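1. School of Computer Science and School of Cyberspace Security, Nanjing University of Information Science and Technology, Nanjing, Jiangsu 210044
2. China Aerospace Academy of Systems Science and Engineering, Beijing 100037
3. Pangu Business Unit, Qi An Xin Technology Group Inc., Beijing 100044
4. College of Cryptology and Cyber Science, Nankai University, Tianjin 300071
CHEN Zhiguo (1988- ), male, born in Nanjing, Jiangsu, Ph.D., associate professor. His main research interests include information security, distributed algorithms, cloud computing, and virtual reality.
XIE Xue, xiexue2008@163.com
Received: 2026-02-03
Revised: 2026-04-08
Accepted: 2026-04-09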
CHEN Zhiguo, ZHAO Pan, XIE Xue, et al. Lightweight malware classification method based on heterogeneous feature collaboration[J/OL]. Journal on Communications, 2026. DOI: 10.11959/j.issn.1000-436x.TXXB260078.
To address the insufficient information coverage of single features in static malware classification, and the high computational complexity and limited deployability of multi-feature fusion models, this paper proposes a lightweight multi-feature collaborative modeling method for resource-constrained scenarios. The method combines opcode sequences with static API call information to characterize malware behavior along two dimensions: instruction execution structure and system interaction. In the opcode branch, multi-scale residual modeling strengthens the representation of local instruction patterns and long-range dependencies. To handle the sparsity and redundancy of high-dimensional API features, the API branch introduces a triplet semantic chain representation that refines discrete calls into structured functional information, improving the expression of high-level functional semantics and suppressing redundancy. In the classification stage, a position-aware multi-head self-attention mechanism dynamically fuses and jointly models the two feature types, keeping model size under control while preserving classification accuracy. Experiments show that the method achieves accuracies of 99.53% and 99.4% on the BIG2015 and enterprise-level PE datasets, respectively, with a total of 30.2 MFLOPs, providing a high-accuracy, low-overhead solution for malware classification in resource-constrained scenarios.