WANG Wei,ZHANG Peng-Tao,TAN Ying,HE Xin-Gui

DOI: https://doi.org/10.3724/sp.j.1016.2011.00204

2011-01-01

Chinese Journal of Computers

Abstract:Existing anti-virus methods make use of signatures to detect malicious codes.They are inefficient to detect various forms of computer viruses,especially new variants and unknown viruses.Inspired by biologic immune system,a novel artificial immune based signature extraction method is proposed.This method automatically identifies bit patterns that correlate with viruses using instruction frequency and file frequency,and then identifies higher-level genes that are associated with viruses,generating a detecting virus gene library using the negative selection algorithm which leads to a fairly low false positive rate compared with the traditional signature-based methods.The advantages of our proposed method are described as follows.In the feature extraction phase,the detecting virus gene library stores virus samples with variable number of variable length genes at individual level,and uses multiple genes coexistence in one virus to avoid the possible loss of information considerably,fully taking the advantages of relevance between viral instructions within a virus program;in the classification phase,suspicious programs are analyzed at individual level in contrast to the existing gene matching technique.Experimental results indicate that the proposed method yields high detection rates for obfuscated viruses with an averaged recognition rate of 94% in real-world conditions,the false positive rate can be maintained below 2%.The method has a good generalization ability,and is able to effectively and efficiently detect new variants of known virus and unknown viruses.

朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

Caiming Liu,Xiaojie Liu,Tao Li,Jinquan Zeng,Lingxi Peng,Yan Zhang

2007-01-01

Abstract:An artificial immunity-based method for dynamic script-virus detection is presented. Antigen and antibody in the environment of virus detection are defined. Processes of self-tolerance and clone selection are simulated. Self and memory antibody are evolved dynamically. The mechanism of dynamic production and elimination of mature antibody is set up. The experiment result shows that the method can detect virus well, andmutated and unknown script-virus can be detected.

Caiming Liu,Xiaojie Liu,Tao Li,Jinquan Zeng,Lingxi Peng,Hui Zhao,Zhengtian Lu

2007-01-01

Journal of Computational Information Systems

Abstract:A virus detection model based on artificial immune principle and support vector domain description (SVDD) is proposed. Artificial immune principle combined with SVDD is applied to this model. SVDD description models of self, mature immune cell and memory immune cell are deduced to lessen self cells and immune cells needed by virus detection. Processes of self-tolerance and clone selection are simulated. Mature immune cell set is evolved dynamically. The data description models are updated in real time to advance the detection rate. The experimental results show that the method can detect virus efficiently, and mutated virus can be detected.

Hong CHEN,Weiwei YANG,Jiankun SHI,Weiqiang LIN

DOI: https://doi.org/10.16400/j.cnki.kjdkz.2015.07.086

2015-01-01

Abstract:In order to reduce the harm of the computer virus, the proposal is presented to cut off the computer virus' lifecycle based on the working principles of the computer virus. The effective strategy is to implement the defense mechanism during the design stage, the propagation phase and the operation phase with the safety education, which demonstrates it is effective to reduce the average probability of poisoning about 23%and the percentage of working hours is improved 25%in lab of uni-versities and colleges.

鲍欣龙,马建辉,罗文坚,曹先彬,王煦法

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.01.021

2005-01-01

Computer Science

Abstract:Lacking the ability of recognizing and processing the unknown viruses is one of the major limitations of common anti-virus technologies. Inspired by the vertebrate immune system,this paper puts forward and accomplished a novel immune recognition model and algorithm. Referencing the immune evolutionary learning mechanic and posi- tive/negative selection mechanic,this model and algorithm make the detectors and "self" to change by self-adaptation. This paper gives out the detailed implementation of this algorithm. Experiments on several real viruses prove that this algorithm has a good ability on recognizing unknown viruses and wide prospective application fields.

GUAN Xin,ZHU Bing,CHEN Zhen,PENG Xue-hai

DOI: https://doi.org/10.3969/j.issn.1671-1122.2013.04.003

2013-01-01

Abstract:As the computing technology flourishes recently,the computing world is also in the peril of viruses.Network transferred viruses,such as worms,which threat millions of hosts in Internet.As countermeasure of such attacks,the research work for Anti-Virus is urgent affairs and a big problem.This paper describes an implementation of Anti-Virus engine.It focuses on technologies for scanning viruses by the use of virus signatures based on Hex Sig and MD5 Sig.The author implements two Hex-Sig-based scanning algorithms by using binary tree and hash table,and compares the performances of the two algorithms.Some conceived experiments are conducted,and results show that the hash-table-based algorithm achieves better performance in terms of the scanning speed.The author also investigates into a MD5-Sig-based scanning algorithm,and evaluates its performance.Finally,future work is planned and prospected.

Wei Wang,Pengtao Zhang,Ying Tan,Xingui He

DOI: https://doi.org/10.1109/CIS.2009.57

2009-01-01

Abstract:As viruses become more complex, existing antivirus methods are inefficient to detect various forms of viruses, especially new variants and unknown viruses. Inspired by immune system, a hierarchical artificial immune system (AIS) model, which is based on matching in three layers, is proposed to detect a variety of forms of viruses. In the bottom layer, a non-stochastic but guided candidate virus gene library is generated by statistical information of viral key codes. Then a detecting virus gene library is upgraded from the candidate virus gene library using negative selection. In the middle layer, a novel storage method is used to keep a potential relevance between different signatures on the individual level, by which the mutual cooperative information of each instruction in a virus program can be collected. In the top layer, an overall matching process can reduce the information loss considerably. Experimental results indicate that the proposed model can recognize obfuscated viruses efficiently with an averaged recognition rate of 94%, including new variants of viruses and unknown viruses.

Wei Wang,Peng-tao Zhang,Ying Tan,Xin-gui He

DOI: https://doi.org/10.1631/jzus.c1000445

2011-01-01

Journal of Zhejiang University SCIENCE C

Abstract:Along with the evolution of computer viruses, the number of file samples that need to be analyzed has constantly increased. An automatic and robust tool is needed to classify the file samples quickly and efficiently. Inspired by the human immune system, we developed a local concentration based virus detection method, which connects a certain number of two-element local concentration vectors as a feature vector. In contrast to the existing data mining techniques, the new method does not remember exact file content for virus detection, but uses a non-signature paradigm, such that it can detect some previously unknown viruses and overcome the techniques like obfuscation to bypass signatures. This model first extracts the viral tendency of each fragment and identifies a set of statical structural detectors, and then uses an information-theoretic preprocessing to remove redundancy in the detectors’ set to generate ‘self’ and ‘nonself’ detector libraries. Finally, ‘self’ and ‘nonself’ local concentrations are constructed by using the libraries, to form a vector with an array of two elements of local concentrations for detecting viruses efficiently. Several standard data mining classifiers, including K-nearest neighbor (KNN), radial basis function (RBF) neural networks, and support vector machine (SVM), are leveraged to classify the local concentration vector as the feature of a benign or malicious program and to verify the effectiveness and robustness of this approach. Experimental results show that the proposed approach not only has a much faster speed, but also gives around 98% of accuracy.

Jinquan Zeng,Caiming Liu,Jianbin Hu,Yu Zhang

2012-01-01

Abstract:Detecting unknown malicious executables is a challenging task. Traditional anti-virus systems use signatures to detect malicious executables. However, the method cannot detect unseen instances or variants. Inspired by biological immune systems, an immune-based approach for detection of unknown malicious executables is proposed in this paper, which is referred to MEDMI. The approach can use the benign executables to be the training set for building the profile of the system and then generates detectors to detect malicious executables. The experiments comparing with different detection methods show that the approach provides an effective novel solution to detect malicious executables. © Maxwell Scientific Organization, 2012.

陈顼颢,王志英,任江春,郑重,黄訸

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.06.098

2010-01-01

Abstract:Based on virus behavior analysis and pattern recognition technology, this paper proposed an active defense strategy with user behavior patterns as the core, which could identify the user’s normal behavior, and could find that the system was attacked by malware when abnormal behavior was detected. This strategy was independent of the proliferation of malware which made defense technology not be subject to malicious programs. It implemented this defense strategy, and did experiments in a virtual execution environment. The results show that this strategy has a high rate in recognition of the unknown virus.

XIN Yi,FANG Bin-xing,HE Long-tao,YUN Xiao-chun,LI Zhi-dong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.001

2007-01-01

Abstract:Worm detection and signature extraction was presented based on analysis of similar communication character-istics,which identifies the distinct communication pattern of worm spread,and evaluates the similarity metric of commu-nication characteristic sets,and detects worms by detecting their infectivity with higher detection precision,generality and adaptability.Based on this,a heuristic detection framework is designed,which eliminates non-worm traffic from protocol,sequence,and content in three levels via blind,intent and lock track,then filters out worm packets and extracts signatures.The technique reduces data collection volume and analysis cost dramatically,and can detection worm and ex-tract signature quickly in the environment with high strength background noise.

CHEN Lei-ting,ZHANG Liang

DOI: https://doi.org/10.3969/j.issn.1001-0548.2005.02.021

2005-01-01

Abstract:This paper points out the deficiency in detecting the unknown Trojan horse of the present anti-virus software at first, introduces the advantage of artificial immune system in self-adaptability aspect, and points out the feasibility of artificial immunity mechanism in Trojan horses detection; Then through an analysis about the new technology of Trojan horses, proves the deficiency of current computer security system with a Trojan horses model, presents the transfer of Trojan horses detection from the anti-virus software to the subsystem of immune IDS, improves the self-adaptive capacity of Trojan horses detection with its immune mechanism; Finally, a behavior mode is put forward, which is mapped from the using situation of process systematic resource to the process systematic call, and by this means, a Trojan horse detection model based on artificial immunity mechanism is set up.

Jia-xi HU,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.12.028

2017-01-01

Abstract:Malicious code under the new situation is more focused on specific scenarios, such as banks, enterprise intranets, Internet of things, etc. Malicious code in different scenarios needs, as a common thing, to bypass anti-virus software and other defense systems. Via study and analysis on the working principle of anti-virus software and a large number of malicious code samples, some anti-anti-virus technology involving white list, code obfuscation, sandbox bypassing and other antivirus-bypassing software tricks is proposed. Based on the above anti-anti-virus technology, the malicious code samples are packaged for a second time, and the tests of their anti-anti-virus killing rates also done on VirusTotal platform. The test results indicate that the anti-anti-virus technology makes the killing rate of malicious code sample significantly reduced, and that the reliance only on anti-virus software for preventing malicious code is not very reliable.

Chen Zhongmin,Wang Yu,Xu Baowen

DOI: https://doi.org/10.1109/wicom.2007.446

2007-01-01

Abstract:Mobile agent technology could be used to solve the problems on intrusion detection in network security area, while immune principle could supply reference to algorithm design of agent for detecting and analyzing data. In this paper, the detecting algorithm based on the immune principle, including the definition of problem domain, computation of affinity between the antibody and antigen,as well as between antibody, the generation of the detectors, has been elaborated. The algorithm of negative selection used in the agent has been improved The experimental result indicates that the algorithm is more adaptive than the original one.

Zhenhe Guo,Zhengkai Liu,Ying Tan

DOI: https://doi.org/10.1007/978-3-540-28648-6_108

2004-01-01

Abstract:Detection of unknown malicious executables is one of most important tasks of Computer Immune System (CIS) studies. By using non-self detection, anomaly detection based on thickness, diversity of anti-body (Ab) and artificial neural networks, this paper proposes an NN-based malicious executables detection algorithm. This algorithm includes three parts, i.e., detector generation, anomaly information extraction and classification. At last, a number of experiments illustrate that this algorithm has high detection rate with very low the false positive rate.

WANG Ping,FANG Bin-xing,YUN Xiao-chun

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.06.013

2006-01-01

Abstract:Worms had done serious harm to the computer networks due to their propagating speeds.The research was necessary to detect worms quickly and automatically.In large scale networks,flux based anomaly found module was used to screen out anomalous network data set,and automatic signature extraction was processed in succession,then its signa-ture was updated to the signature database of the signature based detection module,thus,the approach to detect unknown worms was realized.Novel epidemic can be found effectively,and the whole system is the fundament of worm automatic defense.

梁文,曹先彬,张四海,王煦法

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.01.005

2005-01-01

Abstract:Immune network intrusion system is a new approach of anomaly detection and it detects relatively infinite foreign antigens using finite detectors. Cur rent work recognizes unknown antigens by traditional evolution methods but the e xperiment result is not satisfying. This paper points that particularity of NIDS requires many detectors rather than several best ones. Inspired by affinity mut ation mechanism in the biological immune system this paper proposes an immune re cognition method, in which polymorphism is introduced. Experiments results show that this model suits NID well and has excellent ability of recognizing unknown intrusion patterns.

Bo Yun Zhang,Xi Ai Yan,De Quan Tang

DOI: https://doi.org/10.1088/1742-6596/1087/6/062026

2018-09-01

Journal of Physics: Conference Series

Abstract:This paper describes the research status and progress of malicious code intelligent detection techniques. It introduced the research background of the malicious code detection. Then the classified and analyzed research work from the theoretical research on malicious code detection, malicious code static detection and dynamic detection, integrated detection and based on biological immune detection techniques are described in detail. The contrastive analysis of different detection methods principle and further study on the future directions are discussed.

Chenxi Wang,J. C. Knight,M. C. Elder

DOI: https://doi.org/10.1109/ACSAC.2000.898879

2000-01-01

Abstract:Viruses remain a significant threat to modern networked computer systems. Despite the best efforts of those who develop anti-virus systems, new viruses and new types of virus that are not dealt with by existing protection schemes appear regularly. In addition, the rate at which a virus can spread has risen dramatically with the increase in connectivity. Defenses against infections by known viruses rely at present on immunization yet, for a variety of reasons, immunization is often only effective on a subset of the nodes in a network and many nodes remain unprotected. Little is known about either the way in which a viral infection proceeds in general or the way that immunization affects the infection process. We present the results of a simulation study of the way in which virus infections propagate through certain types of network and of the effect that partial immunization has on the infection. The key result is that relatively low levels of immunization can slow an infection significantly.