Computer Engineering and Applications, 2023, Vol. 59, Issue (2): 271-279. DOI: 10.3778/j.issn.1002-8331.2110-0492

• Network, Communication and Security •

Android Malicious Application Family Classification Model Incorporating MAML and CBAM

SU Qing, LIN Jiarui, HUANG Haibin, HUANG Jianfeng   

  1. School of Computers, Guangdong University of Technology, Guangzhou 510006, China
  • Online: 2023-01-15 Published: 2023-01-15

Abstract: To meet the demand for fast detection of emerging Android malicious application families, this paper proposes MAML-CAS, a classification model for Android malicious application families that fuses MAML (model-agnostic meta-learning) and CBAM (convolutional block attention module). First, the DEX files in the sample set of Android malicious apps are visualized as grayscale images and a task set is constructed. Next, two convolutional neural networks with identical structure, each incorporating the mixed-domain attention mechanism CBAM, are designed as the base learner and the meta-learner; while automatically extracting the features of the samples in the task set, they enhance the representation of key features in both the channel and spatial dimensions. The meta-learning method MAML is then used to train the two learners: the base learner learns the attributes of a specific malicious family classification task, and the meta-learner learns the commonalities of different tasks. Once the two learners are trained, MAML-CAS has a set of initialization parameters, so a new Android malicious app family classification task requires no retraining, only fast iteration on a small number of samples. Finally, the trained base learner is used to extract Android malicious app family features, and an SVM performs the malicious family classification. The experimental results show that the MAML-CAS model has a good detection effect on emerging small-sample Android malicious application families, with faster detection speed and better stability.

Key words: Android malicious application family classification, model-agnostic meta-learning, convolutional block attention module, convolutional neural network, support vector machine
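An added example, not code from the paper: a sketch of the first step in the abstract, rendering DEX bytes as a grayscale image and grouping the images into tasks with a support set and a query set for MAML. The 64x64 image size, the row-sampling resize, the N-way K-shot task layout, the family names and the sample bytes are assumptions constructed for illustration.

```python
import random

DEX_MAGIC = b"dex\n"  # DEX header begins "dex\n", then a 3-digit version and NUL

def dex_to_grayscale(data, width=64, height=64):
    """One byte -> one pixel (0-255). Bytes are laid out row-major at `width`
    pixels per row, then rows are nearest-neighbour sampled to `height`.
    The 64x64 size is an assumption; the abstract gives no image dimensions."""
    if data[:4] != DEX_MAGIC:
        raise ValueError("not a DEX file (bad magic)")
    n_rows = -(-len(data) // width)                      # ceiling division
    padded = data + bytes(n_rows * width - len(data))    # zero-pad last row
    rows = [list(padded[r * width:(r + 1) * width]) for r in range(n_rows)]
    return [rows[i * n_rows // height] for i in range(height)]

def sample_task(families, n_way, k_shot, q_query, rng):
    """Build one N-way K-shot task: a support set for the base learner's
    inner-loop update and a query set for the meta-learner's outer-loop loss.
    Families with fewer than k_shot + q_query samples are skipped."""
    need = k_shot + q_query
    eligible = sorted(f for f, imgs in families.items() if len(imgs) >= need)
    if len(eligible) < n_way:
        raise ValueError("not enough families with %d samples" % need)
    chosen = rng.sample(eligible, n_way)
    support, query = [], []
    for label, fam in enumerate(chosen):                 # labels are per-task
        picks = rng.sample(families[fam], need)
        support += [(img, label) for img in picks[:k_shot]]
        query += [(img, label) for img in picks[k_shot:]]
    return chosen, support, query

def constructed_dex(rng, size):
    """Constructed stand-in for a DEX file: valid magic plus random bytes."""
    return b"dex\n035\x00" + bytes(rng.randrange(256) for _ in range(size))

def build_demo_families(seed=0):
    """Constructed data set: three hypothetical families, one too small."""
    rng = random.Random(seed)
    sizes = {"family_a": 6, "family_b": 6, "family_c": 2}
    return {f: [dex_to_grayscale(constructed_dex(rng, 5000 + 100 * i))
                for i in range(n)] for f, n in sizes.items()}

if __name__ == "__main__":
    fams = build_demo_families()
    chosen, support, query = sample_task(fams, 2, 1, 3, random.Random(1))
    print(chosen, len(support), len(query))
```

Because labels are reassigned per task, the learner cannot memorize a fixed family-to-index mapping, which is what lets the learned initialization transfer to a family it has never seen.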
