
Research On Malware Family Detection Method Based On Feature Fusion

Posted on: 2020-08-02
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Zeng
GTID: 2428330590454872
Subject: Software engineering

Abstract/Summary:
Malware is software that is installed on a user's computer or other terminal without explicitly prompting the user or obtaining the user's consent, and that is difficult to uninstall. It causes serious harm to national security, social order, and people's property. In recent years, malware has shown an explosive growth trend, and malware variants have emerged in an endless stream. Malware detection is one of the necessary means of ensuring Internet security, so it is important to detect malware and identify its family. The opcodes and texture features of samples from the same malware family show similarities in execution behavior and code structure, and they can be used to distinguish the family to which each malware sample belongs. We therefore study opcode and texture features in depth, select them as the main features, and use deep learning models to detect malware and its variants. The main work of this paper is as follows:

(1) To address the problem that manual feature engineering in traditional malicious code classification methods cannot extract the deep features of malware, a malware classification method based on the Long Short-Term Memory (LSTM) model is proposed. First, we extract the opcode sequence from the decompiled .ASM file and use the N-gram algorithm to represent the logical order in which opcodes appear in the malware. Then we feed the processed opcode vector feature space into the LSTM model for training, so that it automatically extracts the opcode features. Finally, the deep features are used to classify malware. The experimental results show that the proposed model has an average classification accuracy of 98.9%, which is superior to machine learning methods such as SVM, KNN, and RF.

(2) To solve the problem that current malware classification methods based on convolutional neural networks have too many parameters and require excessive computation, a malware classification method based on a lightweight convolutional neural network using texture features is proposed. Grayscale images are used to extract and describe the texture features. The model is built on the convolutional neural network MobileNet v2, and a self-learning mechanism is used to train the model and learn the deep texture features. An appropriate classifier is selected to assign each malware sample to its family. Comparison with other methods in the experiments shows that this method performs better than machine learning methods and is superior to other methods that adopt convolutional neural networks.

(3) A malware family classification method based on feature fusion is proposed. We combine opcode features and texture features, use the fused feature data to train the LSTM deep learning model, and optimize the LSTM network structure to improve its generalization ability. Comparing the classification results of single features and fused features shows that the feature-fusion malware family classification method has good classification performance.
Keywords/Search Tags: Malware Classification, Deep Learning, Opcode, Texture, Feature Fusion
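
The opcode step described in item (1) of the abstract, as an added example that is not code from the thesis: it pulls instruction mnemonics out of a disassembly listing, forms ordered N-grams, and encodes each sample as a fixed-length ID sequence for a sequence model. The IDA-style line layout, the sample listings, the function names and the ID encoding are assumptions; the abstract does not specify them.

```python
import re

# Constructed IDA-style listing lines: section:address, raw bytes, mnemonic, operands.
SAMPLE_A = """\
.text:00401000 55                push    ebp
.text:00401001 8B EC             mov     ebp, esp
.text:00401003 83 EC 08          sub     esp, 8
.text:00401006 E8 15 00 00 00    call    sub_401020
.text:0040100B 8B E5             mov     esp, ebp
.text:0040100D 5D                pop     ebp
.text:0040100E C3                retn
.text:0040100F CC                align 10h
.data:00402000 00                db 0
"""
SAMPLE_B = """\
.text:00401000 55                push    ebp
.text:00401001 8B EC             mov     ebp, esp
.text:00401003 33 C0             xor     eax, eax
.text:00401005 5D                pop     ebp
.text:00401006 C3                retn
"""

# Code-section line: address, one or more hex byte pairs, then a lowercase mnemonic.
LINE_RE = re.compile(r"^\.text:[0-9A-Fa-f]+[ \t]+(?:[0-9A-F]{2}[ \t]+)+([a-z][a-z0-9]*)\b", re.M)
PSEUDO_OPS = {"db", "dw", "dd", "dq", "align"}  # data/layout directives, not instructions

def extract_opcodes(listing):
    """Return instruction mnemonics in listing order, skipping data and directives."""
    return [m for m in LINE_RE.findall(listing) if m not in PSEUDO_OPS]

def ngrams(opcodes, n):
    """Slide a window of n opcodes over the sequence, preserving order."""
    return [tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)]

def build_vocab(listings, n):
    """Map every n-gram seen in the training listings to an ID (0 = unknown/padding)."""
    seen = sorted({g for text in listings for g in ngrams(extract_opcodes(text), n)})
    return {g: i + 1 for i, g in enumerate(seen)}

def encode(listing, vocab, n, length):
    """Encode one sample as a fixed-length ID sequence (assumed input form for an LSTM)."""
    ids = [vocab.get(g, 0) for g in ngrams(extract_opcodes(listing), n)][:length]
    return ids + [0] * (length - len(ids))

if __name__ == "__main__":
    vocab = build_vocab([SAMPLE_A], n=2)
    print(encode(SAMPLE_A, vocab, n=2, length=8))
    print(encode(SAMPLE_B, vocab, n=2, length=8))
```

N-grams that never occurred in the training listings map to 0, so an unseen variant still yields a sequence of the same length as the training samples.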