
Research On Malcode Detection Technology Based On Artificial Immune System

Posted on: 2014-12-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T L Lu
Full Text: PDF
GTID: 1268330401463074
Subject: Information security
Abstract/Summary:
With the rapid development of the Internet, especially the emergence of the mobile Internet and the rapid growth in smartphone users, the network has penetrated every aspect of people's daily lives. The openness and sharing characteristics of the Internet bring us convenience, but at the same time expose us to all kinds of security problems. As the primary threat, the widespread dissemination of malcode has caused huge economic losses, wasted users' valuable time, and interfered with their normal life and work. Malcode includes viruses, Trojan horses, worms, backdoors, malicious scripts, etc.

At present, defense against malcode relies on security products such as anti-virus software and anti-virus gateways. These products are mainly based on signature matching techniques, so a high detection rate can be achieved for known malcode, but the detection rate for newly appeared, unknown malcode is low. In the face of the accelerating growth of malcode, signature extraction needs more manpower, and as the signature database grows, anti-virus software consumes more computing and storage resources, so malcode detection efficiency is greatly constrained.

In order to detect malcode more effectively, and especially to recognize unknown malcode more accurately, several malcode detection techniques based on intelligent algorithms have been put forward in recent years, including data mining algorithms, neural networks and artificial immune systems. There is a natural similarity between malcode detection and the biological immune system: both need to accurately recognize the foreign entities that invade their systems. Malcode detection technology based on artificial immune systems has therefore drawn wide attention from scholars both at home and abroad, and has currently become a research hotspot in the field of information security.

The basic principles and mainstream algorithms of artificial immune systems are studied, including the negative selection algorithm, the clonal selection algorithm and the danger theory. This thesis addresses hole coverage optimization in the negative selection algorithm and detection technology based on artificial immune systems for both computer malcode and mobile phone malcode. The main innovations of the present thesis are as follows:

1. There are many kinds of immune-based malcode detection models, which differ in immune algorithms, application occasions and detection performance. The key technologies of these models are analyzed, including feature extraction, data encoding, matching rules between antigens and antibodies, detector generation strategies and the immune algorithms adopted. The representative research achievements of recent years are also summarized.

2. To address the problem that a large number of undetectable holes exist in the negative selection algorithm, an algorithm is proposed that directionally generates detectors for the holes using an r-chunk matching rule with a variable matching threshold, based on the hole set and the self set. The negative selection algorithm is improved into an NSA with double layers of detectors. Under the precondition of ensuring fast detection speed, this algorithm achieves wider coverage of the non-self space by increasing the detection rate of holes. Simulation results show that, compared with r-adjustable NSA, higher non-self space coverage is achieved, with especially better coverage of the holes' space.

3. In order to improve the adaptability of malcode detection systems to a continuously changing environment, and inspired by the biological immune system, a computer malcode detection model based on the dynamic clonal selection algorithm is proposed, working on binary string segments extracted from malcode. Compared with existing malcode detection models based on artificial immune systems, the dynamic clonal selection algorithm is introduced and improved, solving the problem that the self space is static during the training process. Experimental results show that the proposed model has stronger adaptability: it can effectively detect unknown malcode and has a lower false positive rate.

4. To address the low detection rate of signature-based malcode detection caused by variants and encryption protection techniques, a computer malcode detection model based on cloning and mutation of real-value encoded behavioral signatures is proposed. Behavioral signatures are collected while the malcode runs in a virtual machine environment. Antigens are generated by real-value encoding the behavioral signatures, and these antigens are also one of the sources of immature detectors. Mature detectors are generated by subjecting immature detectors to tolerance using the negative selection algorithm. To increase the diversity and affinity of detectors, detectors with high affinity are selected to proliferate and mutate using the clonal selection algorithm. Experimental results show that a higher detection rate and a lower false positive rate can be achieved by increasing the number of clonal generations. Compared with mainstream anti-virus software, it has a higher detection rate for obfuscated and encrypted malcode programs.

5. According to the propagation and destruction characteristics of mobile phone malcode, a malcode detection model based on the danger theory is proposed. This model includes four phases: danger capture, antigen presentation, antibody generation and antibody distribution. Local information of mobile phones is extracted and analyzed to discover danger caused by malcode, and a danger signal is sent out when the danger exceeds the threshold. A danger zone is built according to the strength of the danger signal, and the antigen presenting cells (APCs) present the antigens from mobile phones in the danger zone. After the decision center confirms the malcode infection, the antibody is generated and distributed to mobile phones. Due to the distributed and cooperative mechanism of the artificial immune system, the proposed model lowers the computing and storage consumption of mobile phones. Based on the detection model, a mobile phone malcode immunization strategy is proposed, which is proved to have a good inhibitory effect on the propagation of malcode.
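An added illustration of the hole problem behind innovation 2 (this is example code written for this page, not code from the thesis): a toy r-chunk negative selection over 5-bit strings with a constructed self set, enumerating the non-self strings that no censored detector can match, then a second detector layer aimed at exactly those holes with longer chunks. The second layer is a deliberate simplification and is assumed, not the thesis's variable-threshold directional algorithm.

```python
from itertools import product

def r_chunks(s, r):
    """All (position, chunk) pairs of length r in string s."""
    return {(p, s[p:p + r]) for p in range(len(s) - r + 1)}

def self_chunks(self_set, r):
    return set().union(*(r_chunks(s, r) for s in self_set))

def negative_selection(self_set, length, r):
    """Censor every candidate r-chunk detector (p, c) that occurs in some
    self string at position p; the survivors are the mature detectors."""
    seen = self_chunks(self_set, r)
    return {(p, c) for p in range(length - r + 1)
            for c in map("".join, product("01", repeat=r))
            if (p, c) not in seen}

def is_detected(x, detectors):
    # r-chunk rule: detector (p, c) matches x when x[p:p+len(c)] == c
    return any(x[p:p + len(c)] == c for p, c in detectors)

def holes(self_set, length, r):
    """Non-self strings that no mature detector can match."""
    detectors = negative_selection(self_set, length, r)
    universe = map("".join, product("01", repeat=length))
    return {x for x in universe if x not in self_set and not is_detected(x, detectors)}

def hole_detectors(self_set, hole_set, length, r):
    """Second layer aimed at the holes: per hole, the shortest chunk longer than r
    that no self string shares at that position (simplified stand-in, assumption)."""
    layer = set()
    for h in sorted(hole_set):
        for rr in range(r + 1, length + 1):
            free = r_chunks(h, rr) - self_chunks(self_set, rr)
            if free:
                layer.add(min(free))
                break
    return layer

# Constructed toy self set: two "normal" 5-bit strings.
SELF = {"00011", "11000"}
LENGTH = 5

def hole_counts(self_set=SELF, length=LENGTH):
    """Holes left by the first layer for each chunk length r."""
    return {r: len(holes(self_set, length, r)) for r in range(1, length + 1)}

if __name__ == "__main__":
    h = holes(SELF, LENGTH, 2)
    print(hole_counts(), sorted(h), sorted(hole_detectors(SELF, h, LENGTH, 2)))
```

With this self set, r = 2 leaves the holes 00000 and 11011 (both are stitched from self chunks), and the second layer closes them with the 3-chunks (1, "000") and (1, "101") without matching any self string.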
Keywords/Search Tags: malcode detection, artificial immune system, negative selection algorithm, hole, clonal selection algorithm, danger theory