CN-120744918-B - Malicious code detection method and system based on improved GhostNetV2

Abstract

The invention discloses a malicious code detection method, system and medium based on improved GhostNetV2, relating to the technical field of network information security. The method comprises the following steps: extracting binary files of the Android software code to be detected and converting the binary files into RGB images; performing image enhancement processing on the RGB image by using a local histogram equalization algorithm; converting the RGB image into a single-channel image and extracting the corresponding image texture features; and inputting the image texture features into a trained lightweight malware detection model of the improved GhostNetV2 for detection, to obtain a detection result. Image enhancement through local histogram equalization effectively improves detection precision, and the improved lightweight deep learning model is adopted to detect malware, which reduces the parameter count, improves detection efficiency, and enhances detection performance and robustness.

Inventors

  • GAO CAIXIA
  • GAO CHUNQIN
  • GUO XIANFENG

Assignees

  • 西南民族大学

Dates

Publication Date
20260512
Application Date
20250623

Claims (8)

  1. A malicious code detection method based on improved GhostNetV2, comprising: extracting binary files of the Android software code to be detected, and converting the binary files into RGB images; performing image enhancement processing on the RGB image by using a local histogram equalization algorithm; converting the RGB image into a single-channel image, and extracting corresponding image texture features; inputting the image texture features into a trained lightweight malware detection model of the improved GhostNetV2 for detection, so as to obtain a detection result; the method further comprises constructing the lightweight malware detection model of the improved GhostNetV2, which specifically comprises: adopting PReLU activation functions to replace the ReLU activation functions; in the GhostNetV2 bottleneck module, a first Ghost module is in parallel with the DFC; in a second Ghost module, a first set of features is generated by ordinary convolution, a second set of features is obtained by performing cheap operations on the first set, and channel shuffling is performed on the first set of features and the second set of features; the size of the convolution kernel is intelligently selected by adopting the efficient channel attention module, and the range of local cross-channel interaction is determined so as to adapt to feature maps of different scales.
  2. The method according to claim 1, wherein the specific method for converting the binary file into the RGB image comprises: reading the data sequence in the binary file in groups of 8 bits, and converting each group into a decimal unsigned integer; taking the integer as a gray value, wherein the gray value is in the range of 0 to 255; and dynamically mapping to different RGB color spaces according to the interval distribution of the gray values to obtain an RGB image.
  3. The method according to claim 2, wherein the specific method for performing image enhancement processing on the RGB image using the local histogram equalization algorithm comprises: sliding an 8x8 window over the RGB image, and dividing the RGB image into a plurality of overlapping local windows; counting the pixel values in each window, and calculating the number of pixels of each gray level; calculating a cumulative distribution function of each gray level in the local area according to the histogram; calculating a mapping function of each gray level according to the distribution function; mapping the pixel value of each pixel in the local area by using the mapping function to obtain an enhanced pixel value; applying local histogram equalization on the whole RGB image in a sliding window manner; and integrating the enhanced pixel values of all the local areas to obtain a final enhanced image.
  4. The method of claim 1, wherein the image texture features are extracted using a Gabor filter.
  5. A malicious code detection system based on improved GhostNetV2, for implementing the method of any one of claims 1-4, the system comprising a code imaging module, an image enhancement module, a texture feature extraction module, and a detection module; the code imaging module is used for extracting binary files of the Android software code to be detected and converting the binary files into RGB images; the image enhancement module is used for carrying out image enhancement processing on the RGB image by using a local histogram equalization algorithm; the texture feature extraction module is used for converting the RGB image into a single-channel image and extracting corresponding image texture features; the detection module is used for inputting the image texture features into a trained lightweight malware detection model of the improved GhostNetV2 for detection, so as to obtain a detection result; the lightweight malware detection model of the improved GhostNetV2 includes a PReLU activation function module, a Ghost module with channel shuffling, and an efficient channel attention module.
  6. The system of claim 5, wherein the code imaging module includes an image conversion unit, the image conversion unit being configured to read the data sequence in the binary file in groups of 8 bits, convert each group into a decimal unsigned integer, take the integers as gray values, the gray values being in the range of 0 to 255, and dynamically map the gray values to different RGB color spaces according to the interval distribution of the gray values, so as to obtain an RGB image.
  7. The system of claim 6, wherein the image enhancement module includes an enhancement processing unit configured to slide an 8 x 8 window over the RGB image, divide the RGB image into a plurality of overlapping local windows, count pixel values in each window, calculate the number of pixels for each gray level, calculate a cumulative distribution function for each gray level in a local region based on the histogram, calculate a mapping function for each gray level based on the distribution function, map the pixel value of each pixel in the local region using the mapping function to obtain enhanced pixel values, apply local histogram equalization on the entire RGB image in a sliding window manner, and integrate the enhanced pixel values of all the local regions to obtain the final enhanced image.
  8. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method of any of claims 1-4.
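
The byte-to-gray step of claim 2 and the sliding-window equalization of claim 3, as an added example that is not code from the patent. The row width, the stride of 4, the averaging of overlapping windows, the CDF mapping formula and the single-channel treatment (run once per channel for RGB) are assumptions, since the claims do not fix them.

```python
# Added example: claim 2 byte-to-gray step and claim 3 sliding-window equalization.
# Assumptions (not in the patent): row width, stride 4, averaging of overlaps,
# and the common (cdf - cdf_min) / (n - cdf_min) * 255 gray-level mapping.

def bytes_to_gray(data: bytes, width: int) -> list:
    """Each 8-bit group becomes one gray value (0-255); the last row is zero-padded."""
    padded = data + bytes(-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]

def equalize_window(pixels: list) -> dict:
    """Histogram -> cumulative distribution -> gray-level mapping for one window."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    n = len(pixels)
    mapping, cdf, cdf_min = {}, 0, None
    for level, count in enumerate(hist):
        if count == 0:
            continue
        cdf += count
        if cdf_min is None:
            cdf_min = cdf
        # A flat window (one gray level) has no contrast to stretch; keep its value.
        mapping[level] = level if n == cdf_min else round((cdf - cdf_min) / (n - cdf_min) * 255)
    return mapping

def local_hist_equalize(img: list, win: int = 8, stride: int = 4) -> list:
    """Equalize overlapping win x win windows and average the overlapping results."""
    h, w = len(img), len(img[0])
    if h < win or w < win:
        raise ValueError("image smaller than window")
    acc = [[0] * w for _ in range(h)]
    hits = [[0] * w for _ in range(h)]
    # Add a final window flush with each border so every pixel is covered.
    ys = sorted(set(range(0, h - win + 1, stride)) | {h - win})
    xs = sorted(set(range(0, w - win + 1, stride)) | {w - win})
    for y in ys:
        for x in xs:
            block = [img[r][c] for r in range(y, y + win) for c in range(x, x + win)]
            mapping = equalize_window(block)
            for r in range(y, y + win):
                for c in range(x, x + win):
                    acc[r][c] += mapping[img[r][c]]
                    hits[r][c] += 1
    return [[round(acc[r][c] / hits[r][c]) for c in range(w)] for r in range(h)]

# Constructed sample: 256 low-contrast bytes (values 100-115), not a real DEX file.
SAMPLE = bytes(100 + (i * 7) % 16 for i in range(256))
GRAY = bytes_to_gray(SAMPLE, 16)
ENHANCED = local_hist_equalize(GRAY)
```

On the constructed sample the input spans only 16 gray levels, while the enhanced image uses the full 0 to 255 range, which is the contrast stretch that the later texture-extraction step works on.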

Description

Malicious code detection method and system based on improved GhostNetV2

Technical Field

The invention relates to the technical field of network information security, in particular to a malicious code detection method and system based on improved GhostNetV2.

Background

Currently, malware detection methods rely mainly on decompilation techniques. These methods typically extract features by decompiling malware and benign software, and train artificial intelligence models on these features to identify and classify the malware. However, existing decompilation-based malware detection methods have some notable problems: (1) malware developers adopt protection measures such as packing (shell-adding) and anti-decompilation measures, which cause decompilation to fail; and (2) the decompilation process consumes a large amount of computing resources and time, and its efficiency is low, especially for complex applications.

To overcome these problems, image-based malware detection has in recent years become an emerging research direction. In this approach, the executable file of an Android application (such as the dex file) is converted into an image, which avoids the complexity of traditional decompilation and improves detection efficiency. Research shows that the image can effectively represent the structure and characteristics of the program, that decompilation is not needed, and that efficiency is higher.

Image-based malware detection methods have made some progress. For example, Ding et al. convert the .dex file into a grayscale image and classify the malware using a Convolutional Neural Network (CNN), achieving an accuracy of 95.6%; Singh et al. propose a classification method based on gray-level co-occurrence matrix (GLCM) and Local Binary Pattern (LBP) features, with an accuracy of 93.24%. In addition, there are studies on improving malware detection accuracy by using RGB images, which can store different types of code information in the R, G and B channels respectively. Wang et al. reach an accuracy of up to 97.84% by converting DEX and XML files into RGB images and classifying using multiple classes of features.

While these approaches have achieved good results in traditional malware detection, image-based malware detection also faces new challenges with the advent of adversarial samples (e.g., modifying image textures or attacking the classifier itself to bypass detection). Malware developers can bypass existing detection models through carefully designed adversarial perturbations, thereby reducing detection accuracy. Thus, current image-based malware detection techniques still have a number of problems. In particular, a malware developer can generate an adversarial sample by fine-tuning an input image, so that the detection effect is greatly reduced. To address this challenge, new detection methods are needed that not only effectively identify traditional malware but also have enhanced resistance to adversarial samples.

Disclosure of Invention

The invention aims to provide a malicious code detection method, system and medium based on improved GhostNetV2, so as to solve the technical problems in the prior art.

The invention is realized by the following technical scheme:

In a first aspect, a malicious code detection method based on improved GhostNetV2 provided by an embodiment of the present invention includes: extracting binary files of the Android software code to be detected, and converting the binary files into RGB images; performing image enhancement processing on the RGB image by using a local histogram equalization algorithm; converting the RGB image into a single-channel image, and extracting corresponding image texture features; and inputting the image texture features into a trained lightweight malware detection model of the improved GhostNetV2 for detection, so as to obtain a detection result.

In a second aspect, the embodiment of the invention provides a malicious code detection system based on improved GhostNetV2, which comprises a code imaging module, an image enhancement module, a texture feature extraction module and a detection module; the code imaging module is used for extracting binary files of the Android software code to be detected and converting the binary files into RGB images; the image enhancement module is used for carrying out image enhancement processing on the RGB image by using a local histogram equalization algorithm; the texture feature extraction module is used for converting the RGB image into a single-channel image and extracting corresponding image texture features; the detection module is used for inputting the image texture features into a trained lightweight malware detection model of the improved Gh