基于CBAM-GLU-ISF的多模态融合恶意软件检测方法

doi:10.3778/j.issn.1002-8331.2406-0300

摘要/Abstract

摘要： 恶意软件普遍结合代码混淆技术，基于单特征的检测方法特征信息受限，相对多特征检测方法存在检测准确率偏低的问题。不同模态之间潜在的关联性信息可以提高检测效果上限，目前的多特征检测方法在特征融合时缺乏对特征之间关联性的建模，导致其检测准确率欠佳。为了更全面地表征恶意软件并提高检测精度，提出一种基于卷积神经网络CNN和门控线性单元GLU的多模态融合恶意软件检测方法CBAM-GLU-ISF。以恶意软件两种模态：灰度图和字节序列为分析对象，在卷积神经网络中添加卷积块注意力模块（CBAM），结合通道注意力和空间注意力实现对灰度图的关键特征提取。字节序列是软件在计算机上最直接的表示，门控线性单元结合加性注意力机制（additive attention）在高效地捕获长序列依赖关系的基础上，实现对字节序列关键特征的提取。多模态特征融合模块（ISF）对并行特征提取网络的两种模态特征进行融合，挖掘利用两种模态特征之间存在的关联性信息，将恶意软件表征为一个更全面的多模态特征。最后，通过检测层完成恶意软件识别。实验结果表明，所提方法检测准确率达到99.1%，AUC达到了99.8%，对比现有工作中的单特征和多特征检测算法有明显提升，验证了该方法的有效性。

关键词: 恶意软件检测, 多模态融合, 卷积神经网络（CNN）, 卷积块注意力模块, 门控线性单元（GLU）

Abstract: Malware generally uses code obfuscation technology. The detection method based on single-feature has limited feature information and has lower detection accuracy than the multi-feature detection method. The potential correlation information between different modalities can improve the upper limit of the detection effect. The current multi-feature detection method lacks modeling of the correlation between features when merging features, resulting in subpar detection accuracy. In order to more comprehensively characterize malware and improve detection accuracy, a multimodal fusion malware detection method CBAM-GLU-ISF based on convolutional neural network(CNN) and gated linear unit (GLU) is proposed. Taking the two modalities of malware： grayscale image and byte sequence as the analysis objects, first, the convolutional block attention module (CBAM) is added to the convolutional neural network to extract the key features of the grayscale image by combining channel attention and spatial attention. The byte sequence is the most direct representation of software on the computer, and the gated linear unit combined with the additive attention mechanism can extract the key features of the byte sequence on the basis of efficiently capturing the long sequence dependency. Then, the multimodal feature fusion module (ISF) fuses the two modal features of the parallel feature extraction network, exploits the correlation information between the two modal features, and represents the malware as a more comprehensive multimodal feature. Finally, malware identification is done through the detection layer. Experimental results show that the detection accuracy of the proposed method reaches 99.1%, and the AUC reaches 99.8%. Compared with the single-feature and multi-feature detection algorithms in existing work, the proposed method shows a significant improvement in accuracy, verifying the effectiveness of the method.

Key words: malware detection, multimodal fusion, convolutional neural network(CNN), convolutional block attention module, gated linear unit(GLU)

彭飞鸿, 刘万平, 黄东. 基于CBAM-GLU-ISF的多模态融合恶意软件检测方法[J]. 计算机工程与应用, 2025, 61(20): 306-314.

PENG Feihong, LIU Wanping, HUANG Dong. Multimodal Fusion Malware Detection Method Based on CBAM-GLU-ISF[J]. Computer Engineering and Applications, 2025, 61(20): 306-314.

参考文献

[1] 康昊, 沈学东, 王军. 从永恒之蓝勒索病毒事件浅谈企业网络安全[J]. 网络安全技术与应用, 2020(10): 141-142.
KANG H, SHEN X D, WANG J. A brief discussion on enterprise network security from the Eternal Blue ransomware incident [J]. Network Security Technology and Application, 2020(10): 141-142.
[2] LIU W, ZHONG S. Web malware spread modelling and optimal control strategies[J]. Scientific Reports, 2017, 7: 42308.
[3] OZ H, ARIS A, LEVI A, et al. A survey on ransomware: evolution, taxonomy, and defense solutions[J]. ACM Computing Surveys, 2022, 54(11): 1-37.
[4] SHALAGINOV A, BANIN S, DEHGHANTANHA A, et al. Machine learning aided static malware analysis: a survey and tutorial[J]. arXiv:1808.01201, 2018.
[5] NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware images: visualization and automatic classification[C]//Proceedings of the 8th International Symposium on Visualization for Cyber Security. New York: ACM, 2011: 1-7.
[6] RAFF E, BARKER J, SYLVESTER J, et al. Malware detection by eating a whole EXE[C]//Proceedings of the 32nd AAAI Conference on Artificial Intelligence, 2018: 268-276.
[7] 汪嘉来, 张超, 戚旭衍, 等. Windows平台恶意软件智能检测综述[J]. 计算机研究与发展, 2021, 58(5): 977-994.
WANG J L, ZHANG C, QI X Y, et al. A survey of intelligent malware detection on Windows platform[J]. Journal of Computer Research and Development, 2021, 58(5): 977-994.
[8] SENEVIRATNE S, SHARIFFDEEN R, RASNAYAKA S, et al. Self-supervised vision transformers for malware detection[J]. IEEE Access, 2022, 10: 103121-103135.
[9] VASAN D, ALAZAB M, WASSAN S, et al. Image-based malware classification using ensemble of CNN architectures (IMCEC)[J]. Computers & Security, 2020, 92: 101748.
[10] KUMAR S, JANET B. DTMIC: deep transfer learning for malware image classification[J]. Journal of Information Security and Applications, 2022, 64: 103063.
[11] JIAN Y F, KUANG H B, REN C L, et al. A novel framework for image-based malware detection with a deep neural network[J]. Computers & Security, 2021, 109: 102400.
[12] RAFF E, FLESHMAN W, ZAK R, et al. Classifying sequences of extreme length with constant memory applied to malware detection[C]//Proceedings of the AAAI Conference on Artificial Intelligence, 2021: 9386-9394.
[13] REZAEI T, MANAVI F, HAMZEH A. A PE header-based met-hod for malware detection using clustering and deep embedding techniques[J]. Journal of Information Security and Applications, 2021, 60: 102876.
[14] HOU Z H, LI X Y, LI L H, et al. An end-to-end raw bytes based malware classifier via self-attention residual convolutional network[C]//Proceedings of the IEEE 8th International Conference on Computer and Communications. Piscataway: IEEE, 2022: 1666-1670.
[15] RUSTAM F, ASHRAF I, JURCUT A D, et al. Malware dete-ction using image representation of malware data and transfer learning[J]. Journal of Parallel and Distributed Computing, 2023, 172: 32-50.
[16] CHAGANTI R, RAVI V, PHAM T D. A multi-view feature fusion approach for effective malware classification using deep learning[J]. Journal of Information Security and Applic-ations, 2023, 72: 103402.
[17] GIBERT D, MATEU C, PLANES J. HYDRA: a multimodal deep learning framework for malware classification[J]. Computers & Security, 2020, 95: 101873.
[18] DAUPHIN Y N, FAN A, AULI M, et al. Language modeling with gated convolutional networks[C]//Proceedings of the International Conference on Machine Learning, 2017: 933-941.
[19] BAHDANAU D, CHO K, BENGIO Y. Neural machine transl-ation by jointly learning to align and translate[C]//Proceedings of the International Conference on Learning Representations, 2014: 4453-4462.
[20] WOO S, PARK J, LEE J Y, et al. CBAM: convolutional block attention module[C]//Proceedings of the European Conference on Computer Vision. Cham: Springer International Publishing, 2018: 3-19.
[21] JEON J, JEONG B, BAEK S, et al. Hybrid malware detection based on Bi-LSTM and SPP-Net for smart IoT[J]. IEEE Transactions on Industrial Informatics, 2022, 18(7): 4830-4837.
[22] JHA S, PRASHAR D, LONG H V, et al. Recurrent neural network for detecting malware[J]. Computers & Security, 2020, 99: 102037.
[23] LIU Z, SHEN Y, LAKSHMINARASIMHAN V B, et al. Efficient low-rank multimodal fusion with modality-specific factors[C]//Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics. Stroudsburg: ACL, 2018: 2247-2256.
[24] WANG W Y, TRAN D, FEISZLI M. What makes training multi-modal classification networks hard?[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2020: 12692-12702.
[25] JOYCE R J, AMLANI D, NICHOLAS C, et al. MOTIF: a malware reference dataset with ground truth family labels[J]. Computers & Security, 2023, 124: 102921.
[26] GEORGE A L. DikeDataset—a dataset with labeled benign and malicious files [EB/OL]. (2021-03-12)[2023-12-21]. https://github.com/iosifache/DikeDataset.
[27] MERCALDO F, MARTINELLI F, SANTONE A. Image-based malware detection through a deep neuro-fuzzy model[C]//Proceedings of the IEEE International Conference on Fuzzy Systems. Piscataway: IEEE, 2023: 1-7.
[28] GAO Y, HASEGAWA H, YAMAGUCHI Y, et al. Malware detection by control-flow graph level representation learning with graph isomorphism network[J]. IEEE Access, 2022, 10: 111830-111841.
[29] WEI C X, LI Q, GUO D, et al. Toward identifying APT malware through API system calls[J]. Security and Communication Networks, 2021, 2021: 8077220.
[30] KRČÁL M, ŠVEC O, BÁLEK M, et al. Deep convolutional malware classifiers can learn from raw executables and labels only[C]//Proceedings of the International Conference on Lea-rning Representations, 2018.