A malicious code detection method based on malicious block labeling and image processing

By performing basic block annotation and image processing on malicious code binary files, and utilizing neural networks and the Vision Transformer model, the problem of malicious content irrelevant to the classification accuracy is solved, and efficient classification of malicious code is achieved.

CN116644422BActive Publication Date: 2026-07-03HUAZHONG UNIV OF SCI & TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HUAZHONG UNIV OF SCI & TECH
Filing Date
2023-05-23
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing methods for visualizing and analyzing malware suffer from insufficient classification accuracy because malicious functions are nested within non-malicious functions, and content unrelated to malicious functions affects the classification results.

Method used

The malicious code binary file is divided into basic blocks, the malicious blocks are labeled, and the malicious blocks are detected by a neural network model. After improving the contrast of the malicious blocks, they are input into the Vision Transformer model for classification.

Benefits of technology

It improves the accuracy of malicious code classification, weakens the impact of non-malicious functions on the classification results, and achieves accurate identification and classification of malicious code.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116644422B_ABST
    Figure CN116644422B_ABST
Patent Text Reader

Abstract

The application discloses a malicious code detection method based on malicious block labeling and image processing and belongs to the malicious code detection field, which comprises the following steps: (S1) dividing a binary file of a malicious code to be detected into multiple basic blocks, detecting whether each basic block is a malicious block, and labeling a position of the malicious block in the binary file; the malicious block is a basic block related to a malicious function; (S2) converting the binary file into a grayscale image, improving local contrast of a part of the image corresponding to the malicious block in the grayscale image, and obtaining a target grayscale image; (S3) inputting the target grayscale image into a trained malicious code classification model to predict a probability of the malicious code belonging to each family category, and determining a family category with the highest probability as a family category to which the malicious code belongs. The application can enhance the influence degree of the content related to the malicious function in the malicious code on a classification result, thereby improving the accuracy of malicious code classification.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of malicious code detection, and more specifically, relates to a malicious code detection method based on malicious block annotation and image processing. Background Technology

[0002] The cybersecurity industry has always been committed to preventing and combating malicious code attacks. Attackers can use malicious code to infect victim devices, thereby compromising the confidentiality and integrity of user and enterprise data resources. Therefore, accurately detecting malicious code and taking corresponding measures is of great significance for ensuring cybersecurity.

[0003] Traditionally, malware detection or classification is performed using signature-based or heuristic methods. Signature-based methods deploy signatures for different malware families and variants as prototypes, allowing newly discovered malware files to be classified accordingly, identifying the corresponding family category, and then taking appropriate countermeasures based on the characteristics of that family's malicious code. In recent years, Nataraj et al. introduced a static malware analysis technique called malware visualization, where the contents of malware binaries are represented as images. Specifically, the raw bytes of the malware binary are read as 8-bit unsigned integers and stored in a vector, which is then reformulated into a matrix and can be visualized as a grayscale image.

[0004] The aforementioned malware visualization and analysis method effectively solves the problem of malware classification. However, since the malicious function of the entire malware is nested within other non-malicious functions, meaning that a significant portion of the malware's content is unrelated to the malicious function, directly classifying the grayscale image obtained from the conversion of the entire malware binary file will result in unrelated content affecting the overall classification outcome, thus compromising the accuracy of the final classification. Summary of the Invention

[0005] To address the shortcomings and improvement needs of existing technologies, this invention provides a malicious code detection method based on malicious block annotation and image processing. The purpose is to enhance the influence of malicious function-related content in malicious code on the classification results, thereby improving the accuracy of malicious code classification and facilitating the correct recognition and analysis of unknown malicious code.

[0006] To achieve the above objectives, according to one aspect of the present invention, a malicious code detection method based on malicious block annotation and image processing is provided, comprising the following steps:

[0007] (S1) Divide the binary file of the malicious code to be detected into multiple basic blocks, and detect whether each basic block is a malicious block. Mark the location of the malicious block in the binary file; the malicious block is a basic block related to malicious function.

[0008] (S2) Convert the binary file into a grayscale image and enhance the local contrast of the part of the image corresponding to the malicious block in the grayscale image to obtain the target grayscale image;

[0009] (S3) Input the target grayscale image into the trained malware classification model to predict the probability that the malware belongs to each family category, and determine the family category with the highest probability as the family category to which the malware belongs.

[0010] Among them, the malicious code classification model is a neural network model used to predict the probability that the malicious code corresponding to the input grayscale image belongs to each family category.

[0011] Furthermore, in step (S1), for any given basic block, the method for detecting whether it is a malicious block includes:

[0012] Extract the code features of basic blocks and convert them into feature vectors; code features include structural features, arithmetic instruction features, jump instruction features, and API call features;

[0013] The feature vector is input into the pre-trained malicious block detection model, and the malicious block detection module extracts and reconstructs the features from the feature vector to obtain the reconstructed features.

[0014] If the difference between the reconstructed features and the feature vector output by the malicious block detection module is greater than a preset threshold, the basic block is determined to be a malicious block; otherwise, the basic block is determined not to be a malicious block.

[0015] The malicious block detection model is a neural network model used to extract and reconstruct features from the input basic blocks. Its training methods include:

[0016] Collect binary files unrelated to malicious functions, divide them into basic blocks, and extract the code features of the basic blocks as benign samples to obtain a benign sample set;

[0017] Initialize the malicious block detection model and train it using a benign sample set with the goal of minimizing the reconstruction loss. After training, the trained malicious block detection model is obtained.

[0018] Furthermore, the structural features include: the number of children and intermediate values ​​of the basic block; the arithmetic instruction features include the number of basic mathematical, shift, and logical operations contained in the basic block; the transfer instruction features include the number of stack operations, register operations, and port operations within the basic block; and the API call features include the number of calls to APIs related to dll, process, service, and system information within the basic block.

[0019] Furthermore, the malicious block detection model is an autoencoder model.

[0020] Furthermore, in step (S2), the local contrast of the portion of the image corresponding to the malicious block in the grayscale image is improved by limiting the contrast adaptive histogram equalization algorithm.

[0021] Furthermore, the malicious code classification model is the Vision Transformer model.

[0022] Further, in step (S2), the binary file is converted into a grayscale image, including:

[0023] Convert every 8 bits into an unsigned integer in the order of the code, and store the value in an unsigned integer vector;

[0024] Convert an unsigned integer vector into a matrix, treat each element in the matrix as a pixel, and use the value of the element as the grayscale value of the corresponding pixel to obtain a grayscale image.

[0025] According to another aspect of the present invention, a computer-readable storage medium is provided, comprising: a stored computer program; when the computer program is executed by a processor, it controls the device where the computer-readable storage medium is located to execute the malicious code detection method based on malicious block annotation and image processing provided by the present invention.

[0026] In summary, the above-described technical solutions conceived in this invention can achieve the following beneficial effects:

[0027] (1) This invention divides the binary file of the malicious code to be detected into basic blocks, detects the malicious blocks, that is, the basic blocks related to malicious functions, and marks the location of the basic blocks in the entire binary file, thereby realizing the location of the malicious blocks. In the subsequent classification based on visualization technology, the image processing of the part of the image corresponding to the malicious block in the grayscale image obtained by converting the binary file will be performed based on the location marking results of the malicious blocks to improve the local contrast of the part of the image. Based on this processing, the weight of the malicious block-related content on the classification result can be effectively increased, the influence of the malicious function-irrelevant content on the classification result can be weakened, and the accuracy of malicious code detection can be effectively improved.

[0028] (2) In a preferred embodiment of the present invention, a neural network model is used as a malicious block detection model. This model is used to extract and reconstruct features from the input basic blocks, and can realize the function of anomaly detection. This model is trained from benign samples that are unrelated to malicious functions. For benign basic blocks, the difference between the input and output of the model is small, while for malicious blocks, the difference between the input and output of the model will be large. Based on this, the present invention can accurately complete the judgment and location of malicious blocks in binary code.

[0029] (3) In a preferred embodiment of the present invention, when detecting malicious blocks, the extracted code features of the basic block include structural features, arithmetic instruction features, transfer instruction features, and API call features. The structural features include the number of children and intermediate values ​​of the basic block; the arithmetic instruction features include the number of basic mathematical, shift, and logical operations contained in the basic block; the transfer instruction features include the number of stack operations, register operations, and port operations within the basic block; and the API call features include the number of calls to APIs related to dll, process, service, and system information within the basic block. These features can comprehensively and accurately reflect the functions implemented by the basic block. The present invention uses these features as input to the malicious block detection model, which can accurately identify whether the function of the basic block is a malicious function, thereby accurately completing the detection of malicious blocks.

[0030] (4) In a preferred embodiment of the present invention, the Contrast Limited Adaptive Histogram Equalization (CLAHE) algorithm is specifically used to enhance the local contrast of the part of the image corresponding to the malicious block in the grayscale image, which can reduce the noise amplification problem while enhancing the local contrast.

[0031] (5) In a preferred embodiment of the present invention, the Vision Transformer model is specifically used to implement the malicious code classification model. The model will divide the input image into many sub-blocks and form these sub-blocks into linear embedding sequences. Then, these linear embedding sequences are used as input to the Transformer to simulate the input of phrase sequences in the NLP field. Based on this model, the present invention has a good classification effect on the grayscale image obtained by converting malicious code binary files. Attached Figure Description

[0032] Figure 1 A flowchart of a malicious code detection method based on malicious block annotation and image processing provided in an embodiment of the present invention;

[0033] Figure 2A schematic diagram illustrating the process from image generation, image processing, model training, and model validation as provided in this embodiment of the invention;

[0034] Figure 3 This is a schematic diagram of a malicious block detection model provided in an embodiment of the present invention;

[0035] Figure 4 This is a diagram illustrating the implementation process of applying contrast-limited adaptive histogram equalization to grayscale images according to an embodiment of the present invention.

[0036] Figure 5 This is a schematic diagram of the bilinear interpolation method provided in an embodiment of the present invention. Detailed Implementation

[0037] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention. Furthermore, the technical features involved in the various embodiments of this invention described below can be combined with each other as long as they do not conflict with each other.

[0038] In this invention, the terms "first," "second," etc. (if present) in the invention and the accompanying drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.

[0039] To address the technical problem of low classification accuracy in existing malware detection methods due to interference from malicious content unrelated to malicious functions, this invention provides a malware detection method based on malicious block annotation and image processing. The overall idea is to locate and annotate malicious blocks in the malicious code binary file to be detected, and then perform image processing on the portion of the image corresponding to the malicious blocks in the grayscale image obtained by converting the binary file to improve local contrast. This increases the importance of malicious content related to malicious functions to the classification result, weakens the influence of malicious content unrelated to malicious functions, and improves classification accuracy.

[0040] The following is an example.

[0041] Example 1:

[0042] A malicious code detection method based on malicious block annotation and image processing, such as Figure 1 and Figure 2 As shown, it includes the following steps:

[0043] (S1) Divide the binary file of the malicious code to be detected into multiple basic blocks, and detect whether each basic block is a malicious block. Mark the location of the malicious block in the binary file; the malicious block is a basic block related to the malicious function.

[0044] A basic block is a sequentially executed sequence of instructions, consisting of only one input and one output. This embodiment effectively locates and labels malicious blocks by dividing the binary file into basic blocks and determining whether each basic block is related to malicious functionality.

[0045] Optionally, in step (S1) of this embodiment, detecting whether a given basic block is a malicious block includes the following methods:

[0046] Extract the code features of basic blocks and convert them into feature vectors; code features include structural features, arithmetic instruction features, jump instruction features, and API call features;

[0047] The feature vector is input into the pre-trained malicious block detection model, and the malicious block detection module extracts and reconstructs the features from the feature vector to obtain the reconstructed features.

[0048] If the difference between the reconstructed features and the feature vector output by the malicious block detection module is greater than a preset threshold, the basic block is determined to be a malicious block; otherwise, the basic block is determined not to be a malicious block.

[0049] The malicious block detection model is a neural network model used to extract and reconstruct features from the input basic blocks. Its training methods include:

[0050] Collect binary files unrelated to malicious functions, divide them into basic blocks, and extract the code features of the basic blocks as benign samples to obtain a benign sample set;

[0051] Initialize the malicious block detection model and train it using a benign sample set with the goal of minimizing the reconstruction loss. After training, the trained malicious block detection model is obtained.

[0052] Since the malicious block detection model extracts and reconstructs features from the input basic blocks, it can achieve the function of anomaly detection. In this embodiment, benign samples unrelated to malicious functions are used for training. Therefore, the difference between the model's input and output is small for benign basic blocks, but large for malicious blocks. Based on this, it can accurately judge and locate malicious blocks in binary code. Optionally, in this embodiment, the U-Net model is selected to implement the malicious block detection model. The U-Net model is an autoencoder model. An autoencoder is a type of artificial neural network used in semi-supervised and unsupervised learning. Its function is to learn the representation of the input information by using the input information as the learning target.

[0053] The structure of the U-Net model is as follows: Figure 3As shown, the model contains an encoder g and a decoder f. When we input an x, after passing through the entire neural network, we can obtain an output x′, that is:

[0054] f(g(x))=x′

[0055] The autoencoder uses the reconstruction loss x′-x as the loss and continuously learns to make the difference between x and x′ gradually smaller. Therefore, after learning with a large number of benign samples, the difference between x and x′ is small for benign basic blocks, while the difference will be large for malicious basic blocks. Thus, it can effectively detect potentially malicious basic blocks.

[0056] It is easy to understand that, in order to ensure the training effect of the model, this embodiment will collect a large number of binary files unrelated to malicious functions to create benign samples for training the malicious block detection model; after the malicious block detection model is trained, malicious samples will also be created using the basic blocks of malicious code that implement malicious functions to test the training effect of the trained model, so as to ensure that the detection accuracy of the detection model meets the requirements, such as... Figure 2 As shown; in addition, in other embodiments of the present invention, the malicious block detection model can also be implemented based on other models capable of feature extraction and reconstruction.

[0057] To accurately identify whether the functionality implemented by a basic block is malicious, this embodiment extracts the following code features from the basic block: Structural features specifically include the number of children and intermediate values ​​of the basic block; Arithmetic instruction features specifically include the number of basic mathematical, shift, and logical operations contained in the basic block; Transfer instruction features specifically include the number of stack operations, register operations, and port operations within the basic block; API call features specifically include the number of calls to APIs related to DLLs, processes, services, and system information within the basic block. The above four categories of 12 features considered in this embodiment can comprehensively and accurately reflect the functionality implemented by the basic block. Using these features as input to the malicious block detection model, this embodiment can accurately identify whether the functionality of a basic block is malicious, thereby accurately completing the detection of malicious blocks. In practical applications, the BinaryNinja tool can be directly used to extract the code features of the basic block.

[0058] After step (S1), this embodiment can accurately locate and mark malicious blocks in binary files. Based on this, this embodiment also includes the following steps:

[0059] (S2) Convert the binary file into a grayscale image and enhance the local contrast of the part of the image corresponding to the malicious block in the grayscale image to obtain the target grayscale image.

[0060] In this embodiment, the specific method for converting a binary file into a grayscale image is as follows:

[0061] Convert every 8 bits into an unsigned integer in the order of the code, and store the value in an unsigned integer vector;

[0062] Convert an unsigned integer vector into a matrix, treat each element in the matrix as a pixel, and use the value of the element as the grayscale value of the corresponding pixel to obtain a grayscale image.

[0063] It is easy to understand that during the grayscale conversion process, the value range of the 8-bit unsigned integer corresponding to each pixel is 0 to 255, which corresponds to the grayscale value of the pixel, 0 to 255, where 0 corresponds to black and 255 corresponds to white.

[0064] Based on the annotation results of step (S1), the portion of the image corresponding to the malicious block in the converted grayscale image can be located. Image processing techniques can then be used to improve the local contrast of this portion of the image. As a preferred implementation, this embodiment specifically uses the Contrast Limited Adaptive Histogram Equalization (CLAHE) algorithm to improve the local contrast of the portion of the image corresponding to the malicious block in the grayscale image. This can improve local contrast while reducing noise amplification. The process of improving local contrast based on CLAHE is as follows: Figure 4 As shown, it includes the following steps:

[0065] (S21) Based on the location of the malicious block in the image, take a local regular image and determine to divide the local image into non-overlapping sub-blocks of equal size;

[0066] (S22) Calculate the sub-block histogram based on the image;

[0067] (S23) Calculate clipLimit based on the sub-block histogram provided in sub-operation S22;

[0068] (S24) Extract the pixels that exceed the clipLimit value from the grayscale histogram of each sub-block image, and redistribute the extracted pixels evenly to each grayscale level.

[0069] (S25) Use bilinear interpolation to reconstruct the grayscale values ​​of pixels and finally achieve histogram equalization.

[0070] like Figure 5 As shown, the horizontal axis of each pixel in the grayscale image represents the current pixel value, and the vertical axis represents the transformed pixel value. After dividing the image into blocks using the above method, the grayscale transformation function used for equalization of each sub-block is different. The steps include:

[0071] 1) First, based on the pixel values, the entire graphic area can be divided into three types of areas: A, B, and C, which represent the four corner areas, the edge areas, and the center areas, respectively.

[0072] 2) Analyze each pixel in the image to determine which region it belongs to. Different processing methods are used for pixels in different regions.

[0073] 3) If a pixel belongs to region A, then no interpolation operation should be performed on that pixel; the grayscale transformation function should be applied directly for grayscale transformation.

[0074]

[0075] Where cdf(x) represents the cumulative distribution of pixel value x in the subimage. min With CDF max These represent the minimum and maximum values ​​in the cumulative pixel distribution of the sub-image, respectively. L represents the total number of gray levels, typically 256.

[0076] 4) If a pixel belongs to a class B region, then label the transformation functions corresponding to the adjacent class A regions of that pixel as follows: and Take two points M and N belonging to the two A-class regions, such that MN is on the same horizontal line as the pixel. Label the pixels at points M and N as x1 and x2 respectively. Then apply a linear interpolation transformation to this pixel:

[0077]

[0078] 5) If the pixel belongs to the C-class region, refer to... Figure 4 For point P in the given information, apply the bilinear interpolation transformation:

[0079]

[0080]

[0081]

[0082] After image processing by CLAHE, methods such as isometric scaling and sampling are applied to unify the image size.

[0083] After the above steps (S2), the malicious code binary file is converted into a grayscale image, and the local contrast of the image corresponding to the malicious block is effectively improved. Based on this, this embodiment further includes:

[0084] (S3) Input the target grayscale image into the trained malware classification model to predict the probability that the malware belongs to each family category, and determine the family category with the highest probability as the family category to which the malware belongs; wherein, the malware classification model is a neural network model, used to predict the probability that the malware corresponding to the input grayscale image belongs to each family category;

[0085] In this preferred embodiment, the malicious code classification model is the VisionTransformer model.

[0086] The Transformer, proposed by Google in 2017, is an end-to-end NLP model. This model abandons the traditional sequential RNN structure and adopts a self-attention mechanism to enable parallel training and the acquisition of global information. The Vision Transformer can be seen as a graphical version of the Transformer. With minimal modifications, the standard Transformer model is directly transferred to the image domain to become the Vision Transformer model. The Vision Transformer model segments the input image into many sub-blocks and forms these sub-blocks into linear embedding sequences. These linear embedding sequences are then used as input to the Transformer to simulate word sequence input in the NLP domain. In the application scenario of this embodiment, based on this model, it has good classification performance for grayscale images converted from malicious code binary files.

[0087] It should be noted that other image classification models can also be used if the classification accuracy meets the requirements.

[0088] In summary, this embodiment locates malicious blocks in malicious code binary files and then enhances the local contrast of the malicious block portion in the image, which can effectively improve the accuracy of classification.

[0089] Example 2:

[0090] A computer-readable storage medium includes: a stored computer program; when the computer program is executed by a processor, it controls the device where the computer-readable storage medium is located to execute the malicious code detection method based on malicious block annotation and image processing provided in Embodiment 1 above.

[0091] Those skilled in the art will readily understand that the above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. A method for malicious code detection based on malicious block labeling and image processing, characterized by, Includes the following steps: (S1) Divide the binary file of the malicious code to be detected into multiple basic blocks, and detect whether each basic block is a malicious block. Mark the location of the malicious block in the binary file; the malicious block is a basic block related to malicious function. In step (S1), for any given basic block, the method for detecting whether it is a malicious block includes: Extract the code features of the basic blocks and convert them into feature vectors; the code features include structural features, arithmetic instruction features, jump instruction features, and API call features; The feature vector is input into the trained malicious block detection model, which extracts and reconstructs the feature vector to obtain the reconstructed features. If the difference between the reconstructed features output by the malicious block detection model and the feature vector is greater than a preset threshold, the basic block is determined to be a malicious block; otherwise, the basic block is determined not to be a malicious block. The malicious block detection model is a neural network model used to extract and reconstruct features from the input basic blocks. Its training methods include: Collect binary files unrelated to malicious functions, divide them into basic blocks, and extract the code features of the basic blocks as benign samples to obtain a benign sample set; Initialize the malicious block detection model and train it using the benign sample set with the goal of minimizing the reconstruction loss. After training, the trained malicious block detection model is obtained. The structural features include: the number of children and intermediate values ​​of the basic block; the arithmetic instruction features include the number of basic mathematical, shift, and logical operations contained in the basic block; the transfer instruction features include the number of stack operations, register operations, and port operations within the basic block; and the API call features include the number of calls to APIs related to dll, process, service, and system information within the basic block. (S2) Convert the binary file into a grayscale image and increase the local contrast of the part of the image corresponding to the malicious block in the grayscale image to obtain the target grayscale image; (S3) Input the target grayscale image into the trained malicious code classification model to predict the probability that the malicious code to be detected belongs to each family category, and determine the family category with the highest probability as the family category to which the malicious code to be detected belongs; The malicious code classification model is a neural network model used to predict the probability that the malicious code corresponding to the input grayscale image belongs to each family category.

2. The method of claim 1, wherein the method comprises: The malicious block detection model is an autoencoder model.

3. The method of claim 1 or 2, wherein the method comprises: In step (S2), the local contrast of the portion of the image corresponding to the malicious block in the grayscale image is improved by limiting the contrast adaptive histogram equalization algorithm.

4. The method of claim 1 or 2, wherein the method comprises: The malicious code classification model is the Vision Transformer model.

5. The method of claim 1 or 2, wherein the malicious code detection method based on a malicious block tagging and image processing is characterized by, In step (S2), converting the binary file into a grayscale image includes: Convert every 8 bits into an unsigned integer in the order of the code, and store the value in an unsigned integer vector; The unsigned integer vector is converted into a matrix, each element in the matrix is taken as a pixel, and the numerical value of the element is taken as the gray value of the corresponding pixel, to obtain the gray image.

6. A computer-readable storage medium, characterized in that, The method comprises the following steps: A computer program stored in the computer readable storage medium is executed by a processor to control a device where the computer readable storage medium is located to execute the malicious code detection method based on malicious block labeling and image processing according to any one of claims 1-5.