Cite this article:
- Deng Yuyang, Lu Tianliang, Ma Yuansheng, Kang Qi, Wang Wenhao. Malware Detection Framework Based on Multi-scale ResNet and Multi-layer Heterogeneous Graph Neural Networks [J]. Journal of Cyber Security, accepted.
Abstract:
To address the inherent shortcomings of traditional malware detection methods in feature representation capability and robustness, this paper proposes a malware detection method based on a multi-scale ResNet and a multi-layer heterogeneous graph neural network. With the explosive growth in the number of malware variants and the continuing evolution of adversarial attack techniques, traditional single-scale convolutional neural networks struggle to capture local detail features and global structural information at the same time, while shallow graph neural networks have limited expressive power when modeling complex behavioral relationships, making it difficult to cope with an increasingly complex threat landscape. In the data processing stage, the method converts malware into grayscale images using the Nataraj vectorization method and applies image enhancement techniques to improve feature representation. A multi-scale ResNet module uses convolution kernels of different sizes to extract multi-granularity static features in parallel and fuses the features of three parallel branches: multi-scale local convolution, byte-sequence correlation analysis, and gradient-magnitude boundary identification; FGSM (Fast Gradient Sign Method) adversarial sample generation is used for data augmentation to improve model robustness. A multi-layer heterogeneous graph neural network is then constructed to model dynamic behaviors such as API calls, memory operations, network communication, and system events hierarchically; a type-aware attention mechanism dynamically adjusts the weights of different node types, and cross-layer connections are introduced to learn deep node representations and relational patterns. Finally, an adaptive feature fusion strategy integrates the static image features with the dynamic behavioral features, achieving effective integration of multi-modal information. This paper constructs a comprehensive dataset containing 8 malware types and benign samples, and designs two kinds of robustness evaluation experiments: temporal concept drift and adversarial-sample concept drift. Experimental results show that the method achieves 95.2% accuracy on the malware detection task, that its performance drops by only 1.4 percentage points under temporal drift, and that it maintains 85.7% detection accuracy under mixed adversarial attacks. Ablation experiments verify the effectiveness of each module of the multi-scale feature extraction and the heterogeneous graph network. By organically fusing multi-scale feature extraction with heterogeneous graph neural networks, the method effectively addresses the limitations of single feature representations and the concept drift problem, offering a new technical path for malware detection.
Keywords: malware detection; multi-scale ResNet; heterogeneous graph neural networks; concept drift; feature fusion
DOI:
Received: 2025-08-18; Revised: 2025-11-04
Funding: Science and Technology Program of the Ministry of Public Security
Malware Detection Framework Based on Multi-scale ResNet and Multi-layer Heterogeneous Graph Neural Networks

Deng Yuyang 1,2,3, Lu Tianliang 1,2,3, Ma Yuansheng 4, Kang Qi 1,2,3, Wang Wenhao 1,2,3

(1. People's Public Security University of China; 2.; 3.; 4. Security Corps of the Beijing Municipal Public Security Bureau)
Abstract:
To address the inherent deficiencies of traditional malware detection methods in feature representation capability and robustness, this paper proposes a malware detection method based on multi-scale ResNet and multi-layer heterogeneous graph neural networks. With the explosive growth of malware variants and the continuous evolution of adversarial attack techniques, traditional single-scale convolutional neural networks struggle to simultaneously capture local detail features and global structural information, while shallow graph neural networks have limited expressive power in modeling complex behavioral relationships, making it difficult to cope with increasingly sophisticated threat landscapes. In the data processing phase, this method converts malware into grayscale images through the Nataraj vectorization method and introduces image enhancement techniques to improve feature representation capability. It designs a multi-scale ResNet module that employs convolutional kernels of different sizes to extract multi-granularity static features in parallel, achieving feature fusion through three parallel branches: multi-scale local convolution, byte sequence correlation analysis, and gradient magnitude boundary identification, while utilizing the FGSM (Fast Gradient Sign Method) adversarial sample generation technique for data augmentation to enhance model robustness. It then constructs a multi-layer heterogeneous graph neural network to hierarchically model dynamic behaviors such as API calls, memory operations, network communications, and system events, dynamically adjusting the weights of different node types through a type-aware attention mechanism and introducing cross-layer connection mechanisms to learn deep node representations and relational patterns. Finally, an adaptive feature fusion strategy is adopted to integrate static image features and dynamic behavioral features, achieving effective integration of multi-modal information. This paper constructs a comprehensive dataset containing 8 types of malware and benign samples, and designs two types of robustness evaluation experiments: temporal concept drift and adversarial sample concept drift. Experimental results demonstrate that this method achieves 95.2% accuracy in malware detection tasks, with only a 1.4 percentage point performance decrease under temporal drift scenarios, and that it maintains 85.7% detection accuracy under hybrid adversarial attacks. Ablation experiments validate the effectiveness of each module in multi-scale feature extraction and heterogeneous graph networks. This method effectively addresses the limitations of single feature representation and concept drift issues through the organic fusion of multi-scale feature extraction and heterogeneous graph neural networks, providing a new technical approach for malware detection.
Key words: malware detection; multi-scale ResNet; heterogeneous graph neural networks; concept drift; feature fusion
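As an added example (not code from the paper or its authors), the Nataraj-style vectorization step named in the abstract: each byte of a binary becomes one grayscale pixel and the image width is chosen from the file size, which is the form the static ResNet branch consumes. The width schedule is the one from Nataraj et al. (2011), which the page cites by name but does not reproduce, the boundary handling at each size limit is an assumption, and the sample bytes are constructed.

```python
# Added example (not from the paper): Nataraj-style byte-to-grayscale vectorization,
# the static-branch preprocessing step the abstract describes. Every byte becomes one
# pixel in 0..255; the image width is picked from the file size. The width schedule
# follows Nataraj et al. (2011), which this page cites by name but does not reproduce.

WIDTH_SCHEDULE = [  # (file size strictly below this many bytes, width in pixels)
    (10 * 1024, 32),
    (30 * 1024, 64),
    (60 * 1024, 128),
    (100 * 1024, 256),
    (200 * 1024, 384),
    (500 * 1024, 512),
    (1000 * 1024, 768),
]
DEFAULT_WIDTH = 1024  # anything of 1000 KB or more

def nataraj_width(n_bytes):
    """Image width for a file of n_bytes bytes (boundary handling is an assumption)."""
    for limit, width in WIDTH_SCHEDULE:
        if n_bytes < limit:
            return width
    return DEFAULT_WIDTH

def bytes_to_grayscale(data, pad_value=0):
    """Cut the byte string into rows of the chosen width; the last row is padded.

    Returns a list of rows, each a list of pixel values 0..255.
    """
    width = nataraj_width(len(data))
    rows = []
    for offset in range(0, len(data), width):
        row = list(data[offset:offset + width])
        row.extend([pad_value] * (width - len(row)))
        rows.append(row)
    return rows

def image_shape(data):
    """(height, width) of the image bytes_to_grayscale would produce."""
    rows = bytes_to_grayscale(data)
    return (len(rows), len(rows[0]) if rows else 0)

def to_pgm(rows):
    """Serialize rows as a binary PGM (P5) so the image can be viewed or fed to a CNN."""
    height, width = len(rows), len(rows[0])
    header = f"P5 {width} {height} 255\n".encode("ascii")
    return header + b"".join(bytes(row) for row in rows)

# Constructed sample (not a real binary): an MZ-like prefix, four byte ramps, zeros.
SAMPLE = b"MZ\x90\x00" + bytes(range(256)) * 4 + b"\x00" * 100

if __name__ == "__main__":
    print(len(SAMPLE), "bytes ->", image_shape(SAMPLE))  # 1128 bytes -> (36, 32)
```

Because width depends only on file size, appended padding or section reordering changes the row layout but never the pixel values themselves, which is why the paper pairs this representation with multi-scale convolution and adversarial augmentation rather than relying on it alone.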