朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

Hong CHEN,Weiwei YANG,Jiankun SHI,Weiqiang LIN

DOI: https://doi.org/10.16400/j.cnki.kjdkz.2015.07.086

2015-01-01

Abstract:In order to reduce the harm of the computer virus, the proposal is presented to cut off the computer virus' lifecycle based on the working principles of the computer virus. The effective strategy is to implement the defense mechanism during the design stage, the propagation phase and the operation phase with the safety education, which demonstrates it is effective to reduce the average probability of poisoning about 23%and the percentage of working hours is improved 25%in lab of uni-versities and colleges.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Caiming Liu,Xiaojie Liu,Tao Li,Jinquan Zeng,Lingxi Peng,Yan Zhang

2007-01-01

Abstract:An artificial immunity-based method for dynamic script-virus detection is presented. Antigen and antibody in the environment of virus detection are defined. Processes of self-tolerance and clone selection are simulated. Self and memory antibody are evolved dynamically. The mechanism of dynamic production and elimination of mature antibody is set up. The experiment result shows that the method can detect virus well, andmutated and unknown script-virus can be detected.

Jianguo Ding,Jian Jin,Pascal Bouvry,Yongtao Hu,Haibing Guan

DOI: https://doi.org/10.1109/ICIMP.2009.20

2009-01-01

Abstract:With the rising popularity of the Internet, the resulting increase in the number of available vulnerable machines, and the elevated sophistication of the malicious code itself, the detection and prevention of unknown malicious codes meet great challenges. Traditional anti-virus scanner employs static features to detect malicious executable codes and is hard to detect the unknown malicious codes effectively. We propose behavior-based dynamic heuristic analysis approach for proactive detection of unknown malicious codes. The behavior of malicious codes is identified by system calling through virtual emulation and the changes in system resources. A statistical detection model and mixture of expert (MoE) model are designed to analyze the behavior of malicious codes. The experiment results demonstrate the behavior-based proactive detection is efficient in detecting unknown malicious executable codes.

鲍欣龙,马建辉,罗文坚,曹先彬,王煦法

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.01.021

2005-01-01

Computer Science

Abstract:Lacking the ability of recognizing and processing the unknown viruses is one of the major limitations of common anti-virus technologies. Inspired by the vertebrate immune system,this paper puts forward and accomplished a novel immune recognition model and algorithm. Referencing the immune evolutionary learning mechanic and posi- tive/negative selection mechanic,this model and algorithm make the detectors and "self" to change by self-adaptation. This paper gives out the detailed implementation of this algorithm. Experiments on several real viruses prove that this algorithm has a good ability on recognizing unknown viruses and wide prospective application fields.

Yifeng Huang,Junwei Huang,Lian Wu

2014-01-01

Abstract:This paper mainly designs and realizes a Linux virus detection method using machine learning and D-S theory.It includes the design’s general framework,feature selection method,classifier selection method,detection result fusion and the design verification and result analysis.It intrdouces the control flow graph while doing feature selection,and introduces D-S theory while doing detection result fusion.Then it implements and test the method on the platform of Weka software.The results of implementation show that this design to detect Linux virus has high efficiency and good reliability,and it is adequate for commercial products.

Wu Bing,Yun Xiaochun

2012-01-01

Abstract:We present the dynamic information security theory model: P2DR to deal with malware epidemics. The model includes the following stages: detection of a malware epidemic by detection system, establishment of countermeasure strategy in strategy coordination center, activation of protection and response system, defense system activation for real-time protection and response. The process is a periodic one in which the strategy is adjusted dynamically. In the model we propose, the detection system is considered to be the key component. Based on our analysis of traditional IDS architecture, we think that it is not suitable for inspecting high speed network traffic and monitoring multivariant malware epidemics. Therefore, we propose a parallel detection model which can be applied to the backbone network matched with appropriate protocol parsing. Normalized taxonomy is also presented for the detection rules of malware. Five detection rule sets are covered, namely, match rules based on deep content pre-processing, special algorithms, binary level, binary level requiring network information checks, and pure network information. A Virus Detection System is realized based on the framework above.

韩兰胜,邹梦松,刘其文,刘铭

DOI: https://doi.org/10.3724/sp.j.1087.2010.00181

2010-01-01

Journal of Computer Applications

Abstract:In order to achieve specific functions,computer viruses are of some special behaviors different from those of the normal programs.Appling Support Vector Machine(SVM),the paper created a space of virus API feature vector and amplified the difference between normal programs and computer virus with the help of information entropy.By training a classifier,a hyper-plane was found,which could divide the API space into two parts,each of which represented one kind of the programs.Moreover,the paper collected behaviors of different kinds of viruses.Through statistics,analysis and calculation on amount of samples' API calls,the amount and distribution patterns of APIs were exposed.As most viruses' behaviors are finite,the paper set 2 100 as the length of API sequence,thus detecting most test viruses.Compared with previous virus detection methods,the proposed method is more practical.

Mengsong Zou,Lansheng Han,Ming Liu,Qiwen Liu

DOI: https://doi.org/10.3745/jips.2011.7.1.173

2011-01-01

Journal of Information Processing Systems

Abstract:Due to the disadvantages of signature-based computer virus detection techniques, behavior-based detection methods have developed rapidly in recent years. However, current popular behavior-based detection methods only take API call sequences as program behavior features and the difference between API calls in the detection is not taken into consideration. This paper divides virus behaviors into separate function modules by introducing DLLs into detection. APIs in different modules have different importance. DLLs and APIs are both considered program calling resources. Based on the calling relationships between DLLs and APIs, program calling resources can be pictured as a tree named program behavior resource tree. Important block structures are selected from the tree as program behavior features. Finally, a virus detection model based on behavior the resource tree is proposed and verified by experiment which provides a helpful reference to virus detection.

Caiming Liu,Xiaojie Liu,Tao Li,Jinquan Zeng,Lingxi Peng,Hui Zhao,Zhengtian Lu

2007-01-01

Journal of Computational Information Systems

Abstract:A virus detection model based on artificial immune principle and support vector domain description (SVDD) is proposed. Artificial immune principle combined with SVDD is applied to this model. SVDD description models of self, mature immune cell and memory immune cell are deduced to lessen self cells and immune cells needed by virus detection. Processes of self-tolerance and clone selection are simulated. Mature immune cell set is evolved dynamically. The data description models are updated in real time to advance the detection rate. The experimental results show that the method can detect virus efficiently, and mutated virus can be detected.

Jia-xi HU,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.12.028

2017-01-01

Abstract:Malicious code under the new situation is more focused on specific scenarios, such as banks, enterprise intranets, Internet of things, etc. Malicious code in different scenarios needs, as a common thing, to bypass anti-virus software and other defense systems. Via study and analysis on the working principle of anti-virus software and a large number of malicious code samples, some anti-anti-virus technology involving white list, code obfuscation, sandbox bypassing and other antivirus-bypassing software tricks is proposed. Based on the above anti-anti-virus technology, the malicious code samples are packaged for a second time, and the tests of their anti-anti-virus killing rates also done on VirusTotal platform. The test results indicate that the anti-anti-virus technology makes the killing rate of malicious code sample significantly reduced, and that the reliance only on anti-virus software for preventing malicious code is not very reliable.

周瑞丽,潘剑锋,谭小彬,奚宏生

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.09.037

2009-01-01

Abstract:Traditional signature-based malware detection method is not able to detect zero-day attacks and some malwares adopting circumvention techniques such as packer. In order to overcome this drawback, this paper proposes a heuristic detection technique based on expert systems. The technique could detect malwares using known techniques, even bottom-level techniques, for example, the rootkit technique. It also can detect those malwares even after they are packed or crypto-protected by any packer or protector. And its detection rate is much higher than some well-known anti-virus tools.

Xinguang Xiao,Bing Wu,Xiaochun Yun,Yongliang Qiu

2012-01-01

Abstract:After detailed analysis of the structure of traditional IDS, we believe that it doesn’t work well on a high speed network with various viruses. What we need is accurate and high-speed detection of virus transmission and of the attacks of known viruses as well as as-yet-unkown viruses. Based on port mirroring and the normalization theory, we developed the algorithm efficiency oriented Virus Detection System (VDS). We implemented a mechanism which adapts to the bandwidth by adopting simple divergence, a parallel large sign set and high speed matching, and parallel protocol resolution. This paper presents the data processing method used by VDS by introducing the AVML and DEDL. Deep processing and unknown virus discovery are also introduced.

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

WEN Shi-qiang,DUAN Hai-xin,WU Jian-ping

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.05.007

2005-01-01

Abstract:New internet worm including many attack measures, such as virus, trojan and DDDS, will cause network block even paralysis, when it breaks out. A detection algorithm is brought forward which can find abnormity in the forepart of worm eruption by detection on variable rate of network flux, and then network administrators and emergency response teams can gain more time to take measures before worm blocks the network. This algorithm is evaluatedby DARPA98 intrusion detection evaluation system and has applied to real flux data of worm (Blaster、Nachi、slammer) eruption.

LI Hua,LIU Zhi,QIN Zheng,ZHANG Xiao-song

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.03.094

2011-01-01

Abstract:This paper proposed a new approach that could effectively detect and restrict(unknown) malware,and implemented a prototype system.First,used support vector machine to build classifier,which could judge whether a program was malicious or not,and extracted the malware's signature.Agents running in host could detect malware and stop its execution.To analyze precise behaviors,put samples in virtual machines for executions.Experiment results show compared with naive Bayes and decision tree,our system yields low false positives as well false negatives,and the distributed architecture accelerates restriction.

李之棠,王莉,李东

2008-01-01

Abstract:Large volume of security data makes it important to develop an advanced alert correlation system that can reduce alert redundancy,intelligently correlate security alerts and detect attack strategies.The existing methods of attack strategy recognition all have limited capabilities in detecting new and complete attack scenarios.The paper proposes a new method of recognizing attack plans by applying a new attack sequential pattern analysis technique to construct attack sequential pattern models from intrusion alert data offline.Then online alert sequential pattern matching and correlativity calculation are performed to recognize real attack strategies of the attacker.Experiments show that the method can effectively recognize attack plans online and can accordingly predict next most possible attack behavior.

Ting Liu,Xiaohong Guan,Qinghua Zheng,Ke Lu,Yuanfeng Song,Weizhang Zhang

DOI: https://doi.org/10.1109/CCNC.2009.4785028

2010-01-01

Abstract:This paper presents a novel Trojan detection and defense system. The prototype searches the important files which contain users' confidential information on the disk. And then, these files will be monitored to find which processes will access them by capturing and analyzing the IRPs (I/O Request Packets). The processes of Trojans will be distinguished from regular ones by evaluating their API-calls with several machine-learning models, rather than traditional signature-based mechanism. Testing results show that this prototype could detect and defend the unknown Trojans quickly and accurately.

GUAN Xin,ZHU Bing,CHEN Zhen,PENG Xue-hai

DOI: https://doi.org/10.3969/j.issn.1671-1122.2013.04.003

2013-01-01

Abstract:As the computing technology flourishes recently,the computing world is also in the peril of viruses.Network transferred viruses,such as worms,which threat millions of hosts in Internet.As countermeasure of such attacks,the research work for Anti-Virus is urgent affairs and a big problem.This paper describes an implementation of Anti-Virus engine.It focuses on technologies for scanning viruses by the use of virus signatures based on Hex Sig and MD5 Sig.The author implements two Hex-Sig-based scanning algorithms by using binary tree and hash table,and compares the performances of the two algorithms.Some conceived experiments are conducted,and results show that the hash-table-based algorithm achieves better performance in terms of the scanning speed.The author also investigates into a MD5-Sig-based scanning algorithm,and evaluates its performance.Finally,future work is planned and prospected.