A deep hashing-based family malware detection method

By training a deep neural network model using deep hashing technology, generating malware hash codes, and utilizing the Hamming distance weighting formula, the problems of large sample size, high storage cost, and low recognition accuracy in existing malware detection technologies are solved, achieving efficient and accurate family identification.

CN115730312BActive Publication Date: 2026-07-07YUNNAN UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
YUNNAN UNIV
Filing Date
2022-11-30
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing malware detection methods require a large number of labeled samples, resulting in high storage costs. They also have poor performance in detecting packed, encrypted, and obfuscated malware, and have low accuracy in identifying malware families.

Method used

A deep hashing-based approach is adopted. By training a deep neural network model, hash codes of malware are generated. Hamming distance and distance-weighted formulas are used for family identification. By combining the ResNet50 model and hash layer, image features are extracted and mapped into hash codes that are easy to retrieve.

Benefits of technology

It improves the accuracy of malware family identification, reduces computational and storage costs, and enables fast and efficient family identification.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115730312B_ABST
    Figure CN115730312B_ABST
Patent Text Reader

Abstract

The application discloses a family malware detection method based on deep hash, which comprises the following steps: step one, training a deep neural network model for malware family classification and outputting a feature vector; step two, constructing a hash layer in the trained deep neural network model, inputting the feature vector of the sample output in the previous step into the hash layer, and outputting the hash code corresponding to the sample; step three, calculating the Hamming distance between the hash code of the to-be-detected sample and the hash code of the training sample, returning the sample closest to the distance and the Hamming distance corresponding to the sample, taking the distance weighting formula as the basis for judgment, and finally identifying and determining the malware family to which the to-be-detected sample belongs. The application solves the problems in the prior art, such as large amount of marked samples, high storage cost, poor detection performance for armored, encrypted and code obfuscated malicious codes, and low family software identification accuracy.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of malware detection technology and relates to a method for detecting family malware based on deep hashing. Background Technology

[0002] With the booming development of the internet industry and the increasing prevalence of various internet-connected devices, a vast amount of software is widely used. While bringing convenience to people's lives, this software also harbors many threats. A diverse mix of software exists, including malicious programs such as ransomware, worms, and Trojans. These malicious programs can infiltrate internet devices in ways that are difficult for us to detect, then steal personal privacy or important data, launch ransomware attacks, and infringe on user rights. Therefore, research on malicious software is an essential part of the internet industry's development. However, different malicious programs have different principles, propagation methods, propagation purposes, and operating mechanisms, increasing the difficulty of malware detection. To analyze and study malicious software, we need to classify different types of malware, categorizing them into corresponding malware families to explore targeted solutions.

[0003] Traditional malware detection methods primarily rely on the binary stream or complete disassembled information of malware for identification. While these methods offer high accuracy, they struggle to handle malware that has been obfuscated, blocked, or packed, making them unsuitable for classification tasks. In recent years, many researchers have proposed methods using deep neural network classification models for malware classification, with the 2015 Microsoft Malware Challenge dataset being a prime example. However, these methods require a large number of labeled samples, resulting in slow speed and high storage costs.

[0004] Researchers have achieved significant results in image classification. However, most traditional classification methods suffer from high space consumption and slow speed when dealing with large-scale datasets. To address this issue, in 2016, Kevin Lin et al. proposed an effective deep learning framework to generate binary hash codes for fast image retrieval. Deep convolutional neural networks (CNNs) can effectively capture the intrinsic features of images, and the extracted features are highly accurate. Hash methods have advantages in speed and storage. Kevin Lin et al.'s approach combines the advantages of deep CNNs and hash algorithms, effectively solving the problems of traditional image classification methods. This framework extracts the feature representation of an image through a deep CNN, then maps the image feature representation into a hash code that is easy to retrieve in a hash layer. After obtaining the corresponding hash code, it performs similarity matching with the hash codes of other images in the dataset to complete image retrieval. Drawing on this idea, this invention replaces the processing object in the above framework with grayscale images of malware. By classifying grayscale images, the identification of malware families can be achieved. Compared with traditional malware family identification methods, this method can further reduce the computational and storage costs in the identification task without sacrificing accuracy. Summary of the Invention

[0005] To achieve the above objectives, this invention provides a family malware detection method based on deep hashing technology in deep neural networks, which solves the problems of large sample size, high storage cost, poor performance in detecting packed, encrypted and obfuscated malicious code, and low accuracy in identifying family malware in the existing technology.

[0006] The technical solution adopted in this invention is a method for detecting family malware based on deep hashing, comprising the following steps:

[0007] Step 1: Train a deep neural network model for classifying malware families and output feature vectors;

[0008] Step 2: Construct a hash layer in the trained deep neural network model. Input the feature vector of the sample output in the previous step into the hash layer and output the hash code corresponding to the sample.

[0009] Step 3: Calculate the Hamming distance between the hash code of the sample to be detected and the hash code of the training sample, and return the nearest sample and its corresponding Hamming distance. Use the distance weighting formula as the basis for judgment, and finally identify and determine the malware family to which the sample to be detected belongs.

[0010] Furthermore, the training model in step one specifically involves: using the grayscale image set of malware samples and their corresponding labels as the training set D, and training a deep neural network model for extracting malware family features under supervised learning.

[0011] The deep neural network model is one of the malware detection models VGG, AlexNet, and ResNet.

[0012] Furthermore, step one specifically involves: constructing the ResNet50 model structure and utilizing polarization loss. As the loss function of the deep neural network model; select a training subset D' from the training dataset of dataset D, and use the training subset D' to train the deep neural network model; determine whether the currently trained deep neural network has reached the set accuracy requirement or the maximum number of iterations. If it has, the deep neural network training is completed; if it has not, the training continues; output the feature vector output by the last layer neuron of the trained ResNet50 model.

[0013] Wherein, given malware sample x i x i The corresponding output vector t i For the sample x in advance i The target vector is defined, where m is a pre-set boundary threshold ≥ 1, C represents the length of the hash code, and the general function is used. Implemented by convolutional networks of arbitrary depth, it represents the mapping from the sample space to the classification result space; the parameters w of the deep neural network model are adjusted by minimizing the polarization loss.

[0014] Furthermore, the ResNet50 model starts with a convolutional layer and an input layer. The ResNet50 model also includes hidden layers, which consist of four blocks: 3, 4, 6, and 3 blocks in total. Each block contains three convolutional layers.

[0015] The activation function in the hidden layers of ResNet50 is the ReLU function.

[0016] Furthermore, in step two, the hash layer is a fully connected output layer containing C channels, used to replace the fully connected layer in the deep neural network model.

[0017] Furthermore, the distance weighting formula is as follows:

[0018]

[0019] Where rate represents the probability that the sample to be detected belongs to a certain family, and S is the sum of Hamming distances of all returned samples;

[0020] By comparing the probability of the sample to be detected belonging to each family, the family of malware to which the sample to be detected belongs is the one with the highest probability.

[0021] The beneficial effects of this invention are:

[0022] 1. The present invention provides a deep hash-based method for identifying malware family categories, which can efficiently and quickly identify the family category to which malware belongs.

[0023] 2. This invention integrates image retrieval technology and deep neural networks to design and implement a robust and secure deep learning model for identifying malware families, which has significant application and research value.

[0024] 3. This invention can improve the accuracy of identifying malware families, reduce detection time, and save computer storage costs. Attached Figure Description

[0025] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0026] Figure 1 This is a flowchart of a family malware detection method based on deep hashing according to an embodiment of the present invention.

[0027] Figure 2 This is a schematic diagram illustrating sample changes in the family malware detection method based on deep hashing according to an embodiment of the present invention.

[0028] Figure 3 This is a schematic diagram of the deep hash neural network structure implemented in this invention.

[0029] Figure 4 This is a network structure diagram of the ResNet50 model implemented in this invention.

[0030] Figure 5 These are grayscale image samples belonging to the same and different families of malicious code samples implemented in this invention. Detailed Implementation

[0031] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0032] To better illustrate the technical solution of this invention, the principle of the deep hash model for generating hash codes in this invention will be briefly explained first.

[0033] To efficiently identify the family to which malware belongs, a deep hashing model is first constructed to generate hash codes corresponding to the malware. This deep hashing model is a deep polarized network (DPN). Labeled malware grayscale images are used as the training set D for the deep hashing model, and a loss function for the deep hashing model is defined. This is called polarization loss, used to measure model performance. After training the model, optimal model parameters are obtained. The optimal model parameters for this invention are: Compared to other deep hashing models, the DPN used in this invention minimizes polarization loss, thereby minimizing intra-class similarity and maximizing inter-class similarity, thus bypassing the requirement to prepare paired labels for similar / dissimilar samples.

[0034] Secondly, this invention employs a neural network structure with ResNet50+ hash layers. By using deep convolutional networks to extract image features instead of manually created image features, it has been proven to effectively improve retrieval accuracy.

[0035] Next, the trained deep hashing model is used to generate and store the hash codes of the database samples, and simultaneously generate the hash codes of the samples to be tested. By calculating the Hamming distance between the hash codes of the samples to be tested and the hash codes of the samples in the database, the five closest samples are returned.

[0036] Finally, considering the high weight of Hamming distance as a decision criterion, and to improve the model's accuracy, a distance-weighted formula based on Hamming distance was designed as the final decision criterion. Compared to the traditional majority voting mechanism, the method of this invention has higher accuracy.

[0037] In the above process, this invention applies the image retrieval technology deep hashing to the field of malware family identification. Combined with the designed distance weighting formula, it improves the accuracy of identifying malware families using deep hashing and reduces computer storage costs and time costs.

[0038] Example 1

[0039] This invention provides a method for detecting family malware based on deep hashing technology in deep neural networks, comprising the following steps:

[0040] Step 1: Training a Deep Neural Network Model for Malware Family Classification: Using grayscale images of malware samples and their corresponding labels as the training set D, a deep neural network model for malware family feature extraction is trained under supervised learning. This completes the training of the core network model (backbone network) of the entire deep hashing model. This invention employs the high-performance ResNet50 model, which, after training, can classify given malware. The hidden layers of the ResNet50 model in this invention consist of four groups of blocks, each with 3, 4, 6, and 3 blocks respectively. Each block contains three convolutional layers. Additionally, the network begins with a convolutional layer, so the hidden layers comprise a total of (3+4+6+3)×3+1=49 convolutional layers, plus the input layer. The activation function in the ResNet50 hidden layers is the ReLU function. Unlike existing ResNet50 network models, this invention replaces the fully connected layers of the ResNet50 model with a specially designed deep hashing layer.

[0041] Step Two: Construct a hash layer. Input the feature vectors of the samples extracted in the previous step into the hash layer, and output the hash code corresponding to the sample. This invention utilizes a fully connected output layer containing C channels, called a deep hash layer, to replace the original softmax function, outputting a C-bit binary code. Through Step One and Step Two, the training of the entire deep hash model is completed.

[0042] Step 3: Calculate the Hamming distance between the hash codes of the test samples and the training samples, and return the 5 closest samples. Use the designed distance weighting formula as the basis for judgment, so as to finally identify and determine the malware family to which the given malware sample belongs.

[0043] Example 2

[0044] In this embodiment, the hash codes of the malware in all training samples are calculated using the following method:

[0045] S1.1: Set the initial input sample size (batch_size) and the number of training cycles (epochs) for the deep neural network based on the environment settings;

[0046] S1.2: Randomly initialize the model parameters and construct the ResNet50 model structure;

[0047] S1.3: Choose ReLU as the activation function in the deep neural network;

[0048] S1.4: RMSProp is chosen as the formula for calculating the gradient;

[0049] S1.5: Select a training subset D' from the training dataset of dataset D;

[0050] S1.6: A training step for a deep neural network using a training subset D';

[0051] S1.7: Forward propagation of the neural network, z = ∑w i x i +b=w1x1+…+w j x j +…+w k x k +b(where x) i Let b represent the i-th input sample, b represent the bias, and w represent the bias. i w represents the weight of the i-th neuron, z represents the output of the current neuron; j w k Let x represent the weights of the j-th and k-th neurons, respectively. j x k Let represent the j-th and k-th samples of the input, respectively.

[0052] S1.8: Regarding the loss function Calculate the derivative and update the neural network weights and biases (where the output vector corresponding to the malware sample x is the vector). t is the target vector pre-defined for malware sample x, m is a pre-defined boundary threshold ≥1, and the given malware sample distribution is P);

[0053] S1.9: Determine whether the currently trained deep neural network has reached the set accuracy requirement or the maximum number of iterations. If it has, complete the deep neural network training; otherwise, return to S1.6 to continue training.

[0054] S1.10: Input the feature maps output by the last layer of neurons in the ResNet50 model that has been trained into a hash layer with c channels to generate a binary hash code of length C.

[0055] Example 3

[0056] This invention uses a deep hashing network as its foundation to generate a binary hash code corresponding to each image, thereby improving the computer's detection speed and storage space. When identifying a new sample, the accuracy of the deep neural network model based on deep hashing is improved by calculating the Hamming distance between the sample's hash code and the hash codes in the database, combined with the distance weighting formula designed in this invention.

[0057] like Figures 1-2As shown in this embodiment, the method for detecting family malware based on deep hashing includes the following steps:

[0058] S101: Data Processing

[0059] Using grayscale images converted from the hexadecimal sequences of the original malware and their corresponding labels as the training set X, the task of generating high-quality hash codes is accomplished under supervised learning. Given a training set X = {x1, x2, ..., x...} of N images representing all M-class family software,... N}, label L = {l1, l2, ..., l M}, l i ∈{1,2,…,M} and l i Let x1, x2, ..., x3 represent malware samples belonging to the i-th family (a total of M family software), where x1, x2, ..., x3 are examples of malware samples belonging to the i-th family. N These represent the first to Nth images, respectively. The goal of deep hashing is to construct a deep neural network H(x) that can process input image x. i Mapped into a compact binary hash code b i =H(x) i ), b i ∈{0,1} C C represents the length of the hash code.

[0060] S102: Training of a Deep Hash Neural Network

[0061] The learning objective of a deep hashing model is to learn a hash mapping function that maps a real-valued data point x to a C-bit binary code b, where b ∈ H. C :={0,1} C The hash mapping function H is defined by the parameter w, b = H(x, w) = sign(H(x, w)), where the general function is... This can be implemented using convolutional networks of arbitrary depth, representing the mapping from the sample space to the classification result space. This invention uses the ResNet50 model to implement the aforementioned general function, thereby mapping a given malware sample to its corresponding family label. Polarization loss is also utilized. Define the loss function for the deep neural network model. Where, given a malware sample x... i Its corresponding output vector t i For the sample x in advance i The target vector is set, and m is a pre-set boundary threshold of ≥1; the parameters w of the deep neural network model are adjusted by minimizing the polarization loss.

[0062] Based on the optimization objective function, the deep neural network structure based on deep hashing for malware classification in this invention is as follows:Figure 3 As shown in the diagram. The entire deep hashing model structure comprises two parts: feature learning and hash code learning. The first part, feature learning, is based on the ResNet50 model, and its neural network structure is shown below. Figure 4 As shown. The feature vector output by Resent50 is subjected to global average pooling and used as the input y of the hash layer. The hash layer converts y into binary hash code using the sign function sgn(y). (Sign function...)

[0063] S201: Malware Family Detection;

[0064] After constructing a deep hash-based deep neural network, this model can map malware samples into compact binary hash codes and store them in a database. The model generates hash codes based on a loss function that reduces intra-class distance and increases inter-class distance. Therefore, the Hamming distance between hash codes obtained by samples belonging to the same family is small, while the Hamming distance between hash codes of samples belonging to different families is large. Based on this, this invention designs a weighted formula based on Hamming distance as the basis for detecting unknown malware sample families. To detect the malware family to which an unknown sample belongs, the sample to be tested is input into the deep hash model in S102 to generate a corresponding hash code. The generated hash code and the hash code stored in the database are compared and their corresponding Hamming distances are calculated. These distances are then arranged in ascending order, and the first 5 samples and their corresponding Hamming distances are returned. Let these 5 samples X = {x1, x2, x3, x4, x5}, and the labels corresponding to the 5 samples L = {l1, l2, l3, l4, l5}. The Hamming distance D of the first 5 samples... ham ={d1,d2,d3,d4,d5} (the smaller the index, the smaller the distance), define all D ham The sum is S = d1 + d2 + d3 + d4 + d5; then the probability that the sample to be detected belongs to a certain family can be represented by a weighted formula based on Hamming distance:

[0065]

[0066] Assuming l1 = l2 = 1, l3 = l4 = 2, l5 = 3, then the probabilities of the test sample belonging to classes 1, 2, and 3 are: Compare the values ​​of rate1, rate2, and rate3. The one with the highest probability is the malware family to which the sample to be detected belongs.

[0067] Example 4

[0068] In this embodiment, after the deep hashing model has been trained, the specific malware family detection method is as follows:

[0069] S301: Using the deep hashing model in the trained deep neural network, a certain malware sample x is selected as input, converted into a grayscale image, and then used as input to the deep hashing model. This input is then fed into the trained deep hashing neural network model to calculate the deep hash codes of multiple samples.

[0070] S302: Store the hash code output from the first step in the database.

[0071] S303: Sample to be tested x q The input is fed into the deep hash model to generate the corresponding hash code b. q .

[0072] S304: Calculate b q Hamming distances to all hash codes in the database.

[0073] S305: Using the 5 samples with the smallest Hamming distance returned, input them into the distance-weighted formula to obtain the sample x to be tested. q The probability of belonging to a certain malware family is calculated, and the output is the family label corresponding to the sample.

[0074] To better illustrate the technical effects of this invention, a specific example is used to conduct experimental verification, and its technical effects are compared with existing deep hashing algorithms. The dataset used in this experiment is the Maling dataset, which converts hexadecimal files of samples from 25 malware families into malware grayscale images. The distribution of this dataset is shown in Table 1, and it includes malware sample test sets and malware sample training set classification labels.

[0075] Table 1 Maling dataset

[0076]

[0077]

[0078] like Figure 5 The image shows grayscale samples of malicious code belonging to the same and different families. Each malware sample in the original training set has a corresponding classification label, totaling 25 labels, corresponding to 25 malware families (as shown in Table 1). These 25 malware families also represent the mainstream malware currently found on the network. Other types, which are less common, are discarded in this invention due to their limited number.

[0079] To demonstrate that the Deep Polarized Network (DPN) used in this invention has superior average retrieval accuracy compared to other deep hashing models in the field of image retrieval, comparative experiments were conducted between DPN and hashing algorithms such as HashNet, MIHash, GreedyHash, and MLH.

[0080] Table 2 Comparison of retrieval performance of different hash models on CIFAR10, NUS-WIDE and ImageNet100 datasets

[0081]

[0082] As can be seen from Table 2, DPN performs better. The hash codes generated using DPN can more accurately distinguish between samples of the same species and samples of different species in the Hamming space.

[0083] Table 3 Comparison of Model Accuracy with Different Top K Values

[0084] TopK 5 6 7 8 9 10 Accuracy 96.78% 96.38% 96.23% 96.12% 96.08% 95.89%

[0085] As can be seen from Table 3, when TopK=5, the accuracy is higher when the distance weighting formula is based on the 5 samples with the smallest Hamming distance.

[0086] Table 4. Comparison of accuracy rates for majority voting mechanism and weighted distance formula.

[0087] Method Majority voting Distance weighting formula Accuracy 95.56% 96.77%

[0088] As can be seen from Table 4, the distance-weighted formula designed using this invention is more reasonable than the traditional majority voting mechanism, and the model has a higher accuracy.

[0089] In summary, using this invention for malware family detection achieves high accuracy while reducing computer computing and storage costs.

[0090] The above description is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention are included within the scope of protection of the present invention.

Claims

1. A method for detecting family malware based on deep hashing, characterized in that, Includes the following steps: Step 1: Train a deep neural network model for classifying malware families and output feature vectors; Step 2: Construct a hash layer in the trained deep neural network model. Input the feature vector of the sample output in the previous step into the hash layer and output the hash code corresponding to the sample. Step 3: Calculate the Hamming distance between the hash code of the sample to be detected and the hash code of the training sample, and return the nearest sample and its corresponding Hamming distance. Use the distance weighting formula as the basis for judgment, and finally identify and determine the malware family to which the sample to be detected belongs. Step one specifically involves: constructing the ResNet50 model structure and utilizing polarization loss. As the loss function of a deep neural network model; from the dataset Select a training subset from the training dataset Using training subsets Train the deep neural network model; determine whether the currently trained deep neural network has reached the set accuracy requirement or the maximum number of iterations. If it has, complete the deep neural network training; if not, continue training; output the feature vector output by the last layer neuron of the trained ResNet50 model. Among them, given malware sample The corresponding output vector For pre-sample The set target vector, It is a pre-set boundary threshold of ≥1. A general function to represent the length of a hash code. Implemented by convolutional networks of arbitrary depth, it represents the mapping from the sample space to the classification result space; the parameters of the deep neural network model are adjusted by minimizing the polarization loss. ; The distance-weighted formula is as follows: in, This represents the probability that the sample to be tested belongs to a certain family. The sum of Hamming distances for all returned samples; By comparing the probability of the sample to be detected belonging to each family, the family of malware to which the sample to be detected belongs is the one with the highest probability.

2. The method for detecting family malware based on deep hashing according to claim 1, characterized in that, The training model in step one specifically involves using a set of grayscale images of malware samples and their corresponding labels as the training set. The training of a deep neural network model for extracting malware family features is completed under supervised learning. The deep neural network model is a malware detection model. One of them.

3. The method for detecting family malware based on deep hashing according to claim 1, characterized in that, The ResNet50 model starts with a convolutional layer and an input layer. The ResNet50 model also includes hidden layers, which consist of four blocks: 3, 4, 6, and 3 blocks. Each block contains three convolutional layers. The activation function in the hidden layers of ResNet50 is the ReLU function.

4. The method for detecting family malware based on deep hashing according to claim 1, characterized in that, In step two, the hash layer contains... A fully connected output layer with multiple channels, used to replace the fully connected layers in a deep neural network model.