基于序列特征选择的自适应恶意软件检测：一种用于智能分类的Dueling Double Deep Q-Network (D3QN)框架 (Adaptive Malware Detection using Sequential Feature Selection: A Dueling Double Deep Q-Network (D3QN) Framework for Intelligent Classification)

Traditional malware detection methods exhibit computational inefficiency due to exhaustive feature extraction requirements, creating accuracy-efficiency trade-offs that limit real-time deployment. We formulate malware classification as a Markov Decision Process with episodic feature acquisition and propose a Dueling Double Deep Q-Network (D3QN) framework for adaptive sequential feature selection. The agent learns to dynamically select informative features per sample before terminating with classification decisions, optimizing both detection accuracy and computational cost through reinforcement learning. We evaluate our approach on Microsoft Big2015 (9-class, 1,795 features) and BODMAS (binary, 2,381 features) datasets. D3QN achieves 99.22% and 98.83% accuracy while utilizing only 61 and 56 features on average, representing 96.6% and 97.6% dimensionality reduction. This yields computational efficiency improvements of 30.1x and 42.5x over traditional ensemble methods. Comprehensive ablation studies demonstrate consistent superiority over Random Forest, XGBoost, and static feature selection approaches. Quantitative analysis demonstrates that D3QN learns non-random feature selection policies with 62.5% deviation from uniform baseline distributions. The learned policies exhibit structured hierarchical preferences, utilizing high-level metadata features for initial assessment while selectively incorporating detailed behavioral features based on classification uncertainty. Feature specialization analysis reveals 57.7% of examined features demonstrate significant class-specific discrimination patterns. Our results validate reinforcement learning-based sequential feature selection for malware classification, achieving superior accuracy with substantial computational reduction through learned adaptive policies.

翻译：传统的恶意软件检测方法由于需要穷举式特征提取，存在计算效率低下的问题，由此产生的准确率与效率间的权衡限制了其实时部署能力。本文将恶意软件分类建模为具有阶段性特征获取的马尔可夫决策过程，并提出一种用于自适应序列特征选择的Dueling Double Deep Q-Network (D3QN)框架。智能体通过学习，在终止分类决策前动态地为每个样本选择信息丰富的特征，通过强化学习同时优化检测准确率和计算成本。我们在Microsoft Big2015（9分类，1,795个特征）和BODMAS（二分类，2,381个特征）数据集上评估了所提方法。D3QN分别实现了99.22%和98.83%的准确率，同时平均仅使用了61个和56个特征，相当于实现了96.6%和97.6%的维度约减。这带来了相较于传统集成方法30.1倍和42.5倍的计算效率提升。全面的消融实验证明了该方法相对于随机森林、XGBoost以及静态特征选择方法具有一致优越性。定量分析表明，D3QN学习到的特征选择策略是非随机的，其分布与均匀基线分布的偏离度达62.5%。学习到的策略展现出结构化的层次偏好：利用高层元数据特征进行初步评估，同时根据分类不确定性有选择地纳入详细的行为特征。特征特异性分析揭示，57.7%的被检特征表现出显著的类别区分模式。我们的结果验证了基于强化学习的序列特征选择在恶意软件分类中的有效性，通过学习到的自适应策略，在实现卓越准确率的同时大幅降低了计算开销。