Disclosure of Invention
In view of the above, the present disclosure provides a method for dynamically detecting simulated android malware based on enhanced deep learning, so as to solve the above technical problems.
The technical proposal provided by the invention is that, in particular,
the method comprises the steps of constructing a simulated android malicious software dynamic detection model based on the enhanced deep learning;
based on the model, the method comprises:
carrying out data preprocessing on input data, and then inputting the preprocessed data into a heterogeneous redundancy model structure; the heterogeneous redundancy model structure comprises three functionally equivalent heterogeneous redundancies, which are respectively: an enhanced LSTM model, an enhanced GRU model, and an enhanced capsule network model;
and randomly distributing the preprocessed input data through the dynamic detection model, randomly selecting an enhanced LSTM model, an enhanced GRU model or an enhanced capsule network model for training, obtaining output data, and completing dynamic detection of the android malicious software.
The defending performance of the android malicious software dynamic detection model is expressed as follows:
the execution body A1 is an enhanced LSTM model, the execution body A2 is an enhanced GRU model, and the execution body A3 is an enhanced capsule network model;
assuming that the probability of the single successful attack of the enhanced LSTM model by the attacker in the execution body is PLSTM, the probability of the single successful attack of the enhanced GRU model by the attacker is PGRU, and the probability of the single successful attack of the enhanced capsule network model by the attacker is PCapsule; the probability of successful attack to the dynamic detection model of android malware based on mimicry can be calculated as follows:
P=P LSTM *V i +P GRU *V i +P Capsule *V i (1)
wherein V is i Representing the probability of the random selection of the three executives A1, A2, A3 as a training learning model, V i The values of (2) are as follows:
the probabilities of the three executives A1, A2 and A3 being attacked successfully independently are PLSTM, PGRU, PCapsule and PLSTM, PGRU, PCapsule respectively, all belong to the [0,1] interval, and the probability P of the successful attack of the whole dynamic android malicious software detection model based on the mimicry architecture meets the following inequality:
min{P LSTM ,P GRU ,P Capsule }≤P≤max{P LSTM ,P GRU ,P Capsule } (3)
the enhanced LSTM model is obtained by inputting x t Enhancement processing x t =x t +x t-1 For cell state c t Enhancement treatment c t =c t +c t-1 Capturing input x using enhanced LSTM model t And cell state c t More history of API call sequence information;
when the time step is t, inputting x to the enhanced LSTM hidden unit t =x t +x t-1 This allows the input at each time step t to include the input x of the last time step t-1 t-1 C is increased t =c t +c t-1 The method comprises the steps of carrying out a first treatment on the surface of the The enhanced LSTM hidden unit further comprises a hidden state h t-1 Cell state c at time step t-1 t-1 The enhanced LSTM hidden unit outputs a hidden state h comprising a time step t t And cell state c of time step t t 。
The information flow of the enhanced LSTM model is:
1): updating an input value x of an enhanced LSTM hidden unit at time step t t =x t +x t-1 I.e. the input value x of the LSTM hidden unit enhanced at time step t t And the input value x of the enhanced LSTM hidden unit at time step t-1 t-1 Adding to obtain updated x t X is updated t As input data for the enhanced LSTM hidden unit at time step t;
x t =x t +x t-1 (4)
2): calculating forgetting value f of enhanced LSTM hidden unit at time step t t The method comprises the steps of carrying out a first treatment on the surface of the Input x of LSTM hidden unit enhanced at time step t t Enhanced hidden state h of LSTM hidden unit at time step t-1 t-1 And the cell status value c of the enhanced LSTM hidden unit at time step t-1 t-1 Leading in a sigmoid activation function to obtain the forgetting value f of the enhanced LSTM hidden unit at the time step t t ;
The sigmoid activation function expression is:
f t =sigmoid(x t W xf +h t-1 W hf +c t-1 W cf +b f ) (6)
wherein W is xf ,W hf ,W cf Is to calculate the forgetting value f t Weight matrix, b, as needed f Is a bias matrix;
3): will beInput x in enhanced LSTM hidden unit at time step t t Enhanced hidden state h of LSTM hidden unit at time step t-1 t-1 And the cell status value c of the enhanced LSTM hidden unit at time step t-1 t-1 Leading into a sigmoid activation function to obtain an input value i of an enhanced LSTM hidden unit at time step t t ;
i t =sigmoid(x t W xi +h t-1 W hi +c t-1 W ci +b i ) (7)
W xi ,W hi ,W ci Are respectively with x t ,h t-1 ,c t-1 Corresponding weight matrix, b i Is a bias matrix;
4): input x of LSTM hidden unit enhanced at time step t t And the hidden state h of the enhanced LSTM hidden unit at time step t-1 t-1 Leading into tanh activation function, and obtaining candidate cell state value of enhanced LSTM hidden unit at time step t
W xc ,W hc Are respectively with x t ,h t-1 Corresponding weight matrix, b c Is a bias matrix;
5): cell status value c of enhanced LSTM hidden unit at time step t-1 t-1 And the forgetting value f of the enhanced LSTM hidden unit at time step t t Candidate cell state values for enhanced LSTM hidden units at time step t by Hadamard productAnd the input value i of the enhanced LSTM hidden unit at time step t t Performing Hadamard product, and adding the obtained two Hadamard product results to obtain the cell state value c of the enhanced LSTM hidden unit at time step t t ;
c t =c t +c t-1 (10)
6): cell state value c of enhanced LSTM hidden unit at time step t t =c t +c t-1 Cell state value c of enhanced LSTM hidden unit at time step t t And the cell status value c of the enhanced LSTM hidden unit at time step t-1 t-1 Added updated c t ;
7): input x of enhanced LSTM hidden unit at time step t-1 t Enhanced hidden state h of LSTM hidden unit at time step t-1 t-1 And a cell state value c of the enhanced LSTM hidden unit at time step t t Leading into sigmoid activation function, and obtaining output value o of enhanced LSTM hidden unit at time step t t ,
o t =sigmoid(x t W xo +h t-1 W ho +c t W co +b o ) (11)
W xo ,W ho ,W co Are respectively with x t ,h t-1 ,c t Corresponding weight matrix, b o Is a bias matrix;
8): cell state value c of enhanced LSTM hidden unit at time step t t Leading in the tanh activation function to obtain a result and an output value o of the enhanced LSTM hidden unit at the time step t t And (3) carrying out Hadamard product to finally obtain a hidden state value h of the enhanced LSTM hidden unit at the time of the time step t t ;
h t =o t *tanh(c t ) (12)
The enhanced GRU model is obtained by inputting x t Enhancement processing x t =x t +x t-1 Such that the input data at time step t comprisesThe input of the current time step and the input information at the last time step t-1.
The information flow of the enhanced GRU model is as follows:
1): updating the input value x of the GRU model enhanced at time step t t =x t +x t-1 I.e. the input value x of the GRU model enhanced at time step t t And the input value x of the GRU model enhanced at time step t-1 t-1 Added updated x t X is updated t As input data for the GRU model enhanced at time step t;
x t =x t +x t-1 (13)
2): computing reset gate r of GRU model enhanced at time step t t The method comprises the steps of carrying out a first treatment on the surface of the Input x of GRU model enhanced at time step t t And hidden state h of GRU model enhanced at time step t-1 t-1 Importing to a sigmoid activation function to obtain a reset value r of the GRU model enhanced at the time step t t ;
r t =sigmoid(W r *[h t-1 ,x t ]) (14)
W r Is a corresponding weight matrix;
3): computing an update gate u of an enhanced GRU model at time step t t The method comprises the steps of carrying out a first treatment on the surface of the Input x of GRU model enhanced at time step t t Hidden state h of GRU model enhanced at time step t-1 t-1 Importing to a sigmoid activation function to obtain an updated value u of the GRU model enhanced at time step t t ;
u t =sigmoid(W z *[h t-1 ,x t ]) (15)
4): reset gate r of GRU model enhanced at time step t t And hidden state h of GRU model enhanced at time step t-1 t-1 Making Hadamard product; the obtained result and the input value x of the GRU model enhanced at the time step t are then combined t Leading into tanh activation function, and obtaining candidate hidden state value of GRU model enhanced at time step t
the tanh activation function expression is:
5): will be 1-u t And (3) withUpdate gate u of GRU model enhanced in time step t by Hadamard product t And h t-1 Carrying out Hadamard product, and combining two Hadamard product results to obtain the hidden state h of the reinforced GRU model at the time step t t ;
x t Representing the input x at time step t t Enhancing input values of treated GRU cells, h t-1 Is the hidden state value at time step t-1, h t Is the hidden state value at time step t, sigma represents the corresponding activation function, r t Reset gate at time step t, u t For the update gate at time step t,is the candidate hidden state value at time step t.
S for the enhanced capsule network model j +s j-1 To update s of the current capsule unit j The dynamic change condition of the API call sequence can be fully learned.
The information flow of the enhanced capsule network model is as follows:
the required inputs include a predictive vector indicating the number of route iterations r, L-layer capsule units
1): initializing vector b ij In the first iteration, b ij The initial value of the vector b is zero with the change of the iteration number r ij Dynamically updating;
b ij =0 (19)
2): for all L-layer capsule units i, vector b ij Performing softmax operation to obtain vector c i Is a value of (2);
c i =softmax(b ij ) (20)
3): after the coupling coefficient c of all the L-layer capsule units i is obtained ij After that, the information flow will flow to the capsule unit of the upper layer, i.e. the l+1 layer. Input vector s of different capsule units j Is the weighted sum of all possible incoming units, i.e. the coupling coefficient c ij Product sum with all possible prediction vectors;
4): between different neurons of the same layer, the input s of the latter neuron j =s j +s j-1 The degree of connection between the front capsule unit and the rear capsule unit is enhanced;
s j =s j +s j-1 (22)
5): for all vectors s subjected to enhancement processing j Performing the compression operation of the square nonlinear function; vector s j The vector v transmitted to the upper capsule unit is obtained after the compression operation j ;
v j =squash(s j ) (23)
6): weight b ij Carrying out dynamic updating operation, and carrying out weight updating operation after the data in the capsule network completes one unidirectional flow process each time; i.e. using L+1 layersOutput vector v of capsule unit j And the prediction vector obtained from the L-layer capsule unitAnd (3) performing dot product and adding the original weight to update to obtain a new weight, so as to realize dynamic update of the weight. After the step 6) is finished, jumping to the step 3) to restart the process, and repeating r times;
the invention has the beneficial effects that:
the invention provides a simulated android malicious software dynamic detection method based on enhanced deep learning. In the android malicious software dynamic detection model based on the mimicry architecture, the mimicry architecture and the mimicry defense principle are utilized, so that the model can autonomously defend against network attacks, and the defense performance of the model is enhanced.
Therefore, the dynamic android malicious software detection model based on the mimicry architecture can detect the android malicious software and simultaneously ensure that the android malicious software is not bothered by network security, so that the attack resistance of the detection model is enhanced, and the android malicious software detection can be efficiently and accurately carried out by the detection model.
The dynamic android malicious software detection model based on the mimicry architecture not only can ensure the capability of detecting the android malicious software, but also can enhance the anti-attack performance of the model and improve the defending performance of the model.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure of the invention as claimed.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the invention. Rather, they are merely examples of systems consistent with aspects of the invention as detailed in the accompanying claims.
In the prior art, common android malicious software detection methods comprise an android malicious software static detection method: the android software does not need to be really operated, and only static features are collected to be used as input features of the detection model under normal conditions; the android malicious software dynamic detection method comprises the following steps: the method comprises the steps that runtime features of android software are required to serve as input features of a detection model to detect android malicious software; the android malicious software hybrid detection method comprises the following steps: the method is a fusion of a static detection method and a dynamic detection method;
in addition, as security issues in network space are emphasized, mimicry architectures are widely used as mimicry defenses in terms of network security. Mimicry Defense (MD) is an active Defense, and utilizes a non-similar redundancy architecture to implement a multidimensional dynamic reconfiguration mechanism, and under the condition of guaranteeing functional equivalence, utilizes uncertainty of the mimicry architecture to resist the threat of network space. The mimicry architecture plays a great role in network space security.
The embodiment provides a simulated android malicious software dynamic detection method based on enhanced deep learning, which combines a simulated dissimilar redundancy construction principle and provides a simulated android malicious software dynamic detection model based on the enhanced deep learning. The input data is first data pre-processed and then input into the heterogeneous redundancy model structure. As shown in fig. 1, in the dynamic detection model of android malware based on mimicry architecture, there are three functionally equivalent heterogeneous redundancies. One is an enhanced LSTM model, one is an enhanced GRU model, and the other is an enhanced capsule network model. The preprocessed input data is randomly distributed through a model, and learning prediction is randomly selected based on an enhanced LSTM model, an enhanced GRU model or an enhanced capsule network model. The input data is randomly selected to enter an enhanced LSTM model, an enhanced GRU model or an enhanced capsule network model for training, and output data is obtained.
In the dynamic android malicious software detection model based on the mimicry architecture, the enhanced LSTM model, the enhanced GRU model and the enhanced capsule network model improve the detection of the malicious software and improve the accuracy of the detection of the malicious software. By referring to the mimicry dissimilar redundancy construction principle, the android malicious software dynamic detection model based on the mimicry architecture has certain defenses and higher safety.
In the android malicious software dynamic detection model based on the mimicry architecture, the mimicry architecture and the mimicry defense principle are utilized, so that the model can autonomously defend against network attacks, and the defense performance of the model is enhanced. Therefore, the dynamic android malicious software detection model based on the mimicry architecture can detect the android malicious software and simultaneously ensure that the android malicious software is not bothered by network security, so that the attack resistance of the detection model is enhanced, and the android malicious software detection can be efficiently and accurately carried out by the detection model. The dynamic android malicious software detection model based on the mimicry architecture not only can ensure the capability of detecting the android malicious software, but also can enhance the anti-attack performance of the model and improve the defending performance of the model. Therefore, the embodiment considers the defending performance of the dynamic android malicious software detection model based on the mimicry architecture;
first, in the defending performance of the dissimilar redundancy structure, if there are 4 functionally equivalent executors in an execution set in one dissimilar redundancy structure, each time an attacker wants to attack the dissimilar redundancy structure, the attacker needs to provide an interference sample to realize interference on the input data set, so as to attack the dissimilar redundancy structure.
Since the plurality of executives are functionally equivalent different algorithms, the attack success rate for different executives in the executives set is different when an attacker attacks the dissimilar redundancy structure because the properties of the different algorithms are different. It is assumed that four functionally equivalent execution volumes among the execution volumes are an execution volume A1, an execution volume A2, an execution volume A3, and an execution volume A4, respectively. The probability that the executing body A1 is singly and successfully attacked by an attacker is PA1, the probability that the executing body A2 is singly and successfully attacked by the attacker is PA2, the probability that the executing body A3 is singly and successfully attacked by the attacker is PA3, and the probability that the executing body A4 is singly and successfully attacked by the attacker is PA4. The probability P of a successful attack on the entire non-similar redundancy construct can be calculated by the following formula:
P=P A1 *V i +P A2 *V i +P A3 *V i +P A4 *V i (25)
wherein V is i Representing the probability of the random selection of the three executives A1, A2, A3, A4 as a training learning model, V i Wherein n represents the number of executives in the set of executives:
the probabilities of the four executives A1, A2, A3 and A4 being attacked successfully independently are PA1, PA2, PA3 and PA4 respectively, and PA1, PA2, PA3 and PA4 all belong to the [0,1] interval, and the probability P of the successful attack of the whole dynamic redundancy architecture satisfies the following inequality:
min{P A1 ,P A2 ,P A3 ,P A4 }≤P≤max{P A1 ,P A2 ,P A3 ,P A4 } (27)
defensive performance of dynamic android malicious software detection model based on mimicry architecture
When an android malicious software dynamic detection model based on a mimicry architecture is attacked, an attacker needs to provide an android malicious software countermeasure sample first. And the generated android malicious software countermeasure sample is taken into the data set of the android malicious software detection, the input data of the dynamic android malicious software detection model based on the mimicry architecture is interfered, so that the attack of the dynamic android malicious software detection model based on the mimicry architecture is performed, and the experiment result is analyzed, so that the defending performance of the dynamic android malicious software detection model based on the mimicry architecture is illustrated.
As shown in fig. 2, there are three executives in the dynamic android malware detection model based on the mimicry architecture, where the executor A1 is an enhanced LSTM model, the executor A2 is an enhanced GRU model, and the executor A3 is an enhanced capsule network model.
Assuming that the probability of the enhanced LSTM model being singly and successfully attacked by an attacker in an executing body is PLSTM, the probability of the enhanced GRU model being singly and successfully attacked by the attacker is PGRU, and the probability of the enhanced capsule network model being singly and successfully attacked by the attacker is PCapsule. The probability of successful attack to the dynamic detection model of android malware based on mimicry architecture can be calculated as follows:
P=P LSTM *V i +P GRU *V i +P Capsule *V i (1)
wherein,V i representing the probability of the random selection of the three executives A1, A2, A3 as a training learning model, V i The values of (2) are as follows:
the probabilities of the three executives A1, A2 and A3 being attacked successfully independently are PLSTM, PGRU, PCapsule and PLSTM, PGRU, PCapsule respectively, all belong to the [0,1] interval, and the probability P of successful attack of the whole dynamic android malicious software detection model based on the mimicry architecture meets the following inequality:
min{P LSTM ,P GRU ,P Capsule }≤P≤max{P LSTM ,P GRU ,P Capsule } (3)
in most cases, android software provides its functionality by representing basic behavior using API call sequences, permissions, intents, and the like. However, analysis of Android malware shows that these basic behaviors in applications are likely to be accepted as part of malicious functionality. For example, consider a spyware, regardless of how much malicious functionality it hides, there is still the basic behavior necessary to access private information from these devices. Thus, semantic representations of basic behavior, such as sequence-based features, will help provide potentially malicious information that is different from traditional grammatical features. Android requires calling different API sequences to implement different functions, and Android malware executes malicious behavior by calling sensitive APIs.
The Android application can be regarded as a series of API method calls because different API sequences are called when the Android software runs. All API calls are not filtered, where the order is a portion of the information used to identify android malware. It represents the temporal relationship between two API method calls and defines the intended subtasks of the application. And the difference in the number of calls of each API is another part of information identifying the android malware.
When normal android software is run, the class, sequence and times of the API call sequence of the android device are different from those of the API call sequence when android malicious software is run. More sensitive APIs are usually called by the android malicious software in the running process, and the calling times of the sensitive APIs are larger than those of the normal android software.
In summary, when the android malware is dynamically detected by taking the android API call sequence as the input feature, the input data should keep the order and the times of the API call sequence as much as possible. The overlong input sequence is unfavorable for the deep learning model to dynamically detect the android malicious software, because the deep learning model has limited learning ability on long-distance serialized data.
In order to solve the above problems, the present embodiment proposes an android malware dynamic detection method based on an enhanced LSTM model. In order to enable the LSTM model to better learn historical dynamic changes of the android malicious software in the running process, an enhanced deep learning model is provided, and the detection efficiency of the model on the android malicious software is improved.
The principle of the enhanced LSTM model is as follows: enhanced LSTM model by inputting x t Enhancement processing x t =x t +x t-1 For cell state c t Enhancement treatment c t =c t +c t-1 The input data and the cell state value can transmit more historical API call sequence information, not only the API call sequence information of the current time point. It is proposed to capture input x using enhanced LSTM model t And cell state c t More historical conditions of the API call sequence information are adopted, so that the detection capability of the enhanced LSTM model on android malicious software is improved.
When the time step is t, for the enhanced LSTM hidden unit, its input x t =x t +x t-1 This allows the input at each time step t to include the input x of the last time step t-1 t-1 C is increased t =c t +c t-1 By the aid of the method, more historical data flow in the network, and learning capacity of the model on the historical data is enhanced. In addition to this, the enhanced LSTM concealment unit also includes concealmentState h t-1 Cell state c at time step t-1 t-1 The enhanced LSTM hidden unit outputs a hidden state h comprising a time step t t And cell state c of time step t t 。
As shown in fig. 3, the information flow of the enhanced LSTM model is as follows:
the first step: updating an input value x of an enhanced LSTM hidden unit at time step t t =x t +x t-1 I.e. the input value x of the LSTM hidden unit enhanced at time step t t And the input value x of the enhanced LSTM hidden unit at time step t-1 t-1 Added updated x t X is updated t As input data for the enhanced LSTM hidden unit at time step t.
And a second step of: calculating forgetting value f of enhanced LSTM hidden unit at time step t t . Input x of LSTM hidden unit enhanced at time step t t Enhanced hidden state h of LSTM hidden unit at time step t-1 t-1 And the cell status value c of the enhanced LSTM hidden unit at time step t-1 t-1 Leading in a sigmoid activation function to obtain the forgetting value f of the enhanced LSTM hidden unit at the time step t t . Wherein W is xf ,W hf ,W cf Is to calculate the forgetting value f t Weight matrix, b, as needed f Is a bias matrix.
And a third step of: input x of LSTM hidden unit enhanced at time step t t Enhanced hidden state h of LSTM hidden unit at time step t-1 t-1 And the cell status value c of the enhanced LSTM hidden unit at time step t-1 t-1 Leading into a sigmoid activation function to obtain an input value i of an enhanced LSTM hidden unit at time step t t . In the calculation of i t In the process, W xi ,W hi ,W ci Are respectively with x t ,h t-1 ,c t-1 Corresponding weight matrix, b i Is a bias matrix.
Fourth step: input x of LSTM hidden unit enhanced at time step t t And the hidden state h of the enhanced LSTM hidden unit at time step t-1 t-1 Leading into tanh activation function, and obtaining candidate cell state value of enhanced LSTM hidden unit at time step tIn calculating candidate cell State values +.>In the process, W xc ,W hc Are respectively with x t ,h t-1 Corresponding weight matrix, b c Is a bias matrix.
Fifth step: cell status value c of enhanced LSTM hidden unit at time step t-1 t-1 And the forgetting value f of the enhanced LSTM hidden unit at time step t t Candidate cell state values for enhanced LSTM hidden units at time step t by Hadamard productAnd the input value i of the enhanced LSTM hidden unit at time step t t Performing Hadamard product, and adding the obtained two Hadamard product results to obtain the cell state value c of the enhanced LSTM hidden unit at time step t t 。
Sixth step: cell state value c of enhanced LSTM hidden unit at time step t t =c t +c t-1 Cell state value c of enhanced LSTM hidden unit at time step t t And the cell status value c of the enhanced LSTM hidden unit at time step t-1 t-1 Added updated c t 。
Seventh step: input x of enhanced LSTM hidden unit at time step t-1 t Enhanced hidden state h of LSTM hidden unit at time step t-1 t-1 And a cell state value c of the enhanced LSTM hidden unit at time step t t Leading into sigmoid activation function, and obtaining output value o of enhanced LSTM hidden unit at time step t t In calculating the output value o t In the process, W xo ,W ho ,W co Are respectively with x t ,h t-1 ,c t Corresponding weight matrix, b o Is a bias matrix.
Eighth step: cell state value c of enhanced LSTM hidden unit at time step t t Leading in the tanh activation function to obtain a result and an output value o of the enhanced LSTM hidden unit at the time step t t And (3) carrying out Hadamard product to finally obtain a hidden state value h of the enhanced LSTM hidden unit at the time of the time step t t 。
Wherein, the sigmoid activation function expression is:
the tanh activation function expression is:
the formula for the hidden unit (time step t) of the enhanced LSTM model is as follows:
x t =x t +x t-1 (4)
f t =sigmoid(x t W xf +h t-1 W hf +c t-1 W cf +b f ) (6)
i t =sigmoid(x t W xi +h t-1 W hi +c t-1 W ci +b i ) (7)
c t =c t +c t-1 (10)
o t =sigmoid(x t W xo +h t-1 W ho +c t W co +b o ) (11)
h t =o t *tanh(c t ) (12)
the training algorithm for malware dynamic detection based on the enhanced LSTM model is as follows:
the android malicious software dynamic detection method based on the enhanced deep learning carries out detection on the android malicious software by learning the dynamic change information of the API call sequence of the android software. Enhanced LSTM model by using x t =x t +x t-1 As input, each time of input data better contains the history data input before, c is increased t =c t +c t-1 The step ensures that the cell state value input into the model each time comprises the cell state value of the last time step, and improves the ability of the model to learn dynamic change data.
The principle of the enhanced GRU model is implemented by inputting x into t Enhancement processing x t =x t +x t-1 The input data at the time step t not only comprises the input of the current time step, but also comprises the input information at the last time step t-1. In the enhanced GRU model, the input data is able to pass more historical API call sequence information. The input enhanced GRU model can learn the history information of the input data better in the training and testing process, so that the detection accuracy of the android malicious software is improved.
Wherein the unit structure of the enhanced GRU is shown in FIG. 3, x in the model diagram t Representing input of time step tx t Enhancing input values of treated GRU cells, h t-1 Is the hidden state value at time step t-1, h t Is the hidden state value at time step t, sigma represents the corresponding activation function, r t Reset gate at time step t, u t For the update gate at time step t,is the candidate hidden state value at time step t.
As shown in fig. 2, the information flow of the enhanced GRU model is as follows:
the first step: updating the input value x of the GRU model enhanced at time step t t =x t +x t-1 I.e. the input value x of the GRU model enhanced at time step t t And the input value x of the GRU model enhanced at time step t-1 t-1 Added updated x t X is updated t As input data for the enhanced GRU model at time step t.
And a second step of: computing reset gate r of GRU model enhanced at time step t t . Input x of GRU model enhanced at time step t t And hidden state h of GRU model enhanced at time step t-1 t-1 Importing to a sigmoid activation function to obtain a reset value r of the GRU model enhanced at the time step t t 。W r Is a corresponding weight matrix.
And a third step of: computing an update gate u of an enhanced GRU model at time step t t . Input x of GRU model enhanced at time step t t Hidden state h of GRU model enhanced at time step t-1 t-1 Importing to a sigmoid activation function to obtain an updated value u of the GRU model enhanced at time step t t 。
Fourth step: reset gate r of GRU model enhanced at time step t t And hidden state h of GRU model enhanced at time step t-1 t-1 Hadamard product is formed. The obtained result and the input value x of the GRU model enhanced at the time step t are then combined t Leading into tanh activation function, and obtaining candidate hidden state value of GRU model enhanced at time step t
Fifth step: will be 1-u t And (3) withUpdate gate u of GRU model enhanced in time step t by Hadamard product t And h t-1 Carrying out Hadamard product, and combining two Hadamard product results to obtain the hidden state h of the reinforced GRU model at the time step t t 。
The formula for inputting hidden units (time step t) of the enhanced LSTM model is as follows:
x t =x t +x t-1 (13)
r t =sigmoid(W r *[h t-1 ,x t ]) (14)
u t =sigmoid(W z *[h t-1 ,x t ]) (15)
in the enhanced GRU model, input data are input to an input layer in batches, flow through a circulating layer halfway, and finally the data obtain a classification result through an output layer. Firstly, the running API call sequence of the android application software is subjected to data preprocessing to obtain serialized data suitable for training and learning. The experimental data set is divided into a corresponding training set, a test set and a verification set according to the proportion.
The data enters an enhanced GRU model through the input layer, and then the circulation layer learns the dynamic change information of the API call sequence when the android software runs. The nerve cells in the circulating layer of the enhanced GRU model are all connected end to end, and the input of the following nerve cell is the output of the previous nerve cell. And finally, outputting the detection result of the android malicious software through an output layer.
The training algorithm for malware dynamic detection based on the enhanced GRU model is as follows:
in the enhanced capsule network model, the enhanced capsule network performs enhancement processing on a dynamic routing algorithm, and s is added on the original dynamic routing formula j =s j +s j-1 . This makes s in the capsule network j The information of the last capsule unit can be carried, and the learning ability of the capsule network to the historical information is enhanced. Longer API call sequences were intercepted during the experiment in order to better learn the information of the API call sequences. S for enhanced capsule network model j +s j-1 To update s of the current capsule unit j Dynamic change conditions of the API call sequence can be fully learned, so that detection efficiency of malicious software is improved.
The operational flow of the enhanced capsule network model is approximately as follows:
first, in the L-layer capsule network, u 1 And u 2 Is a capsule unit containing a set of neurons, all of which are vectors. Vector u 1 And weight W 11 、W 12 、W 13 、W 14 Multiplication to obtain a predictive vectorVector u 2 And weight W 11 、W 12 、W 13 、W 14 Multiplication to obtain a predictive vector->By +.>Coupling systemNumber c ij The product of (2) and the resulting vector s j . Between different neurons of the same layer, the input s of the latter neuron j =s j +s j-1 The degree of association between the front and rear neurons is enhanced. Finally, for all vectors s subjected to enhancement processing j Performing compression operation of square nonlinear function to obtain output vector v j . Output vector v of capsule unit using l+1 layer j And the resulting prediction vector from the L-layer capsule unit +.>And (3) performing dot product and adding the original weight to update to obtain new weight, wherein the process is the information flow process from the capsule unit of the L layer to the capsule unit of the L+1 layer.
The dynamic detection method of android malicious software based on the enhanced capsule network model has the following formula:
b ij =0 (19)
c i =softmax(b ij ) (20)
s j =s j +s j-1 (22)
v j =squash(s j ) (23)
the detailed procedure for training based on the enhanced capsule network model is as follows:
first the required inputs include a predictive vector indicating the number of route iterations r, L-layer capsule units
Step one: initializing vector b ij In the first iteration, b ij Is zero. Vector b as the number of iterations r varies ij And dynamically updating.
Step two: for all L-layer capsule units i, vector b ij Performing softmax operation to obtain vector c i Is a value of (2). The softmax activation function ensures c ij The value of (c) is not negative and c of the capsule units of the same layer ij The sum of (2) is 1. Because in the first iteration, b ij The initial values of (a) are zero, so that after the first iteration is finished, the coupling coefficients c of different capsule units of the same layer ij Are all equal.
Step three: after the coupling coefficient c of all the L-layer capsule units i is obtained ij After that, the information flow will flow to the capsule unit of the upper layer, i.e. the l+1 layer. In this step, the input vectors s of the different capsule units j Is the weighted sum of all possible incoming units, i.e. the coupling coefficient c ij The product of the sum of all possible prediction vectors.
Step four: between different neurons of the same layer, the input s of the latter neuron j =s j +s j-1 The degree of connection between the front and rear capsule units is enhanced. The input of the second capsule element, e.g. in layer L+1, is the current input s 2 Adding the input s of the previous capsule unit 1 I.e. the input of the second capsule unit is s 2 =s 2 +s 1 . The second capsule unit of the L+1 layer can learn the information transmitted by the previous capsule unit better, and the learning capacity of the model on the historical input information is enhanced.
Step five: for all vectors s subjected to enhancement processing j And performing the compression operation of the square nonlinear function. After the function of the square compression function, the vector s j The original vector direction is reserved, the compression operation only changes the length of the vector, and the vector s is obtained j Is compressed to a length of 1 or less. Vector s j Performing compression operationThen the vector v transmitted to the upper capsule unit is obtained j 。
Step six: weight b ij The dynamic updating operation is carried out, and the weight updating operation is carried out after the data in the capsule network completes one unidirectional flow process each time, which is the key of the dynamic routing algorithm. In this step, the output vector v of the capsule unit of the l+1 layer is utilized j And the prediction vector obtained from the L-layer capsule unitAnd (3) performing dot product and adding the original weight to update to obtain a new weight, so as to realize dynamic update of the weight. The dot product operation is to calculate the predictive vector +.>And output vector v j Similarity between the weights, and updating the weights through the similarity. After the step six is finished, the algorithm jumps to the step 3 to restart the process, and repeats r times.
The training algorithm of the android malicious software dynamic detection method based on the enhanced capsule network is as follows:
other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.