Research On Malware Detection Based On Attention Mechanism And Visualization

With the continuous development of the Internet in recent years,many new challenges and problems have arisen in the field of network security.Among them,the number of malware has been increasing sharply year by year,showing the characteristics of variety,quantity,rapid iteration and obfuscation,which has caused great losses to enterprises and individuals.The traditional malware detection method requires manual feature screening and extraction,and the detection efficiency is low,and it is even impossible to make accurate detection when facing the obfuscated malware.In order to solve these problems,further optimize the feature extraction method and improve the accuracy and efficiency of malware detection,this thesis proposes a malware detection method based on attention mechanism and visualization.The images processed by using visualization methods are used as input features of the detection model,and the detection performance of the model is improved by building a deep learning detection model incorporating attention mechanism to improve the ability to capture features for different dimensions.The main work of this thesis is as follows:(1)To solve the problems of low feature extraction capability,anti-obfuscation capability and detection performance of traditional malware detection methods,this thesis firstly proposes a malware detection model SE-MHSA with fused attention mechanism.The model converts binary codes of malicious samples into grayscale maps and uses Res Net50 as the input features,and by combining the channel attention mechanism and multi-head attention mechanism input data from three perspectives of channel,local,and global for feature extraction to improve the feature capture capability of the model and optimize the performance of the model.By conducting experiments on the public dataset Malimg and the obfuscated dataset Virusshare-packed,the model SE-MHSA used in this thesis achieves higher accuracy and has better detection performance with stronger generalization and antiobfuscation capability in the face of obfuscated samples compared with other methods.(2)A multi-view-based malware detection model is proposed to solve the problem of missing location features caused by the compression and deformation of source data in the malware detection model based on the binary file visualization method.The model uses both grayscale images of the binary file visualization method and binary images of the assembly file visualization method as model input features,and constructs a dual-branch feature extraction channel to improve the feature capture capability of the model.For the deep learning model,the channel attention mechanism module in the SE-MHSA module is replaced with the ECANet module,and a one-dimensional convolution is used to reduce the side effects of the fully connected layer due to dimensionality reduction,and a local crosschannel interaction method without dimensionality reduction is used to reduce the number of parameters of the model and improve the accuracy and efficiency of the model.Experimental results conducted on the publicly available datasets Datacon and Virussharepacked show that the model has better detection capability and detection efficiency compared to other models.