Malware Image Detection Method Based on MobileNetV2_AD

doi:10.19678/j.issn.1000-3428.0253229

Abstract

Abstract: To address the problem of exponential growth in malware and variants, and the limited capability of traditional detection methods to identify unknown threats, this paper proposes a MobileNetV2_AD detection method combining "multimodal visualization + lightweight" approaches. The main feature is the fusion of multi-source semantic visual information, representing byte entropy, disassembled instruction streams, and API call sequences as RGB three-channel images to achieve "one image integrating three domains." This reveals the complementary discriminative patterns of different semantic modalities in the image space, offering finer-grained feature extraction compared to grayscale images. Secondly, the lightweight backbone with strong scale perception incorporates Atrous Spatial Pyramid Pooling (ASPP) into MobileNetV2, enhancing the model's receptive field and multi-scale feature extraction capabilities. Additionally, a "category-feature" dual decoupled distillation approach is employed, using ResNeXt50 as the teacher model to simultaneously transfer macro classification logic and micro feature distributions. This resolves the "precision-generalization" trade-off issue in lightweight student models, resulting in an 11.7% increase in F1 score on unknown family samples after distillation. Finally, cross-dataset performance validation is conducted on the Kaggle (400 GB) and DataCon (latest attack-defense competition) public benchmarks, achieving accuracy rates of 96.41% and 98.68% respectively for MobileNetV2_AD, which is 6.31% and 4.21% higher than the original MobileNetV2. The inference speed reaches 280 samples per second, meeting the real-time detection requirements of terminal devices. The experimental results demonstrate that the proposed method significantly improves malware detection effectiveness in resource-constrained scenarios, providing an effective technical solution for cybersecurity defense.

摘要： 针对恶意软件数量及变种指数级增长，且传统检测方法对未知威胁识别能力有限的问题，提出结合“多模态图像化+轻量化”的MobileNetV2_AD检测方法。主要特点是多源语义视觉融合，将字节熵、反汇编指令流与API 调用序列表征为RGB三通道图像，实现“一图融三域”，揭示不同语义模态在图像空间的互补判别规律，较灰度图挖掘特征粒度更细；其次，轻量骨架强尺度感知，在MobileNetV2中植入空洞空间金字塔池化(ASPP)，提升模型感受野，增强多尺度特征提取能力。并且采用“类别-特征”双解耦蒸馏，以ResNeXt50为教师，将宏观分类逻辑与微观特征分布同步迁移，解决轻量学生“精度-泛化”跷跷板难题，蒸馏后学生模型在未知家族样本上F1提升11.7%。最后，进行跨数据集性能验证，在Kaggle（400 GB）与DataCon（最新攻防赛）双公开基准上，MobileNetV2_AD准确率分别达96.41%与98.68%，较原始MobileNetV2提升6.31%与4.21%，且推理速度达280样本/秒，满足终端实时检测需求。实验结果表明，所提方法在资源受限场景下，显著提升了恶意软件检测效果，为网络安全防护提供了有效的技术方案。

LUO Yangxia, YAO Yuanle, LI Xiaoyu, Zhao Jinlong. Malware Image Detection Method Based on MobileNetV2_AD[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0253229.

罗养霞, 姚元乐, 李晓雨, 赵金龙. 基于MobileNetV2_AD的恶意软件图像检测方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0253229.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0253229

References

[1] 2025 AV-TEST. Malware Statistics & Trends Report[EB/OL]. (2025-01-26) [2025-01-26]. https://www. av-test .org /en/statistics/malware/.
[2] Gartner. Gartner Forecasts Global Information Security Spending to Grow 15 Percent in 2025[EB/OL]. [2024-08-28]. https://www.gartner.com/en/newsroom/press-relea-ses/2024-08-28-gartner-forecasts-global-information-security-spending-to-grow-15-percent-in-2025.
[3] Admass S W, Munaye Y Y, Diro A A. Cyber security: State of the art, challenges and future directions[J]. Cyber Security and Applications, 2024, 2100031.
[4] 谢丽霞, 魏晨阳, 杨宏宇, 等. 基于图像化方法的恶意软件检测与分类综述[J].计算机学报, 2025, 48(03): 650-674. XIE L X, WEI C Y, YANG H Y, et al. Review on malware detection and classification using imaging-based methods[J]. Chinese Journal of Computers, 2025, 48(03): 650-674.
[5] 陈佳捷, 彭伯庄, 吴佩泽. 基于动态行为和机器学习的恶意代码检测方法[J]. 计算机工程, 2021, 47(03): 166-173. CHEN JJ, PENG B Z, WU P Z. Malicious code detection method based on dynamic behavior and machine learning[J]. Computer Engineering, 2021, 47(03): 166-173.
[6] LIU L, WANG B, YU B, et al. Automatic malware classification and new malware detection using machine learning [J]. Frontiers of Information Technology & Electronic Engineering, 2017, 18(09): 1336-1348.
[7] AHMAD F, NOR B A, AHMAD K, et al. A method to search for optimal features in Android malware detection using static analysis and genetic search[J]. Frontiers of Information and Electronic Engineering, 2018(6): 712-737.
[8] CUI Z H, XUE F, CAI X J, et al. Detection of malicious code variants based on deep learning[J]. IEEE Transactions on Industrial Informatics, 2018, 14(7): 3187-3196. DOI: 10.1109/TII.2018.2822680.
[9] FENG P, MA J, LI T, et al. Android Malware Detection via Graph Representation Learning[J/OL]. Mobile Information Systems, 2021, 2021: 1-14.
[10] XING X F, JIN X, ELAHI H, et al. A malware detection approach using autoencoder in deep learning[J]. IEEE Access, 2022, 10: 25696-25706. DOI: 10.1109/ACCESS.2022.3155695.
[11] 陈小寒, 魏书宁, 覃正泽. 基于深度学习可视化的恶意软件家族分类[J]. 计算机工程与应用, 2021, 57(22): 131-138. CHEN X H, WEI S N, QIN Z Z. Malware family classification based on deep learning visualization[J]. Computer Engineering and Applications, 2021, 57(22): 131-138.
[12] DHANYA K A, VINOD P, YERIMA S Y, et al. Obfuscated malware detection in IoT Android applications using Markov images and CNN[J]. IEEE Systems Journal, 2023, 17(2): 2756-2766. DOI: 10.1109/JSYST.2023.3238678.
[13] 轩勃娜, 李进, 宋亚飞, 等. 基于改进MobileNetV2的恶意代码分类方法[J]. 计算机应用, 2023, 43(07): 2217-2225. XUAN B N, LI J, SONG Y F, et al. Malicious code classification method based on improved MobileNetV2[J]. Journal of Computer Applications, 2023, 43(07): 2217-2225.
[14] WANG F W, SHI X P, YANG F, et al. MalSort: Lightweight and efficient image-based malware classification using masked self-supervised framework with Swin Transformer[J]. Journal of Information Security and Applications, 2024, 83: 103784. DOI: 10.1016/j.jisa.2024.103784.
[15] 王发明, 倪昕东, 张旗, 等. 基MobileNetV2-CBAM的机收场景下冬小麦成熟期在线分类识别方法[J]. 农业机械学报, 2024, 55(S1): 71-80+100. WANG F M, NI X D, ZHANG Q, et al. Online classification and identification method of winter wheat maturity under mechanical harvesting scenario based on MobileNetV2-CBAM[J]. Transactions of the Chinese Society for Agricultural Machinery, 2024, 55(S1): 71-80+100.
[16] 王伟杰, 曹嘉璇, 李阳, 等. 基于改进MobileNetV2的医疗废物智能分类研究[J/OL]. 智能计算机与应用, 1-9. (2024-12-26) [2025-03-17]. https://doi.org/ 10.20169/ j.issn.2095-2163.24121205. WANG W J, CAO J X, LI Y, et al. Research on intelligent classification of medical waste based on an improved MobileNetV2 model[J/OL]. Intelligent Computer and Applications, 1-9. (2024-12-26) [2025-03-17]. https:// doi.org/ 10.20169/j.issn.2095-2163.24121205.
[17] 张志, 尹昱凯, 孙奕灵, 等. 基于多模态特征融合的Android恶意软件检测模型研究[J/OL]. 计算机工程, 1-12(2024-12-20)[2025-03-20]. https://doi.org/10.19678/j.issn.1000-3428.0070175. ZHANG Z, YI Y K, SUN Y L, et al. Research of Android malware detection system based on multi-modal feature fusion[J/OL]. Computer Engineering, 1-12(2024-12-20)[2025-03-20]. https://doi.org/10.19678/j.issn.1000-3428.0070175.
[18] 杨宏宇, 张宇沛, 张良, 等. 基于API分组重构与图像表示的恶意软件检测分类[J]. 信息安全学报, 2024, 9(05): 110-126. YANG H Y, ZHANG Y P, ZHANG L, et al. Malware detection and classification based on API block reconstruction and image representation[J]. Journal of Cyber Security, 2024, 9(05): 110-126.
[19] 李鉴秋, 刘万平, 黄东, 等. 基于多模态融合的动态恶意软件检测方法[J]. 计算机科学, 2024, 51(S2): 946-952. LI J Q, LIU W P, HUANG D, et al. Multimodal fusion based dynamic malware detection[J]. Computer Science, 2024, 51(S2): 946-952.
[20] 刘兵, 史伟峰, 刘明明, 等. 融合知识蒸馏与记忆机制的无监督工业缺陷检测[J]. 中国图象图形学报, 2025, 30(03): 660-671. LIU B, SHI W F, LIU M M, et al. Unsupervised industrial defect detection by integrating knowledge distillation and memory mechanism[J]. Journal of image and graphics, 2025, 30(03): 660-671.
[21] RONEN R， RADU M， FEUERSTEIN C， et al. Microsoft malware classification challenge[EB/OL］. (2015-02-04)［2025-12-25］.https：//www. kaggle. com/competitions/ malware-classifi⁃cation/data.
[22] 奇安信技术研究院. DataCon: 面向安全研究的多领域大规模竞赛开放数据[EB/OL]. (2020-08-25) [2025-12-25]. https://datacon.qianxin.com/opendata. Qi An Xin Technology Research Institute. DataCon: Multi-domain large-scale competition open data for security research[EB/OL]. (2020-08-25) ［2025-12-25］. https://datacon.qianxin.com/opendata.
[23] 包世龙, 许倩倩, 杨智勇, 等.面向AUC优化的高效对抗训练[J/OL].计算机学报,1-23(2025-03-19)[2025-03-22].http://kns.cnki.net/kcms/detail/11.1826.TP.20250319.1009.006.html. BAO S N, XU Q Q, YANG Z Y, et al. Efficient adversarial training for AUC optimization[J/OL]. Chinese journal of computers,1-23(2025-03-19)[2025-03-22]. http://kns. cnki.et/ kcms/detail/11.1826.TP.20250319.1009.006.html.
[24] 范志鹏, 李军, 刘宇强, 等. 基于灰度纹理指纹的恶意代码分类[J]. 科学技术与工程, 2020, 20(29): 12014-12020. FAN Z P, LI J, LIU Y Q, et al. Classification of Malware Based on Gray Texture Fingerprint[J]. Science Technology and Engineering, 2020, 20(29): 12014-12020.
[25] 卢丰, 王晨. 基于图像特征的恶意代码识别研究[J]. 电子设计工程, 2021, 29(23): 147-151+157. LU F, WANG C. Research on malicious code recognition based on image features[J]. Electronic Design Engineering, 2021, 29(23): 147-151+157.
[26] KIM J Y, BU S J, CHO S B. Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders[J]. Information Sciences, 2018, 460-461: 83-102.
[27] Yousefi-Azar M, Varadharajan V, Hamey L, et al. Autoencoder-based feature learning for cyber security applications[C]//2017 International joint conference on neural networks (IJCNN). IEEE, 2017: 3854-3861.
[28] 杨望, 高明哲, 蒋婷. 一种基于多特征集成学习的恶意代码静态检测框架[J]. 计算机研究与发展, 2021, 58(05): 1021-1034. YANG W, GAO M Z, JIANG T. A malicious code static detection frame work based on muti-feature ensemble learning [J]. Journal of Computer Research and Development, 2021, 58(05): 1021-1034.
[29] ZOU B H, CAO C J, WANG L J, et al. FACILE: A capsule network with fewer capsules and richer hierarchical information for malware image classification[J]. Computers & Security, 2024, 137: 103606.
[30] 李思聪, 王坚, 宋亚飞, 等. TriCh-LKRepNet: 融合三通道映射与结构重参数化的大核卷积恶意代码分类网络[J]. 电子学报, 2024, 52(7): 2331-2340. LI S C, WANG J, SONG Y F, et al. TriCh-LKRepNet: A large kernel convolutional malicious code classification network for structure reparameterisation and triple-channel mapping[J]. Acta Electronica Sinica, 2024, 52(7): 2331-2340.
[31] WANG F W, SHI X P, YANG F, et al. MalSort: Lightweight and efficient image-based malware classification using masked self-supervised framework with Swin Transformer[J]. Journal of Information Security and Applications, 2024, 83: 103784.
[32]王金伟, 陈正嘉, 谢雪, 等. 基于Ngram-TFIDF的深度恶意代码可视化分类方法[J]. 通信学报, 2024, 45 (06): 160-175. WANG J W, CHEN Z J, XIE X, et al. Visual classification method of deep malicious code based on Ngram-TFIDF [J]. Journal of Communications, 2024, 45 (06): 160-175.

Please choose a citation manager

Content to export