 张旭, 郭甚驿. 基于特征选择和时空特征的网络入侵检测[J]. 计算机工程, 2025, 51(7): 223-231.
[9]	沙宇洋, 陆京涛, 杜浩凡, 翟小兵, 孟维宇, 廉旭, 罗刚, 李克峰. 适用于导盲场景的多尺度特征融合轻量化道路图像分割算法[J]. 计算机工程, 2025, 51(7): 314-325.
[10]	李毅, 徐慧英, 朱信忠, 黄晓, 王舒梦, 李悉钰. 基于YOLOv5n模型改进的口罩检测算法: Mask-YOLO[J]. 计算机工程, 2025, 51(6): 297-310.
[11]	曹蓓, 赵奎. 基于双重情感和多特征融合的虚假新闻检测[J]. 计算机工程, 2025, 51(6): 193-203.
[12]	李白芽. 基于CNN-Transformer的电子喉镜病灶及器官分割网络[J]. 计算机工程, 2025, 51(6): 327-337.
[13]	刘凯, 任洪逸, 李蓥, 季怡, 刘纯平. 基于交叉模态注意力特征增强的医学视觉问答[J]. 计算机工程, 2025, 51(6): 49-56.
[14]	郑诚, 李鹏飞. 基于双超图神经网络特征融合的文本分类[J]. 计算机工程, 2025, 51(6): 127-135.
[15]	徐永刚, 孙琦烜, 李凡甲, 程健维, 戴佳俊. 基于扩展时间和时空特征融合图卷积网络的骨架行为识别[J]. 计算机工程, 2025, 51(4): 281-292.

选择文件类型/文献管理软件名称

选择包含的内容