
Research On Detection And Classification Method Of Malware Based On Capsule Network

Posted on: 2021-03-10
Degree: Master
Type: Thesis
Country: China
Candidate: S W Wang
GTID: 2428330623482210
Subject: Computer technology

Abstract/Summary:
Malware detection has always been one of the important topics in network security research. With the rapid development of Internet, mobile network and Internet of Things technologies, a large amount of malicious code and its variants enters cyberspace every day, seriously threatening the security of the network. Detecting malware efficiently and accurately therefore has wide application prospects and great practical value.

Malicious code comes in many types, is distributed across different operating systems, and is highly concealed. Current malware detection methods have several problems: signature-based detection requires rules to be set manually to identify different types of malicious code, and has difficulty identifying new types; detection based on static analysis is easily bypassed by obfuscation techniques; and behavior-based dynamic analysis and detection consumes more resources and has low efficiency.

In response to these problems, this paper uses deep learning technology to design and implement a classification framework for malware detection based on capsule networks. The framework introduces a malware visualization method to improve detection efficiency. Using capsule networks for image feature extraction and classification training improves detection accuracy, and also solves the problem of poor training of deep neural networks on small samples. On this basis, a prototype malware detection system that can be applied on the Android smart operating system is designed and implemented. The main work and innovations of this article include:

1. In terms of image recognition and classification research, an image recognition and classification model based on capsule networks (CapsuleImage) is proposed. To address the convolutional neural network's poor recognition of the spatial positions of multiple targets in an image, the model uses the "capsule" as a high-level feature storage unit. Compared with the convolutional neural network, it improves the ability to extract image feature information. The capsule network has a strong ability to recognize the spatial relationships between targets in the image, and an iterative dynamic routing protocol algorithm is used for network training and classification. This is a good solution to the problem that, when the number of samples is insufficient, deep neural network training is prone to overfitting and poor classification results. In addition, to reduce the amount of calculation, the image samples are down-sampled to a fixed size, and to increase the quality of the input samples, the image samples undergo image enhancement preprocessing. Experiments on the image data set NWPU-RESISC45 show that CapsuleImage has obvious advantages in classification accuracy and training loss over the CNN-based GoogLeNet, ResNet, and ResNeXt models. Its accuracy can reach more than 98% and its training loss can be reduced to less than 0.1, whereas the classification accuracy of the above three types of models is 97.8% and their minimum training loss is 0.3.

2. In terms of malware detection and classification research, a malware detection and classification framework based on capsule networks (ColCaps) is designed. The framework addresses the problem that the feature extraction model in malware detection methods based on machine learning classification algorithms is too complicated and inefficient. It uses visualization technology to convert the malware file into a color RGB three-channel image, so that the complex feature extraction of compiled files and dynamic behavior is effectively converted into relatively simple feature extraction of static images, which reduces the design complexity of the detection model. The capsule network, which has a stronger ability to recognize the spatial relationships between entities in the image and to recognize rotated objects, is used for training and detection, which improves the ability to detect malware. When samples of new malware are insufficient, the training and detection performance of the framework is better than that of the CNN model. Experiments show that the classification accuracy of the framework on the Drebin dataset reaches 98.2%, which is a significant improvement over the DREBIN [71] model, and the classification accuracy on the Microsoft dataset reaches 95.2%. The detection rate for unknown software reaches 99.3% (Android) and 96.5% (Windows) respectively. Compared with the CNN model based on gray-scale image texture [64], the detection rate for Android malware is increased by 20%, and accuracy is also 5% higher than that of the R2-D2 [74] detection method.

3. In terms of research on malware detection technology for the Android platform, a capsule network-based malware detection system for Android smart mobile terminals is implemented. This system puts deep learning theory into practice, performs the malware detection task on the Android terminal, and effectively protects the security of the software system. The system is designed in the Java language and uses the TensorFlow framework to train the model. To reduce the use of computing resources on the Android device, it uses a mode of front-end terminal detection and back-end server training. The system as a whole has high operating efficiency and occupies few system resources. As training samples are added, it can train and update the PB files in time, further improving the timeliness of detection. In real-environment tests, the detection accuracy can reach 98%.
Keywords/Search Tags:Deep Learning, Malware Detection, Malware Classification, Capsule Network