CN116383707A - Malicious code detection method, device, equipment and medium - Google Patents


Info

Publication number: CN116383707A
Authority: CN (China)
Prior art keywords: vector, quantum, code, quantum state, obtaining
Legal status: Pending
Application number: CN202310511436.6A
Other languages: Chinese (zh)
Inventors: 樊旭东, 闫海林, 李帅宇, 范鑫禹
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC
Application filed by: Industrial and Commercial Bank of China Ltd ICBC
Priority to: CN202310511436.6A
Publication of: CN116383707A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • General Health & Medical Sciences (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Molecular Biology (AREA)
  • Computer Hardware Design (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Virology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Error Detection And Correction (AREA)

Abstract

The disclosure provides a malicious code detection method, and relates to the field of information security or artificial intelligence. The method comprises the following steps: acquiring characteristic information of code data to be detected, wherein the code data to be detected comprises at least one section of code statement and/or operation information generated after the at least one section of code statement is executed; performing word coding and position coding on the characteristic information to obtain a first classical representation vector; inputting the first classical representation vector to a quantum attention layer for processing, wherein the processing comprises the steps of converting the first classical representation vector into a first quantum state vector and obtaining a second quantum state vector based on a quantum attention mechanism; and obtaining the malicious code detection result output by the classifier according to the input after obtaining the input of the classifier based on the second quantum state vector. The disclosure also provides a malicious code detection apparatus, a device, a storage medium, and a program product.

Description

Malicious code detection method, device, equipment and medium
Technical Field
The present disclosure relates to the field of information security or artificial intelligence, and more particularly, to a malicious code detection method, apparatus, device, medium, and program product.
Background
With the rapid development of networks and the maturation of development technology, more and more enterprises develop diversified applications to provide services for users. Many lawbreakers use various kinds of malicious code to attack application servers, which seriously affects the normal operation of enterprise business and exposes enterprises and users to serious data security risks. In the related art, approaches that detect malicious code using machine learning and deep learning algorithms have appeared.
In the course of realizing the inventive concept, the inventors found that traditional neural network models suffer from poor scalability and small memory capacity, which can lead to problems such as poor robustness and catastrophic memory loss. Given the endless stream of malicious code, providing a method that detects malicious code efficiently and accurately is therefore an urgent problem to be solved.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a malicious code detection method, apparatus, device, medium, and program product.
In one aspect of the embodiments of the present disclosure, a malicious code detection method is provided, including: acquiring characteristic information of code data to be detected, wherein the code data to be detected comprises at least one section of code statement and/or operation information generated after the at least one section of code statement is executed; performing word coding and position coding on the characteristic information to obtain a first classical representation vector; inputting the first classical representation vector to a quantum attention layer for processing, wherein the processing comprises the steps of converting the first classical representation vector into a first quantum state vector and obtaining a second quantum state vector based on a quantum attention mechanism; and obtaining the malicious code detection result output by the classifier according to the input after obtaining the input of the classifier based on the second quantum state vector.
According to an embodiment of the disclosure, the classifier includes a feedforward neural network comprising a hidden layer and an output layer implemented based on a variational quantum classifier, and obtaining a malicious code detection result output by the classifier according to the input includes: processing the input with the hidden layer; and processing the output of the hidden layer through the variational quantum classifier to obtain the malicious code detection result.
According to an embodiment of the present disclosure, acquiring feature information of code data to be detected includes: extracting metadata and/or original characteristic data in the at least one code statement; and obtaining first characteristic information in the characteristic information according to the metadata and/or the original characteristic data.
According to an embodiment of the disclosure, the raw feature data includes N functions, N being greater than or equal to 1, and obtaining the first feature information includes: analyzing the internal code information of the N functions to obtain at least part of the first characteristic information; and/or analyzing the calling relation among the N functions to form a calling graph, and extracting graph features in the calling graph as at least part of the first feature information; and/or analyzing the code annotation information of each of the N functions, and performing natural language processing on the code annotation information to obtain at least part of the first characteristic information.
According to an embodiment of the present disclosure, acquiring feature information of code data to be detected includes: determining at least one of code behavior, operation process log and operation result in the operation information; and obtaining second characteristic information in the characteristic information based on at least one of the code behavior, the operation process log and the operation result.
According to an embodiment of the present disclosure, the deriving the second quantum state vector based on the quantum attention mechanism includes: weighting the first quantum state vector through a quantum state query matrix, a key matrix and a value matrix to obtain a quantum state query vector, a key vector and a value vector; calculating the correlation between the query vector and the key vector based on a quantum bit gate and a single bit rotation gate to obtain a correlation coefficient matrix; and obtaining the second quantum state vector based on the correlation coefficient matrix and the value vector.
According to an embodiment of the present disclosure, deriving the input of the classifier based on the second quantum state vector includes: mapping the second quantum state vector to a second classical representation vector; obtaining a malicious code detection result output by the classifier according to the input comprises: and processing the second classical representation vector through the classifier, and outputting the malicious code detection result.
According to an embodiment of the present disclosure, the number of dimensions of the first classical representation vector is equal to the number of qubits, and converting the first classical representation vector into a first quantum state vector comprises: performing angle coding on each dimension of the first classical representation vector to obtain an angle coding vector; and processing the angle coding vector through M quantum circuits to obtain the first quantum state vector, wherein M is greater than or equal to 1.
Another aspect of the disclosed embodiments provides a malicious code detection apparatus, including: the characteristic information module is used for acquiring characteristic information of code data to be detected, wherein the code data to be detected comprises at least one section of code statement and/or operation information generated after the at least one section of code statement is executed; the feature coding module is used for carrying out word coding and position coding on the feature information to obtain a first classical representation vector; the quantum state module is used for inputting the first classical representation vector into the quantum attention layer for processing, and the quantum state module is used for obtaining a second quantum state vector based on a quantum attention mechanism after converting the first classical representation vector into the first quantum state vector; and the classification module is used for obtaining the malicious code detection result output by the classifier according to the input after obtaining the input of the classifier based on the second quantum state vector. The apparatus comprises means for performing the steps of the method as claimed in any one of the preceding claims, respectively.
Another aspect of an embodiment of the present disclosure provides an electronic device, including: one or more processors; and a storage means for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method as described above.
Another aspect of the disclosed embodiments also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the method as described above.
Another aspect of the disclosed embodiments also provides a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
One or more of the above embodiments have the following advantages: based on the principles of superposition and entanglement of quantum states, and combining the design ideas of classical neural networks and quantum neural networks, malicious code detection is realized with a quantum hybrid neural network. Owing to quantum entanglement, for the same output-layer dimension the quantum state has a larger representation space, fewer neurons are needed and the network scale is smaller. The quantum attention layer processes more code information than a traditional attention layer, which reduces the amount of computation of the traditional neural network model, improves the adversarial robustness of malicious code detection, alleviates the catastrophic memory loss problem to a certain extent, and improves malicious code detection efficiency and accuracy.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of malicious code detection according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a malicious code detection method according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow chart of acquiring feature information of code data to be detected, according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow chart of acquiring feature information of code data to be detected according to another embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of converting a first classical representation vector according to an embodiment of the disclosure;
FIGS. 6A-6C schematically illustrate block diagrams of analog quantum circuits according to various embodiments of the present disclosure;
FIG. 7 schematically illustrates a flow chart of deriving a second quantum state vector in accordance with an embodiment of the disclosure;
FIG. 8 schematically illustrates an architectural diagram of a quantum attention mechanism in accordance with an embodiment of the present disclosure;
FIG. 9 schematically illustrates an architecture diagram of a malicious code detection model according to an embodiment of the disclosure;
FIG. 10 schematically illustrates a block diagram of a malicious code detection apparatus according to an embodiment of the present disclosure; and
FIG. 11 schematically illustrates a block diagram of an electronic device adapted to implement a malicious code detection method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Malicious code refers to code that can perform unauthorized operations in a computer system and that may have undesirable consequences after execution. Some malicious code has all the functions of a complete program and can propagate and run independently; such malicious code need not be hosted in another program and may be referred to as independent malicious code. Other malicious code is just a piece of code that must be embedded into a complete program and is propagated and run as a component of that program; such malicious code may be called dependent malicious code, and it may cause its host program to exhibit malicious behavior.
Malicious code, also known as malware, is mostly written for commercial purposes or to pry into other people's data, for example to promote a certain product, to provide network charging services, or to deliberately destroy other people's computers. In general it has the purpose of malicious destruction, is itself a program, and acts through execution. Quickly detecting malicious code in acquired code is therefore important for ensuring network security.
In recent years, malicious code detection through machine learning and deep learning algorithms has become a research hotspot, but the existing detection methods have some defects: training samples are difficult to acquire; human participation is too high; a shallow network has a small memory capacity; a neural network that is too deep has too many layers and consumes more resources; and, because the neural network is updated as malicious code types are continuously updated, the original malicious code types become difficult to detect, which results in catastrophic memory loss.
The embodiment of the disclosure provides a malicious code detection method which, based on the principles of superposition and entanglement of quantum states and combining the design ideas of a classical neural network and a quantum neural network, realizes malicious code detection with a quantum hybrid neural network. Owing to quantum entanglement, for the same output-layer dimension the quantum state has a larger representation space, fewer neurons are required and the network scale is smaller. The quantum attention layer processes more code information than a traditional attention layer, which reduces the amount of computation of a traditional neural network model, improves the adversarial robustness of malicious code detection, alleviates the catastrophic memory loss problem to a certain extent, and improves malicious code detection efficiency and accuracy.
Fig. 1 schematically illustrates an application scenario diagram of malicious code detection according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, but does not mean that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.
As shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
The server 105 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud computing, network service, and middleware service.
It should be noted that, the malicious code detection method provided by the embodiments of the present disclosure may be generally executed by the server 105. Accordingly, the malicious code detection apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The malicious code detection method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the malicious code detection apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The malicious code detection method of the embodiment of the present disclosure will be described in detail below by fig. 2 to 9 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flow chart of a malicious code detection method according to an embodiment of the present disclosure.
As shown in fig. 2, the malicious code detection method of this embodiment includes operations S210 to S240.
In operation S210, feature information of code data to be detected is obtained, where the code data to be detected includes at least one code statement and/or operation information generated after execution of the at least one code statement.
For example, an original code packet to be detected is obtained and cleaned to obtain the code data to be detected. The cleaning process removes meaningless characters, spaces, garbled text and the like from the original code packet. The original code packet may be written in a language such as Python, Java, Go, C++ or HTML. For example, the feature information may include data features obtained by screening after further word segmentation or keyword matching of the code data to be detected.
The code data to be detected comprises static data and dynamic data, wherein the static data comprises at least one section of code statement, and the dynamic data comprises the running information.
For the at least one section of code statement, word segmentation can be performed on the code data to be detected using various rules to obtain one or more sections, wherein each section comprises one or more code statements. The various rules may include functional rules (word segmentation based on functionality), keyword rules (word segmentation based on keywords), or context rules (word segmentation based on context), etc.
The running information refers to the associated information generated after the at least one code statement is executed, and comprises dynamic information produced during execution and result information obtained after the run. The dynamic information comprises the various dynamic behaviors of the at least one code statement while running, such as file reading, process creation and registry writing; further, each code statement has corresponding dynamic information, such as command execution, code injection, memory residence, credential collection, information turning and the like. The various dynamic behaviors may be embodied by a process or thread, as the basic execution entity, executing a code statement, so the code behaviors referred to in the embodiments of the present application may be generated by the process or thread corresponding to the code while it runs.
Illustratively, the static data includes, for example, one or more controllable variables. A controllable variable is a variable whose value comes from user input. Because the content of user input cannot be controlled, malicious code may be added, intentionally or unintentionally, so that the value of the variable leads to undesirable consequences.
For dynamic data, for example, the dynamic behavior of a piece of malicious code may be to first replicate itself in large numbers, then spawn a plurality of processes from the replicated malicious code that reside in memory for a long time, and finally collect credentials continuously through those long-resident processes. Such code behavior obviously causes data leakage, occupies system resources and also leads to undesirable consequences.
It will be appreciated that the above examples of malicious consequences for static and dynamic data are illustrative only, and the present disclosure is not limited to the above-described malicious behavior of controllable variables or mass replication. Thus, obtaining characteristic information of static data and/or dynamic data facilitates malicious code detection.
In operation S220, the feature information is word-encoded and position-encoded to obtain a first classical representation vector.
Word encoding can be implemented with word embedding technology, which represents the words and symbols in the feature information as word vectors. For example, code contains symbols, and this symbol data must be processed into feature vectors that a computer can recognize. Because the representation produced by One-Hot encoding is very sparse and lacks correlation between semantics, word embedding is chosen for the encoding, with the value of the feature dimension (unbeddim) set to n_qubits (i.e., the number of qubits).
Position coding may be implemented with position embedding technology, which adds position information to the word vectors obtained from word coding. Reference is made to the following formulas 1 and 2.
Figure BDA0004217595330000091
Figure BDA0004217595330000092
Wherein d_model represents the length of word filling, pos represents the position of the i-th word, and i ranges from 0 to d_model - 1.
In operation S230, the first classical representation vector is input to the quantum attention layer for processing, which includes converting the first classical representation vector into a first quantum state vector and obtaining a second quantum state vector based on the quantum attention mechanism.
Classical representation vectors include traditional vectors that are not in a quantum state. The quantum attention layer comprises an attention layer designed, based on the attention mechanism of traditional neural networks and on concepts from quantum physics, to process quantum state data. The quantum attention mechanism is used to realize attention distribution, namely dynamic weight distribution, over the processed data in a quantum state.
In operation S240, after the input of the classifier is obtained based on the second quantum state vector, a malicious code detection result output by the classifier according to the input is obtained.
Illustratively, the malicious code detection result may be a two-class result, such as malicious code or non-malicious code. The malicious code detection result may also be a multi-class result that gives the specific malicious code type, such as polymorphic, morphed, self-modifying, indirect jump, or non-self-contained, etc.
According to the embodiment of the disclosure, based on the principles of superposition and entanglement of quantum states, and combining the design ideas of the classical neural network and the quantum neural network, malicious code detection is realized with a quantum hybrid neural network. Owing to quantum entanglement, for the same output-layer dimension the quantum state has a larger representation space, fewer neurons are needed and the network scale is smaller. The quantum attention layer processes more code information than a traditional attention layer, which reduces the amount of computation of the traditional neural network model, improves the adversarial robustness of malicious code detection, alleviates the catastrophic memory loss problem to a certain extent, and improves malicious code detection efficiency and accuracy.
Fig. 3 schematically illustrates a flowchart of acquiring feature information of code data to be detected according to an embodiment of the present disclosure.
As shown in fig. 3, acquiring feature information of code data to be detected in operation S210 includes operations S310 to S320.
Metadata and/or raw feature data in at least one code statement is extracted in operation S310.
The metadata may include the SHA-256 hash and time information of the original code packet, etc. The raw feature data may include general information, header information, import functions, export functions, section information, strings, byte entropy, histograms, or other functions, etc. In other embodiments, the metadata may include the DOS header, NT header, file header, other header information, DLL characteristics, PE section information, directories, version information, import symbol tables, resource directories, relocations, etc.
In operation S320, first feature information among the feature information is obtained according to the metadata and/or the original feature data.
According to the embodiment of the disclosure, the first feature information is obtained from at least one of the metadata and the raw feature data, so that malicious code information is retained accurately and comprehensively and can in turn be detected accurately.
In some embodiments, the raw feature data includes N functions, where N is greater than or equal to 1, and parsing the N functions to obtain the first feature information may specifically include: analyzing the internal code information of the N functions to obtain at least part of the first feature information; and/or analyzing the calling relations among the N functions to form a call graph, and extracting graph features from the call graph as at least part of the first feature information; and/or analyzing the code annotation information of each of the N functions, and performing natural language processing on the code annotation information to obtain at least part of the first feature information.
For example, the N functions may include callback functions, utility functions (performing some utility function such as arithmetic operations, string operations, array searches, etc.), business logic functions (implementing the core business logic of the application, e.g., updating user state), data processing functions (extracting and processing data from input), or response functions, etc.
In some embodiments, at least a portion of the first feature information may be characterized by internal code information of a plurality of functions, where the internal code information includes, for example, symbols and symbol meanings, such as a function name, a return value type, a function parameter list, and information characterizing a code structure (e.g., key node information such as if statements, for loop statements, etc.), etc.
In other embodiments, the call relationships among the plurality of functions are obtained and a call graph is formed. At least one call chain can be obtained through a depth graph search algorithm, the call sequence is extracted as a graph feature, and at least part of the first feature information is represented by the graph features, so that more explicit or potential malicious code information can be obtained in the form of a graph.
In other embodiments, the code annotation information is subjected to natural language processing, so that semantic information representing each function can be obtained, and the semantic information is used as at least part of the first feature information. With the semantic information, the code can be examined through a language other than the code language itself, which resists, to a certain extent, the noise introduced when malicious code is intentionally disguised. In some embodiments, if one or more functions have no code annotation information, it may be generated using an existing or future code annotation generation model.
In other embodiments, at least two of the code annotation information, the internal code information and the call relationship are considered together, so that it is possible both to detect whether each function is a malicious function and to take the relationships between functions into account. For example, one piece of malicious code is usually implemented by several functions in cooperation, so considering the functions themselves, the relationships between functions, and the code annotation of each function helps avoid false positives on non-malicious code and missed detections of malicious code.
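The function-internal features and call chains described above can be sketched as follows. This is an added example, not code from the patent: it assumes the code under analysis is Python source parsed with the standard `ast` module, treats the "depth graph search" as a depth-first traversal, and uses a constructed `SAMPLE` program; `function_features` and `call_chains` are hypothetical names.

```python
import ast

# Constructed sample program (assumption, not from the patent). It is only
# parsed, never executed.
SAMPLE = '''
def parse(line):
    if not line:
        return None
    return line.split("=")

def load(path):
    rows = []
    for line in open(path):
        rows.append(parse(line))
    return rows

def report(rows):
    for r in rows:
        if r:
            print(r)

def main(path):
    rows = load(path)
    report(rows)
'''


def function_features(source):
    """Return (per-function structure features, call graph) for `source`.

    Features: parameter list plus counts of `if` and `for` key nodes.
    Call graph: function name -> sorted list of callees that are themselves
    defined in the same source (built-ins and method calls are ignored).
    """
    tree = ast.parse(source)
    funcs = {n.name: n for n in ast.walk(tree)
             if isinstance(n, ast.FunctionDef)}
    features, graph = {}, {}
    for name, node in funcs.items():
        nodes = list(ast.walk(node))
        features[name] = {
            "params": [a.arg for a in node.args.args],
            "if": sum(isinstance(n, ast.If) for n in nodes),
            "for": sum(isinstance(n, ast.For) for n in nodes),
        }
        callees = {n.func.id for n in nodes
                   if isinstance(n, ast.Call)
                   and isinstance(n.func, ast.Name)
                   and n.func.id in funcs}
        graph[name] = sorted(callees)
    return features, graph


def call_chains(graph):
    """Enumerate call chains by depth-first search from every root.

    A root is a function nobody calls; if every function is called (pure
    cycle), each function is used as a starting point. A callee already on
    the current path is skipped so recursion cannot loop forever.
    """
    called = {c for callees in graph.values() for c in callees}
    roots = [f for f in graph if f not in called] or list(graph)
    chains = []

    def dfs(fn, path):
        nxt = [c for c in graph[fn] if c not in path]
        if not nxt:
            chains.append(path)
            return
        for callee in nxt:
            dfs(callee, path + [callee])

    for root in sorted(roots):
        dfs(root, [root])
    return chains


if __name__ == "__main__":
    feats, graph = function_features(SAMPLE)
    for chain in call_chains(graph):
        print(" -> ".join(chain), [feats[f] for f in chain])
```

Each chain, with the structure features of the functions along it, is the kind of sequence that would then be word- and position-encoded in operation S220.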
Fig. 4 schematically illustrates a flowchart of acquiring feature information of code data to be detected according to another embodiment of the present disclosure.
As shown in fig. 4, acquiring the feature information of the code data to be detected in operation S210 further includes operations S410 to S420.
At least one of code behavior, a run process log, and a run result in the run information is determined in operation S410.
In operation S420, second characteristic information among the characteristic information is obtained based on at least one of the code behavior, the operation process log, and the operation result.
For example, the at least one code statement may be executed in a dynamic sandbox simulation. The dynamic sandbox is realized by installing auxiliary analysis tools in a virtual operating system, and its layers comprise: a virtual machine layer (for implementing virtualization) and a virtual operating system layer (for running samples and analysis tools).
Code behavior refers to dynamic behavior exhibited by code after execution, and specifically may be behavior exhibited by a process or thread created by code after execution, such as variable definition, function call, condition judgment, loop iteration, array access, object creation, file operation, network request, and the like. For example, during the running process, a code behavior of "file read" is generated, then a code behavior of "network request" is generated, and then a code behavior of "file write" is generated. The running process log comprises log records generated in the running process of the code, and comprises information such as a time stamp, a name or description of the code behavior, parameters or return values of the code behavior and the like. The runtime log can record some or all of the code behavior that occurs throughout the running of the code. The running result comprises the result data finally output or returned after the code running is finished. The result of the run is the cumulative effect of the code behavior.
Although at least one of the code behavior, the running process log, and the running result is obtained, it is not necessarily possible to determine from it whether the code is malicious. For example, no problem may be found during simulated execution in the dynamic sandbox, yet after actual execution the code may receive specific instructions and then produce malicious behavior.
According to the embodiment of the disclosure, dynamic behavior data can be acquired based on the running information, which facilitates the subsequent quantum state data processing and the automatic identification of whether the code is malicious.
Fig. 5 schematically illustrates a flow chart of converting a first classical representation vector according to an embodiment of the present disclosure. Fig. 6A-6C schematically illustrate block diagrams of analog quantum circuits according to various embodiments of the present disclosure.
As shown in fig. 5, converting the first classical representation vector into the first quantum state vector in operation S230 includes operations S510 to S520.
In operation S510, each dimension of the first classical representation vector is angle-encoded separately to obtain an angle-encoded vector.
First, each dimension (which may be one dimension per behavior) of the first classical representation vector is angle-encoded in at least one of the X, Y and Z axis directions of the spherical coordinate system to obtain an angle-encoded vector |x⟩, as shown in equation 3. The rotations in equation 3 can generate different states, so that a large amount of code information can be encoded using a small number of qubits.
Figure BDA0004217595330000131
where
Figure BDA0004217595330000132
denotes multiplying the R(x_i) together, R() is any one of the angle-encoding functions Rx, Ry or Rz, n represents the number of qubits, and i denotes the i-th qubit.
In operation S520, the angle-encoded vector is processed through M quantum circuits to obtain the first quantum state vector, where M is greater than or equal to 1.
As shown in fig. 6A, i takes a value of 0 to 3; angle encoding is performed according to equation 3 through Angle embedding, and the M quantum circuits are then processed by Basic Entangler layers.
Expanding on FIG. 6A, FIG. 6B shows a simulated 4-qubit quantum circuit diagram in some embodiments. First, each qubit is rotated about the x-axis by θ_1, θ_2, θ_3 and θ_4 respectively; these x-axis rotation gates embed the variables into the quantum circuit. The trainable general rotation gates within the dashed box, such as R(α, β, γ), can then be optimized in advance during the training phase. Finally, CNOT gates entangle the qubits in a ring topology, the expectation value ⟨σ_z⟩ of each circuit is output, and the first quantum state vector is obtained from these expectation values.
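The circuit of FIG. 6B as described above can be simulated with a plain-Python state vector. This is an added example, not the patent's implementation: the function names are hypothetical, and the general rotation R(α, β, γ) is assumed to decompose as RZ(α), then RY(β), then RZ(γ).

```python
import cmath
import math


def rx(t):
    c, s = math.cos(t / 2), math.sin(t / 2)
    return [[c, -1j * s], [-1j * s, c]]


def ry(t):
    c, s = math.cos(t / 2), math.sin(t / 2)
    return [[c, -s], [s, c]]


def rz(t):
    return [[cmath.exp(-1j * t / 2), 0], [0, cmath.exp(1j * t / 2)]]


def apply_1q(state, gate, wire, n):
    """Apply a 2x2 gate to `wire`; wire 0 is the most significant bit."""
    bit = 1 << (n - 1 - wire)
    out = list(state)
    for idx in range(len(state)):
        if not idx & bit:
            a, b = state[idx], state[idx | bit]
            out[idx] = gate[0][0] * a + gate[0][1] * b
            out[idx | bit] = gate[1][0] * a + gate[1][1] * b
    return out


def apply_cnot(state, control, target, n):
    """Flip `target` on every basis state where `control` is 1."""
    cbit, tbit = 1 << (n - 1 - control), 1 << (n - 1 - target)
    out = list(state)
    for idx in range(len(state)):
        if idx & cbit and not idx & tbit:
            out[idx], out[idx | tbit] = state[idx | tbit], state[idx]
    return out


def expval_z(state, wire, n):
    """Expectation value <sigma_z> measured on one qubit."""
    bit = 1 << (n - 1 - wire)
    return sum((-1 if idx & bit else 1) * abs(amp) ** 2
               for idx, amp in enumerate(state))


def quantum_layer(x, weights):
    """Angle-encode x, apply M trainable layers, return <sigma_z> per qubit.

    x       : n classical features, one RX rotation angle per qubit.
    weights : M layers, each a list of n (alpha, beta, gamma) triples.
    """
    n = len(x)
    state = [1 + 0j] + [0j] * (2 ** n - 1)          # |0...0>
    for w, angle in enumerate(x):                    # angle encoding
        state = apply_1q(state, rx(angle), w, n)
    if n > 2:                                        # ring topology
        ring = [(w, (w + 1) % n) for w in range(n)]
    else:
        ring = [(0, 1)] if n == 2 else []
    for layer in weights:
        for w, (alpha, beta, gamma) in enumerate(layer):
            for gate in (rz(alpha), ry(beta), rz(gamma)):
                state = apply_1q(state, gate, w, n)
        for control, target in ring:                 # entangle the qubits
            state = apply_cnot(state, control, target, n)
    return [expval_z(state, w, n) for w in range(n)]


if __name__ == "__main__":
    zero_layer = [[(0.0, 0.0, 0.0)] * 4]
    # Constructed inputs: only qubit 0 is rotated, by pi/2.
    print(quantum_layer([math.pi / 2, 0, 0, 0], []))          # no entangling
    print(quantum_layer([math.pi / 2, 0, 0, 0], zero_layer))  # one CNOT ring
```

Without an entangling layer each output is simply cos(x_i); after one CNOT ring the single rotated input changes the expectation values on the other three qubits, which is the entanglement effect the description relies on.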
Based on the expansion of FIG. 6A, FIG. 6C shows a simulated 4-bit quantum circuit diagram in other embodiments, the first two columns representing Rx-Ry rotations of each qubit, followed by repeated CNOT gate and y-axis rotation gate rotations. The circuit in the dashed box is repeated D times, which can enhance the expressive power of the simulation, D being greater than or equal to 1.
It is understood that angle encoding is only one embodiment of the present disclosure, and that basis state encoding, amplitude encoding, Hamiltonian evolution encoding, etc. may also be used to convert classical representation vectors into quantum state vectors.
Fig. 7 schematically illustrates a flow chart of deriving a second quantum state vector in accordance with an embodiment of the disclosure. Fig. 8 schematically illustrates an architectural diagram of a quantum attention mechanism in accordance with an embodiment of the present disclosure.
As shown in fig. 7, the obtaining of the second quantum state vector of this embodiment includes operations S710 to S730.
In operation S710, the first quantum state vector is weighted by the query matrix, the key matrix, and the value matrix of the quantum state to obtain the query vector, the key vector, and the value vector of the quantum state.
The query matrix, key matrix, and value matrix correspond to the query vector, key vector, and value vector, respectively, in the conventional attention mechanism. Unlike the traditional attention mechanism, the query matrix, the key matrix and the value matrix are each represented in advance by a parameterized quantum circuit, so that each can act on the first quantum state vector to obtain the quantum state query vector, the quantum state key vector and the quantum state value vector.
In operation S720, a correlation between the query vector and the key vector is calculated based on the qubit gate and the single bit rotation gate, resulting in a correlation coefficient matrix.
The correlation can be determined from the similarity of the two quantum state vectors. For example, the similarity calculation between two quantum state vectors can use a qubit gate and a single-bit rotation gate to process each quantum circuit and construct a specific density matrix or eigenvalue spectrum, from which similarity is judged. Illustratively, the two are considered similar if the density matrices corresponding to the quantum state query vector and key vector can be transformed into each other by a certain linear transformation. For another example, the two are considered similar if the density matrices corresponding to the quantum state query vector and key vector have the same or similar eigenvalue spectra. The correlation coefficient matrix may include the similarity values between the dimensions.
In operation S730, a second quantum state vector is obtained based on the correlation coefficient matrix and the value vector.
Referring to fig. 8, x represents the first quantum state vector, Q, K and V represent the query matrix, the key matrix and the value matrix, respectively, and C represents the correlation coefficient matrix. The correlation coefficient matrix and the value vector may be added, and the second quantum state vector is output. In other embodiments, the correlation coefficient matrix and the value vector may be multiplied to output the second quantum state vector.
According to the embodiment of the disclosure, the quantum attention layer is provided, attention distribution can be realized on a quantum state level based on a quantum attention mechanism, and the dependency relationship of relevant malicious codes in code information can be better represented on the basis that more code information is accommodated in a quantum state.
In other embodiments, the query vector, key vector, and value vector of quantum states may be obtained and then converted to classical representation vectors, respectively. Then, the similarity between the query vector and the key vector of the classical representation is calculated, so that the large information capacity of quantum calculation and the reliability of the traditional similarity calculation can be utilized. And multiplying the similarity matrix with the classical representation value vector, outputting the classical representation vector, and inputting the classical representation vector into a classifier for processing.
The quantum state vector can be converted into a classical representation vector using prior art techniques as described above. In some embodiments, to obtain the similarity between the query vector and the key vector of the classical representation more accurately, the query vector and the key vector of the quantum state may each be mapped to a Gaussian function space, and the result is input into a softmax function to obtain the similarity matrix.
The process of obtaining malicious code detection results based on the second quantum state vector is further described below.
In some embodiments, obtaining the input of the classifier based on the second quantum state vector comprises: mapping the second quantum state vector to a second classical representation vector. Obtaining the malicious code detection result output by the classifier according to the input comprises: processing the second classical representation vector through the classifier and outputting the malicious code detection result. The input to the classifier of this embodiment is the second classical representation vector.
The second quantum state vector may be mapped to the second classical representation vector based on a density matrix, for example, and the classifier may be implemented based on, for example, random forests, logistic regression, support vector machines, Bayesian or neural networks, etc. In the dimension of classical representation data, the existing classifier structure can be reused, malicious code samples and non-malicious code samples are input in advance for training, and the difficulty of adapting a traditional neural network is reduced.
In other embodiments, the classifier includes a feedforward neural network comprising a hidden layer and an output layer implemented based on a variational quantum classifier, and obtaining the malicious code detection result output by the classifier according to the input includes: processing the input with the hidden layer, and processing the output of the hidden layer through the variational quantum classifier to obtain the malicious code detection result. The input to the classifier of this embodiment is the second quantum state vector.
Illustratively, the hidden layer of the feedforward neural network may include one or more layers, each layer including at least one quantum state neuron, and the connection relationship between the layers may refer to a conventional neural network, for example, a full connection relationship.
Illustratively, a variational quantum neural network used to solve a classification problem is also referred to as a variational quantum classifier. The variational quantum classifier is a typical classical-quantum hybrid algorithm: a parameterized quantum circuit is evolved on a quantum computer, and the quantum computer's prediction for the second quantum state vector, which is the malicious code detection result, is obtained through quantum measurement. Owing to quantum entanglement, when the dimensions of the output layers are the same, the quantum state has a larger representation space, can process high-dimensional data, and can improve the prediction speed; compared with a traditional classifier it can achieve accurate classification in a shorter time, improving malicious code detection efficiency.
The malicious code detection model can be implemented based on a quantum hybrid neural network, and the malicious code detection method of fig. 2-8 can be implemented by running the model in a server. Fig. 9 schematically illustrates an architecture diagram of a malicious code detection model according to an embodiment of the present disclosure.
Data collection and preprocessing are performed first. Existing datasets, such as the EMBER dataset and/or the SoReL-20M dataset (for example only), may be collected and sorted into a training set and a test set, each including normal, malicious and unknown samples distributed in a certain proportion. Taking the EMBER dataset as an example, it consists of a set of JSON Lines files, where each line contains one JSON object. Each object contains the following types of data: the sha256 hash of the original file, time information (used to estimate the time the file first appeared), a label (benign 0, malicious 1, unlabeled -1) and 8 groups of raw features (such as general information, header information, import functions, export functions, section information, strings, byte entropy, histograms or other functions).
Referring to fig. 9, a hybrid neural network based on quantum states (including, for example, a quantum attention layer) is shown; the processed training data set is input for training, and the model is obtained after convergence. Finally, the code data to be detected is predicted by the constructed model, which outputs whether it is malicious code.
Step 1: encoding is performed on the collected data, where the feature dimension (emmbed_dim) is set to n_qubits (i.e. the number of qubits) and the longest text length is L, so as to obtain an encoded vector X; the output result is Y.
Step 2: pos_embedding is performed on the encoded vector to obtain an encoded vector X'.
Step 3: X' is passed through a plurality of Norm layers and Drop layers. The Norm layers improve the generalization capability of the model, and the Drop layers prevent overfitting.
Step 4: X' is passed through the quantum-based quant_layer, which contains the quantum circuit, to obtain X_q.
Step 5: X_q is passed through a classifier (classifier) to obtain Y', and loss(Y, Y') is calculated until the model converges, after which prediction is performed. For example, the loss layer calculates the loss with a Binary CrossEntropy Loss function, and prediction can be performed after the model converges.
According to the embodiment of the disclosure, a quantum-state-based hybrid neural network is designed on the basis of the advantages of a quantum neural network, such as faster calculation speed, higher memory capacity, smaller network scale, stronger parallel processing capability and the ability to eliminate catastrophic forgetting, combined with the design ideas of the classical neural network and the quantum neural network, and an extensible, efficient and accurate method for detecting malicious code is provided. Meanwhile, owing to quantum entanglement, when the dimensions of the output layers are the same, the quantum state has a larger representation space, fewer neurons are required and the network scale is smaller, which can effectively address the poor robustness of a traditional neural network when processing adversarial samples, so that the accuracy and efficiency of malicious code detection are remarkably improved.
Based on the malicious code detection method, the disclosure also provides a malicious code detection device. The device will be described in detail below in connection with fig. 10.
Fig. 10 schematically shows a block diagram of a malicious code detection apparatus according to an embodiment of the present disclosure.
As shown in fig. 10, the malicious code detection apparatus 1000 of this embodiment includes a feature information module 1010, a feature encoding module 1020, a quantum state module 1030, and a classification module 1040.
The feature information module 1010 may perform operation S210, for obtaining feature information of code data to be detected, where the code data to be detected includes at least one code statement and/or operation information generated after the execution of the at least one code statement.
In some embodiments, the feature information module 1010 may perform operations S310 to S320, and operations S410 to S420, which are not described herein.
The feature encoding module 1020 may perform operation S220 for word encoding and position encoding the feature information to obtain a first classical representation vector.
The quantum state module 1030 may perform operation S230 for inputting the first classical representation vector to the quantum attention layer for processing, including obtaining a second quantum state vector based on the quantum attention mechanism after converting the first classical representation vector to the first quantum state vector.
In some embodiments, the quantum state module 1030 may perform operations S510-S520, and operations S710-S730, which are not described herein.
The classification module 1040 may perform operation S240 for obtaining the malicious code detection result output by the classifier according to the input after obtaining the input of the classifier based on the second quantum state vector.
The malicious code detection apparatus 1000 includes modules for performing the steps of any of the embodiments described above with reference to fig. 2 to 9. The implementation manner, the solved technical problems, the realized functions and the realized technical effects of each module/unit/sub-unit and the like in the apparatus part embodiment are the same as or similar to the implementation manner, the solved technical problems, the realized functions and the realized technical effects of each corresponding step in the method part embodiment, and are not repeated herein.
Any of the feature information module 1010, the feature encoding module 1020, the quantum state module 1030, and the classification module 1040 may be combined in one module to be implemented, or any of them may be split into a plurality of modules, according to embodiments of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module.
At least one of the feature information module 1010, the feature encoding module 1020, the quantum state module 1030, and the classification module 1040 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging the circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, at least one of the feature information module 1010, the feature encoding module 1020, the quantum state module 1030, and the classification module 1040 may be at least partially implemented as a computer program module that, when executed, performs the corresponding functions.
Fig. 11 schematically illustrates a block diagram of an electronic device adapted to implement a malicious code detection method according to an embodiment of the disclosure.
As shown in fig. 11, an electronic device 1100 according to an embodiment of the present disclosure includes a processor 1101 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1102 or a program loaded from a storage section 1108 into a Random Access Memory (RAM) 1103. The processor 1101 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1101 may also include on-board memory for caching purposes. The processor 1101 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flow according to embodiments of the present disclosure.
In the RAM 1103, various programs and data necessary for the operation of the electronic device 1100 are stored. The processor 1101, ROM 1102, and RAM 1103 are connected to each other by a bus 1104. The processor 1101 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1102 and/or the RAM 1103. Note that the program can also be stored in one or more memories other than the ROM 1102 and the RAM 1103. The processor 1101 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in one or more memories.
According to an embodiment of the disclosure, the electronic device 1100 may also include an input/output (I/O) interface 1105, which is also connected to the bus 1104. The electronic device 1100 may also include one or more of the following components connected to the I/O interface 1105: an input portion 1106 including a keyboard, a mouse, etc.; an output portion 1107 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), a speaker, and the like; a storage portion 1108 including a hard disk or the like; and a communication portion 1109 including a network interface card such as a LAN card, a modem, and the like. The communication portion 1109 performs communication processing via a network such as the Internet. The drive 1110 is also connected to the I/O interface 1105 as needed. Removable media 1111, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is mounted on the drive 1110 as needed, so that a computer program read therefrom is installed into the storage portion 1108 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments. Or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 1102 and/or RAM 1103 described above and/or one or more memories other than ROM 1102 and RAM 1103.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1101. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program can also be transmitted, distributed over a network medium in the form of signals, downloaded and installed via the communication portion 1109, and/or installed from the removable media 1111. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1109, and/or installed from the removable media 1111. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1101. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in a variety of ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined and/or integrated in various ways without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (12)

1. A malicious code detection method, comprising:
acquiring characteristic information of code data to be detected, wherein the code data to be detected comprises at least one section of code statement and/or operation information generated after the at least one section of code statement is executed;
performing word coding and position coding on the characteristic information to obtain a first classical representation vector;
inputting the first classical representation vector to a quantum attention layer for processing, wherein the processing comprises the steps of converting the first classical representation vector into a first quantum state vector and obtaining a second quantum state vector based on a quantum attention mechanism;
and obtaining an input of a classifier based on the second quantum state vector, and then obtaining the malicious code detection result output by the classifier according to the input.
2. The method of claim 1, wherein the classifier comprises a feedforward neural network including a hidden layer and an output layer implemented based on a variational quantum classifier, and obtaining the malicious code detection result output by the classifier according to the input comprises:
processing the input with the hidden layer;
and processing the output of the hidden layer through the variational quantum classifier to obtain the malicious code detection result.
3. The method of claim 1, wherein acquiring characteristic information of code data to be detected comprises:
extracting metadata and/or original characteristic data in the at least one code statement;
and obtaining first characteristic information in the characteristic information according to the metadata and/or the original characteristic data.
4. A method according to claim 3, wherein the original characteristic data comprises N functions, N being greater than or equal to 1, and obtaining the first characteristic information comprises:
analyzing the internal code information of the N functions to obtain at least part of the first characteristic information; and/or
analyzing calling relations among the N functions to form a call graph, and extracting graph features from the call graph as at least part of the first characteristic information; and/or
analyzing the code annotation information of each of the N functions, and performing natural language processing on the code annotation information to obtain at least part of the first characteristic information.
5. A method according to claim 1 or 3, wherein acquiring characteristic information of code data to be detected comprises:
determining at least one of code behavior, operation process log and operation result in the operation information; and
obtaining second characteristic information in the characteristic information based on at least one of the code behavior, the operation process log and the operation result.
6. The method of claim 1, wherein the deriving a second quantum state vector based on a quantum attention mechanism comprises:
weighting the first quantum state vector through a quantum state query matrix, a key matrix and a value matrix to obtain a quantum state query vector, a key vector and a value vector;
calculating the correlation between the query vector and the key vector based on a quantum bit gate and a single bit rotation gate to obtain a correlation coefficient matrix;
and obtaining the second quantum state vector based on the correlation coefficient matrix and the value vector.
7. The method of claim 6, wherein
obtaining the input of the classifier based on the second quantum state vector comprises: mapping the second quantum state vector to a second classical representation vector;
obtaining the malicious code detection result output by the classifier according to the input comprises: processing the second classical representation vector through the classifier, and outputting the malicious code detection result.
8. The method of claim 1, wherein the number of dimensions of the first classical representation vector is equal to a number of quanta, and converting the first classical representation vector into a first quantum state vector comprises:
respectively performing angle coding on each dimension of the first classical representation vector to obtain an angle coding vector;
and processing the angle coding vector through M quantum circuits to obtain the first quantum state vector, wherein M is greater than or equal to 1.
9. A malicious code detection apparatus, comprising:
the characteristic information module is used for acquiring characteristic information of code data to be detected, wherein the code data to be detected comprises at least one section of code statement and/or operation information generated after the at least one section of code statement is executed;
the feature coding module is used for carrying out word coding and position coding on the feature information to obtain a first classical representation vector;
the quantum state module is used for inputting the first classical representation vector into the quantum attention layer for processing, wherein the processing comprises converting the first classical representation vector into the first quantum state vector and then obtaining a second quantum state vector based on a quantum attention mechanism;
and the classification module is used for obtaining the malicious code detection result output by the classifier according to the input after obtaining the input of the classifier based on the second quantum state vector.
10. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-8.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-8.
12. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 8.
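
A classical simulation of the angle coding in claim 8 and the correlation-then-weighting step in claim 6, added here as an illustration and not taken from the patent. The RY rotation, the squared-overlap correlation, the row normalisation and the identity query/key/value weights are assumptions; the claims do not specify these circuits.

```python
import math

def angle_encode(x):
    """Claim 8, step 1: one qubit per dimension; RY(x_i)|0> = (cos(x_i/2), sin(x_i/2))."""
    return [(math.cos(v / 2), math.sin(v / 2)) for v in x]

def state_vector(qubits):
    """Tensor product of the single-qubit states: 2**n real amplitudes."""
    amps = [1.0]
    for a0, a1 in qubits:
        amps = [a * b for a in amps for b in (a0, a1)]
    return amps

def correlation(q, k):
    """Squared overlap |<q|k>|^2 of two encoded states, in [0, 1] (assumed measure)."""
    sq, sk = state_vector(angle_encode(q)), state_vector(angle_encode(k))
    inner = sum(a * b for a, b in zip(sq, sk))
    return inner * inner

def attention(queries, keys, values):
    """Claim 6: correlation coefficient matrix, then a weighted sum of value vectors."""
    coeffs, outputs = [], []
    for q in queries:
        row = [correlation(q, k) for k in keys]
        total = sum(row)
        # Every key orthogonal to the query: fall back to uniform weights.
        row = [r / total for r in row] if total > 1e-12 else [1.0 / len(keys)] * len(keys)
        coeffs.append(row)
        outputs.append([sum(w * v[d] for w, v in zip(row, values))
                        for d in range(len(values[0]))])
    return coeffs, outputs

# Constructed input: two 2-dimensional token vectors (angles in radians).
TOKENS = [[0.0, 0.0], [math.pi / 2, 0.0]]
VALUES = [[1.0, 0.0], [0.0, 1.0]]

def demo():
    # Queries and keys are both the raw tokens here (identity weight matrices).
    return attention(TOKENS, TOKENS, VALUES)

if __name__ == "__main__":
    coeffs, outputs = demo()
    print(coeffs)
    print(outputs)
```

The state vector grows as 2**n with the number of encoded dimensions, so this simulation is only practical for small vectors.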
CN202310511436.6A 2023-05-08 2023-05-08 Malicious code detection method, device, equipment and medium Pending CN116383707A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310511436.6A CN116383707A (en) 2023-05-08 2023-05-08 Malicious code detection method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116383707A true CN116383707A (en) 2023-07-04

Family

ID=86971169

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310511436.6A Pending CN116383707A (en) 2023-05-08 2023-05-08 Malicious code detection method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116383707A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117093996A (en) * 2023-10-18 2023-11-21 湖南惟储信息技术有限公司 Safety protection method and system for embedded operating system
CN117093996B (en) * 2023-10-18 2024-02-06 湖南惟储信息技术有限公司 Safety protection method and system for embedded operating system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination