基于图神经网络的抗混淆恶意软件检测方法  

作　　者：黄文盛 卞云波 HUANG Wensheng;BIAN Yunbo(School of Intelligent Engineering,Nanjing Open University,Nanjing 211200,China;Jiangsu Administrative Information Center for Education,Nanjing 210018,China)

机构地区：[1]南京开放大学智能工程学院,江苏南京211200 [2]江苏省电化教育馆,江苏南京210018

出　　处：《淮阴师范学院学报(自然科学版)》2025年第1期8-13,共6页Journal of Huaiyin Teachers College(Natural Science Edition)

基　　金：南京开放大学课程建设项目(JG202301);教育部供需对接就业育人项目(2023122881605)。

摘　　要：为更准确识别和分析恶意软件行为,提出一种基于图神经网络的抗混淆恶意软件检测方法.该方法使用Cuckoo Sandbox收集网络内软件行为代码序列后,先使用解析器生成器读取、处理和执行软件行为代码序列,生成软件代码二进制文件的抽象语法树.利用开源工具中的Joern对软件行为代码抽象语法树内的控制节点和控制边界进行遍历,生成软件行为代码图.以软件行为代码图作为基础,使用离散傅里叶变换方式提取软件行为代码图内恶意软件行为代码节点特征.将恶意软件行为代码特征输入到图神经网络模型内,图神经网络模型对恶意软件行为代码特征进行调用后,生成恶意软件行为代码调用图.对该调用图进行图采样、图嵌入以及信息融合等处理,运用预测层输入恶意软件抗检测结果.实验表明:该方法具备较强的软件行为代码属性图生成能力,可有效提取恶意软件行为代码特征,同时可准确检测不同类型恶意软件,且该方法具备较强的抗混淆性,应用性较佳.To more accurately identify and analyze malware behavior,thereby improving detection rate and reducing security risks,an anti-obfuscation malware detection method based on a graph neural network is studied.This method uses Cuckoo Sandbox to collect software behavior code sequences within the network,and then uses a trial parser generator to read,process,and execute the software behavior code sequence,generating an abstract syntax tree of the software code binary file.Using Joern in open-source tools to traverse the control nodes and control boundaries within the abstract syntax tree of software behavior code,generate a software behavior code graph.Based on the software behavior code graph,the discrete Fourier transform is used to extract the node features of malware behavior code within the software behavior code graph.Input the characteristics of malware behavior code into a graph neural network model,and the graph neural network model calls the characteristics of malware behavior code to generate a call graph of malicious software behavior code.Perform graph sampling,graph embedding,and information fusion on the call graph,and use a prediction layer to input malware detection results.The experiment shows that this method has strong ability to generate software behavior code.

关 键 词：图神经网络 代码属性图 傅里叶变换 抽象语法树 节点特征 恶意软件检测 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]