基于多通道图像深度学习的恶意代码检测

现有基于深度学习的恶意代码检测方法存在深层次特征提取能力偏弱、模型相对复杂、模型泛化能力不足等问题。同时，代码复用现象在同一类恶意样本中大量存在，而代码复用会导致代码的视觉特征相似，这种相似性可以被用来进行恶意代码检测。因此，提出一种基于多通道图像视觉特征和AlexNet神经网络的恶意代码检测方法。该方法首先将待检测的代码转化为多通道图像，然后利用AlexNet神经网络提取其彩色纹理特征并对这些特征进行分类从而检测出可能的恶意代码；同时通过综合运用多通道图像特征提取、局部响应归一化（LRN）等技术，在有效降低模型复杂度的基础上提升了模型的泛化能力。利用均衡处理后的Malimg数据集进行测试，结果显示该方法的平均分类准确率达到97.8%；相较于VGGNet方法在准确率上提升了1.8%，在检测效率上提升了60.2%。实验结果表明，多通道图像彩色纹理特征能较好地反映恶意代码的类别信息，AlexNet神经网络相对简单的结构能有效地提升检测效率，而局部响应归一化能提升模型的泛化能力与检测效果。

Malicious code detection based on multi-channel image deep learning

Existing deep learning-based malicious code detection methods have problems such as weak deep-level feature extraction capability, relatively complex model and insufficient model generalization capability. At the same time, code reuse phenomenon occurred in large number of malicious samples of the same type, resulting in similar visual features of the code. This similarity can be used for malicious code detection. Therefore, a malicious code detection method based on multi-channel image visual features and AlexNet was proposed. In the method, the codes to be detected were converted into multi-channel images at first. After that, AlexNet was used to extract and classify the color texture features of the images, so as to detect the possible malicious codes. Meanwhile, the multi-channel image feature extraction, the Local Response Normalization(LRN) and other technologies were used comprehensively, which effectively improved the generalization ability of the model with effective reduction of the complexity of the model. The Malimg dataset after equalization was used for testing, the results showed that the average classification accuracy of the proposed method was 97.8%, and the method had the accuracy increased by 1.8% and the detection efficiency increased by 60.2% compared with the VGGNet method. Experimental results show that the color texture features of multi-channel images can better reflect the type information of malicious codes, the simple network structure of AlexNet can effectively improve the detection efficiency, and the local response normalization can improve the generalization ability and detection effect of the model.