
Malware classification for feature fusion and knowledge distillation
Cite this article: ZHUANG Xian, CHEN Zhihao, CAI Tiecheng, CHEN Kaizhi, LIAO Xiangwen. Malware classification for feature fusion and knowledge distillation[J]. Journal of Fuzhou University (Natural Science Edition), 2023, 51(6): 762-768.
Authors: ZHUANG Xian, CHEN Zhihao, CAI Tiecheng, CHEN Kaizhi, LIAO Xiangwen
Institution: College of Computer and Data Science, Fuzhou University (all five authors)
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
Abstract: Malware classification is a multi-class task that aims to extract software features to train a model that determines the category of a malware sample. Existing work mainly uses deep neural networks to extract features from malware images for classification, and pays little attention to the correlation between the sequence features and distribution features of malware, which limits model performance. In addition, most existing models have a large number of parameters and often require substantial computing resources. We therefore propose a malware classification method based on feature fusion and knowledge distillation. On the one hand, residual networks extract the sequence features and distribution features of malware from the grayscale image and the Markov image respectively, and self-attention mines the correlation between the different features to improve model performance. On the other hand, a teacher network transfers knowledge to multiple student networks, and the student networks learn collaboratively from one another, to further reduce model size. Experimental results on the Microsoft and CCF datasets show that the method not only effectively improves model performance but also reduces the model's parameter count and computation. In addition, the paper uses heat maps to locate the bytes that influence the classification result, which explains the basis for the classification.
Keywords: malware classification, malware image, self-attention, knowledge distillation
Received: 2023/3/16
Revised: 2023/4/3
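
The two input representations named in the abstract, as an added example that is not the paper's code: it builds a grayscale image and a Markov image from raw bytes and compares two variants whose regions are swapped. The abstract does not specify the construction, so the row width of 16, the zero padding and the byte-transition definition of the Markov image are assumptions, and `CODE`, `DATA` and both variants are constructed sample bytes.

```python
# Added example, not the paper's code. Assumptions: fixed row width, zero
# padding, Markov image = row-normalised 256x256 byte-transition matrix.
from __future__ import annotations


def grayscale_image(data: bytes, width: int = 16) -> list[list[int]]:
    """Reshape bytes row by row; pixel value = byte value.
    Byte order is preserved, so the image carries sequence information."""
    padded = data + bytes(-len(data) % width)  # zero-pad the last row
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


def markov_image(data: bytes) -> list[list[float]]:
    """Entry [a][b] estimates P(next byte = b | current byte = a).
    Always 256x256, whatever the file length: distribution information."""
    counts = [[0] * 256 for _ in range(256)]
    for a, b in zip(data, data[1:]):
        counts[a][b] += 1
    image = []
    for row in counts:
        total = sum(row) or 1  # rows for unseen bytes stay all zero
        image.append([c / total for c in row])
    return image


def compare(a: bytes, b: bytes, width: int = 16) -> tuple[int, float]:
    """Return (grayscale pixels that differ, L1 distance of Markov images)."""
    ga, gb = grayscale_image(a, width), grayscale_image(b, width)
    changed = sum(p != q for ra, rb in zip(ga, gb) for p, q in zip(ra, rb))
    ma, mb = markov_image(a), markov_image(b)
    l1 = sum(abs(p - q) for ra, rb in zip(ma, mb) for p, q in zip(ra, rb))
    return changed, l1


# Constructed sample input: the same two byte regions in swapped order,
# standing in for two variants of one family with reordered sections.
CODE = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC3, 0x90]) * 32
DATA = bytes(range(0x20, 0x60)) * 4
VARIANT_A = CODE + DATA
VARIANT_B = DATA + CODE

if __name__ == "__main__":
    changed, l1 = compare(VARIANT_A, VARIANT_B)
    rows = len(grayscale_image(VARIANT_A))
    print(f"grayscale {rows}x16: {changed} of {rows * 16} pixels differ")
    print(f"markov 256x256: L1 distance {l1:.4f}")
```

Swapping the two regions changes every grayscale pixel while the Markov images differ only at the single junction transition, which illustrates why the two views carry complementary information.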