Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

Jinquan Zeng,Caiming Liu,Jianbin Hu,Yu Zhang

2012-01-01

Abstract:Detecting unknown malicious executables is a challenging task. Traditional anti-virus systems use signatures to detect malicious executables. However, the method cannot detect unseen instances or variants. Inspired by biological immune systems, an immune-based approach for detection of unknown malicious executables is proposed in this paper, which is referred to MEDMI. The approach can use the benign executables to be the training set for building the profile of the system and then generates detectors to detect malicious executables. The experiments comparing with different detection methods show that the approach provides an effective novel solution to detect malicious executables. © Maxwell Scientific Organization, 2012.

Zhihua Cui,Lei Du,Penghong Wang,Xingjuan Cai,Wensheng Zhang

DOI: https://doi.org/10.1016/j.jpdc.2019.03.010

IF: 4.542

2019-01-01

Journal of Parallel and Distributed Computing

Abstract:An increasing amount of malicious code causes harm on the internet by threatening user privacy as one of the primary sources of network security vulnerabilities. The detection of malicious code is becoming increasingly crucial, and current methods of detection require much improvement. This paper proposes a method to advance the detection of malicious code using convolutional neural networks (CNNs) and intelligence algorithm. The CNNs are used to identify and classify grayscale images converted from executable files of malicious code. Non-dominated Sorting Genetic Algorithm II (NSGA-II) is then employed to deal with the data imbalance of malware families. A series of experiments are designed for malware image data from Vision Research Lab. The experimental results demonstrate that the proposed method is effective, maintaining higher accuracy and less loss.

Dongzhi Cao,Xinglan Zhang,Zhenhu Ning,Jianfeng Zhao,Fei Xue,Yongli Yang

DOI: https://doi.org/10.1145/3297156.3297246

2018-01-01

Abstract:With the rapid development of the Internet, people have variety in their life style. While the Internet is developing rapidly, some malware has also been generated, and the number of malicious codes grows exponentially, which seriously affects the security of the Internet. In the prevention of malicious code, the accurate classification of malicious code is the most critical components. At present, researchers mainly focus on static detection and dynamic detection to study malicious code variant detection schemes. In the study of malicious code classification, this paper first analyzes the limitations of static detection and dynamic detection, then employs convolution neural networks to classify and identify malicious code, and finally implements an efficient malicious code detection system based on convolutional neural networks. Our malware detection model realizes the idea of automatic detection of malicious code variants. Experimental results demonstrated that the proposed malicious code detection system is efficient.

Xiaowen Liu,Geying Yang,Lina Wang,Jie Fu,Qinghao Wang

DOI: https://doi.org/10.1007/s10489-024-05288-2

IF: 5.3

2024-01-28

Applied Intelligence

Abstract:The artificial immune system and network anomaly detection system are developed with common goals and principles considered. Moreover, artificial immune-based network anomaly detection can adaptively learn and dynamically detect threats. However, existing immune recognition algorithms suffer from the curse of dimensionality, hole problems, and detector inefficiency tolerance. In this paper, we proposed a novel immune detector training mechanism for network anomaly detection. First, a hybrid filter embedded feature selection algorithm is designed to comprehensively evaluate features and select the optimal subset. Then, candidate detectors are generated based on self antigens, and the nonself region is represented using complementary space to circumvent the hole problem. Finally, considering the training efficiency during the evolution of the candidate detectors, an antigen clustering feature tree is constructed to rapidly index the tolerance objects. Furthermore, the algorithm considers the effect of the collaboration of multiple mature detectors on candidate detectors, and a Monte Carlo-based coverage estimation algorithm is designed to achieve more accurate and fine-grained maturation tolerance of candidate detectors. The theoretical analysis shows that the time complexity of our algorithm is significantly reduced. The experimental results show that our algorithm not only improves the detection accuracy but also reduces the time cost of detector training.

computer science, artificial intelligence

Jungwon Kim,Julie Greensmith,Jamie Twycross,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1003.4142

2010-03-22

Abstract:The analysis of system calls is one method employed by anomaly detection systems to recognise malicious code execution. Similarities can be drawn between this process and the behaviour of certain cells belonging to the human immune system, and can be applied to construct an artificial immune system. A recently developed hypothesis in immunology, the Danger Theory, states that our immune system responds to the presence of intruders through sensing molecules belonging to those invaders, plus signals generated by the host indicating danger and damage. We propose the incorporation of this concept into a responsive intrusion detection system, where behavioural information of the system and running processes is combined with information regarding individual system calls.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

Zhihua Cui,Fei Xue,Xingjuan Cai,Yang Cao,Gai-ge Wang,Jinjun Chen

DOI: https://doi.org/10.1109/tii.2018.2822680

IF: 12.3

2018-07-01

IEEE Transactions on Industrial Informatics

Abstract:With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

XR Yang,JY Shen,R Wang

DOI: https://doi.org/10.1109/icmlc.2002.1176712

2002-01-01

Abstract:A network intrusion detection model based on artificial immune theory is proposed in this paper. In this model, self patterns and non-self patterns are built upon frequent behaviors sequences, then a simple but efficient algorithm for encoding patterns is proposed. Based on the result of encoding, another algorithm for creating detectors is presented, which integrates a negative selection with the clonal selection. The algorithm performance is analyzed, which shows that this method can shrink each generation scale greatly and create a good niche for patterns evolving.

Zheng Yang,Hua Zhu,Zhao Li,Gang Wang,Meng Su

DOI: https://doi.org/10.1109/access.2024.3485917

IF: 3.9

2024-01-01

IEEE Access

Abstract:In recent years, convolutional neural network (CNN) has achieved great success in the field of network security protection. With the popularization of smart terminals and the gradual increase of power grid informatization and digitization, the protection of power monitoring system from various cybersecurity threads is a current scientific problem that needs to be solved urgently. To this end, this paper proposes a malware detection method based on genetic algorithm optimization of CNN-SENet network, which firstly introduces the SENet attention mechanism into convolutional neural network to enhance the spatial feature extraction capability of the model; then, the application programming interface (API) sequences corresponding to different software behaviors are processed by segmentation and de-duplication, which in turn leads to the sequence feature extraction through the CNN-SENet model; finally, genetic algorithm is used to optimize the hyperparameters of CNN-SENet network to reduce the computational overhead of CNN and to achieve the recognition and classification of different malware at the output layer. The examples under the public dataset containing 8 kinds of malware show that the proposed method is better than the traditional algorithmic model, and can accurately and efficiently achieve malware detection with strong generalization ability.

Li Zhi-tang,Li Yao,Wang Li

DOI: https://doi.org/10.1109/hpcasia.2005.7

2005-01-01

Abstract:More and more intrusion detection systems were developed, but most of these systems have very poor accuracy. To overcome this problem, a self-adaptive anomaly detection system was developed using fuzzy detection anomaly algorithm with negative selection of biology. The algorithm improves the accuracy of the detection method and produces a novel method to measure the deviation from the normal that does not need a discrete division of the non-self space. The proposed anomaly detection model is designed as flexible, extendible, and adaptable in order to meet the needs and preferences of network administrators and can be also supplied for IPv6 environment. Different experiments are performed with MIT-DARAP 1999 dataset (Lippmann et al., 2000) and real word data from different sources. The experimental results show that the proposed algorithms provide some advantages over other algorithms

Liang Xi,Rui-Dong Wang,Zhi-Yu Yao,Feng-Bin Zhang

DOI: https://doi.org/10.1109/tevc.2021.3058687

IF: 16.497

2021-06-01

IEEE Transactions on Evolutionary Computation

Abstract:The artificial immune system (AIS) is one of the important branches of artificial intelligence technology, and it is widely used in many fields. The detector set is the core knowledge set, and the AIS application effects are mainly determined by the generation, evolution, and detection of the detectors. Presently, the problem space (shape-space) of AIS mainly applied real-valued representation. But the real-valued detectors have some problems that have not been solved well, such as slow convergence speed of generation, holes in the nonself region, detector overlapping redundancy, dimension curse, etc., which lead to the unsatisfactory detection effects. Moreover, artificial immune anomaly detection is a dynamic adaptive model, needs to be evolved adaptively with the detection environments. Without better adaptive modeling, these problems mentioned before will get worse. In view of this, this article proposes a multisource immune detector adaptive model in neighborhood shape-space and applies it to anomaly detection: based on random, chaotic map and DNA genetic algorithm (DNA-GA), multisource neighborhood negative selection algorithm (MSNNSA), multisource neighborhood immune detector generation algorithm (MS-NIDGA), and neighborhood immune anomaly detection algorithm (NIADA) are proposed, so that the generation and detection of immune detectors can be improved efficiently; introducing immune adaptive and feedback mechanism, multisource neighborhood immune detector adaptive model (MS-NIDAM) is built, so that the detectors can be adaptively evolved in a more targeted search domain, and keep better distribution to the nonself region in real time, so as to solve various problems existing in the real-valued shape-space under dynamic environment mentioned before and improve the overall detection performances. The experimental results show that MS-NIDAM can improve the detector generation/evolution efficiency, keep the up-to-date understanding of the changing e-vironment, so as to obtain better overall detection performances and stability than other comparative methods.

computer science, artificial intelligence, theory & methods

Chunyan Zhang,Qinglei Zhou,Yizhao Huang,Ke Tang,Hairen Gui,Fudong Liu

DOI: https://doi.org/10.1155/2022/7245403

2022-05-13

Wireless Communications and Mobile Computing

Abstract:Automatic malware detection was aimed at determining whether the application is malicious or not with automated systems. Android malware attacks have gained tremendous pace owing to the widespread use of mobile devices. Although significant progress has been made in antimalware techniques, these methods mainly rely on the program features, ignoring the importance of source code analysis. Furthermore, the dynamic analysis is low code coverage and poor efficiency. Hence, we propose an automatic Android malware detection approach, named HyGNN-Mal. It analyzes the Android applications at source code level by exploiting the sequence and structure information. Meanwhile, we combine the typical static features, permissions, and APIs. In HyGNN-Mal, we utilize a deep traversal tree neural network (Deep-TNN) to process the code structure information. Particularly, we add position information to code sequence information before putting in self-attention mechanism. The evaluations conducted on multiple public datasets indicate that our method can accurately identify and classify the malicious software, and their best accuracy is 99.62% and 99.2%, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Minghui Gao,Li Ma,Heng Liu,Zhijun Zhang,Zhiyan Ning,Jian Xu

DOI: https://doi.org/10.3390/s20051452

IF: 3.9

2020-03-06

Sensors

Abstract:Anomaly detection systems can accurately identify malicious network traffic, providing network security. With the development of internet technology, network attacks are becoming more and more sourced and complicated, making it difficult for traditional anomaly detection systems to effectively analyze and identify abnormal traffic. At present, deep neural network (DNN) technology achieved great results in terms of anomaly detection, and it can achieve automatic detection. However, there still exists misclassified traffic in the prediction results of deep neural networks, resulting in redundant alarm information. This paper designs a two-level anomaly detection system based on deep neural network and association analysis. We made a comprehensive evaluation of experiments using DNNs and other neural networks based on publicly available datasets. Through the experiments, we chose DNN-4 as an important part of our system, which has high precision and accuracy in identifying malicious traffic. The Apriori algorithm can mine rules between various discretized features and normal labels, which can be used to filter the classified traffic and reduce the false positive rate. Finally, we designed an intrusion detection system based on DNN-4 and association rules. We conducted experiments on the public training set NSL-KDD, which is considered as a modified dataset for the KDDCup 1999. The results show that our detection system has great precision in malicious traffic detection, and it achieves the effect of reducing the number of false alarms.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

鲍欣龙,马建辉,罗文坚,曹先彬,王煦法

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.01.021

2005-01-01

Computer Science

Abstract:Lacking the ability of recognizing and processing the unknown viruses is one of the major limitations of common anti-virus technologies. Inspired by the vertebrate immune system,this paper puts forward and accomplished a novel immune recognition model and algorithm. Referencing the immune evolutionary learning mechanic and posi- tive/negative selection mechanic,this model and algorithm make the detectors and "self" to change by self-adaptation. This paper gives out the detailed implementation of this algorithm. Experiments on several real viruses prove that this algorithm has a good ability on recognizing unknown viruses and wide prospective application fields.

Jianguo Ding,Jian Jin,Pascal Bouvry,Yongtao Hu,Haibing Guan

DOI: https://doi.org/10.1109/ICIMP.2009.20

2009-01-01

Abstract:With the rising popularity of the Internet, the resulting increase in the number of available vulnerable machines, and the elevated sophistication of the malicious code itself, the detection and prevention of unknown malicious codes meet great challenges. Traditional anti-virus scanner employs static features to detect malicious executable codes and is hard to detect the unknown malicious codes effectively. We propose behavior-based dynamic heuristic analysis approach for proactive detection of unknown malicious codes. The behavior of malicious codes is identified by system calling through virtual emulation and the changes in system resources. A statistical detection model and mixture of expert (MoE) model are designed to analyze the behavior of malicious codes. The experiment results demonstrate the behavior-based proactive detection is efficient in detecting unknown malicious executable codes.

Yichi Zhang,Jianmin Pang,Rongcai Zhao,Zhichang Guo

DOI: https://doi.org/10.1109/ICICISYS.2010.5658423

2010-01-01

Abstract:With the rapidly development of virus technology, the number of malicious code has continued to increase. So it is imperative to optimize the traditional manual analysis method by automatic maliciousness decision system. Motivated by the inference technique for detecting viruses, and a recent successful classification method, we explore Radux - an automatic software maliciousness decision system. It rests on artificial neural network based on behavior hidden in malicious code. Decompile technique is applied to characterize behavioral and structural properties of binary code, which creates more abstract descriptions of malware. Experiment shows that this system can decision software maliciousness efficiently. ©2010 IEEE.

Bo Yun Zhang,Xi Ai Yan,De Quan Tang

DOI: https://doi.org/10.1088/1742-6596/1087/6/062026

2018-09-01

Journal of Physics: Conference Series

Abstract:This paper describes the research status and progress of malicious code intelligent detection techniques. It introduced the research background of the malicious code detection. Then the classified and analyzed research work from the theoretical research on malicious code detection, malicious code static detection and dynamic detection, integrated detection and based on biological immune detection techniques are described in detail. The contrastive analysis of different detection methods principle and further study on the future directions are discussed.

Zongqu Zhao,Junfeng Wang,Chonggang Wang

DOI: https://doi.org/10.1002/sec.524

IF: 1.968

2012-02-28

Security and Communication Networks

Abstract:The traditional malware detection schemes based on specific signature give an unsatisfactory performance as disposing the previously unknown malware, so the general features of binary files should be explored to solve this problem. Recently, classification algorithms were employed successfully to choose the features in unknown malicious code, and most of the works use byte or operation code sequence n‐gram representation of the executables. However, these n‐gram representations are heavily dependent on the training data. In this paper, we present a graph‐based method to detect unknown malware. The function call graph of an executable, which includes the functions and the call relations between them, is selected as the representation of the executable in this method. The features are defined according to both the statistical information and the topology of the function call graph. They are extracted and processed through machine learning to classify unknown Portable Executable files. For the sake of fixed sum of the features, the graph‐based method can avoid so many features found in other methods. In our experiments, three types of malware datasets were tested, and as high as 96.8% accuracy can be achieved. Furthermore, it can achieve 92.1% accuracy when only 5% of the dataset is served as training set. Copyright © 2012 John Wiley & Sons, Ltd. To detect the unknown malware, the features of graph‐based method are predefined from function call graph of software, and then the rules are built with these features to classify an executable as the benign or the malware. The quantity and the contents of these features are independent of testing dataset, and this peculiarity enables our experiment results to nearly reflect the situation of unknown malware detection. The design can provide a high malware detection accuracy by using a small set of training set.

computer science, information systems,telecommunications

Chen Zhongmin,Wang Yu,Xu Baowen

DOI: https://doi.org/10.1109/wicom.2007.446

2007-01-01

Abstract:Mobile agent technology could be used to solve the problems on intrusion detection in network security area, while immune principle could supply reference to algorithm design of agent for detecting and analyzing data. In this paper, the detecting algorithm based on the immune principle, including the definition of problem domain, computation of affinity between the antibody and antigen,as well as between antibody, the generation of the detectors, has been elaborated. The algorithm of negative selection used in the agent has been improved The experimental result indicates that the algorithm is more adaptive than the original one.

Ding Yuxin,Zhu Siyi

DOI: https://doi.org/10.1007/s00521-017-3077-6

2017-01-01

Neural Computing and Applications

Abstract:In this study we represent malware as opcode sequences and detect it using a deep belief network (DBN). Compared with traditional shallow neural networks, DBNs can use unlabeled data to pretrain a multi-layer generative model, which can better represent the characteristics of data samples. We compare the performance of DBNs with that of three baseline malware detection models, which use support vector machines, decision trees, and the k-nearest neighbor algorithm as classifiers. The experiments demonstrate that the DBN model provides more accurate detection than the baseline models. When additional unlabeled data are used for DBN pretraining, the DBNs perform better than the other detection models. We also use the DBNs as an autoencoder to extract the feature vectors of executables. The experiments indicate that the autoencoder can effectively model the underlying structure of input data and significantly reduce the dimensions of feature vectors.