Malware family classification method based on abstract assembly instructions
Cite this article: LI Yu, LUO Senlin, HAO Jingwei, PAN Limin. Malware family classification method based on abstract assembly instructions [J]. Journal of Beijing University of Aeronautics and Astronautics, 2022, 48(2): 348-355.
Authors: LI Yu, LUO Senlin, HAO Jingwei, PAN Limin
Institution: School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China
Funding: Ministry of Industry and Information Technology 2020 Information Security Software Project (CEIEC-2020-ZM02-0134)
Abstract: The large number of malware variants poses a serious threat to network security. In malware family classification methods based on assembly instructions, operand semantics are closely tied to the runtime environment and therefore hard to extract; the resulting loss of instruction semantics makes it difficult to classify malware variants correctly. This paper proposes a malware family classification method based on abstract assembly instructions. Instructions are reconstructed by abstracting operand types, so that operand semantics are freed from the constraints of the runtime environment. A word attention mechanism and a bidirectional gated recurrent unit (Bi-GRU) are used to build an instruction embedding network that captures instruction behaviour semantics, and a bidirectional recurrent neural network (Bi-RNN) learns the instruction sequences common to a malware family, reducing the interference of variant techniques with the instruction sequence. The original instructions and the family-common instruction sequences are fused to construct feature images, and a convolutional neural network performs the malware family classification. Experimental results on a public dataset show that the proposed method effectively extracts operand information, resists the interference of irrelevant instructions in malware variants, and classifies malware variants into families.

Keywords: malware family classification; visualization; abstract assembly instructions; convolutional neural network; bidirectional recurrent neural network (Bi-RNN); word attention mechanism
Received: 2020-09-30

Malware family classification method based on abstract assembly instructions
LI Yu,LUO Senlin,HAO Jingwei,PAN Limin.Malware family classification method based on abstract assembly instructions[J].Journal of Beijing University of Aeronautics and Astronautics,2022,48(2):348-355.
Authors:LI Yu  LUO Senlin  HAO Jingwei  PAN Limin
Institution:School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China
Abstract: The proliferation of malware variants poses a serious threat to network security. In malware family classification methods based on assembly instructions, operand semantics are closely tied to the runtime environment and are difficult to extract, so instruction semantics are lost and malware variants are hard to classify correctly. A malware family classification method based on abstract assembly instructions is proposed. Instructions are reconstructed by abstracting operand types, so that operand semantics are separated from the constraints of the runtime environment. A word attention mechanism and a bidirectional gated recurrent unit (Bi-GRU) are used to construct an instruction embedding network that captures instruction behaviour semantics; combined with a bidirectional recurrent neural network (Bi-RNN), the instruction sequences common to a malware family are learned, reducing the interference of variant techniques with the instruction sequence. The original instructions and the family-common instruction sequences are fused to construct feature images, and malware family classification is performed with a convolutional neural network. Experimental results on a public dataset show that the proposed method effectively extracts operand information, resists the interference of irrelevant instructions in malware variants, and classifies malware variants into families.
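The operand abstraction step that the abstract describes, reconstructing each instruction from its mnemonic and operand types so that concrete addresses and register choices no longer matter, as an added illustration that is not the authors' code; the token names REG/IMM/MEM, the Intel-syntax parsing and the sample disassembly are this example's own assumptions.

```python
import re

# Constructed sample disassembly (Intel syntax); not taken from the paper's dataset.
SAMPLE = [
    "mov eax, 0x401000",
    "mov ebx, [ebp+0x8]",
    "add eax, ebx",
    "push dword ptr [esp+0x1c]",
    "call 0x402f10",
    "jmp short 0x401234",
    "lea edi, [eax*4+0x10]",
    "ret",
]
# Registers the abstractor recognises (our own token scheme, not the paper's).
REGISTERS = {
    "eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
    "ax", "bx", "cx", "dx", "si", "di", "bp", "sp",
    "al", "bl", "cl", "dl", "ah", "bh", "ch", "dh",
}
IMMEDIATE = re.compile(r"^(0x[0-9a-f]+|-?[0-9]+)$")

def abstract_operand(operand):
    """Map one operand to its type token, discarding the concrete value."""
    op = operand.strip().lower()
    if "[" in op:  # any bracketed expression is a memory reference
        return "MEM"
    op = (op.split() or [""])[-1]  # drop size/branch hints such as "dword ptr", "short"
    if op in REGISTERS:
        return "REG"
    if IMMEDIATE.match(op):  # constants, absolute addresses, call/jump targets
        return "IMM"
    return "UNK"  # unrecognised operand, left visible rather than guessed

def abstract_instruction(line):
    """Rewrite 'mnemonic op1, op2' as 'mnemonic TYPE1 TYPE2'."""
    parts = line.strip().split(None, 1)
    if not parts:
        return ""
    if len(parts) == 1:
        return parts[0].lower()
    return " ".join([parts[0].lower()] + [abstract_operand(o) for o in parts[1].split(",")])

def abstract_sequence(lines):
    return [abstract_instruction(l) for l in lines if l.strip()]

if __name__ == "__main__":
    # Constructed variant: same logic, relocated addresses, a different register.
    variant = [l.replace("0x40", "0x50").replace("ebx", "ecx") for l in SAMPLE]
    print(abstract_sequence(SAMPLE))
    print(abstract_sequence(SAMPLE) == abstract_sequence(variant))  # True
```

The relocated variant collapses to exactly the same abstract sequence as the original, which is the property the embedding network downstream relies on.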
Keywords: malware family classification; visualization; abstract assembly instructions; convolutional neural network; bidirectional recurrent neural network (Bi-RNN); word attention mechanism
This article is indexed in Wanfang Data and other databases.