Shuo Wang,Jian Wang,Yafei Song,Song Li

DOI: https://doi.org/10.1155/2021/1070586

IF: 3.12

2021-12-14

Computational Intelligence and Neuroscience

Abstract:The increasing volume and types of malwares bring a great threat to network security. The malware binary detection with deep convolutional neural networks (CNNs) has been proved to be an effective method. However, the existing malware classification methods based on CNNs are unsatisfactory to this day because of their poor extraction ability, insufficient accuracy of malware classification, and high cost of detection time. To solve these problems, a novel approach, namely, multiscale feature fusion convolutional neural networks (MFFCs), was proposed to achieve an effective classification of malware based on malware visualization utilizing deep learning, which can defend against malware variants and confusing malwares. The approach firstly converts malware code binaries into grayscale images, and then, these images will be normalized in size by utilizing the MFFC model to identify malware families. Comparative experiments were carried out to verify the performance of the proposed method. The results indicate that the MFFC stands out among the recent advanced methods with an accuracy of 98.72% and an average cost of 5.34 milliseconds on the Malimg dataset. Our method can effectively identify malware and detect variants of malware families, which has excellent feature extraction capability and higher accuracy with lower detection time.

mathematical & computational biology,neurosciences

Dongzhi Cao,Xinglan Zhang,Yang Cao,Yuehan Wang,Weixin Liu

DOI: https://doi.org/10.1504/ijwmc.2020.109235

2020-01-01

International Journal of Wireless and Mobile Computing

Abstract:With the development of society, network security has received more and more attention. Malicious code has also grown, causing network security vulnerabilities and increasing threats to internet security. Therefore, the detection of malicious code becomes very important. However, there are some problems in the current research on malicious code detection, for example, tedious feature extraction and unbalanced data, which is far from the effect people want to achieve. To address these problems, in this paper, we propose a novel malicious code detection and fine-grained classification model by using convolutional neural networks and swarm intelligence algorithms. We converted the binary executable files of malicious codes into greyscale images and then used convolution neural networks to detect and classify malicious codes. In addition, we employed swarm intelligence algorithms to achieve fine-grained classification on unbalanced data in different malicious code families. We conducted a series of experiments on the real malware dataset from Vision Research Lab. The experimental results demonstrated that the proposed solution is effective for fine-grained classification of malicious codes.

Zhihua Cui,Lei Du,Penghong Wang,Xingjuan Cai,Wensheng Zhang

DOI: https://doi.org/10.1016/j.jpdc.2019.03.010

IF: 4.542

2019-01-01

Journal of Parallel and Distributed Computing

Abstract:An increasing amount of malicious code causes harm on the internet by threatening user privacy as one of the primary sources of network security vulnerabilities. The detection of malicious code is becoming increasingly crucial, and current methods of detection require much improvement. This paper proposes a method to advance the detection of malicious code using convolutional neural networks (CNNs) and intelligence algorithm. The CNNs are used to identify and classify grayscale images converted from executable files of malicious code. Non-dominated Sorting Genetic Algorithm II (NSGA-II) is then employed to deal with the data imbalance of malware families. A series of experiments are designed for malware image data from Vision Research Lab. The experimental results demonstrate that the proposed method is effective, maintaining higher accuracy and less loss.

Lixia Zhang,Tianxu Liu,Kaihui Shen,Cheng Chen

2024-10-12

Abstract:With the rapid advancement of Internet technology, the threat of malware to computer systems and network security has intensified. Malware affects individual privacy and security and poses risks to critical infrastructures of enterprises and nations. The increasing quantity and complexity of malware, along with its concealment and diversity, challenge traditional detection techniques. Static detection methods struggle against variants and packed malware, while dynamic methods face high costs and risks that limit their application. Consequently, there is an urgent need for novel and efficient malware detection techniques to improve accuracy and robustness. This study first employs the minhash algorithm to convert binary files of malware into grayscale images, followed by the extraction of global and local texture features using GIST and LBP algorithms. Additionally, the study utilizes IDA Pro to decompile and extract opcode sequences, applying N-gram and tf-idf algorithms for feature vectorization. The fusion of these features enables the model to comprehensively capture the behavioral characteristics of malware. In terms of model construction, a CNN-BiLSTM fusion model is designed to simultaneously process image features and opcode sequences, enhancing classification performance. Experimental validation on multiple public datasets demonstrates that the proposed method significantly outperforms traditional detection techniques in terms of accuracy, recall, and F1 score, particularly in detecting variants and obfuscated malware with greater stability. The research presented in this paper offers new insights into the development of malware detection technologies, validating the effectiveness of feature and model fusion, and holds promising application prospects.

Cryptography and Security,Artificial Intelligence

Jun Li,Shengao Liu,Yan Niu,Hui Zhang

DOI: https://doi.org/10.1109/ICISCE50968.2020.00088

2020-01-01

Abstract:Traditional malicious code classification technology faces a challenge to do with increasingly deformed malicious code, whose problems include having low detection rate and being time-consuming. In order to solve the above-mentioned problems, the traditional malicious code classification technology combines feature extraction of texture fingerprints on the image with the deep learning neural netwo...

Zhihua Cui,Fei Xue,Xingjuan Cai,Yang Cao,Gai-ge Wang,Jinjun Chen

DOI: https://doi.org/10.1109/tii.2018.2822680

IF: 12.3

2018-07-01

IEEE Transactions on Industrial Informatics

Abstract:With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Gaoning Shen,Zhixiang Chen,Hui Wang,Heng Chen,Shuqi Wang

DOI: https://doi.org/10.1016/j.cose.2022.102761

2022-08-01

Abstract:Malicious code has become an important factor threatening network security. Single feature-based malicious code detection methods have achieved good detection results, but when faced with some similar malicious code families, the detection effect is often poor. To address this concern, we propose a feature fusion-based malicious code detection with dual attention mechanism and Bi-directional Long Short-Term Memory (BiLSTM). The dual attention mechanism module gives different focuses on the channel and space of feature maps to extract local texture features of malicious code grayscale images. At the same time, the BiLSTM module extracts global texture structure features of malicious code grayscale images, and fuse local texture features with global texture features, which can not only reflect the detailed characteristics of malicious code, but also retain the overall structural characteristics. Finally, we use the focal loss function to reduce the impact of data imbalance. The experimental results show that our feature fusion approach has a better detection effect compared with the single feature approach, especially in the detection of similar malicious code families.

computer science, information systems

Sicong Li,Jian Wang,Yafei Song,Shuo Wang

DOI: https://doi.org/10.1007/s10489-024-05707-4

2024-01-01

Abstract:As malicious code attacks continue to evolve, attackers leverage techniques like packing and code obfuscation to generate numerous variants, challenging traditional detection methods. Addressing the limitations of current deep learning-based malicious code classification approaches in feature extraction and accuracy, this paper introduces an innovative RGB visualization detection method based on a hybrid multi-head attention mechanism. Initially, a feature representation method utilizing RGB images is introduced. This approach focuses on semantic relationships between a malware’s binary information, assembly details, and API data, generating images with richer textural information. This technique effectively uncovers the deep dependencies between the original and variant versions of malicious code, providing stronger support for subsequent classification tasks. Furthermore, to tackle the issues of malware encryption and obfuscation, a deep neural network framework is adopted, incorporating a modular design philosophy and integrating a multi-head attention mechanism. This design not only enhances the expressiveness of critical features but also helps the model better focus on key aspects of the malicious code, thereby improving classification accuracy. Through comparative experiments and in-depth analysis, the effectiveness and superiority of the proposed RGB visualization method and MSA-ResNet model in the field of malicious code variant classification are validated. The accuracy rates achieved on the Kaggle and DataCon datasets are 99.49

Qianfeng Chu,Gongshen Liu,Xinyu Zhu

DOI: https://doi.org/10.1049/cje.2019.11.005

IF: 1.019

2020-01-01

Chinese Journal of Electronics

Abstract:The malicious code brings a serious security threat. Researchers have found that many new types of malicious code are variants of the existing one.The homology classification of the unknown malicious code can find its corresponding family in which all the code share inherent similarities from the database, so that the defenders can make rapid response and processing.We use the algorithm of malicious code visualization to translate the homology classification problem into the image classification problem. A convolution neural network for malicious code image is constructed. We train it to complete the malicious code homology classification on two different datasets. The results show that our work outperforms most of existing work with the accuracy of 98.60%.

Chenghua Tang,Chen Zhou,Min Hu,Mengmeng Yang,Baohua Qiang

DOI: https://doi.org/10.1109/trustcom56396.2022.00013

2022-01-01

Abstract:Using the features of malicious family to detect malicious code can improve the analysis efficiency and reduce the workload. Aiming at the problems of low efficiency and low accuracy of classifiers in analyzing and detecting malicious code using traditional machine learning, a new malicious family identification method 2MFI-FT is proposed. Firstly, the more comprehensive and essential features of malicious code are obtained by extracting local feature information, assembly instruction set information and visible string information. Secondly, in order to solve the problem of inconsistent images generated by feature sequences, different feature grayscale images are fused into a multi-channel mapping feature image (2MFI) based on the signature matrix. Thirdly, in view of the high cost of collecting and labeling enough data, a classification model with high recognition accuracy and strong generalization ability is realized, based on the fine-tuned Convolutional Neural Network (CNN). The regularization technique is also used to improve the robustness of the model. It is tested on Microsoft Malware Classification Challenge dataset. The experimental results show that the proposed 2MFI method for multi-channel feature image visualization has good identification effect and low time consumption when used as the input of the network model. At the same time, the 2MFI-FT method combined with fine-tuned CNN can accurately identify malicious families, and the accuracy on small training sets and large training sets can reach about 98.25% and 99.68% respectively, which provides a feasible solution for effective identification of malicious families.

Haojun Wang,Haixia Long,Ailan Wang,Tianyue Liu,Haiyan Fu

DOI: https://doi.org/10.1109/access.2021.3090464

IF: 3.9

2021-01-01

IEEE Access

Abstract:Network security has become a growing concern within the popularity and development of the Internet. Malicious code is one of the main threats to network security. Different types of malicious code have different functions and cause different harms. Therefore, improving the detection efficiency and recognition accuracy of malicious code is becoming an urgent problem to be solved. While traditional machine learning methods for malicious code detection largely depend on hand-designed features with experts' knowledge of the domain or focus on the images which come from malicious code binary files. These methods spend too much time on feature extraction. With the emergence of a large amount of malicious code data, the efficiency of traditional machine learning algorithms is getting worse and worse. In this paper, a workflow based on deep learning is proposed to detect and classify malicious codes. This workflow adopts a convolutional neural network (CNN) and the regularization algorithms to classify malicious code with N_gram semantic feature as input of the model. The convolutional neural network can automatically extract the features of malicious code while avoiding the need for manual feature selection. Regularization algorithms not only speed up the training process of the deep model but also improve the generalization ability in the case of effective prevention of over-fitting of the model. The proposed method is compared with the state-of-the-art methods and other deep learning models. Experimental results show that our workflow can improve the accuracy and efficiency of malicious code classification.

Dongzhi Cao,Xinglan Zhang,Zhenhu Ning,Jianfeng Zhao,Fei Xue,Yongli Yang

DOI: https://doi.org/10.1145/3297156.3297246

2018-01-01

Abstract:With the rapid development of the Internet, people have variety in their life style. While the Internet is developing rapidly, some malware has also been generated, and the number of malicious codes grows exponentially, which seriously affects the security of the Internet. In the prevention of malicious code, the accurate classification of malicious code is the most critical components. At present, researchers mainly focus on static detection and dynamic detection to study malicious code variant detection schemes. In the study of malicious code classification, this paper first analyzes the limitations of static detection and dynamic detection, then employs convolution neural networks to classify and identify malicious code, and finally implements an efficient malicious code detection system based on convolutional neural networks. Our malware detection model realizes the idea of automatic detection of malicious code variants. Experimental results demonstrated that the proposed malicious code detection system is efficient.

Wenbo Zhang,Yongxin Feng,Guangjie Han,Hongbo Zhu,Xiaobo Tan

DOI: https://doi.org/10.3390/s22228739

IF: 3.9

2022-11-13

Sensors

Abstract:It is critical to detect malicious code for the security of the Internet of Things (IoT). Therefore, this work proposes a malicious code detection algorithm based on the novel feature fusion–malware image convolutional neural network (FF-MICNN). This method combines a feature fusion algorithm with deep learning. First, the malicious code is transformed into grayscale image features by image technology, after which the opcode sequence features of the malicious code are extracted by the n-gram technique, and the global and local features are fused by feature fusion technology. The fused features are input into FF-MICNN for training, and an appropriate classifier is selected for detection. The results of experiments show that the proposed algorithm exhibits improvements in its detection speed, the comprehensiveness of features, and accuracy as compared with other algorithms. The accuracy rate of the proposed algorithm is also 0.2% better than that of a detection algorithm based on a single feature.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ziyue Wang,Weizheng Wang,Yaoqi Yang,Zhaoyang Han,Dequan Xu,Chunhua Su

DOI: https://doi.org/10.1002/int.23094

IF: 8.993

2022-10-27

International Journal of Intelligent Systems

Abstract:Malicious code attacks have severely hindered the current development of the Internet technologies. Once the devices are infected with virus, the damages to companies and users are unpredictable. Although researchers have developed malware detection methods, the analysis result still cannot achieve the desired accuracy due to complicated malicious code families and fast‐growing variants. In this paper, to solve this problem, we combine Convolutional Neural Networks (CNNs) with Generative Adversarial Networks (GANs) to design an efficient and accurate malware detection method. First, we implement a code visualization method and utilize GAN to generate more samples of malicious code variants in the role of data augmentation. Then, the lightweight AlexNet originated from CNN to classify malware families. Finally, simulation experiments are conducted to evaluate that our CNN plus GAN model can achieve a higher classification accuracy (i.e., 97.78%) compared with some related work.

computer science, artificial intelligence

Yanli Shao,Yang Lu,Dan Wei,Jinglong Fang,Feiwei Qin,Bin Chen

DOI: https://doi.org/10.1155/2022/3301718

2022-07-08

Wireless Communications and Mobile Computing

Abstract:Edge computing is a feasible solution for effectively collecting and processing data in industrial Internet of Things (IIoT) systems, and edge security is an important guarantee for edge computing. Fast and accurate classification of malicious code in the whole lift cycle of edge computing is of great significance, which can effectively prevent malicious code from attacking wireless sensor networks and ensure the stable and secure transmission of data in smart devices. Considering that there is a large amount of code reuse in the same malicious code family, making their visual feature similar, many studies use visualization technology to assist malicious code classification. However, traditional malicious code visual classification schemes have the problems such as single image source, weak ability of deep-level feature extraction, and lack of attention to key image details. Therefore, an innovative malicious code visual classification method based on a deep residual network and hybrid attention mechanism for edge security is proposed in this study. Firstly, the malicious code visualization scheme integrates the bytecode file and assembly file of the malware and converts them into a four-channel RGBA image to fully represent malicious code feature information without increasing the computational complexity. Secondly, a hybrid attention mechanism is introduced into the deep residual network to construct an effective classification model, which extracts image texture features of malicious code from two dimensions of the channel and spatial to improve the classification performance. Finally, the experimental results on the BIG2015 and Malimg datasets show that the proposed scheme is feasible and effective and can be widely applied used in various malicious code classification issues, and the classification accuracy rate is relatively higher than the existing better-performing malicious code classification methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jianyi Liu,Yansheng Qu,Jiaqi Li,Yunxiao Wang,Jing Zhang,Hongshan Yin

DOI: https://doi.org/10.1109/ccis53392.2021.9754597

2021-01-01

Abstract:Malicious code and its derivative code have become a major threat to network security. At present, some methods transform malicious code into images and use deep learning to classify families. However, these family classification methods based on deep learning has a problem that the malicious code images need to be uniformly scaled before model training, which may result in the loss of potential malicious code image features. This paper proposes a malicious code classification network based on spatial pyramid pooling and deep residual network. The network can accept malicious code images of any size as input, and solve the problem that neural network input requires uniform image size. The experimental results show that the classification accuracy of this paper is 99.09%, and the recall is 96.69%, which is 2% higher than other methods on the same dataset.

Danish Vasan,Mamoun Alazab,Sobia Wassan,Hamad Naeem,Babak Safaei,Qin Zheng

DOI: https://doi.org/10.1016/j.comnet.2020.107138

IF: 5.493

2020-01-01

Computer Networks

Abstract:The volume, type, and sophistication of malware is increasing. Deep convolutional neural networks (CNNs) have lately proven their effectiveness in malware binary detection through image classification. In this paper, we propose a novel classifier to detect variants of malware families and improve malware detection using CNN-based deep learning architecture, called IMCFN (Image-based Malware Classification using Fine-tuned Convolutional Neural Network Architecture). Differing from existing solutions, we propose a new method for multiclass classification problems. Our proposed method converts the raw malware binaries into color images that are used by the fine-tuned CNN architecture to detect and identify malware families. Our method previously trained with the ImageNet dataset (≥10 million) and utilized the data augmentation to handle the imbalance dataset during the fine-tuning process. For evaluations, an extensive experiment was conducted using 2 datasets: Malimg malware dataset (9,435 samples), and IoT- android mobile dataset (14,733 malware and 2,486 benign samples). Empirical evidence has shown that the IMCFN stands out among the deep learning models including other CNN models with an accuracy of 98.82% in Malimg malware dataset and more than 97.35% for IoT-android mobile dataset. Furthermore, it demonstrates that colored malware dataset performed better in terms of accuracy than grayscale malware images. We compared the performance of IMCFN with the three architectures VGG16, ResNet50 and Google's InceptionV3. We found that our method can effectively detect hidden code, obfuscated malware and malware family variants with little run-time. Our method is resilient to straight forward obfuscation technique commonly used by hackers to disguise malware such as encryption and packing.

Tianyue Liu,Hongqi Zhang,Haixia Long

DOI: https://doi.org/10.1109/icfeict57213.2022.00065

2022-01-01

Abstract:Malicious software detection is the initial and primary step for any network-based security system. Machine learning algorithm has become one of the main methods. Due to the high computational complexity and low computational accuracy of traditional machine learning algorithms, an improved deep learning method is proposed in this paper, Convolution Neural Network (CNN) with Batch Normalization and Inception-Residual network (BIR-CNN). Firstly, a new method is designed to feature extraction. Each vector value of each sample is aggregated, using the functions mean, median, standard deviation, skew, and kurtosis, resulting in a 5-dimension feature for each vector. Secondly, the supervised neural BIR-CNN method is adopted to detect malicious software. Convolution layers and an Inception-Residual network are used in the model to improve its capacity for learning. Batch normalization helps hasten model training while preventing over-fitting. Finally, research is done using network traffic that is accessible to the general public data set CICAndMal2017 and evaluated against three conventional algorithms for CNN and algorithms, and the BIR-CNN model obtains an accuracy of 0.97 and the AUC (Area Under Curve) of 0.99. Therefore, utilizing deep learning for the detection of dangerous software, BIR-CNN can be employed.

Jianbin Mai,Chunjie Cao,Qian Wu

DOI: https://doi.org/10.1007/978-3-030-73671-2_7

2021-01-01

Abstract:Being able to detect malware variants is an important problem due to the rapid development and the security threats of new malware variations. Machine learning methods are currently one of the most popular malware variant detection methods, however, most of these methods only use single type of features (e.g. opcode) and shallow learning algorithms (e.g. SVM), which also makes these methods have demonstrated poor detection accuracy and low detection speeds. In this paper, we propose a method that combines multiple features of malware with deep learning methods to optimize the detection of malware variants. To implement the proposed method, we use Deep Convolutional Neural Network (DCNN) and Information Gain (IG) to extract effective features from the grayscale map and disassembly file mapped from the malware, respectively. Then we construct a fusion feature space by combining the different types of extracted features and use it to train a Multilayer Perceptron (MLP) to obtain results. The experimental results demonstrated that our method achieved good accuracy as compared with other common malware detection methods.

Yumeng Wu,Jianjun Zeng,Zhenjiang Zhang,Wei Li,Zhiyuan Zhang,Yang Zhang

DOI: https://doi.org/10.1007/978-3-031-31275-5_12

2023-01-01

Abstract:With the rapid development of Internet of things, cloud computing, edge computing and other technologies, malicious code attacks users and even enterprises more and more frequently with the help of software and system security vulnerabilities, which poses a serious threat to network security. The traditional static or dynamic malicious code detection technology is difficult to solve the problem of high-speed iteration and camouflage of malicious code. The detection method based on machine learning algorithm and data mining idea depends on manual feature extraction, and can not automatically and effectively extract the deeper features of malicious code. In view of the traditional malicious code detection methods and the related technologies of deep learning, this paper integrates deep learning into the dynamic malicious code detection system, and proposes a malicious code detection system based on convolutional neural network.