Computer Engineering and Applications ›› 2023, Vol. 59 ›› Issue (2): 271-279. DOI: 10.3778/j.issn.1002-8331.2110-0492

• Network, Communication and Security •

Android Malicious Application Family Classification Model Incorporating MAML and CBAM

SU Qing, LIN Jiarui, HUANG Haibin, HUANG Jianfeng

  1. School of Computers, Guangdong University of Technology, Guangzhou 510006, China
  • Online:2023-01-15 Published:2023-01-15

Abstract: To meet the demand for rapid detection of emerging Android malicious application families, this paper proposes MAML-CAS, a classification model for Android malicious application families that fuses MAML (model-agnostic meta-learning) and CBAM (convolutional block attention module). First, the DEX files in the Android malicious application sample set are visualized as grayscale images, and a task set is constructed. Then, two convolutional neural networks with identical structure, each incorporating the mixed-domain attention mechanism CBAM, are designed as the base learner and the meta-learner respectively; while automatically extracting the features of the samples in the task set, these two learners enhance the representation of key features in both the channel and spatial dimensions. Next, the meta-learning method MAML is used to train the two learners: the base learner learns the attributes of a specific malicious family classification task, and the meta-learner learns the commonalities of different tasks. After the two learners are trained, MAML-CAS obtains its initialization parameters; when faced with a new Android malicious application family classification task, no retraining is required, and only a small number of samples are needed for fast iteration. Finally, the trained base learner is used to extract Android malicious application family features, and an SVM is used to classify the malicious families. The experimental results show that the MAML-CAS model has good detection performance on emerging small-sample Android malicious application families, with relatively fast detection speed and good stability.

Key words: Android malicious application family classification, model-agnostic meta-learning, convolutional block attention module, convolutional neural network, support vector machine
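The first step of the abstract (DEX files rendered as grayscale images, then grouped into a task set) can be sketched as follows; this is an added example, not the authors' code. The 64×64 image size, the nearest-neighbour resampling, the N-way K-shot values and all function names are assumptions, and the input bytes are constructed stand-ins rather than real samples.

```python
import random

DEX_MAGIC = b"dex\n"  # a DEX file begins with "dex\n", a version and a NUL

def dex_to_grayscale(data: bytes, side: int = 64) -> list[list[int]]:
    """Map each byte to one pixel (0-255) and fit it to a side x side image."""
    if not data.startswith(DEX_MAGIC):
        raise ValueError("input does not start with the DEX magic")
    n = side * side
    # Assumption: nearest-neighbour resampling over the 1-D byte stream, so
    # files of any length yield the same input shape for the CNN.
    flat = [data[i * len(data) // n] for i in range(n)]
    return [flat[r * side:(r + 1) * side] for r in range(side)]

def sample_task(by_family, n_way, k_shot, q_query, rng):
    """Build one N-way K-shot task (standard MAML episode layout):
    support set for task-specific adaptation, query set for the meta-update."""
    need = k_shot + q_query
    eligible = sorted(f for f, imgs in by_family.items() if len(imgs) >= need)
    if len(eligible) < n_way:
        raise ValueError("too few families with k_shot + q_query samples")
    support, query = [], []
    # Labels are re-indexed 0..n_way-1 inside each task, so the learner
    # cannot memorise a fixed family-to-label mapping across tasks.
    for label, family in enumerate(rng.sample(eligible, n_way)):
        picks = rng.sample(by_family[family], need)
        support += [(img, label) for img in picks[:k_shot]]
        query += [(img, label) for img in picks[k_shot:]]
    return support, query

def constructed_dataset(rng, families=5, per_family=6):
    """Constructed stand-in data: DEX magic followed by random bytes."""
    data = {}
    for f in range(families):
        size = 5000 + 100 * f
        data[f"family_{f}"] = [
            dex_to_grayscale(DEX_MAGIC + b"035\x00" +
                             bytes(rng.randrange(256) for _ in range(size)))
            for _ in range(per_family)
        ]
    return data

if __name__ == "__main__":
    rng = random.Random(0)
    support, query = sample_task(constructed_dataset(rng), 3, 2, 2, rng)
    print(len(support), "support images,", len(query), "query images")
```

Rejecting inputs without the DEX magic keeps non-DEX bytes (for example a whole APK archive) from being turned into training images.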