
Research On Artificial Immune Algorithms On Malware Detection

Posted on: 2013-01-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Y Zhang
Full Text: PDF
GTID: 1118330374476419
Subject: Computer application technology

Abstract/Summary:
Because current malware detection methods cannot meet actual needs, we present new run-time malware detection methods based on IRP (I/O Request Packets). Artificial immune systems (AIS) are used for malware detection based on IRP. Several artificial immune algorithms are proposed to improve the effectiveness and accuracy of malware detection. The main contributions are summarized as follows:

(1) A classification model based on artificial immunity is proposed. This model simulates the recognition processes of the biological immune system, from the innate to the adaptive immune system, and is successfully applied to malware detection based on IRP.

(2) To address the inefficiency of the negative selection algorithm (NSA), we integrate the NSA and the positive selection algorithm (PSA) to select short IRP sequences that exist only in malicious IRP sequences and use them to detect malware. This method uses only a few detectors and is highly efficient, with a low false positive rate and no significant drop in true positive rate. To solve the problem that the traditional NSA has no capacity for life-long learning, a life-long learning negative selection algorithm (LNSA) is proposed. LNSA simulates the processes of central tolerance and peripheral tolerance in the human immune system. LNSA solves the high false positive problem of the traditional NSA.

(3) Data mining algorithms, including Naïve Bayes, Bayesian Networks, Support Vector Machine, C4.5 Decision Tree and Boosting, are used in malware detection based on IRP. Because embedded malware is difficult to detect, a new embedded malware detection method based on the C4.5 decision tree is proposed. The 500 high-information-gain n-grams are extracted as attributes to build a decision tree for detecting unknown embedded malware. Experimental results show that there are obvious advantages in detection rate and classification accuracy when the C4.5 decision tree is used in embedded malware detection.

(4) Based on the idea of the positive selection algorithm, a multi-class classification algorithm, the positive selection classification algorithm (PSCA), is proposed. This algorithm turns a multi-class classification problem into a two-class classification problem, self and nonself, and the detectors that can only recognize self are selected by positive selection. An initial algorithm for detector generation based on the maximum distance is proposed to cover more self-space with fewer detectors, and the clone selection algorithm is used to search for approximately optimal detectors. Solutions are presented for the hole and overlap problems, and noisy data is handled in PSCA. Experiments on benchmark data sets show that PSCA outperforms AIRS, ANSC and some other general classification algorithms.

(5) Following the principle of integrated innate immunity and adaptive immunity in the body's immune system, a classification algorithm for low-dimensional data, the integrated innate and adaptive artificial immune system (IAAIS), is proposed. A shape-space is defined in IAAIS and evenly covered with each kind of antibody. Each antigen has a "danger zone", and antibodies in the "danger zone" with the same class as the antigen can receive stimulation from this antigen. In the learning process, stimulated antibodies are generated from the training data. In the classification process, unknown data is classified by the sum of the antibodies' stimulation levels in the "danger zone". A solution for an unbalanced number of training data is presented. Experimental results reveal that IAAIS outperforms algorithms based on AIS, ARIS and ANSC, and the classical classification algorithms C4.5 decision tree, Naïve Bayes, Bayesian Networks, and Support Vector Machine, on low-dimensional data, and the accuracy for Iris data is 97.3%.
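The idea in contribution (2), selecting short IRP sequences that occur only in malicious traces, can be sketched as follows; this is an added illustration, not code from the dissertation. It assumes fixed-length n-grams, exact matching, a minimum-support cutoff, and small constructed traces, none of which the abstract specifies.

```python
from collections import Counter

def ngrams(trace, n):
    """Set of length-n windows over one IRP trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}

def build_detectors(malicious, benign, n=3, min_support=2):
    """Select short sequences that occur only in malicious traces."""
    # Positive selection: a candidate must recur across malicious traces.
    support = Counter()
    for trace in malicious:
        support.update(ngrams(trace, n))  # set input: one count per trace
    # Negative selection: drop candidates that match any benign (self) trace.
    self_grams = set()
    for trace in benign:
        self_grams |= ngrams(trace, n)
    return {g for g, c in support.items()
            if c >= min_support and g not in self_grams}

def score(trace, detectors, n=3):
    """Number of distinct detectors that fire on a trace."""
    return len(ngrams(trace, n) & detectors)

def is_malicious(trace, detectors, n=3, threshold=1):
    """Flag a trace when at least `threshold` detectors match (assumed rule)."""
    return score(trace, detectors, n) >= threshold

# Constructed sample traces: IRP major function names, IRP_MJ_ prefix omitted.
BENIGN = [
    "CREATE READ CLEANUP CLOSE".split(),
    "CREATE QUERY_INFORMATION READ WRITE CLEANUP CLOSE".split(),
    "CREATE READ WRITE CLEANUP CLOSE".split(),
]
MALICIOUS = [
    "CREATE READ WRITE SET_INFORMATION CLEANUP CLOSE".split(),
    "CREATE DIRECTORY_CONTROL CREATE READ WRITE SET_INFORMATION "
    "CLEANUP CLOSE".split(),
]
DETECTORS = build_detectors(MALICIOUS, BENIGN)

if __name__ == "__main__":
    for gram in sorted(DETECTORS):
        print(" -> ".join(gram))
    unseen = "QUERY_INFORMATION READ WRITE SET_INFORMATION CLEANUP CLOSE".split()
    print("unseen trace flagged:", is_malicious(unseen, DETECTORS))
```

The n-gram CREATE, READ, WRITE recurs in both malicious traces but is discarded because a benign trace also contains it, which is how the negative-selection step keeps the false positive rate down with only a handful of detectors.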
Keywords/Search Tags: Artificial Immune System, Malware Detection, Negative Selection Algorithm, Positive Selection Algorithm, Clonal Selection Algorithm, Classification