A method, system, and electronic device for classifying malicious code
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents (China)
- Current Assignee / Owner
- SICHUAN UNIV
- Filing Date
- 2023-10-11
- Publication Date
- 2026-06-30
AI Technical Summary
[0002] Traditional malicious code classification methods mainly extract static features of the malicious code for signatures. Although this is fast, the accuracy of the method is low when faced with a large number of malicious code variants.
[0017] The malicious code classification method provided by this invention is based on an improved MobileVit model that extracts features from processed images and performs multi-classification to obtain malicious code classification results. With a significant reduction in the number of parameters, it not only increases the model's global representation ability of malicious code, but also increases attention to a few malicious code families while maintaining the overall good classification accuracy of existing CNN models.
Figure CN117407875B_ABST (abstract drawing)
Abstract
Description
Technical Field
[0001] This invention relates to the field of electronic digital data processing technology, and in particular to a method, system and electronic device for classifying malicious code.
Background Art
[0002] Traditional malware classification methods primarily extract static features of the malware for use as signatures. While fast, these methods suffer from low accuracy when faced with a large number of malware variants. Some existing methods classify malware with models based on convolutional neural networks (CNNs). Although these methods offer improved accuracy, they are limited by the inherent characteristics of CNNs and fail to capture the contextual information of the malware, so classification efficiency remains low. Furthermore, they do not address the bias of malware classification models towards the majority class and their neglect of minority classes.
Summary of the Invention
[0003] To address the aforementioned problems in existing technologies, this invention provides a malicious code classification method, system, and electronic device based on an improved MobileVit model.
[0004] To achieve the above objectives, the present invention provides the following solution:
[0005] A method for classifying malicious code, comprising:
[0006] Retrieve the opcode sequence, imported functions, and data from the PE file;
[0007] The opcode sequence, the imported functions, and the data are mapped to different channels of an RGB image to generate an image;
[0008] The generated image is normalized and standardized to obtain a processed image;
[0009] The processed image is input into the improved MobileVit model to extract features and perform multi-classification to obtain the malicious code classification result.
[0010] Optionally, the opcode sequence, the import function, and the data are mapped to different channels of the RGB image to generate the image, specifically:
[0011] The opcode sequence is mapped to the R channel of the RGB image, the import function is mapped to the G channel, and the data is mapped to the B channel of the RGB image to generate the image.
[0012] Optionally, the improved MobileVit model is constructed from the MobileVit model;
[0013] In the improved MobileVit model, when the Transformer encoder performs the self-attention calculation, each patch performs a self-attention calculation over each of the different feature sequences generated from the patches;
[0014] The loss function of the MobileVit model is replaced by the Focal loss method;
[0015] The improved MobileVit model uses a fully connected softmax layer to classify the extracted features.
[0016] According to specific embodiments provided by the present invention, the present invention discloses the following technical effects:
[0017] The malicious code classification method provided by this invention is based on an improved MobileVit model that extracts features from processed images and performs multi-classification to obtain malicious code classification results. With a significant reduction in the number of parameters, it not only increases the model's global representation ability of malicious code, but also increases attention to a few malicious code families while maintaining the overall good classification accuracy of existing CNN models.
[0018] The present invention also provides the following corresponding implementation structures:
[0019] A malicious code classification system, applied to the malicious code classification method provided above; the system includes:
[0020] The data processing module is used to disassemble PE files to obtain the opcode sequence, import function table, and data in the PE files;
[0021] The image generation module is used to map the opcode sequence, the import function, and the data to different channels of an RGB image to generate an image.
[0022] The image processing module is used to normalize and standardize the generated image to obtain a processed image;
[0023] The code classification module is used to input the processed image into the improved MobileVit model to extract features and perform multi-classification to obtain malicious code classification results. In the improved MobileVit model, the Transformer encoder performs self-attention calculations on different feature sequences generated by each patch. The loss function in the improved MobileVit model is the Focal loss method. The improved MobileVit model uses a softmax fully connected layer to classify the extracted features.
[0024] An electronic device, comprising:
[0025] Memory, used to store computer programs;
[0026] A processor, connected to the memory, is used to retrieve and execute the computer program to implement the malicious code classification method provided above.
[0027] Optionally, the memory is a computer-readable storage medium.
[0028] Since the technical effects achieved by the two implementation structures provided by this invention are the same as those achieved by the malicious code classification method provided by this invention, they will not be described in detail here.
Brief Description of the Drawings
[0029] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0030] Figure 1 is a flowchart of the malicious code classification method provided by the present invention;
[0031] Figure 2 is an implementation framework diagram of the malicious code classification method provided by the present invention;
[0032] Figure 3 is a schematic diagram of the malicious code visualization method provided by the present invention;
[0033] Figure 4 is a structural diagram of the improved Transformer encoder provided by the present invention;
[0034] Figure 5 is a schematic diagram of the Focal loss provided by the present invention.
Detailed Description
[0035] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0036] The purpose of this invention is to provide a malicious code classification method, system, and electronic device with fewer parameters, which can maintain classification efficiency while having better generalization ability, and can also effectively alleviate the problem of low attention to small sample sets in the field of malicious code classification, and has strong practicality.
[0037] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments.
[0038] As shown in Figure 1, the malicious code classification method provided by the present invention includes:
[0039] Step 100: Obtain the opcode sequence, imported functions, and data from the PE file.
[0040] Step 101: Map the opcode sequence, imported functions, and data to different channels of the RGB image to generate the image. Specifically, the opcode of the malicious code PE file can be mapped to the R channel of the RGB image, the imported functions to the G channel, and the data contained in the PE file to the B channel.
[0041] Step 102: Normalize and standardize the generated image to obtain the processed image.
[0042] Step 103: Input the processed image into the improved MobileVit model to extract features and perform multi-class classification to obtain the malware classification result. The improved MobileVit model uses a Transformer encoder structure in which each feature sequence consists of the pixels at the same position in different patches of the original image. During the self-attention calculation on the input embedded patches, the number of self-attention calculations is increased by having each feature sequence perform self-attention with every other feature sequence. The calculated feature sequences are then residually connected to the original sequences and passed to the next network layer. The improved MobileVit model uses the cost-sensitive Focal loss method as its loss function. Finally, a fully connected softmax layer classifies the extracted features.
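As an added example that is not part of the patent, the following Python builds the three-channel image of steps 100 to 102 from constructed inputs (an opcode list, a list of imported function names and a data byte string, standing in for what disassembly of a PE file would return) and then normalizes and standardizes it. The byte encodings of the opcodes and import names, the 8x8 image side and the per-channel mean/variance standardization are assumptions; the patent does not fix them.

```python
import math

# Constructed sample inputs standing in for disassembler output of one PE file.
SAMPLE_OPCODES = ["push", "mov", "call", "mov", "jmp", "xor", "ret"] * 5
SAMPLE_IMPORTS = ["CreateFileA", "WriteFile", "VirtualAlloc", "GetProcAddress"]
SAMPLE_DATA = bytes(range(0, 256, 3))          # 86 bytes from a data section

def opcode_bytes(opcodes):
    """Encode mnemonics as one byte each via a vocabulary built in order of first
    appearance (assumed encoding; 0 is reserved for padding)."""
    vocab = {}
    out = bytearray()
    for op in opcodes:
        vocab.setdefault(op, len(vocab) + 1)
        out.append(vocab[op] % 256)
    return bytes(out)

def import_bytes(imports):
    """Encode imported function names as ASCII bytes separated by NUL (assumed)."""
    return b"\x00".join(name.encode("ascii") for name in imports)

def to_channel(raw, side):
    """Truncate or zero-pad a byte string into a side x side channel (rows of ints)."""
    padded = raw[: side * side].ljust(side * side, b"\x00")
    return [list(padded[r * side:(r + 1) * side]) for r in range(side)]

def build_rgb_image(opcodes, imports, data, side=8):
    """Step 101: R = opcode sequence, G = imported functions, B = data."""
    return {"R": to_channel(opcode_bytes(opcodes), side),
            "G": to_channel(import_bytes(imports), side),
            "B": to_channel(data, side)}

def normalize(channel):
    """Scale byte values into [0, 1]."""
    return [[v / 255.0 for v in row] for row in channel]

def channel_stats(channel):
    """Mean and population variance of one channel."""
    flat = [v for row in channel for v in row]
    mean = sum(flat) / len(flat)
    var = sum((v - mean) ** 2 for v in flat) / len(flat)
    return mean, var

def standardize(channel, eps=1e-8):
    """Shift to zero mean and scale to unit variance (eps guards all-zero channels)."""
    mean, var = channel_stats(channel)
    return [[(v - mean) / (math.sqrt(var) + eps) for v in row] for row in channel]

def process_image(image):
    """Step 102: normalize, then standardize, every channel."""
    return {k: standardize(normalize(ch)) for k, ch in image.items()}
```

Each channel of the processed image has zero mean and unit variance, which is what the model in step 103 consumes.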
[0043] Furthermore, Figure 2 shows a framework for malware classification based on the improved MobileVit model. It primarily includes data preprocessing and the improved MobileVit model structure; the input is image data and the output is the malware classification category. Figure 3 illustrates the method for visualizing malicious PE files. Because it is designed around the characteristics of malicious code, this visualization retains more of the malicious features, which facilitates subsequent feature extraction. For example... Figure 4 shows the improved Transformer encoder structure. The input vector consists of the pixels at the same position in different patches of the original image. The encoder first normalizes the input vector, then performs the self-attention calculation on each feature vector and adds a residual connection to the original vector. After a further normalization, the result is fed into a multilayer perceptron, followed by another residual connection. This operation increases the model's ability to represent the input image. Figure 5 illustrates the Focal loss. The output of MobileVit is defined as Z1, Z2, …, ZC, where C is the number of categories, and the probability that the model predicts the i-th class is the corresponding softmax output. The output of the softmax function is used as the input to the Focal loss method. The loss is calculated from the true label and the predicted probability of each sample, resulting in the following loss function: wherein γ and α_c are the adjustment factor and the balancing factor. With this method, the sensitivity to small classification datasets can be increased.
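As an added example, not part of the patent, the following Python implements the cost-sensitive Focal loss on softmax outputs and contrasts it with plain cross-entropy on constructed logits for an easy majority-class sample and a hard minority-class sample. It assumes the standard formulation −α_c (1 − p)^γ log p with the patent's γ (adjustment factor) and α_c (balancing factor); the inverse-frequency rule for α_c is one assumed choice, not something the patent specifies.

```python
import math

# Constructed per-sample logits (Z1..ZC for C = 3 classes) and true labels:
# an easy, correctly predicted majority-class sample and a hard minority-class sample.
EASY_SAMPLE = ([4.0, 0.0, 0.0], 0)
HARD_SAMPLE = ([0.5, 0.0, 0.0], 2)

def softmax(logits):
    """Turn the model output Z1..ZC into class probabilities (numerically stable)."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def cross_entropy(logits, label):
    """Plain softmax cross-entropy for one sample, for comparison."""
    return -math.log(softmax(logits)[label])

def focal_loss(logits, label, gamma=2.0, alpha=None):
    """Focal loss for one sample: -alpha_c * (1 - p)^gamma * log(p), where p is the
    softmax probability of the true class, gamma the adjustment factor and alpha
    the per-class balancing factor (alpha=None means alpha_c = 1 for every class)."""
    p = softmax(logits)[label]
    a = 1.0 if alpha is None else alpha[label]
    return -a * (1.0 - p) ** gamma * math.log(p)

def batch_focal_loss(batch, gamma=2.0, alpha=None):
    """Mean focal loss over a list of (logits, label) pairs."""
    return sum(focal_loss(z, y, gamma, alpha) for z, y in batch) / len(batch)

def inverse_frequency_alpha(labels, num_classes):
    """One common choice for alpha_c (assumed, not fixed by the patent): weight each
    class by the inverse of its share of the training labels, so rare families count more."""
    total = len(labels)
    return [total / (num_classes * max(labels.count(c), 1)) for c in range(num_classes)]
```

With γ = 0 and α_c = 1 the loss reduces to cross-entropy; with γ = 2 the easy sample's contribution shrinks by roughly three orders of magnitude while the hard minority sample keeps about half of its cross-entropy, which is what shifts the model's attention toward the small families.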
[0044] In summary, this invention uses an improved MobileVit model, which improves the efficiency of malware classification and pays more attention to minority class sample sets.
[0045] Furthermore, the present invention also provides the following implementation structure:
[0046] A malicious code classification system, applied to the malicious code classification method provided above. The system includes:
[0047] The data processing module is used to disassemble PE files to obtain the opcode sequence, import function table, and data in the PE files.
[0048] The image generation module is used to map opcode sequences, imported functions, and data to different channels of an RGB image to generate an image.
[0049] The image processing module is used to normalize and standardize the generated images to obtain processed images.
[0050] The code classification module is used to extract features from processed images input into the improved MobileVit model and perform multi-classification to obtain malicious code classification results. Specifically, in the improved MobileVit model, the Transformer encoder performs self-attention calculations on different feature sequences generated by each patch. The improved MobileVit model uses the Focal loss method as its loss function. Finally, the improved MobileVit model employs a softmax fully connected layer to classify the extracted features.
[0051] An electronic device, comprising:
[0052] Memory is used to store computer programs.
[0053] A processor, connected to memory, is used to retrieve and execute computer programs to implement the malicious code classification method provided above.
[0054] Furthermore, when the computer program in the aforementioned memory is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory, random access memory, magnetic disks, or optical disks.
[0055] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the systems disclosed in the embodiments, since they correspond to the methods disclosed in the embodiments, the descriptions are relatively simple; relevant parts can be referred to the method section.
[0056] This document uses specific examples to illustrate the principles and implementation methods of the present invention. The descriptions of the above embodiments are only for the purpose of helping to understand the method and core ideas of the present invention. Furthermore, those skilled in the art will recognize that, based on the ideas of the present invention, there will be changes in the specific implementation methods and application scope. Therefore, the content of this specification should not be construed as a limitation of the present invention.
Claims
1. A method for classifying malicious code, characterized in that it comprises: acquiring the opcode sequence, imported functions, and data from a PE file; mapping the opcode sequence, the imported functions, and the data to different channels of an RGB image to generate an image, which includes mapping the opcode sequence to the R channel of the RGB image, mapping the imported functions to the G channel, and mapping the data to the B channel of the RGB image to generate the image; normalizing and standardizing the generated image to obtain a processed image; and inputting the processed image into the improved MobileVit model to extract features and perform multi-classification to obtain the malware classification result; wherein the improved MobileVit model is constructed from the MobileVit model; in the improved MobileVit model, when the Transformer encoder performs the self-attention calculation, each patch performs a self-attention calculation over each of the different feature sequences generated from the patch; the loss function of the MobileVit model is replaced by the Focal loss method; and the improved MobileVit model uses a fully connected softmax layer to classify the extracted features.
2. A malicious code classification system, characterized in that the system is applied to the malicious code classification method as described in claim 1, and the system includes: a data processing module, used to disassemble PE files to obtain the opcode sequence, import function table, and data in the PE files; an image generation module, used to map the opcode sequence, the imported functions, and the data to different channels of an RGB image to generate an image; an image processing module, used to normalize and standardize the generated image to obtain a processed image; and a code classification module, used to input the processed image into the improved MobileVit model to extract features and perform multi-classification to obtain malicious code classification results; in the improved MobileVit model, the Transformer encoder performs self-attention calculations on the different feature sequences generated by each patch; the loss function in the improved MobileVit model is the Focal loss method; and the improved MobileVit model uses a softmax fully connected layer to classify the extracted features.
3. An electronic device, characterized in that it comprises: a memory, used to store a computer program; and a processor, connected to the memory, configured to retrieve and execute the computer program to implement the malicious code classification method as described in claim 1.
4. The electronic device according to claim 3, characterized in that the memory is a computer-readable storage medium.