融合MAML和CBAM的安卓恶意应用家族分类模型

doi:10.3778/j.issn.1002-8331.2110-0492

摘要/Abstract

摘要： 为满足对新兴安卓恶意应用家族的快速检测需求，提出一种融合MAML（model-agnostic meta-learning）和CBAM（convolutional block attention module）的安卓恶意应用家族分类模型MAML-CAS。将安卓恶意应用样本集中的DEX文件可视化为灰度图，并构建任务集；融合混合域注意力机制CBAM，设计两个具有同等结构的卷积神经网络，分别作为基学习器和元学习器，这两个学习器在自动提取任务集中样本特征的同时，可从通道和空间两个维度来增强关键特征表达；利用元学习方法MAML对两个学习器进行训练，其中基学习器完成特定恶意家族分类任务的属性学习，元学习器则学习不同任务的共性；在两个学习器训练完成后，MAML-CAS将获得初始化参数，在面对新的安卓恶意应用家族分类任务时，不需要重新训练，只需要少量样本就可以快速迭代；利用训练完成的基学习器提取安卓恶意应用家族特征，并利用SVM进行恶意家族分类。实验结果表明，MAML-CAS模型对新兴小样本安卓恶意应用家族具有良好的检测效果，检测速度较快，并具有较好的稳定性。

关键词: 安卓恶意应用家族分类, MAML, CBAM, 卷积神经网络, 支持向量机

Abstract: To meet the demand for fast detection of emerging Android malicious application families, it proposes a classification model MAML-CAS that fuses MAML（model-agnostic meta-learning） and CBAM（convolutional block attention module） for Android malicious application families. The DEX files in the sample set of Android malicious apps are visualized as grayscale maps and a task set is constructed; then two convolutional neural networks with equal structure are designed as the base learner and meta-learner respectively by fusing CBAM, which can enhance the key feature representation in both channel and space dimensions while automatically extracting the sample features in the task set; then the meta-learning method is used to MAML is used to train the two learners, where the base learner learns the attributes of a specific malicious family classification task and the meta-learner learns the commonalities of different tasks; after the training of the two learners is completed, MAML-CAS will obtain the initialization parameters, and when faced with a new Android malicious app family classification task, no retraining is required, and only a small number of samples are needed for fast iteration; finally, using the trained base learner is finally used to extract Android malicious app family features and perform malicious family classification using SVM. The experimental results show that the MAML-CAS model has good detection effect on emerging small-sample Android malicious application families, with faster detection speed and better stability.

Key words: Android malicious application family classification, model-agnostic meta-learning, convolutional block attention module, convolutional neural network, support vector machine

苏庆, 林佳锐, 黄海滨, 黄剑锋. 融合MAML和CBAM的安卓恶意应用家族分类模型[J]. 计算机工程与应用, 2023, 59(2): 271-279.

SU Qing, LIN Jiarui, HUANG Haibin, HUANG Jianfeng. Android Malicious Application Family Classification Model Incorporating MAML and CBAM[J]. Computer Engineering and Applications, 2023, 59(2): 271-279.

参考文献

[1] WU Q，LI M，ZHU X，et al.MVIIDroid：a multiple view information integration approach for Android malware detection and family identification[J].IEEE MultiMedia，2020，27（4）：48-57.
[2] HAN W.MalDAE：detecting and explaining malware based on correlation and fusion of static and dynamic characteristics[J].Computers & Security，2019，83：208-233.
[3] GARCIA J，HAMMAD M，MALEK S.Lightweight，obfuscation-resilient detection and family identification of Android malware[J].ACM Transactions on Software Engineering and Methodology，2018，26（3）：1-29.
[4] TüRKER S，CAN A B.AndMFC：Android malware family classification framework[C]//2019 IEEE 30th International Symposium on Personal，Indoor and Mobile Radio Communications（PIMRC Workshops），2019：1-6.
[5] 蒋晨.基于深度学习的安卓恶意软件检测技术研究[D].长沙：湖南大学，2018.
JIANG C.Research on Android malware detection technology based on deep learning[D].Changsha：Hunan University，2018.
[6] 杨昭.基于对抗式生成网络的恶意代码检测研究[D].武汉：华中科技大学，2019.
YANG S.Research on malicious code detection based on adversarial generation network[D].Wuhan：Huazhong University of Science and Technology，2019.
[7] CHEN Y M，YANG C H，CHEN G C.Using generative adversarial networks for data augmentation in Android malware detection[C]//2021 IEEE Conference on Dependable and Secure Computing（DSC），2021：1-8.
[8] 张伯安.安卓恶意软件家族多分类方案研究[D].北京：北京邮电大学，2019.
ZHANG B A.Research on multi classification scheme of Android malware family[D].Beijing：Beijing University of Posts and Telecommunications，2019.
[9] 黄啸晨.安卓恶意应用检测及其恶意家族多分类技术研究[D].西安：西安电子科技大学，2020.
HUANG X C.Research on Android malicious application detection and its malicious family multi classification technology[D].Xi’an：Xidian University，2020.
[10] FINN C.Learning to learn with gradients[D].Berkeley：University of California，2018.
[11] VINYALS O，BLUNDELL C，LILLICRAP T，et al.Matching networks for one shot learning[C]//Proceedings of the 30th International Conference on Neural Information Processing Systems（NIPS’16），2016：3637-3645.
[12] SNELL J，SWERSKY K，ZEMEL R.Prototypical networks for few-shot learning[C]//Proceedings of the 31st International Conference on Neural Information Processing Systems（NIPS’17），2017：4080-4090.
[13] 林华智.基于小样本学习的安卓恶意应用检测模型研究[D].广州：广东工业大学，2021.
LIN H Z.A malicious application testing model of Android based on small sample learning[D].Guangzhou：Guangdong University of Technology，2021.
[14] KRIZHEVSKY A，SUTSKEVER I，HINTON G E，et al.ImageNet classification with deep convolutional neural networks[J].Communications of the ACM，2017，60（6）：84-90.
[15] BAHDANAU D，CHO K，BENGIO Y.Neural machine translation by jointly learning to align and translate[J].arXiv：1409.0473v7，2014.
[16] WOO S，PARK J，LEE J Y，et al.CBAM：convolutional block attention module[C]//Proceedings of the European Conference on Computer Vision（ECCV），2018：3-19.
[17] FINN C，ABBEEL P，LEVINE S.Model-agnostic meta-learning for fast adaptation of deep networks[C]//Proceedings of the 34th International Conference on Machine Learning，2017：1126-1135.
[18] SUNG F，YANG Y，ZHANG L，et al.Learning to compare：relation network for few-shot learning[C]//2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition，2018：1199-1208.
[19] RAVI S，LAROCHELLE H.Optimization as a model for few-shot learning[C]//Proceedings of the International Conference on Learning Representations，Toulon，France，2017.

[20] LI D，WANG Z，XUE Y.Fine-grained Android malware detection based on deep learning[C]//2018 IEEE Conference on Communications and Network Security（CNS），2018：1-2.

[21] WANG W，ZHAO M，WANG J.Effective android malware detection with a hybrid model based on deep autoencoder and convolutional neural network[J].Journal of Ambient Intelligence and Humanized Computing，2019，10（8）：3035-3043.