基于多特征融合的PE恶意代码检测与分类研究

doi:10.11871/jfdc.issn.2096-742X.2025.06.008

数据与计算发展前沿 ›› 2025, Vol. 7 ›› Issue (6): 77-91.

CSTR: 32002.14.jfdc.CN10-1649/TP.2025.06.008

doi: 10.11871/jfdc.issn.2096-742X.2025.06.008

• 专刊：第40次全国计算机安全学术交流会征文 • 上一篇下一篇

基于多特征融合的PE恶意代码检测与分类研究

令狐荣微¹(),张瑜^1,^*(),石元泉²,杨玉军³

1.广东技术师范大学，网络空间安全学院，广东广州 510665
2.湖南第一师范学院，计算机学院，湖南长沙 410205
3.怀化学院，计算机与人工智能学院，湖南怀化 418000

收稿日期:2025-08-04 出版日期:2025-12-20 发布日期:2025-12-17
通讯作者: 张瑜
作者简介:令狐荣微，广东技术师范大学，硕士研究生，主要研究方向为恶意代码检测与分类。
本文承担工作为：模型设计，模型算法实现。
LINGHU Rongwei is a master’s student at Guangdong Polytechnic Normal University. Her research interests include malware detection and classification.
In this paper, she is responsible for the model design and algorithm implementation
E-mail: Linghu@gpnu.edu.cn|张瑜，广东技术师范大学硕士生导师，主要研究方向为恶意代码、网络攻防、免疫计算、人工智能等。
本文承担工作为:指导选题以及算法与模型优化。
ZHANG Yu is a master’s supervisor at Guangdong Polytechnic Normal University. His research interests include malware, network attack and defense, immune computation, and artificial intelligence.
In this work, he is responsible for supervising the selection of the research topic and the optimization of the algorithm and model.
E-mail：bullzhangyu@gpnu.edu.cn
基金资助:
国家自然科学基金(61862022);国家自然科学基金(62172182);广东省自然科学基金(2023A1515011084);广东省高校重点科研项目(2022ZDZX1011);浙江省信息安全重点实验室项目(KF202306);广东技术师范大学博士点提升计划(22GPNUZDJS27)

Multi-Feature Fusion-Based Detection and Classification of Portable Executable Malware

LINGHU Rongwei¹(),ZHANG Yu^1,^*(),SHI Yuanquan²,YANG Yujun³

1. College of Cybersecurity, Guangdong Polytechnic Normal University, Guangzhou, Guangdong 510665, China
2. School of Computer Science, Hunan First Normal University, Changsha, Hunan 410205, China
3. School of Computer and Artificial Intelligence, Huaihua University, Huaihua, Hunan 418000, China

Received:2025-08-04 Online:2025-12-20 Published:2025-12-17
Contact: ZHANG Yu

摘要/Abstract

摘要：

【目的】为了解决传统恶意代码的静态分析方法不仅依赖反汇编，而且特征提取十分耗时的问题。【方法】与现有依赖反汇编或动态分析的研究不同，本方法直接从二进制文件中提取熵、三阶马尔可夫矩阵与导入导出表特征，将三者融合构建三维张量。随后，采用双线性插值算法进行尺寸归一化，将生成统一尺寸的可视化图像输入卷积神经网络进行分类学习。【结果】显著降低了特征提取时间，同时保持了对复杂变种的鲁棒性，在BODMAS数据集上进行验证，该方法的分类准确率高达97.06%。【结论】证明了其有效性和鲁棒性。

关键词: 恶意代码, 可视化, 特征提取, 特征融合, 深度学习

Abstract:

[Objective] This paper is to address the limitations of traditional static malware analysis methods which heavily rely on disassembly technology and involve time-consuming feature extraction. [Methods] Unlike prior work that depends on disassembly or dynamic analysis, this method directly extracts entropy, third-order Markov matrices, and import/export-table features from the raw binaries, fusing the three into a unified three-dimensional tensor. Bilinear interpolation is then applied for size normalization, producing fixed-size visualized images that are fed into a convolutional neural network for classification. [Results] The proposed method significantly reduces feature-extraction time while preserving robustness against complex variants. Experiments conducted on the BODMAS dataset demonstrate that the proposed method achieves a high classification accuracy of 97.06%. [Conclusions] The results validate the effectiveness and robustness of the proposed method..

Key words: malicious code, visualization, feature extraction, feature fusion, deep learning

令狐荣微,张瑜,石元泉,杨玉军. 基于多特征融合的PE恶意代码检测与分类研究[J]. 数据与计算发展前沿, 2025, 7(6): 77-91.

LINGHU Rongwei,ZHANG Yu,SHI Yuanquan,YANG Yujun. Multi-Feature Fusion-Based Detection and Classification of Portable Executable Malware[J]. Frontiers of Data and Computing, 2025, 7(6): 77-91, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2025.06.008.

图/表 21

图1

图2

图3

图4

图5

表1

图6

表2

图7

图8

图9

图10

图11

图12

表3

图13

图14

图15

图16

图17

图18

参考文献 35

[1]	Kaspersky. 威胁数量上升: 2023年网络罪犯每天释放411,000个恶意文件[EB/OL]. (2023)[2023-07-14]. https://www.kaspersky.com.cn/about/press-relea-ses/rising-threats.
[2]	Federal Office for Information Security. The State of IT Security in Germany 2024[R/OL]. (2024-11-12)[2024-11-12]. https://www.bsi.bund.de/EN/Service-N- avi/Publikationen/Lagebericht/lagebericht_node.html.
[3]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification[C]. Malicious code classification method based on deep residual network and hybrid attention mechanism for edge s, 2011: 1-7.
[4]	HAN J, ZHANG Y, WANG H. Malware Analysis Using Visualization Images and Entropy Graphs for Detecting and Distinguishing New Malware and Var-iants[J]. International Journal of Information Security, 2015, 10(4): 789-800.
[5]	FU Y, LI M, WANG X. Malware Visualization for Fine-Grained Classification[J]. IEEE Access, 2018, 6: 14510-14523.
[6]	SCHULTZ M G, ESKIN E, ZADOK F, et al. Data Mining Methods for Detection of New Malicious Executables[C]// Proceedings of the IEEE Symposium on Security and Privacy (S&P 2001), 2001: 38-49.
[7]	KOLTER J Z, MALOOF M A. Learning to detect and classify malicious executables in the wild[J]. Jouenal of Machine Learning Research, 2006, 7(12): 2721-2744.
[8]	COULL S E, GARDNER C. Activation analysis of a byte-based deep neural network for malware classification[C]. 2019 IEEE Security and Privacy Workshops (SPW). San Francisco, CA, 2019: 21-27.
[9]	SHAFIQ M Z, TABISH S M, MIRZA F, et al. PE-Miner: Mining structural information to detect malicious executables in realtime[C]. Recent Advances in Intrusion Detection. Intrusion Detect, 2009: 121-141.
[10]	LI B, ROUNDY K, GATES C, et al. Large-scale identification of malicious singleton files[C]. 7th ACM Conf Data and Application Security and Privacy (CODASPY), 2017: 227-238.
[11]	KUMAR A, KUPPUSAMY K S, AGHILA G. A learning model to detect maliciousness of portable executable using integrated feature set[J]. Journal of King Saud University-Computer and Information Sc-iences, 2019, 31(2): 252-265.
[12]	REZAEI T, HAMZEH A. An efficient approach for malware detection using PE header specifications[C]// 2020 6th International Conference on Web Research (ICWR). Tehran, Iran, 2020: 234-239.
[13]	赵晓君, 王小英, 张咏梅, 等. 基于恶意代码行为分析的入侵检测技术研究[J]. 计算机仿真, 2015, 32(4): 277-280.
[14]	GALAL H S, MAHDY Y B, ALLATIEA M. Behavior-based features model for malware detection[J]. Journal Of Computer Virology And Hacking Techniques, 2016, 12(2): 59-67.
[15]	KIM H, KIM J, KIM Y, et al. Improvement of malware detection and classification using API call sequence alignment and visualization[J]. Cluster Computing-the Journal Of Networks Software Tools And Applications, 2019, 22(1): 921-929.
[16]	AMER E, ZELINKA I. A dynamic Windows malware detection and prediction method based on contextual understanding of API call sequence[J]. Computers & Security, 2020, 92: 101760.
[17]	ANDERSON B, QUIST D, NEIL J, et al. Graph-based malware detection using dynamic analysis[J]. Journal of Computer Virology and Hacking Techniques., 2011, 7: 247-258.
[18]	BRIDGES R, JIMÉNEZ J H, NICHOLS J, et al. Towards malware detection via CPU power consumption: Data collection design and analytics[C]. 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). New York: 2018: 1680-1684.
[19]	SAYADI H, PATEL N, SASAN A, et al. Ensemble learning for effective run-time hardware-based malware detection: A comprehensive analysis and classification[C]// Proceedings of the 55th Annual Design Automation Conference. San Francisco, CA: 2018: 1-6.
[20]	BURNAP P, FRENCH R, TURNER F, et al. Malware classification using self organising feature maps and machine activity data[J]. Computers & Security, 2018, 73: 399-410.
[21]	GHANEI H, MANAVI F, HAMZEH A. A novel method for malware detection based on hardware events using deep neural networks[J]. Journal of Computer Virology and Hacking Techniques, 2021, 17: 1-13.
[22]	CHEN J J, PENG B Z, WU P Z. Malicious code detection method based on dynamic behavior and machine learning[J]. Computer Engineering, 2021, 47(3): 166-173.
[23]	NI S, QIAN Q, ZHANG R. Malware identification using visualization and deep learning[J]. Journal of Computer Virology and Hacking Techniques, 2016, 12(3): 173-182.
[24]	WANG J W, CHEN Z J, XIE X, et al. Deep visualization classification method for malicious code based on Ngram-TFIDF[J]. Journal on Communications, 2024, 45(6).
[25]	XIAO X, ZHANG S, MERCALDO F, et al. Android malware detection based on system call sequences and LSTM[J]. Multimedia Tools and Applications, 2018, 78(4): 3979-3999.
[26]	WOJNOWICZ M, CHISHOLM G, WOLFF M, et al. Wavelet decomposition of software entropy reveals symptoms of malicious code[J]. Journal of Innovation in Digital Ecosystems, 2016, 3(2): 130-140.
[27]	LIU L, HE X, LIU L, et al. Capturing the symptoms of malicious code in electronic documents by files entropy signal combined with machine learning[J]. Applied Soft Computing, 2019, 82: 105598.
[28]	YANLI Y S, YANG L, WANG D, et al. Malicious code classification method based on deep residual network and hybrid attention mechanism for edge security[J]. Wireless Communications & Mobile Computing, 2022, 2022: 6243713.
[29]	QI X, LIU W, LOU R, et al. MC-ISA: A multi-channel code visualization method for malware detection[J]. Electronics, 2023, 12(9): 2272.
[30]	LI S, WANG J, SONG Y, et al. Tri-channel visualised malicious code classification based on impr-oved ResNet[J]. Applied Intelligence, 2024, 54: 12-453-12475.
[31]	任卓君, 陈光, 卢文科. 恶意软件的操作码可视化方法研究[J]. 计算机工程与应用, 2021, 57(18): 130-134.
[32]	JIANG L, ZHANG Y, SHI Y. Visual fileless malware classification via few-shot learning[C]// International Conference on Cyber Security, Artificial Intelligence, and Digital Economy (CSAIDE 2023). SPIE, 2023, 12718: 113-124.
[33]	ZILIN Z, SHUMIAN Y, DAWEI Z. A new framework for visual classification of multi-channel malware based on transfer learning[J]. Applied Sciences, 2023, 13(4): 2484.
[34]	MAURO C, SHUBHAM K, P V. A few-shot malware classification approach for unknown family recognition using malware feature visualization[J]. Computers & Security, 2022, 122: 102889.
[35]	SULTANIK E. bin2png:A simple cross-platform script to encode binary files as PNG images[EB/OL]. GitHub. [2023-07-14]. https://github.com/ESultanik/bin2png.

参数	值
操作系统	Windons专业版64bit
随机存取内存	8.00 GB
处理器	Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz 1.80 GHz
硬盘	931GB SSD

方案	BODMAS				PE-Malware
方案	准确率	精度	Recall	F1-Score	准确率	精度	Recall	F1-Score
MTE（本方案）	97.06	97.02	96.85	96.85	96.97	97.04	97.42	97.13
DPP	91.01	91.58	92.82	91.64	92.8	94.74	93.77	93.66
GEM	87.03	89.17	90.76	89.29	88.64	90.25	90.03	90.09
Bin2	85.12	85.67	86.88	85.22	89.52	92.26	89.54	89.83
AHE	94.67	94.96	95.89	94.99	95.83	96.54	96.33	96.18

特征	BODMAS				PE-Malware
特征	准确率	精度	Recall	F1-Score	准确率	精度	Recall	F1-Score
E	86.4	89.76	89.83	87.99	89.52	90.15	91.04	90.35
M	83.82	92.76	88.2	88.18	88.76	92.27	88.95	89.46
T	85.76	89.19	90.5	87.64	83.08	83.98	84.85	78.83
E+M	91.49	91.07	94.44	92.09	91.16	93.88	92.59	92.06
E+T	93.56	92.75	94.4	93.12	94.19	94.4	94.79	94.42
T+M	90.38	90.99	91.74	90.96	92.68	94.31	93.2	93.23
MTE（本方案）	97.06	97.02	96.85	96.85	96.97	97.04	97.42	97.13

基于多特征融合的PE恶意代码检测与分类研究

Multi-Feature Fusion-Based Detection and Classification of Portable Executable Malware

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 21

参考文献 35

相关文章 15

编辑推荐

Metrics

本文评价

[1]	杨沁蒙,聂宁明,周纯葆,王彦棡. 基于深度学习的Taylor杆碰撞数值模拟算法[J]. 数据与计算发展前沿, 2025, 7(6): 101-110.
[2]	周法国,刘芳,王彦棡,王珏,于淼,李顺德,周纯葆,王婧,杨沁蒙. 面向国产超算的深度学习框架算子的移植与适配[J]. 数据与计算发展前沿, 2025, 7(6): 136-148.
[3]	辛昱杭,王琦祎,孙婧,赵春燕,刘雨佳,梁雪,陈杰. 基于雷达回波外推的短临降水预报模型TrajCast在国产加速器上的实践[J]. 数据与计算发展前沿, 2025, 7(5): 113-122.
[4]	王鹏,杨霄凤,何忠臣,杜君. 基于浅层-深层卷积循环神经网络的多光谱遥感图像全色锐化方法[J]. 数据与计算发展前沿, 2025, 7(5): 138-152.
[5]	曾艳,吴宝福,易广政,黄成创,邱扬,陈越,万健,胡帆,金思聪,梁迦隽,李欣. FlowAware：一种支持AI for Science任务的模型分布式自动并行方法[J]. 数据与计算发展前沿, 2025, 7(5): 65-87.
[6]	刘方超, 张立, 郭弟均, 陈剑, 吕英波, 凌宗成, 李博然, 李心语, 马云龙. 月球撞击坑形态特征的多维度聚类方法研究[J]. 数据与计算发展前沿, 2025, 7(4): 89-100.
[7]	凌宗成, 李勃, 魏广飞, 郭弟均, 吕英波, 刘长卿, 朱凯, 陈剑, 赵强, 李静, 胡国平, 王娇, 刘建忠. 行星探测特征信息提取与知识挖掘关键技术及应用研究[J]. 数据与计算发展前沿, 2025, 7(4): 3-19.
[8]	钟佳, 邹自明. 基于直接体可视化方法提取磁层顶结构[J]. 数据与计算发展前沿, 2025, 7(4): 79-88.
[9]	崔潇骁, 赵玉立, 修涵文, 薛晓光, 黄咏政, 何晓辉, 朱江. 面向非规则体离散的高效物质点生成技术研究[J]. 数据与计算发展前沿, 2025, 7(3): 174-184.
[10]	李宇程, 黄志都, 杨钦. 固定翼无人机异地起降大范围自动巡检技术设计[J]. 数据与计算发展前沿, 2025, 7(3): 185-193.
[11]	冯志宸, 李佳霖, 高雅倩, 田少博, 叶煌, 张鉴. 极端尺度相场模拟中的原位特征提取[J]. 数据与计算发展前沿, 2025, 7(3): 67-80.
[12]	贾子昂. 基于多源半监督学习的牙齿结构分割[J]. 数据与计算发展前沿, 2025, 7(2): 175-185.
[13]	李勇,任勇毛,殷卓然,周旭. 一种基于深度学习的轻量化流量识别模型[J]. 数据与计算发展前沿, 2025, 7(2): 3-11.
[14]	马秋平, 张琪, 赵晓凡. 图表问答研究综述[J]. 数据与计算发展前沿, 2025, 7(1): 19-37.
[15]	水映懿, 张琪, 李根, 张士豪, 吴尚. 基于多类特征的社交网络影响力预测研究综述[J]. 数据与计算发展前沿, 2025, 7(1): 2-18.