
The Induction And Coordination Mechanisms In Artificial Immune Systems And Their Application To Spyware Detection

Posted on: 2012-05-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Fu
GTID: 1228330467968343
Subject: Computer software and theory

Abstract/Summary:
With the rapid development of network services, spyware is becoming a new trend in malware evolution. Unlike other malware, spyware is designed by hackers or intelligence agencies to steal private or confidential data from computers, rather than to damage computer systems or self-replicate across a network. To achieve this goal, spyware is built for latency, diversity and group infection, properties that make it hard to detect and more dangerous.

To reduce the harm caused by spyware, many spyware detection methods have emerged. Signature-based approaches are fast, but can only detect known spyware. Behavior-based approaches detect spyware according to its specified behaviors; although they can detect novel spyware, they generate more false positives (FP) and are easily evaded by latent spyware. Among behavior-based approaches, danger theory, a hotspot of Artificial Immune Systems (AISs), improves on behavior-based approaches to some extent owing to its low FP rate and quick reaction. However, danger theory approaches can also be evaded by latent spyware, because no obvious danger signals or malicious antigens are generated. Besides, all of the above approaches are concerned only with spyware detection on a single host, which reduces the overall efficiency of spyware detection in a network because of the lack of cooperation.

To overcome these obstacles, this paper analyzed the shortcomings of existing spyware detection methods (especially danger theory methods) and described the reasons for these shortcomings. An artificial innate immune model regulated by artificial NK cells was then proposed to detect novel spyware, based on the induction strategies used by NK cells to discover latent viruses in vivo. Artificial adaptive immune system cells are introduced in this paper to remember the behavioral characteristics of spyware, and together with the artificial innate immune cells they form an integrated 'immune individual'. These immune individuals can collaborate and share detection capacities using the 'immune coordination mechanisms' proposed in this paper to realize group defense. This paper completed the following work:

1) Induction mechanisms used by natural killer (NK) cells were introduced into the AIS to realize anti-latency. Through learning and evolving, artificial NK cells can adaptively capture subtle traces of novel spyware hidden in the host, and then release bait (called induction cytokines) to trigger the latent spyware's actions. If the spyware is interested in the bait, it will exhibit malicious activities that expose it to further detection.

2) Based on the behavior mode of antigen presenting cells (APCs), artificial APCs were proposed to discover spyware from the behaviors stimulated by induction cytokines. Artificial APCs, together with artificial NK cells, compose a multi-cellular, interactive and more biologically realistic artificial innate immune system. During the secretion of induction cytokines, the responses of programs on the host to the induction cytokines are transformed into danger signals. Artificial APCs perform multi-sensor data fusion on these signals (evidence) and correlate them with active antigens (suspects). This evidence-suspect correlation leads to adaptive detection of unknown spyware programs with a low FP rate.

3) In response to targeted group infection by spyware in (business, government or military) networks, this paper introduced artificial adaptive immune system cells and collaboration ideas, and designed immune coordination mechanisms for group defense against spyware. The immune coordination mechanisms realize three levels of coordination through a coordination architecture consisting of 'immune individuals' distributed on all monitored hosts and multi-level 'epidemic prevention centers': coordination within 'immune individuals', coordination between 'immune individuals', and coordination between 'epidemic prevention centers'. Under these coordinations, 'immune individuals' can not only remember the behavioral characteristics of detected spyware, but also share memory cells with other 'immune individuals' or 'epidemic prevention centers' based on the micro- and macro-level 'spyware epidemic' analyzed by the 'epidemic prevention centers'.

4) This paper focused on validating the effectiveness of the artificial innate immune system based on NK cells. Detection experiments were carried out with a prototype after choosing typical instances of latent spyware. Experimental results show that the prototype can detect latent spyware on a single machine with low FP and FN rates. Through evolution, artificial NK cells can discover subtle anomalies occurring in the monitored system and adaptively release induction cytokines, which enhance the significance of malicious activities exhibited by spyware currently hidden in the monitored system.

In summary, an artificial innate immune model regulated by artificial NK cells was proposed based on the induction mechanisms used by NK cells to discover latent viruses in vivo. Compared with the current innate immune model, this model performs better when detecting latent spyware. Artificial adaptive immune system cells are introduced in this paper and, together with the artificial innate immune cells, form an integrated 'immune individual'. This immune individual can not only detect latent spyware, but also remember the behavioral characteristics of detected spyware. Besides, 'immune individuals' can collaborate and share their memory with other individuals using the 'immune coordination mechanisms' proposed in this paper. This leads to group defense against spyware.
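The following toy model is an added illustration of the induction-cytokine and evidence-suspect correlation steps in items 1) and 2); it is not the dissertation's prototype. Planted bait files stand in for induction cytokines, a process's reaction to the bait is turned into a danger signal, the per-process signals are fused with sensor weights and thresholded. All events, paths, PIDs, weights and the threshold are constructed.

```python
"""Toy danger-signal fusion over bait (induction cytokine) reactions.
Illustration only: names, weights, window and events are constructed."""
from collections import defaultdict

# Bait artifacts planted on the host by the hypothetical artificial NK cell.
BAIT = {"C:/Users/alice/Documents/bait_passwords.txt",
        "C:/Users/alice/bait_contacts.csv"}

# Fusion weights per danger signal (constructed, not from the dissertation).
WEIGHTS = {"bait_read": 0.4, "bait_exfil": 0.5}

# Constructed host events: (time, pid, sensor, detail). Bait planted at t=100.
EVENTS = [
    (101, 4242, "file_read", "C:/Users/alice/Documents/bait_passwords.txt"),
    (102, 4242, "net_send", "203.0.113.7:443"),        # sent data after bait read
    (103, 1001, "file_read", "C:/Users/alice/Documents/report.docx"),
    (104, 1001, "net_send", "198.51.100.2:443"),        # ordinary traffic, no bait
    (105, 5150, "file_read", "C:/Users/alice/bait_contacts.csv"),
    (150, 7777, "file_read", "C:/Users/alice/bait_contacts.csv"),  # outside window
]


def danger_signals(events, planted_at, window):
    """Transform each in-window reaction to the bait into a (pid -> signals) map.
    Reads of non-bait files yield nothing; a network send only becomes a signal
    for a process that has already touched the bait (the 'suspect' set)."""
    signals = defaultdict(set)
    touched = set()
    for t, pid, sensor, detail in events:
        if not planted_at <= t <= planted_at + window:
            continue
        if sensor == "file_read" and detail in BAIT:
            signals[pid].add("bait_read")
            touched.add(pid)
        elif sensor == "net_send" and pid in touched:
            signals[pid].add("bait_exfil")
    return signals


def correlate(events, planted_at=100, window=20, threshold=0.5):
    """Fuse the signals per suspect process and keep those above the threshold."""
    fused = {pid: round(sum(WEIGHTS[s] for s in sigs), 2)
             for pid, sigs in danger_signals(events, planted_at, window).items()}
    return {pid: score for pid, score in fused.items() if score >= threshold}
```

A single bait read (pid 5150) stays below the threshold, while a read followed by a network send (pid 4242) fuses into a detection.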
Keywords/Search Tags: Artificial Immune Systems (AIS), Spyware, Natural Killer Cell (NK), Antigen Presenting Cell (APC), Immune Coordination