[1]TAN Ying,ZHANG Pengtao.Immune based computer virus detection approaches[J].智能系统学报,2013,8(01):80-94.[doi:10.3969/j.issn.1673-4785.201209059]
 TAN Ying,ZHANG Pengtao.Immune based computer virus detection approaches[J].CAAI Transactions on Intelligent Systems,2013,8(01):80-94.[doi:10.3969/j.issn.1673-4785.201209059]

Immune based computer virus detection approaches

TAN Ying (1,2), ZHANG Pengtao (1,2)
1. Department of Machine Intelligence, School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China;
2. Key Laboratory of Machine Perception, Ministry of Education, Peking University, Beijing 100871, China
Keywords: computer virus detection; artificial immune system; immune algorithms; hierarchical model; negative selection algorithm with penalty factor
Abstract: The computer virus is considered one of the most horrifying threats to the security of computer systems worldwide. The rapid development of evasion techniques used in viruses has rendered signature-based computer virus detection techniques ineffective. Many novel computer virus detection approaches have been proposed to cope with this ineffectiveness; they fall mainly into three categories: static, dynamic and heuristic techniques. Because of the natural similarities between the biological immune system (BIS) and the computer security system (CSS), the artificial immune system (AIS) has been developed as a new paradigm in the antivirus research community. The immune mechanisms in the BIS provide the opportunity to construct computer virus detection models that are robust and adaptive, with the ability to detect unseen viruses. In this paper, a variety of classic computer virus detection approaches are introduced and reviewed against the background of computer virus history. Next, a variety of immune based computer virus detection approaches are discussed in detail. Promising experimental results suggest that the immune based computer virus detection approaches are able to detect new variants and unseen viruses at lower false positive rates, which paves a new way for antivirus research.


[1]BAILEY M, OBERHEIDE J, ANDERSEN J, et al. Automated classification and analysis of internet malware[C]//The 10th Symposium on Recent Advances in Intrusion Detection. Gold Coast, Australia, 2007: 178-197.
[2]PERELSON A S, WEISBUCH G. Immunology for physicists[J]. Reviews of Modern Physics, 1997, 69(4): 1219-1268.
[3]FORREST S, PERELSON A S, ALLEN L, et al. Self nonself discrimination in a computer[C]//IEEE Computer Society Symposium on Research in Security and Privacy. Oakland, USA, 1994: 202-212.
[4]KEPHART J O, ARNOLD W C. Automatic extraction of computer virus signatures[C]//The 4th Virus Bulletin International Conference. Jersey Islands, UK, 1994: 178-184.
[5]KEPHART J O, SORKIN G B, SWIMMER M, et al. Blueprint for a computer immune system[C]//Proceedings of the Seventh International Virus Bulletin Conference. San Francisco, USA, 1997: 159-173.
[6]OKAMOTO T, ISHIDA Y. Distributed approach against computer viruses inspired by the immune system[J]. IEICE Transactions on Communications, 2000, 83(5): 908-915.
[7]WANG Wei, ZHANG Pengtao, TAN Ying, et al. A hierarchical artificial immune model for virus detection[C]//International Conference on Computational Intelligence and Security. Beijing, China, 2009: 1-5.
[8]CHAO Rui, TAN Ying. A virus detection system based on artificial immune system[C]//International Conference on Computational Intelligence and Security. Beijing, China, 2009: 6-10.
[9]WANG Wei, ZHANG Pengtao, TAN Ying. An immune concentration based virus detection approach using particle swarm optimization[C]//International Conference on Swarm Intelligence. Beijing, China, 2010: 347-354.
[10]COHEN F. Computer viruses: theory and experiments[J]. Computers and Security, 1987, 6(1): 22-35.
[11]FU Jianming, PENG Guojun, ZHANG Huanguo. Computer virus analysis and confronting[M]. Wuhan, China: Wuhan University Press, 2009.
[12]DAOUD E A. Metamorphic viruses detection using artificial immune system[C]//International Conference on Communication Software and Networks. Macau, China, 2009: 168-172.
[13]XU J Y, SUNG A H, MUKKAMALA S, et al. Obfuscated malicious executable scanner[J]. Journal of Research and Practice in Information Technology, 2007, 39: 181-197.
[14]KERCHEN P, LO R, CROSSLEY J, et al. Static analysis virus detection tools for unix systems[C]//13th National Computer Security Conference. Washington, DC, USA, 1990: 4-9.
[15]CHRISTODORESCU M, JHA S, SESHIA S A, et al. Semantics aware malware detection[C]//IEEE Symposium on Security and Privacy. Berkeley/Oakland, USA, 2005: 32-46.
[16]CARPENTER M, LISTON T, SKOUDIS E. Hiding virtualization from attackers and malware[J]. IEEE Security & Privacy, 2007, 5(3): 62-65.
[17]WILLEMS C, HOLZ T, FREILING F. Toward automated dynamic malware analysis using CWSandbox[J]. IEEE Security & Privacy, 2007, 5(2): 32-39.
[18]YAN Wei, ZHANG Zheng, ANSARI N. Revealing packed malware[J]. IEEE Security & Privacy, 2008, 6(5): 65-69.
[19]ZHANG Xiaosong, PAN Xiaohui, LONG Xiaoshu. Analysis of virtual machine applied to malware detection system[C]//International Symposium on Information Engineering and Electronic Commerce. Ternopil, Ukraine, 2009: 290-294.
[20]WANG Cheng, PANG Jianmin, ZHAO Rongcai, et al. Malware detection based on suspicious behavior identification[C]//Proceedings of the 2009 First International Workshop on Education Technology and Computer Science. Washington, DC, USA: IEEE Computer Society, 2009, 2: 198-202.
[21]HOFMEYR S A, FORREST S, SOMAYAJI A. Intrusion detection using sequences of system calls[J]. Journal of Computer Security, 1998, 6(3): 151-180.
[22]SCHULTZ M G, ESKIN E, ZADOK E, et al. Data mining methods for detection of new malicious executables[C]//Proceedings of the IEEE Symposium on Security and Privacy. Oakland, USA, 2001: 38-49.
[23]Cygnus. GNU Binutils Cygwin[EB/OL]. [2012-09-16]. http://sourceware.cygnus.com/cygwin.
[24]MILLER P. Hexdump[EB/OL]. [2012-09-16]. http://miller.emu.id.au/ pmiller/software/hexdump/.
[25]KOLTER J Z, MALOOF M A. Learning to detect malicious executables in the wild[C]//Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. Seattle, USA, 2004: 470-478.
[26]KOLTER J Z, MALOOF M A. Learning to detect and classify malicious executables in the wild[J]. Journal of Machine Learning Research, 2006, 7: 2721-2744.
[27]REDDY D K S, PUJARI A K. N-gram analysis for computer virus detection[J]. Journal in Computer Virology, 2006, 2(3): 231-239.
[28]LI W J, WANG K, STOLFO S J, et al. Fileprints: identifying file types by n-gram analysis[C]//Proceedings of the 6th IEEE Systems, Man, and Cybernetics Information Assurance Workshop. Piscataway, USA: IEEE Press, 2005: 64-71.
[29]STOLFO S J, WANG K, LI W J. Towards stealthy malware detection[M]//CHRISTODORESCU M, JHA S, MAUGHAN D. Advances in Information Security. [S.l.]: Springer, 2007: 231-249.
[30]LI W J, STOLFO S J, STAVROU A, et al. A study of malcode-bearing documents[C]//International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). Lucerne, Switzerland, 2007: 231-250.
[31]SULAIMAN A, RAMAMOORTHY K, MUKKAMALA S, et al. Disassembled code analyzer for malware (DCAM)[C]//Proceedings of the IEEE International Conference on Information Reuse and Integration. Las Vegas, USA, 2005: 398-403.
[32]HENCHIRI O, JAPKOWICZ N. A feature selection and evaluation scheme for computer virus detection[C]//Sixth International Conference on Data Mining. Hong Kong, China, 2006: 891-895.
[33]KARNIK A, GOSWAMI S, GUHA P. Detecting obfuscated viruses using cosine similarity analysis[C]//Proceedings of the First Asia International Conference on Modeling & Simulation. Phuket, Thailand, 2007: 165-170.
[34]YE Yanfang, JIANG Qingshan, ZHUANG Weiwei. Associative classification and post processing techniques used for malware detection[C]//2nd International Conference on Anti Counterfeiting, Security and Identification. Guiyang, China, 2008: 276-279.
[35]YE Yanfang, WANG Dingding, LI Tao, et al. IMDS: intelligent malware detection system[C]//Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. San Jose, USA, 2007: 1043-1047.
[36]YE Yanfang, WANG Dingding, LI Tao, et al. An intelligent PE malware detection system based on association mining[J]. Journal in Computer Virology, 2008, 4(4): 323-334.
[37]TABISH S M, SHAFIQ M Z, FAROOQ M. Malware detection using statistical analysis of byte-level file content[C]//Proceedings of the ACM SIGKDD Workshop on Cyber Security and Intelligence Informatics. Paris, France, 2009: 23-31.
[38]TREADWELL S, ZHOU M. A heuristic approach for detection of obfuscated malware[C]//IEEE International Conference on Intelligence and Security Informatics. Dallas, USA, 2009: 291-299.
[39]YE Yanfang, LI Tao, JIANG Qingshan, et al. CIMDS: adapting post-processing techniques of associative classification for virus detection[J]. IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, 2010, 40(3): 298-307.
[40]ZOLKIPLI M F, JANTAN A. A framework for malware detection using combination technique and signature generation[C]//Proceedings of the 2010 Second International Conference on Computer Research and Development. Kuala Lumpur, Malaysia, 2010: 196-199.
[41]KOMASHINSKIY D, KOTENKO I. Malware detection by data mining techniques based on positionally dependent features[C]//18th Euromicro International Conference on Parallel, Distributed and Network Based Processing (PDP). Pisa, Italy, 2010: 617-623.
[42]FENG Shaorong, HAN Zhixue. An incremental associative classification algorithm used for malware detection[C]//2nd International Conference on Future Computer and Communication (ICFCC). Wuhan, China, 2010, 1: 757-760.
[43]MUHAYA F B, KHAN M K, XIANG Y. Polymorphic malware detection using hierarchical hidden Markov model[C]//IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing (DASC). Sydney, Australia, 2011: 151-155.
[44]SHANKARAPANI M K, RAMAMOORTHY S, MOVVA R S, et al. Malware detection using assembly and API call sequences[J]. Journal in Computer Virology, 2011, 7(2): 107-119.
[45]RAVI C, MANOHARAN R. Malware detection using Windows API sequence and machine learning[J]. International Journal of Computer Applications, 2012, 43(17): 12-16.
[46]HAN K S, KIM I K, IM E G. Detection methods for malware variant using API call related graphs[C]//International Conference on IT Convergence and Security. Suwon, Korea, 2012: 607-611.
[47]FORREST S, HOFMEYR S A, SOMAYAJI A, et al. A sense of self for Unix processes[C]//Proceedings of IEEE Symposium on Security and Privacy. Oakland, USA, 1996: 120-128.
[48]KIM J, BENTLEY P. Towards an artificial immune system for network intrusion detection: an investigation of clonal selection with a negative selection operator[C]//2001 IEEE Congress on Evolutionary Computation. Seoul, Korea, 2001: 1244-1252.
[49]MATZINGER P. The danger model: a renewed sense of self[J]. Science, 2002, 296(5566): 301-305.
[50]LEE H, KIM W, HONG M. Artificial immune system against viral attack[C]//International Conference on Computational Science 2004. Krakow, Poland, 2004: 499-506.
[51]EDGE K S, LAMONT G B, RAINES R A. A retrovirus inspired algorithm for virus detection & optimization[C]//Proceedings of the 8th Annual Conference on Genetic and Evolutionary Computation. Seattle, USA, 2006: 103-110.
[52]LI Zhou, LIANG Yiwen, WU Zejun, et al. Immunity based virus detection with process call arguments and user feedback[C]//International Conference on Bio-Inspired Models of Network, Information and Computing Systems. Budapest, Hungary, 2007: 57-64.
[53]GONZALEZ F, DASGUPTA D. Anomaly detection using real-valued negative selection[J]. Journal of Genetic Programming and Evolvable Machines, 2003, 4(4): 383-403.
[54]BALACHANDRAN S, DASGUPTA D, NINO F, et al. A general framework for evolving multi-shaped detectors in negative selection[C]//Proceedings of the IEEE Symposium Series on Computational Intelligence. Honolulu, USA, 2007: 401-408.
[55]LI Tao. Dynamic detection for computer virus based on immune system[J]. Science China Series F: Information Sciences, 2009, 39(4): 422-430.
[56]HARMER P K, WILLIAMS P D, GUNSCH G H, et al. An artificial immune system architecture for computer security applications[J]. IEEE Transactions on Evolutionary Computation, 2002, 6(3): 252-280.
[57]MARHUSIN M F, CORNFORTH D, LARKIN H. Malicious code detection architecture inspired by human immune system[C]//Proceedings of the 2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing. Phuket, Thailand, 2008: 312-317.
[58]GONG Tao. Unknown nonself detection & robustness of distributed artificial immune system with normal model[C]//7th World Congress on Intelligent Control and Automation. Chongqing, China, 2008: 1444-1448.
[59]ZHANG Yu, LI Tao, QIN Renchao. A dynamic immunity-based model for computer virus detection[C]//2008 International Symposiums on Information Processing (ISIP). Moscow, Russia, 2008: 515-519.
[60]QIN Renchao, LI Tao, ZHANG Yu. An immune inspired model for obfuscated virus detection[C]//International Conference on Industrial Mechatronics and Automation. Chengdu, China, 2009: 228-231.
[61]ZENG Jie, LI Tao. A novel computer virus detection method from ideas of immunology[C]//International Conference on Multimedia Information Networking and Security. Wuhan, China, 2009: 412-416.
[62]AL D E. Metamorphic viruses detection using artificial immune system[C]//International Conference on Communication Software and Networks. Macau, China, 2009: 168-172.
[63]ZHANG Chenggong, YI Zhang. A danger theory inspired artificial immune algorithm for on-line supervised two-class classification problem[J]. Neurocomputing, 2010, 73(7): 1244-1255.
[64]ZHU Yuanchun, TAN Ying. A danger theory inspired learning model and its application to spam detection[C]//International Conference on Swarm Intelligence. Chongqing, China, 2011: 382-389.
[65]ZHANG Pengtao, TAN Ying. A danger feature based negative selection algorithm[C]//International Conference on Swarm Intelligence. Shenzhen, China, 2012: 291-299.
[66]Computational Intelligence Laboratory of Peking University. CILPKU08 Dataset[EB/OL]. [2012-09-16]. http://www.cil.pku.edu.cn/resources/.
[67]ZHANG Pengtao, WANG Wei, TAN Ying. A malware detection model based on a negative selection algorithm with penalty factor[J]. Scientia Sinica Informationis, 2010, 53(12): 2461-2471.


Received Date: 2012-09-27.
Network Publishing Date: 2013-02-05.
Foundation Item: National Natural Science Foundation of China (No. 61170057, 60875080).
Corresponding Author: TAN Ying.
E-mail: ytan@pku.edu.cn.
About the authors:
TAN Ying (M'98, SM'02), male, born in 1964. He is a full professor and advisor for Ph.D. candidates at the Key Laboratory of Machine Perception (Ministry of Education), Peking University, and the Department of Machine Intelligence, EECS, Peking University. His current research interests include computational intelligence, artificial immune systems, swarm intelligence and data mining, signal and information processing, pattern recognition, and their applications.
ZHANG Pengtao, male, born in 1986. His research interests include artificial immune systems, intelligent information processing algorithms, computer information security, pattern recognition, machine learning and data mining.
Last Update: 2013-04-12