Similar literature
20 similar documents found; search took 140 ms.
1.
Existing malicious code classification methods based on convolutional neural networks (CNNs) consume substantial computing resources. To reduce the computation and parameter count of the classification process, a malware family classification model is built on malware visualization and a lightweight CNN. Malware is visualized as grayscale images, with the similarity of the grayscale images representing the similarity in code structure among malware of the same family; the grayscale images are used to train MobileNet v2, a neural network with depthwise separable convolutions, which automatically extracts texture features, and a Softmax classifier assigns the malicious code to families. Experimental results show that the model achieves an average classification accuracy of 99.32% on malicious code, 2.14 percentage points higher than the classic malicious code visualization model.

2.
To address the computational complexity of traditional texture classification methods, this paper proposes a simple, novel texture classification method based on the bag-of-words model. In the feature extraction stage, local image patches are projected with an NSCT filter, and random measurement features are then extracted with an observation matrix; in the classification stage, the random features are embedded directly into the bag-of-words framework, and learning and classification are performed directly in the compressed domain. By exploiting the sparsity of texture images, the proposed feature extraction method is simple and outperforms traditional feature extraction methods in both performance and complexity. Finally, numerical experiments on the CUReT database compare the method with four classic methods, patch, patch-MRF, MR8 and LBP; the proposed method shows significant improvements in classification accuracy and real-time performance.

3.
Research on registration recognition methods for color printing   Cited by: 8 (self-citations: 1, citations by others: 7)
Automatic recognition of the registration state is a key step in on-line detection of register deviation. This paper studies feature extraction methods for register-mark images. For color features, a feature extraction method based on the HSI model, which approximates human vision, is proposed to reduce the influence of illumination; for texture features, the feature parameters of the gray-level co-occurrence matrix in the four directions 0°, 45°, 90° and 135° are averaged to give the final parameters, suppressing the directional component so that the resulting texture features are direction-independent. A minimum-distance classifier is designed for classification and recognition, and comparative classification experiments are run with different distance measures. The results show that the proposed method is feasible and that classification on texture feature parameters outperforms classification on color features.

4.
The rapid development of computer network technology has led to a continuous increase in the amount of malware. For the malware family classification problem, a malware family classification method based on deep-learning visualization is proposed. The method generates feature images from malware opcodes, converting the opcodes into viewable grayscale images. A recurrent neural network processes the opcode sequence, which takes into account not only the original information of the malware but also the ability to associate the original code with temporal features, increasing the information density of the classification features. SimHash is used to fuse the original encoding with the recurrent network's predicted encoding to generate the feature image. Based on the observation that malicious code images from the same family are more clearly similar than those from different families, and to address the inability of traditional classification models to extract classification features automatically, a convolutional neural network is used to classify the feature images. In the experiments, 10 868 samples (from 9 malware families) were used to validate the effectiveness of the deep-learning visualization; classification accuracy reached 98.8%, and effective, information-enhanced classification features were obtained.

5.
Malware is one of the most serious threats on the Internet. Existing malware data are vast and their features diverse. Convolutional neural networks, which learn autonomously, can be used to address the complexity of malware feature extraction and the difficulty of feature selection. However, continually increasing the number of layers in a convolutional neural network causes vanishing gradients, degrading network performance and lowering classification accuracy. To address this, an Attention-DenseNet-BC model for malware image detection is proposed. The model is first built by combining the DenseNet-BC network with an attention mechanism; malware images are then fed to the model as input, and the detection result is obtained by training and testing the model. Experimental results show that, compared with other deep learning models, the Attention-DenseNet-BC model achieves better classification results, attaining high classification precision on the public Malimg dataset.

6.
Existing deep-learning-based malicious code detection methods suffer from weak deep feature extraction, relatively complex models and insufficient generalization. Meanwhile, code reuse is widespread within a class of malicious samples, and code reuse leads to similar visual features of the code; this similarity can be exploited for malicious code detection. Therefore, a malicious code detection method based on multi-channel image visual features and the AlexNet neural network is proposed. The method first converts the code under examination into a multi-channel image, then uses the AlexNet network to extract its color texture features and classifies these features to detect possible malicious code; by combining multi-channel image feature extraction with local response normalization (LRN) and other techniques, it improves the model's generalization while effectively reducing model complexity. Tested on a class-balanced Malimg dataset, the method achieves an average classification accuracy of 97.8%, an improvement of 1.8% in accuracy and 60.2% in detection efficiency over the VGGNet method. The experimental results show that multi-channel color texture features reflect malicious code category information well, that the relatively simple structure of AlexNet effectively improves detection efficiency, and that local response normalization improves the model's generalization and detection performance.

7.
Matlab implementation of gray-level co-occurrence matrix texture feature extraction   Cited by: 1 (self-citations: 0, citations by others: 1)
Image feature extraction is fundamental to image recognition and classification, content-based image retrieval, image data mining and related research; among image features, texture is important for describing image content, and texture feature extraction has become a research hotspot in the image field. This paper studies texture feature extraction based on the gray-level co-occurrence matrix (GLCM) in depth, gives concise Matlab implementation code, and analyzes the influence of each construction parameter on the resulting co-occurrence matrix. The analysis provides a useful reference for optimizing GLCM construction and for implementing GLCM-based texture feature extraction for specific images.

8.
Because the RGB color space neither closely matches human visual perception nor describes spatial structure, the Gaussian color model, which captures both color and spatial information, is adopted to obtain more complete features, and a color texture image classification method based on the Gaussian color model and a multi-scale filter bank is proposed for classifying images of porcelain fragments. First, the RGB color space of the original image is converted to the Gaussian color model; a normalized multi-scale LM filter bank is then used to construct filtered images for the three channels of the Gaussian color model, and principal component analysis is used to find the principal feature maps; next, the maximum Laplacian-of-Gaussian and maximum Gaussian response images of each channel are selected and combined with the feature maps into a feature image group for parameter extraction; finally, a support vector machine is used as the classifier for learning and classification. Experimental results show that, compared with grayscale-based, RGB-based and RGB_bior 4.4 wavelet-based methods, the proposed method classifies better, achieving an accuracy of 96.7% on the Outex texture image database and 94.2% on the porcelain fragment image set. The method can be extended to other color texture classification tasks.

9.
A texture image classification method fusing multiple features with random forests   Cited by: 1 (self-citations: 0, citations by others: 1)
To address the poor recognition rate of a single texture feature and a single classifier on distorted texture images, a texture image classification method fusing multiple features with random forests is proposed. Features are extracted with an improved histogram of oriented gradients (HOG) method and with the gray-level co-occurrence matrix of the local binary pattern (LBP) image; the extracted feature matrices are concatenated into a new feature matrix, which is reduced and fused by principal component analysis; the reduced feature matrix is fed to a random forest, and the final recognition rate is obtained by fused voting. Comparative experiments on the KTH-TIPS distorted texture image database show that the method improves the classification accuracy on distorted texture images and has better real-time performance.

10.
潘文卿, 李毅. 《微计算机信息》 (Microcomputer Information), 2007, 23(21): 303-305
A texture feature extraction method based on a median-run-length co-occurrence matrix model is proposed. The method uses both the gray-level information of the image and its gray-level run-length information: the image's median matrix and run-length matrix are computed, from these the median-run-length co-occurrence matrix is derived, and image features are extracted from it. Simulation results show that the method effectively segments textures with different regional characteristics in texture images, and segments better than the gray-level run-length matrix and the gray-level co-occurrence matrix.

11.
In current malicious code family detection, the local or global features extracted from malicious code grayscale images cannot describe the code comprehensively. To address this and improve detection efficiency, a malicious code detection method based on a perceptual hash algorithm and feature fusion is proposed. First, malicious code grayscale image samples are screened with a perceptual hash algorithm, which quickly separates samples that belong to a specific malware family from those whose family is uncertain; experiments show that about 67% of malicious code can be detected by the perceptual hash algorithm. Then, for the samples of uncertain family, the local feature local binary pattern (LBP) and the global feature Gist are extracted, and the fused features are used to classify the samples with a machine learning algorithm. Finally, experimental results on detecting 25 malware families show that the fused LBP and Gist features give higher detection accuracy than either feature alone, and that the proposed method classifies more efficiently than detection algorithms using machine learning alone, with detection speed improved by 93.5%.

12.
Dynamic behavior-based malware analysis and detection is considered one of the most promising ways to combat obfuscated and unknown malware. To perform such analysis, behavioral feature abstraction plays a fundamental role, because how a program is formally specified determines, to a large extent, what kind of algorithm can be used. In existing research, graph-based methods hold a dominant position in specifying malware behaviors. However, they restrict the detection algorithm to graph mining algorithms. In this paper, we build a complete virtual environment to capture malware behaviors, in particular to stimulate the network behaviors of a malware sample. We then study the problem of abstracting constant behavioral features from API call sequences and propose a minimal security-relevant behavior abstraction, which absorbs the advantages of prevalent graph-based methods in behavior representation and has the following advantages: first, API calls are aggregated by data dependence, so the feature is resistant to redundant data and is more constant; second, API call arguments are also abstracted, which further contributes to common and constant behavioral features across malware variants; third, it is a moderate-degree aggregation of a small group of API calls, built around the criterion of an independent operation on a sensitive resource; fourth, the extracted behaviors are very easy to embed in a high-dimensional vector space, so they can be processed by almost all prevalent statistical learning algorithms. We then evaluate these minimal security-relevant behaviors in three kinds of test: similarity comparison, clustering and classification. The experimental results show that our method can distinguish malware from different families and from benign programs, and that it is useful for many statistical learning algorithms.

13.
Recently, transforming Windows files into images and analyzing them with machine learning and deep learning has been considered state of the art for malware detection and classification. This is mainly because image-based malware detection and classification is platform independent, and because deep learning models have recently surged in image classification performance. The literature shows that convolutional neural network (CNN) deep learning methods are successfully employed for image-based Windows malware classification. However, the malicious content is embedded in a tiny portion of the overall image representation, and identifying and locating these tiny affected regions is important for good malware classification accuracy. In this work, a multi-headed attention-based approach is integrated into a CNN to locate and identify the tiny infected regions in the overall image. A detailed investigation and analysis of the proposed method was carried out on a malware image dataset. The performance of the proposed multi-headed attention-based CNN was compared with various non-attention CNN-based approaches on various training and testing splits of a malware image benchmark dataset. In all data splits, the attention-based CNN outperformed the non-attention CNN methods while remaining computationally efficient. Most importantly, most of the methods show consistent performance across all training and testing splits, which illustrates the generalizability of the multi-headed attention CNN model across diverse datasets. With fewer trainable parameters, the proposed method achieved an accuracy of 99% in classifying the 25 malware families and performed better than existing non-attention-based methods. The proposed method can be applied on any operating system and is capable of detecting packed malware, metamorphic malware, obfuscated malware, malware family variants and polymorphic malware.
In addition, the proposed method is agnostic to the malware file and avoids the usual steps of disassembly, decompiling, de-obfuscation, or execution of the malware binary in a virtual environment when detecting malware and classifying it into its family.

14.
Nowadays malware is one of the serious problems of modern societies. Although signature-based malicious code detection is the standard technique in all commercial antivirus software, it can only detect a virus once it has already caused damage and been registered. Therefore, it fails to detect new (unknown) malware. Since most malware has similar behavior, a behavior-based method can detect unknown malware. The behavior of a program can be represented by the set of APIs (application programming interfaces) it calls. Therefore, a classifier can be employed to construct a learning model from a set of programs' API calls. Finally, an intelligent malware detection system is developed to detect unknown malware automatically. On the other hand, we have an appealing representation model for visualizing the structure of executable files, the control flow graph (CFG). This model represents another semantic aspect of programs. This paper presents a robust semantics-based method to detect unknown malware based on the combination of a visual model (the CFG) and called APIs. The main contribution of this paper is extracting CFGs from programs and combining them with the extracted API calls to obtain more information about executable files. This new representation model is called API-CFG. In addition, to make learning and classification fast, the control flow graphs are converted to a set of feature vectors by a nice trick. Our approach is capable of classifying unseen benign and malicious code with high accuracy. The results show a statistically significant improvement over the n-gram-based detection method.

15.
With the spread of the Internet and the rapid development of 5G communications, the threats facing cyberspace are growing; in particular, the number of malware samples is rising exponentially and the variants within malware families are exploding. Traditional detection based on manually written signatures is too slow to handle the millions of new malware samples appearing every day, while ordinary machine learning classifiers have clearly excessive false positive and miss rates. Evasion techniques such as packing and obfuscation make the situation worse. A static malware detection framework based on multi-feature ensemble learning is therefore proposed. Five groups of features are extracted from the malware: non-PE (Portable Executable) structural features, visible strings, assembly-code sequences, PE structural features and function call relationships. A model is built to match each feature group, and the Bagging and Stacking ensemble algorithms are used to improve model stability and reduce the risk of overfitting. A weighted voting algorithm then further aggregates the outputs of the five ensemble models. In tests, the multi-feature, multi-model aggregate reaches a detection accuracy of 96.99%, showing that, compared with other static detection methods, the method discriminates malware better and also recognizes packed and obfuscated malware at a high rate.

16.
Traditional machine learning requires complex feature engineering for malware analysis and is unsuitable for large-scale malware analysis. To improve detection efficiency on Android malware, Android malware bytecode files are mapped to grayscale images, and an Android malware classification model based on a global attention module (GCBAM) is proposed, combining depthwise separable convolution (DSC) and an attention mechanism. Bytecode files are extracted from APK files and converted to the corresponding grayscale images, and a GCBAM-based classification model is trained on the image dataset so that it can classify Android malware. Experiments show that the model classifies Android malware families effectively, reaching 98.91% accuracy on 7 630 collected samples and outperforming machine learning algorithms in accuracy, recall and other measures.

17.
The continued rise in smartphone use has driven mobile malware to grow faster in both scale and complexity. As a free and open-source system, Android has overtaken other mobile platforms to become the most popular operating system, so the amount of malware targeting Android has also increased significantly. For the security of Android applications, an Android malware detection method based on multi-feature collaborative decision is proposed; it analyzes Android applications, extracts feature attributes, and judges whether they are malicious using machine learning models and classification algorithms. Experiments show that, after classifying an Android application dataset with this method, all evaluation metrics improve substantially over the results of other classifiers or algorithms. The proposed multi-feature collaborative decision method can therefore be used effectively to detect the maliciousness of unknown applications and to prevent the harm malicious applications cause to users.

18.
Technological advancements have led to the evolution of sophisticated devices called smartphones. By providing extensive capabilities, they are becoming more and more popular. Android-based smartphones are preferred even more, due to their open-source nature. This has also led to the development of a large number of malware samples targeting these smartphones. Thus, to protect the devices, some countermeasures are needed. Machine learning methods have gained popularity in malware detection. This work proposes a malware detection technique for Android devices based on static analysis of the Manifest files extracted from the apk files. Feature selection is performed using the proposed KNN-based Relief algorithm, and malware detection is done using the proposed optimized SVM algorithm. The proposed method achieves a True Positive Rate greater than 0.70 with much reduced False Positive Rate values, the False Positive Rate being very close to zero. The proposed KNN-based feature selection is found to select better features than some popular existing feature selection techniques. The proposed optimized SVM technique achieves a performance on par with that of Neural Networks.

19.
Current deep-learning-based malware detection techniques mostly generalize poorly, owing to unreasonable model structures and sample preprocessing: the trained detection model detects malware outside the training set, or newly emerging malware, poorly. An improved malware detection method based on a deep neural network (DNN) is proposed: the detection model is built from several fully connected layers, and targeted Dropout regularization is introduced to prune the weights of the neural network during training. Experimental results on the Virusshare and lynx-project sample sets show that, compared with DeepMalNet, a detection model also based on a DNN, the improved method raises the average predicted probability on the malicious PE sample set by 0.048 and lowers the average predicted probability on the packed benign PE sample set by 0.64. The improved method generalizes better and detects malware outside the model's training set more effectively.

20.
To address the shortcomings of existing detection methods, a method for detecting malware by mining PE file structure information is proposed and tested on the latest PE-format malware. The results show that the method detects known and unknown malware with 99.1% accuracy, and its AUC, a key evaluation metric, is 0.998, very close to the optimum of 1 and higher than existing static detection methods. Compared with other methods, the method's processing time and system overhead are also lower, it remains stable and effective against malware that uses packing and obfuscation, and it meets the requirements for real-time deployment. In addition, existing data-mining-based detection methods tend to overfit the data during feature selection, whereas this method is more robust in that respect.

Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)