1. Air and Missile Defense College, Air Force Engineering University, Xi'an 710051, Shaanxi, China
2. Air Traffic Control and Navigation College, Air Force Engineering University, Xi'an 710051, Shaanxi, China
WANG Jian, male, born in February 1982 in Weinan, Shaanxi Province. Associate professor at the Air and Missile Defense College, Air Force Engineering University. Research interests: intelligent information processing and malware detection. E-mail: 26471375@qq.com
LIU Qiang, male, born in November 1993 in Weinan, Shaanxi Province. Master's student at Air Force Engineering University. Research interests: intelligent information processing and malware detection. E-mail: dugugongsui@163.com
WANG Lei, female, born in July 1983 in Shangluo, Shaanxi Province. Lecturer at the Air Traffic Control and Navigation College, Air Force Engineering University. Research interests: signal and information processing. E-mail: xiaoci2000@sina.com
Received: 2025-08-11
Accepted: 2025-10-09
Published in print: 2025-10-25
Cite as: WANG Jian, LIU Qiang, WANG Lei. A Malware Classification Method Based on MP-FSCIL[J]. Acta Electronica Sinica, 2025, 53(10): 3566-3578. DOI: 10.12263/DZXB.20250692
Abstract: Malware families mutate continuously through techniques such as code obfuscation and polymorphic transformation, which shifts the feature space and invalidates the decision boundaries of a trained model; the rapid evolution of zero-day attacks and the few-sample conditions of early detection further aggravate the knowledge degradation and adaptation bottleneck of traditional detection models. To address these problems, this paper proposes MP-FSCIL (Multi-Prototype Few-Shot Class-Incremental Learning), a malicious code classification method based on multi-prototype few-shot class-incremental learning that targets catastrophic forgetting and overfitting in dynamic environments. In the base-class training stage, Large Separable Kernel Attention (LSKA) is fused with a DenseNet backbone to build a feature extractor dedicated to malware images: the large-kernel attention of the LSKA module captures the global features of a malware image, while the dense connections of DenseNet preserve fine-grained local features, which remedies the insufficient capture of key malware-image features by conventional feature extractors. The resulting model reaches a classification accuracy of 99.36% on the Malimg dataset, surpassing the feature extraction performance of existing FSCIL (Few-Shot Class-Incremental Learning) methods on the same dataset. In the new-class adaptation stage, an "adaptive clustering and multi-prototype learning" mechanism is constructed: the G-means algorithm iteratively determines the optimal number of clusters for each new class from the distribution of its malware features, and multi-prototype learning then generates multiple class prototypes for each new class. This addresses the weakness of conventional single-prototype methods in distinguishing malware families with high intra-class feature heterogeneity, and raises the model's accuracy on new classes by 17.23% on average in each incremental session. Cross-dataset class-incremental experiments on the Malimg and Microsoft Big 2015 datasets verify the effectiveness of the model under realistic malware evolution. The results show that MP-FSCIL learns new-class features well while retaining its memory of old classes: compared with existing methods, it improves classification accuracy on all classes by 8.89% and lowers the performance degradation rate in the last incremental session to 12.21%. With only 16.18 M parameters and an inference time of 12.6 ms per sample, the model is suitable for practical deployment and provides a robust, scalable solution for malware detection in open, dynamic environments.
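The "adaptive clustering and multi-prototype learning" step of the abstract can be shown in code. The following Python example is added here and is not code from the paper or its authors: it implements G-means (start from one cluster, split a cluster when its projection onto its own 2-means split axis fails an Anderson-Darling normality test) to decide how many prototypes a class receives, stores those prototypes in a nearest-prototype classifier, and appends a new class in a later session without modifying the prototypes of earlier sessions. The 2-D feature vectors are constructed stand-ins for the LSKA-DenseNet embeddings, the farthest-point seeding of the 2-means split and the critical value 1.8692 are simplifications chosen for this example, and the family names, function names and class names are invented.

```python
import math
import random
# 1.8692 is the Anderson-Darling critical value (alpha = 0.0001) quoted in the G-means
# paper by Hamerly & Elkan; both constants here are choices made for this example.
AD_CRITICAL = 1.8692
MIN_SPLIT_SIZE = 8  # never try to split very small clusters

def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def _mean(points):
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))

def kmeans(points, centers, iters=50):
    """Lloyd's k-means from the given initial centers; returns (centers, groups)."""
    centers = [tuple(c) for c in centers]
    for _ in range(iters):
        groups = [[] for _ in centers]
        for p in points:
            groups[min(range(len(centers)), key=lambda j: _dist2(p, centers[j]))].append(p)
        new = [_mean(g) if g else centers[j] for j, g in enumerate(groups)]
        if new == centers:
            break
        centers = new
    return centers, groups

def _two_seed(points):
    """2-means seeds: the point farthest from the centroid, then the point farthest from it."""
    c = _mean(points)
    a = max(points, key=lambda p: _dist2(p, c))
    return [a, max(points, key=lambda p: _dist2(p, a))]

def anderson_darling(xs):
    """A^2 normality statistic (mean/variance from the sample) with G-means' small-sample correction."""
    n, mu = len(xs), sum(xs) / len(xs)
    sd = math.sqrt(sum((x - mu) ** 2 for x in xs) / (n - 1))
    if sd == 0.0:
        return 0.0
    z = sorted((x - mu) / sd for x in xs)
    cdf = lambda t: 0.5 * (1.0 + math.erf(t / math.sqrt(2.0)))
    s = sum((2 * i + 1) * (math.log(max(cdf(z[i]), 1e-300))
                           + math.log(max(1.0 - cdf(z[n - 1 - i]), 1e-300))) for i in range(n))
    return (-n - s / n) * (1.0 + 4.0 / n - 25.0 / n ** 2)

def gmeans(points, max_k=8):
    """Grow from one center; split a cluster whose projection onto its own 2-means split axis is non-Gaussian."""
    points = [tuple(p) for p in points]
    centers = [_mean(points)]
    while len(centers) < max_k:
        centers, groups = kmeans(points, centers)
        new_centers = []
        for c, g in zip(centers, groups):
            if len(g) < MIN_SPLIT_SIZE:
                new_centers.append(c)
                continue
            (c1, c2), _ = kmeans(g, _two_seed(g))
            v = tuple(x - y for x, y in zip(c1, c2))
            vv = sum(t * t for t in v)
            if vv > 0 and anderson_darling([sum(x * t for x, t in zip(p, v)) / vv for p in g]) > AD_CRITICAL:
                new_centers.extend([c1, c2])  # non-Gaussian along the split axis: keep both children
            else:
                new_centers.append(c)
        if len(new_centers) == len(centers):
            break
        centers = new_centers
    return kmeans(points, centers)[0]

class MultiPrototypeClassifier:
    """Nearest-prototype classifier; prototypes from earlier sessions are never modified."""
    def __init__(self):
        self.prototypes = []  # list of (center, label)
    def add_class(self, label, features, max_k=8):
        # G-means decides how many prototypes this class gets; old entries stay untouched
        self.prototypes.extend((c, label) for c in gmeans(features, max_k))
    def prototypes_for(self, label):
        return [c for c, lab in self.prototypes if lab == label]
    def predict(self, x):
        return min(self.prototypes, key=lambda pl: _dist2(x, pl[0]))[1]

def single_prototype_predict(classes, x):
    """Baseline with one prototype (the class mean) per class, for comparison."""
    means = {lab: _mean(list(f)) for lab, f in classes.items()}
    return min(means, key=lambda lab: _dist2(x, means[lab]))

def demo_sessions():
    """Constructed 2-D stand-ins for embeddings: family_a has two separated variants, family_b one."""
    rng = random.Random(7)
    blob = lambda cx, cy, n, s: [(cx + rng.gauss(0, s), cy + rng.gauss(0, s)) for _ in range(n)]
    fams = {"family_a": blob(0.0, 0.0, 40, 0.3) + blob(10.0, 10.0, 40, 0.3),
            "family_b": blob(5.0, -5.0, 60, 0.5)}
    clf = MultiPrototypeClassifier()
    clf.add_class("family_a", fams["family_a"])  # base session
    clf.add_class("family_b", fams["family_b"])  # incremental session
    return clf, fams

if __name__ == "__main__":
    clf, fams = demo_sessions()
    probe = (1.0, -1.0)  # beside family_a's first variant, yet closer to family_b's class mean
    print({lab: len(clf.prototypes_for(lab)) for lab in fams})
    print("multi-prototype:", clf.predict(probe), "| single-prototype:", single_prototype_predict(fams, probe))
```

Running the script shows why the abstract's multi-prototype design matters for heterogeneous families: G-means assigns family_a two prototypes and family_b one, so a sample next to family_a's first variant is classified correctly, whereas a single mean prototype per class sits between family_a's two variants and hands the same sample to family_b. Because the second session only appends prototypes, the first session's decision regions are left exactly as they were, which is the mechanism by which prototype-based FSCIL avoids overwriting old-class knowledge; a real system would replace the 2-D blobs with feature-extractor embeddings and tune the critical value to the embedding dimension.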