Computer Virus Conserved Patterns Based On Innate-Immune System

Posted on: 2008-09-15
Degree: Doctor
Type: Dissertation
Country: China
Candidate: M Q Song
GTID: 1118360242967513
Subject: Management Science and Engineering
Abstract/Summary:
According to the CSI/FBI computer crime and security surveys of the past five years, computer viruses have remained at the top of all twelve kinds of information security events, although nearly 100% of respondents have anti-virus software and firewalls, and 70%~80% of them use IDS. The main reason for this phenomenon is that the emergence of various new attack methods, encryption and polymorphic technologies accelerates the appearance of computer viruses and their variants. Present virus detection technologies based on signatures and a priori system knowledge show the drawbacks of being passive and lagging. New and more effective virus detection technologies are being considered.

In fact, computer virus detection is pattern recognition. It includes two aspects: one is the description of the pattern characteristics, the other is the pattern recognition method. The traditional signature-based scanner is exact for known viruses, but customers' signature bases must be updated very frequently because those signatures can easily be changed by computer virus authors. Analysis of malicious virus behavior consumes more resources on host computers, and consequently it is very difficult to monitor systems online in a timely manner. Anomaly detection based on statistics can recognize unknown viruses, but it has a high false positive rate. The prevalent combination of signature scanner and statistical analysis seems more effective, but it comes at the high cost of consuming computer resources, and users still have to download signature bases frequently. Common antivirus software takes at least 1 hour to scan a computer disk.

In order to solve the above-mentioned problems, a new concept of computer virus conserved pattern is presented in this paper, inspired by the powerful human innate immune system. In-depth research is carried out on the mathematical description of computer virus conserved patterns, feature extraction, online virus detection based on computer virus conserved pattern rules, and the corresponding AIS model. The main work of this dissertation is as follows.

(1) Presenting the concept of computer virus conserved patterns

Based on a theoretical analysis of the human immune system, the new concept of computer virus conserved patterns is presented, inspired by recent research results on pattern recognition receptors (PRR) and pathogen-associated molecular patterns (PAMP) in the human innate immune system. The mathematical descriptions of computer virus conserved patterns are defined. Computer virus categories and structural decomposition based on a knowledge tree are employed to map the relationships between computer virus structure features and function mechanisms; they are also the basis for constructing computer virus conserved patterns and for classification reasoning. In the meantime, VSM is used to describe computer virus structure knowledge, which decreases data memory space and, consequently, the computing time of pattern matching. A comprehensive method combining statistics and comparison is then used to extract the characteristic functions of computer virus conserved patterns.

(2) Improving the pattern matching algorithms

Pattern matching algorithms are very important in pattern recognition, including computer virus detection and intrusion detection. In this dissertation, a new rapid multi-pattern matching algorithm called NMSA is presented. It applies the finite state automaton theory of the AC algorithm to construct the pattern trees, and it also applies the heuristic idea of the BM algorithm to obtain more jumps. Its steps are longer than those of BM, AC, and AC-BM. Theoretical analysis and test data show that NMSA needs less time for pattern matching, whether in single-pattern matching or in multi-pattern matching.

(3) Applying computer virus conserved patterns to IDS to implement online virus detection

The computer virus conserved pattern function can be transformed into IDS rules, which can implement online computer virus detection. A novel fuzzy expert system reasoning method based on computer virus conserved pattern strong rules is proposed in order to implement costimulation by multiple features. In addition, a pre-processing method for protocol analysis based on a decision tree is presented in order to deal with large amounts of network data packets in a timely manner. In this way, online computer virus detection can be implemented. Test results show that the new integrated method is more effective and accurate, especially for unknown computer viruses.

(4) Presenting a new AIS model based on computer virus conserved patterns

After reviewing the existing AIS, a new AIS model based on computer virus conserved patterns is presented. Its online detectors, distributed structure and evolution mechanism are designed in detail. The new AIS model is autonomous, adaptive, and scalable. It can meet the requirements of large-scale computer virus detection.

In summary, the main idea of this dissertation is to build an AIS model based on the human innate immune system. Computer virus detection would become simple and effective. End users would no longer need to update their signature bases frequently, and detection can be processed online and on time.
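
The abstract gives no pseudocode for NMSA, so the following added example (not code from the dissertation) shows Set Horspool, a textbook algorithm that combines the two ideas named in (2): a pattern trie in the style of AC and a Boyer-Moore-style jump table. Function names and the sample strings are constructed for illustration.

```python
# Set Horspool multi-pattern search: a trie of reversed patterns (the
# automaton side) plus a bad-character shift table (the Boyer-Moore side).
# Textbook algorithm, used here as a stand-in; it is NOT the thesis's NMSA.

def build(patterns):
    """Return (trie, ends, shift, lmin) for a list of non-empty byte patterns."""
    if not patterns or any(len(p) == 0 for p in patterns):
        raise ValueError("need at least one non-empty pattern")
    lmin = min(len(p) for p in patterns)   # window length = shortest pattern
    trie, ends, shift = [{}], {}, {}       # node -> {byte: child}; node -> pattern
    for p in patterns:
        node = 0
        for b in reversed(p):              # insert the pattern back to front
            if b not in trie[node]:
                trie.append({})
                trie[node][b] = len(trie) - 1
            node = trie[node][b]
        ends[node] = p
        # A byte seen k positions before the end of a pattern allows a jump
        # of at most k; the last byte of a pattern does not restrict the jump.
        for i, b in enumerate(p[:-1]):
            shift[b] = min(shift.get(b, lmin), len(p) - 1 - i)
    return trie, ends, shift, lmin

def search(text, patterns):
    """Return (sorted [(offset, pattern)], number of windows examined)."""
    trie, ends, shift, lmin = build(patterns)
    hits, windows = [], 0
    pos = lmin - 1                         # index of the window's last byte
    while pos < len(text):
        windows += 1
        node, j = 0, pos
        while j >= 0 and text[j] in trie[node]:   # read the text backwards
            node = trie[node][text[j]]
            if node in ends:
                hits.append((j, ends[node]))
            j -= 1
        pos += shift.get(text[pos], lmin)  # unlisted bytes jump a full window
    return sorted(hits), windows

# Constructed sample input (harmless strings, not real signatures).
SAMPLE_PATTERNS = [b"virus", b"conserved", b"pattern"]
SAMPLE_TEXT = b"computer virus conserved pattern rules"

if __name__ == "__main__":
    found, windows = search(SAMPLE_TEXT, SAMPLE_PATTERNS)
    print(found, f"{windows} windows for {len(SAMPLE_TEXT)} bytes")
```

The window count returned by search shows the effect of the jumps: on the sample it examines far fewer alignments than there are bytes, while an automaton-only scan reads every byte once.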
Keywords/Search Tags: Computer viruses, Conserved pattern, Pattern matching algorithm, AIS