CN113407938A - Malicious code classification method based on attention mechanism - Google Patents

Malicious code classification method based on attention mechanism

Info

Publication number
CN113407938A
CN113407938A (application CN202011267779.5A)
Authority
CN
China
Prior art keywords
attention mechanism
layer
attention
input
malicious code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011267779.5A
Other languages
Chinese (zh)
Inventor
陈剑延
张建国
王翔龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Herocheer Electronic Technology Co ltd
Original Assignee
Xiamen Herocheer Electronic Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen Herocheer Electronic Technology Co ltd filed Critical Xiamen Herocheer Electronic Technology Co ltd
Priority to CN202011267779.5A priority Critical patent/CN113407938A/en
Publication of CN113407938A publication Critical patent/CN113407938A/en
Pending legal-status Critical Current

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 - Detecting local intrusion or implementing counter-measures
    • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 - Pattern recognition
    • G06F 18/20 - Analysing
    • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 - Pattern recognition
    • G06F 18/20 - Analysing
    • G06F 18/24 - Classification techniques
    • G06F 18/243 - Classification techniques relating to the number of classes
    • G06F 18/24323 - Tree-organised classifiers
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06N - COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 - Computing arrangements based on biological models
    • G06N 3/02 - Neural networks
    • G06N 3/04 - Architecture, e.g. interconnection topology
    • G06N 3/045 - Combinations of networks
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06N - COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 - Computing arrangements based on biological models
    • G06N 3/02 - Neural networks
    • G06N 3/04 - Architecture, e.g. interconnection topology
    • G06N 3/049 - Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Software Systems (AREA)
  • Evolutionary Computation (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Computer Hardware Design (AREA)
  • Biomedical Technology (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A malicious code classification method based on an attention mechanism comprises the following steps. S1: IDA Pro is used as the malicious-code parser and an automated decoder is built with scripts; each decoded executable produces two files, a Byte file and an ASM file, where the Byte file contains the hexadecimal representation of the parsed executable and the ASM file contains its disassembly statements. S2: the disassembly statements are extracted from the ASM file and the corresponding hexadecimal numbers are extracted from the Byte file; a fixed length is set for each disassembly statement, the hexadecimal numbers are extracted in execution order, and a two-dimensional vector is formed according to this mapping to serve as the input of the model. S3: an ACNN recognition model is constructed, combining an attention mechanism with a CNN; the two-dimensional vector is input into the ACNN recognition model to recognize and classify the malicious code.

Description

Malicious code classification method based on attention mechanism
Technical Field
The invention relates to a method for classifying malicious code, and in particular to a malicious code classification method based on an attention mechanism.
Background
When analyzing malware distributed in binary form, human experts focus mainly on the sequence of malicious operations that the code performs. Typically, the disassembled code is studied, since it reflects the execution logic of the program to some extent. Detecting malware by studying its disassembled code, i.e. analyzing it from the perspective of binary and disassembly, is therefore an important part of the malware detection field; many researchers work in this area and have proposed good methods for feature extraction and model construction.
However, existing methods may not use the information in binary and disassembled code efficiently. For example, some researchers convert the binary code directly into a fixed-size image, although there is no evidence that such a fixed size is appropriate. Others extract only the opcodes from the disassembled code to form a sequence, which preserves ordering information to some extent but discards much of the semantic information of the disassembly. Even when assembly statements share the same opcode, different operands can give them very different meanings.
At present, machine learning methods for malicious code detection fall broadly into traditional machine learning and deep learning. Traditional machine learning methods mainly include random forests, decision trees, SVMs and XGBoost. Deep learning methods mainly include fully connected neural networks, convolutional neural networks and time-series (recurrent) neural networks. However, both families of methods generally suffer from low classification accuracy.
Disclosure of Invention
The invention provides a malicious code classification method based on an attention mechanism, with the main aim of solving the low classification accuracy of existing malicious code classification methods.
In order to solve the technical problems, the invention adopts the following technical scheme:
a malicious code classification method based on an attention mechanism comprises the following steps:
s1, malicious software analysis: using IDA Pro as a resolver of malicious codes to construct an automatic decoder by using scripts, wherein each decoded executable code forms two files, namely a Byte file and an ASM file, the Byte file comprises hexadecimal to represent the resolved executable code, and the ASM file comprises a disassembly statement to represent the resolved executable code;
s2, feature extraction: firstly, extracting the disassembling sentences from the ASM file, then extracting hexadecimal numbers corresponding to the disassembling sentences from the Byte file, setting the length of each disassembling sentence, extracting the hexadecimal numbers according to the execution sequence, and forming a two-dimensional vector by contrasting the method, wherein the two-dimensional vector is used as the input of the model;
s3, constructing an ACNN recognition model: the ACNN recognition model comprises an attention mechanism and a CNN mechanism, and the two-dimensional vector is input into the ACNN recognition model to recognize and classify the malicious codes.
Further, in step S2, because the hexadecimal numbers corresponding to different disassembly statements have different lengths, the length of each disassembly statement is set to 20; statements shorter than 20 are padded with 0, and statements longer than 20 are truncated.
Furthermore, each row of the two-dimensional vector represents one assembly statement, and the rows are arranged vertically in the execution order of the assembly statements.
Further, the ACNN recognition model comprises an input layer, an attention mechanism layer, a CNN layer, a fully connected dense layer and an output layer. A two-dimensional vector is fed to the input layer. The resulting vector is then passed to the attention mechanism layer, which outputs different score values for different inputs according to the global context; in other words, the attention layer picks out the key assembly statements, which are represented by hexadecimal codes in the input vector. The score values are then fed to the CNN layer, which captures features of adjacent assembly statements; adjacent statements usually form a meaningful group of operations, which is an important basis for distinguishing malware categories. The fully connected dense layer then learns high-level features from the CNN layer, and finally the output layer produces the classification result.
Furthermore, the attention mechanism layer adopts a multi-head attention mechanism, which computes several groups of attention in parallel and concatenates their results; using multiple attention heads allows more features to be extracted.
Still further, in the multi-head attention mechanism, the head size is set to 8 and the number of heads to 2.
Further, the CNN layer consists of three convolutional layers, each with 100 convolution kernels of size 3 and each followed by a pooling layer of size 3.
Further, the data shape of the two-dimensional vector is (2000 × 20).
Further, the attention mechanism layer is described by the following formula:
Attention(Q,K,V)=F(Q,K)V
where Q denotes the query vector and (K, V) denotes a set of key-value pairs; the query vector obtains its weight values by attending over the key-value pairs. Analyzing the formula further, let Q = (q1, q2, ..., qn) and AV = Attention(Q, K, V); then AV = (av1, av2, ..., avn), where avi is the attention value of qi in the global context. That is, by applying the attention mechanism, each component receives a weight value that represents its degree of importance in the global context.
As can be seen from the above description, compared with the prior art the present invention has the following advantages. The invention makes full use of the correspondence between machine code (the binary code of the malware) and assembly statements to construct a two-dimensional input vector whose rows represent assembly statements and whose vertical order is the execution order of those statements. At the same time, the recognition model makes full use of the attention mechanism and borrows the idea of CNN convolution kernels; comparative experiments show that the recognition model fits more efficiently and that classification accuracy is greatly improved.
Drawings
FIG. 1 is a schematic diagram of the steps of the present invention.
FIG. 2 is a schematic diagram of the ACNN recognition model of the present invention.
FIG. 3 shows the classes and sample counts of the nine malware families.
FIG. 4 is the training accuracy curve of the present invention.
FIG. 5 is the training loss curve of the present invention.
Detailed Description
Referring to fig. 1, a malicious code classification method based on an attention mechanism includes the following steps:
s1, malicious software analysis: using IDA Pro as a resolver of malicious codes to construct an automatic decoder by using scripts, wherein each decoded executable code forms two files, namely a Byte file and an ASM file, the Byte file comprises hexadecimal to represent the resolved executable code, and the ASM file comprises a disassembly statement to represent the resolved executable code;
s2, feature extraction: firstly, extracting disassembling sentences from an ASM file, then extracting hexadecimal numbers corresponding to the disassembling sentences from a Byte file, and setting the length of each disassembling sentence, wherein the length of each disassembling sentence is set to be 20 because the hexadecimal numbers corresponding to each disassembling sentence are different in length, and if the length is less than 20, 0 is supplemented; if it exceeds 20, truncating; by extracting hexadecimal numbers according to the execution sequence and contrasting the method, a two-dimensional vector which transversely represents the assembly statement and longitudinally represents the execution sequence of the assembly statement can be formed and used as the input of the model;
s3, constructing an ACNN recognition model: the ACNN recognition model comprises an attention mechanism and a CNN mechanism, and the two-dimensional vector is input into the ACNN recognition model to recognize and classify the malicious codes.
Referring to fig. 2, the ACNN recognition model includes an input layer, an attention mechanism layer, a CNN layer, a fully connected dense layer and an output layer. A two-dimensional vector with data shape (2000 x 20) is fed to the input layer. The resulting vector is then passed to the attention mechanism layer, which outputs different score values for different inputs according to the global context; in other words, the attention layer picks out the key assembly statements, which are represented by hexadecimal codes in the input vector. The score values are then fed to the CNN layer, which captures features of adjacent assembly statements; adjacent statements usually form a meaningful group of operations, which is an important basis for distinguishing malware categories. The fully connected dense layer then learns high-level features from the CNN layer, and finally the output layer produces the classification result.
The attention mechanism layer adopts a multi-head attention mechanism, which computes several groups of attention in parallel and concatenates their results; using multiple attention heads allows more features to be extracted. In the invention, the head size in the multi-head attention mechanism is set to 8 and the number of heads to 2; the CNN layer consists of three convolutional layers, each with 100 convolution kernels of size 3 and each followed by a pooling layer of size 3.
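As an illustration of this architecture, the following Keras sketch wires the layers together with the stated hyperparameters (2 heads of size 8; three convolutional layers with 100 kernels of size 3, each followed by pooling of size 3, on a (2000, 20) input). The activation functions, the global pooling step, the dense-layer width of 128, the optimizer and the loss are assumptions that the patent does not specify.

```python
import tensorflow as tf
from tensorflow.keras import layers, models

def build_acnn(num_classes=9, num_stmts=2000, stmt_len=20):
    inputs = layers.Input(shape=(num_stmts, stmt_len))
    # attention mechanism layer: multi-head self-attention over the statement rows
    x = layers.MultiHeadAttention(num_heads=2, key_dim=8)(inputs, inputs)
    # CNN layer: capture features of adjacent assembly statements
    for _ in range(3):
        x = layers.Conv1D(filters=100, kernel_size=3, activation="relu")(x)
        x = layers.MaxPooling1D(pool_size=3)(x)
    x = layers.GlobalMaxPooling1D()(x)          # assumed pooling before the dense layer
    # fully connected dense layer learning high-level features
    x = layers.Dense(128, activation="relu")(x)
    outputs = layers.Dense(num_classes, activation="softmax")(x)
    model = models.Model(inputs, outputs)
    model.compile(optimizer="adam",
                  loss="sparse_categorical_crossentropy",
                  metrics=["accuracy"])
    return model
```

Calling build_acnn() and then model.summary() reproduces the layer stack described above; any detail not stated in this description may differ in the actual model.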
The attention mechanism layer is described by the following formula:
Attention(Q,K,V)=F(Q,K)V
where Q denotes the query vector and (K, V) denotes a set of key-value pairs; the query vector obtains its weight values by attending over the key-value pairs. Analyzing the formula further, let Q = (q1, q2, ..., qn) and AV = Attention(Q, K, V); then AV = (av1, av2, ..., avn), where avi is the attention value of qi in the global context. That is, by applying the attention mechanism, each component receives a weight value that represents its degree of importance in the global context.
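As a numerical illustration of Attention(Q, K, V) = F(Q, K)V, the sketch below assumes a common choice for F(Q, K), namely scaled dot-product similarity followed by a softmax; the patent itself does not fix the form of F.

```python
import numpy as np

def softmax(z, axis=-1):
    z = z - z.max(axis=axis, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=axis, keepdims=True)

def attention(Q, K, V):
    # F(Q, K): similarity of each query q_i to every key, normalized to weights
    scores = Q @ K.T / np.sqrt(K.shape[-1])
    weights = softmax(scores, axis=-1)          # one weight row per q_i
    return weights @ V                          # AV = (av_1, ..., av_n)

rng = np.random.default_rng(0)
Q = rng.normal(size=(4, 8))   # 4 queries of dimension 8
K = rng.normal(size=(6, 8))   # 6 key-value pairs
V = rng.normal(size=(6, 8))
print(attention(Q, K, V).shape)   # (4, 8): av_i is the attention value of q_i
```

Each weight row sums to 1, so av_i is a weighted combination of the values in V, with larger weights given to the keys that q_i attends to most strongly.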
To demonstrate the superiority of the feature extraction method and the ACNN recognition model, the following experiments were carried out. We selected the data from the Microsoft 2015 Kaggle competition as our dataset; it consists of malware for the Windows platform. After parsing with IDA Pro, Byte files and ASM files were generated. The dataset contains 10086 samples in total, divided into 9 different malware families: Ramnit, Lollipop, Kelihos_ver3, Vundo, Simda, Tracur, Kelihos_ver1, Obfuscator.ACY and Gatak; the number of samples in each category is shown in fig. 3.
The parameters of the ACNN recognition model, based on the attention mechanism and the CNN, are set as follows: the attention mechanism layer uses a multi-head attention model in which the head size is set to 8 and the number of heads to 2, and the convolutional part consists of three convolutional layers, each with 100 convolution kernels of size 3 and each followed by a pooling layer of size 3.
The accuracy reaches its maximum after 200 training epochs, as shown in fig. 4, and the loss reaches its minimum after 200 epochs, as shown in fig. 5.
As can be seen from fig. 4 and 5, our ACNN recognition model converges rapidly, with the advantages of high accuracy and low loss.
To verify the effectiveness of our feature extraction method, we set up several groups of comparative experiments. We use 10-fold cross-validation to split the dataset into training and test sets, and then compute the average classification accuracy over these test sets.
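For concreteness, a sketch of this 10-fold evaluation protocol is shown below; build_model is a placeholder for any estimator with an sklearn-style fit/score interface (for example a random forest), and the stratified splitting and fixed random seed are assumptions rather than details from the patent.

```python
import numpy as np
from sklearn.model_selection import StratifiedKFold

def cross_validated_accuracy(X, y, build_model, n_splits=10):
    """Average test accuracy over n_splits folds; a fresh model is trained per fold."""
    skf = StratifiedKFold(n_splits=n_splits, shuffle=True, random_state=42)
    accs = []
    for train_idx, test_idx in skf.split(X, y):
        model = build_model()
        model.fit(X[train_idx], y[train_idx])
        accs.append(model.score(X[test_idx], y[test_idx]))
    return float(np.mean(accs))
```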
The data we feed into the model is a two-dimensional vector in which each row is the hexadecimal representation of one assembly statement and the rows are ordered by execution sequence. To verify that this two-dimensional form is more effective, we designed two comparison forms. The first is the commonly used one-dimensional form, generated by flattening the two-dimensional vector into a one-dimensional vector with data shape (6000, 1). The second is also two-dimensional but with a smaller horizontal dimension: whereas our extraction keeps 20 columns, giving data shape (2000, 20), the comparison data has shape (2000, 3). The results of evaluating these inputs with an LSTM model and a random forest model are shown in Table 1.
TABLE 1
In this experiment, the two-dimensional vector is flattened into a one-dimensional vector before being used as the input of the Random Forest model; the test results are listed in Table 1.
As can be seen from Table 1, the conventional Random Forest model reaches a classification accuracy of about 0.71 regardless of the feature extraction method, which shows that the choice of feature extraction has little influence on the traditional Random Forest model. For the LSTM model, the larger the horizontal dimension extracted, the better the classification; the best accuracy of 0.8725 is obtained with the (2000, 20) data shape, which shows that for a deep learning model this feature extraction method strengthens horizontal correlation and improves classification accuracy.
To validate the effectiveness of the ACNN framework, we established four baseline models: a Random Forest model, a bidirectional LSTM (Bi-LSTM) model, a multi-head attention model and a deep neural network (DNN) model; the results of the comparison tests are shown in Table 2.
TABLE 2
As can be seen from Table 2, the classification accuracy of the ACNN (Attention + CNN) recognition model, which combines the attention mechanism with the CNN, reaches 0.9609. This is nearly 5 percentage points higher than the multi-head attention model, nearly 9 percentage points higher than the bidirectional LSTM (Bi-LSTM) model, and nearly 25 percentage points higher than the traditional Random Forest model. At the same time, the ACNN model is well ahead of the other attention-based models.
The above description is only one embodiment of the present invention, but the design concept of the invention is not limited thereto; any insubstantial modification made using this design concept shall be deemed to fall within the protection scope of the present invention.

Claims (9)

1. A malicious code classification method based on an attention mechanism, characterized by comprising the following steps:
s1, malicious software analysis: using IDA Pro as a resolver of malicious codes to construct an automatic decoder by using scripts, wherein each decoded executable code forms two files, namely a Byte file and an ASM file, the Byte file comprises hexadecimal to represent the resolved executable code, and the ASM file comprises a disassembly statement to represent the resolved executable code;
s2, feature extraction: firstly, extracting the disassembling sentences from the ASM file, then extracting hexadecimal numbers corresponding to the disassembling sentences from the Byte file, setting the length of each disassembling sentence, extracting the hexadecimal numbers according to the execution sequence, and forming a two-dimensional vector by contrasting the method, wherein the two-dimensional vector is used as the input of the model;
s3, constructing an ACNN recognition model: the ACNN recognition model comprises an attention mechanism and a CNN mechanism, and the two-dimensional vector is input into the ACNN recognition model to recognize and classify the malicious codes.
2. The method for classifying malicious code based on an attention mechanism according to claim 1, wherein: in step S2, because the hexadecimal numbers corresponding to different disassembly statements have different lengths, the length of each disassembly statement is set to 20; statements shorter than 20 are padded with 0, and statements longer than 20 are truncated.
3. The method for classifying malicious code based on an attention mechanism according to claim 1, wherein: each row of the two-dimensional vector represents one assembly statement, and the rows are arranged vertically in the execution order of the assembly statements.
4. The method for classifying malicious code based on an attention mechanism according to claim 1, wherein: the ACNN recognition model comprises an input layer, an attention mechanism layer, a CNN layer, a fully connected dense layer and an output layer; a two-dimensional vector is fed to the input layer; the resulting vector is then passed to the attention mechanism layer, which outputs different score values for different inputs according to the global context, i.e. the attention layer picks out the key assembly statements, represented by hexadecimal codes in the input vector; the score values are then fed to the CNN layer, which captures features of adjacent assembly statements, adjacent statements usually forming a meaningful group of operations that is an important basis for distinguishing malware categories; the fully connected dense layer then learns high-level features from the CNN layer; and finally the output layer produces the classification result.
5. The method for classifying malicious code based on an attention mechanism according to claim 4, wherein: the attention mechanism layer adopts a multi-head attention mechanism, which computes several groups of attention in parallel and concatenates their results, so that more features can be extracted.
6. The method for classifying malicious code based on an attention mechanism according to claim 5, wherein: in the multi-head attention mechanism, the head size is set to 8 and the number of heads to 2.
7. The method for classifying malicious code based on an attention mechanism according to claim 4, wherein: the CNN layer consists of three convolutional layers, each with 100 convolution kernels of size 3 and each followed by a pooling layer of size 3.
8. The method for classifying malicious code based on an attention mechanism according to claim 3, wherein: the data shape of the two-dimensional vector is (2000 x 20).
9. The method for classifying malicious code based on an attention mechanism as claimed in claim 4, wherein: the attention mechanism layer is described by the following formula:
Attention(Q,K,V)=F(Q,K)V
where Q denotes the query vector and (K, V) denotes a set of key-value pairs; the query vector obtains its weight values by attending over the key-value pairs. Analyzing the formula further, let Q = (q1, q2, ..., qn) and AV = Attention(Q, K, V); then AV = (av1, av2, ..., avn), where avi is the attention value of qi in the global context. That is, by applying the attention mechanism, each component receives a weight value that represents its degree of importance in the global context.
CN202011267779.5A 2020-11-13 2020-11-13 Malicious code classification method based on attention mechanism Pending CN113407938A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011267779.5A CN113407938A (en) 2020-11-13 2020-11-13 Malicious code classification method based on attention mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011267779.5A CN113407938A (en) 2020-11-13 2020-11-13 Malicious code classification method based on attention mechanism

Publications (1)

Publication Number Publication Date
CN113407938A true CN113407938A (en) 2021-09-17

Family

ID=77677412

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011267779.5A Pending CN113407938A (en) 2020-11-13 2020-11-13 Malicious code classification method based on attention mechanism

Country Status (1)

Country Link
CN (1) CN113407938A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019083737A1 (en) * 2017-10-27 2019-05-02 Fireeye, Inc. System and method for analyzing binary code malware classification using artificial neural network techniques
CN111538989A (en) * 2020-04-22 2020-08-14 四川大学 Malicious code homology analysis method based on graph convolution network and topic model
CN111723368A (en) * 2020-05-28 2020-09-29 中国人民解放军战略支援部队信息工程大学 Bi-LSTM and self-attention based malicious code detection method and system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019083737A1 (en) * 2017-10-27 2019-05-02 Fireeye, Inc. System and method for analyzing binary code malware classification using artificial neural network techniques
CN111538989A (en) * 2020-04-22 2020-08-14 四川大学 Malicious code homology analysis method based on graph convolution network and topic model
CN111723368A (en) * 2020-05-28 2020-09-29 中国人民解放军战略支援部队信息工程大学 Bi-LSTM and self-attention based malicious code detection method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
XIN MA et al.: "How to Make Attention Mechanisms More Practical in Malware Classification", IEEE Access *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210917