SlideShare a Scribd company logo

Artificial immune system against viral attack

U
UltraUploader
1 of 8
Download to read offline
M. Bubak et al. (Eds.): ICCS 2004, LNCS 3037, pp. 499–506, 2004. © Springer-Verlag Berlin Heidelberg 2004 Artificial Immune System against Viral Attack Hyungjoon Lee 1 , Wonil Kim 2* , and Manpyo Hong 1 1 Digital Vaccine Lab, G,raduated School of Information and Communication Ajou University, Suwon, Republic of Korea {prime, mphong}@ajou.ac.kr 2 College of Electronics and Information Engineering, Sejong University, Seoul, Republic of Korea wikim@sejong.ac.kr Abstract. Since the first computer virus has been found, scanning detection has been used as a primarily method in virus detection systems. As computer viruses and worms become more complex and sophisticated, the scanning detection method is no longer able to detect various forms of viruses and worms effectively. Many anti-virus researchers proposed various detection methods including artificial immune system to cope with these characteristics of viruses and worms. This paper discusses some principle of artificial immune system and proposes artificial immune based virus detection system that can detect unknown viruses. 1 Introduction Since the computer virus first appeared in 1981, it has been evolved as computer environments such as operating system, network, and application program have changed. The frequent evolution of computer virus has forced anti-virus researchers continuous development of new detection method. However most anti-virus systems are still based on scanning detection using signature, since other mechanisms have false positive or detection speed problem in real situations. In this paper, we propose a new virus detection approach that employs the artificial immune system. Artificial immune system is based on human immune system. The human immune system recognizes, memorizes, and responses to virus adaptively. Anomaly detection and adaptability are important properties of artificial immune system. The proposed artificial immune based system applies this property and detects unknown computer viruses. In the next section, Artificial Immune system will be discussed in detail. In Section 3, the proposed artificial immune based virus detection system will be described. Simulation results and the direction of future research will be discussed in Section 4 and Section 5 respectively. * Author for correspondence +82-2-3408-3795
500 H. Lee, W. Kim, and M. Hong 2 Artificial Immune System Immunologists have traditionally described the human immune system as the problem of distinguishing "self" from dangerous "non-self" and eliminating dangerous non- self. Similarly, the computer security can be viewed as the problem of distinguishing benign program from malicious program such as computer virus or worm. Spafford described a computer virus from a biological point of view by analyzing several characteristic of virus as in artificial life [1]. Since then, many anti-virus researchers have researched on artificial immune system to protect a system from the intrusion including viruses and worms. Artificial immune system should have anomaly detection capability to defend unknown intrusion. Adaptability is also a necessary property of artificial immune system to learn unknown intrusion and to response learned intrusions quickly. Other properties such as distributability, autonomy, diversity and disposability are required for the flexibility and stability of artificial immune system [14]. Protecting static File Protecting Process Protecting a Network M atching the system call sequence using negative selection Decoy program self, non-self discrimination Kill-signal NAVEX(Symantec) Distributed CVIS Artificial Immune System Fig. 1. Taxonomy of artificial immune system Artificial immune system can be divided into three categories according to which computer component will be identified as a protected cell. Figure 1 shows this classification. First, protecting static file category assumes a file including program code as a cell. Forrest proposed a method for change detection using negative selection algorithm [6]. Forrest’s artificial immune system randomly generates check code called detector, and eliminates ones that can recognize self (benign program). This process is called negative selection algorithm. All programs or data matched with detectors are indicated as non-self (malicious code). Kephart proposed an artificial immune model that consists of monitoring, scanning and biological immunology [11]. In his model, known viruses are detected by scanner based on weak signature, and unknown viruses are collected and analyzed using decoy program. The decoy program is a dummy program that is not changeable. If decoy program is modified, it is virus infection. Distributed Computer Virus Immune System (CVIS) combined negative selection and decoy program. It uses decoy program to detect the unknown virus and employs negative selection to identify detected unknown virus [16]. Second, protecting process category assumes a process as a cell. Matching the system call sequence is proposed by Forrest [10]. The mechanism of this system is the same as self-nonself discrimination using negative selection. It is different from the first category that this mechanism matches detector with system call sequences, not with program codes.
Artificial Immune System against Viral Attack 501 Third, protecting a network category assumes a host as a cell. Kill-signal mechanism is proposed by Kephart, and a immune system called NAVEX that is proposed by Symantec [11,17]. Both immune systems propagate signatures of detected viruses to protect network connected hosts, as does biological immune system. In biological immune system, when an immune cell detects a virus, the cell spread chemical signal in order to duplicate the same immune cells. SelfN on-self Sig natures Sign atu res Sig natures Signature Selecto r V iru s Scanning Signatures Self sign atu res program program program Sign atu re E xtractor Fig. 2. Structure of proposed virus detection system 3 Proposed Virus Detection System Negative selection algorithm and decoy programs are important methods in artificial immune system. Negative selection algorithm is inspired by genetic random-process. But this mechanism has a weakness that come from the difference between human body and computer system. State of human body is stable, whereas that of computer system is not. Negative selection algorithm is suitable in stable system. Idea of decoy program comes from the distributability and diversity of immune system. In the case of decoy program, there is no guarantee that a virus will attack a decoy program. The proposed artificial immune based Virus Detection System (VDS) compromises this weakness, and is suitable for dynamically changing environment such as computer system. VDS is a signature learning system to detect unknown viruses. VDS classify incoming or changed (patched) programs into legitimate programs and viruses. The process of VDS is consists of the following three steps. In the first step, VDS assumes that all existing programs are legitimate. In the next step, all incoming and changed programs are classified into suspicious programs. Finally, VDS selects virus programs from these suspicious programs using detection method based on virus behavior. Hereafter, we refer to legitimate program as self and suspicious program as non-self. VDS consists of signature extractor and signature selector as in Figure 2. Signature extractor produces signatures of non-self. The main operation of signature extractor is selecting bit strings that are not matched with any self code at the same position. Therefore, signature extractor produces signature of non-self that never matched with any self. Produced non-self signatures are collected and analyzed by signature selector. Signature selector compares the similarity of non-self signature with each others. Since viruses tend to infect other programs, if the same non-self signatures are appeared frequently, signature selector classifies those into signatures of viruses, and these signatures are used for virus scanner. Notice that these non-self signatures never
502 H. Lee, W. Kim, and M. Hong match with any self program. In the case of less frequent signatures, it is assumed as signature of self. We classify the program that contains any one of these self signatures as self. This process provides the adaptable capacity to the proposed VDS. The detailed process of each steps are discussed in the following 3 sections. 3.1 Signature Representation The VDS generates signatures to recognize self and non-self program. The size of signature extraction region, from which we analyze for signature extraction, is always constant. Since most infected file executes virus code at first, most entry pointer of infected program indicates virus code. Therefore, we decide that starting point of signature extraction region is entry point of program. Signature consists of several pairs of offset and bit string. Number of pairs, offset and bit string are selected by signature extractor. Signature extraction region String1 String2 String3 String1 Signature offset offset String2 offset String3 Progrram program entry point Fig. 3. Signature representation 3.2 Signature Extractor Signature extractor produces non-self program signature that never matches with any self-program signature. This process consists of the following steps. 00100101 00110101 00100101 00100100 ...... self1 non-self 00100101 00111101 11100101 00110101 ...... mark XXXXXXXX 00110101 00100101 00110101 ...... 00100101 00111101 11100101 00110101 ...... self2 mark XXXXXXXX 00110101 00100101 XXXXXXXX ...... signature updated non-self ... ... Fig. 4. Generating signature of non-self program • Step 1: Divide a signature extraction region into several same sized comparison units. • Step 2: Compare a signature extraction region of non-self program with each one of all self-programs.
Artificial Immune System against Viral Attack 503 • Step 3: If two comparison units on same position are same, mark the comparison unit in signature extraction region of non-self program. Continue this process on each signature extraction region of all self-programs. In Figure 4, comparison unit is 1 byte. Non-self is compared with self1 and self2. When two comparisons are finished, first unit and fourth unit are marked. After all the comparisons with other self-programs are done, the signature of non-self consists of remained unmatched units. Since all of the comparison units that are the same with self’s are marked as useless, the generated signature never matches with any self- programs. 3.3 Signature Selector After we obtain signatures of non-self programs, we need to classify non-self program into virus or normal program. If virus infects other programs, the signature extractor generates signatures from same virus code because infected program is changed by one virus. Therefore, checking frequency of occurrence of the same signature is the same as checking the spread of the same virus code. 10110001 XXXXXXXX 00100101 XXXXXXXX 10110001 10000001 XXXXXXXX 00110101 00100101 XXXXXXXX 10110001 10000001signature1 signature2 Similarity value = 1 + 11 = 1 + 3 = 4 Fig. 5. Similarity between two signatures Signature selector calculates the similarity values of non-self signatures, as shown in Figure 5. Comparison factors are bit sequence and offset of comparison unit in signature extraction region. If two factors of comparison units are equal, similarity function adds one to similarity value. When consecutive comparison units are equal, similarity value increases. For example, if two compare units are equal and adjacent, similarity value is 3 (112 ). In other words, when n consecutive comparison units are equal, similarity value is 2 n -1. Note that signatures of the same programs are more similar than signatures of different programs. In other words, similarity values between signatures of the same program codes are higher than the others. Therefore, VDS can distinguish signatures of the same program codes from signatures of other distinct program codes. The threshold values for classifying signatures of the same and different programs are determined by analyzing similarity values of the entire non-self programs. Determining the threshold values for classifying is discussed in Section 4. 4 Simulation VDS extracts signatures of non-self programs based on self-programs. Signature size and similarity value are important factors in VDS. As the number of self-programs that has the same comparison units at the same position is increased, the size of a
504 H. Lee, W. Kim, and M. Hong signature of the non-self program is decreased. In the worst case, VDS cannot generate the signature of particular program, because every comparison unit is marked as useless. The similarity value is used for classifying virus detector from suspicious signatures. In this section, we will discuss several simulation results from various signature extraction region size and comparison unit. The simulation is processed on several parameters as in Table. 1. Table 1. Simulation parameters Parameters Variables The number of self-programs 1385 execution files The number of non-self programs 160 execution files (3 virus infected files) Signature extraction region size 500byte, 1Kbyte, 5Kbyte, 10Kbyte Comparison unit size 1byte, 2byte, 3byte (a) SER 10Kbyte 0 2000 4000 6000 8000 10000 12000 0 50 100 150 Files SignatureSize(byte) 1byte 2byte 3byte (b) SER 5Kbyte 0 1000 2000 3000 4000 5000 6000 0 50 100 150 Files SignatureSize(byte) 1byte 2byte 3byte (c) SER 1Kbyte 0 200 400 600 800 1000 1200 0 50 100 150 Files SignatureSize(byte) 1byte 2byte 3byte (d) SER 500byte 0 100 200 300 400 500 600 0 50 100 150 Files SignatureSize(byte) 1byte 2byte 3byte Fig. 6. Simulating using various sizes of SER: Graphs show signature size of different Signature Extraction Region (SER) 10Kbyte; 5Kbyte, 1Kbyte, and 500byte. Each graph has three parameters of comparison unit 1byte, 2byte, and 3byte. The graphs in Figure 6 show the relation between signature size and two parameters; signature extraction region and comparison unit. The more signature extraction region and comparison unit increases, the more signature size increases. Larger signature includes richer information about related non-self program. But, when signature is used for scanning viruses, small signature is effective. Signatures that are larger than 1KB are not feasible for a virus-scanning signature. Moreover, the percentage of files that has zero signature is independent with size of signature extraction region and comparison unit. The number of files with zero signature size is almost 14 (8.75%) in all cases. We chose two effective sizes of signature extraction region; 1Kbyte and 500 byte. We simulated comparison for signature selection about the extracted signatures of non-self programs on these two parameters.
Artificial Immune System against Viral Attack 505 Similarity values between each signature of non-self programs are shown in Figure 7. When signature extraction region is 1Kbyte and comparison unit is 1byte, 88% of signatures of non-self programs have similarity value zero. When signature extraction region is 500byte and comparison unit is 1byte, signatures with zero similarity value are 92% in entire signatures of non-self programs. Since the percentage of actual virus infected file is 1.875%, ideal percentage of signatures that similarity value is zero should be 98.125%. Then, we can classify non-self signatures into virus signatures, whose similarity value is greater than zero. But, the percentage of non-zero signatures is 6% even though the extraction region size is 1Kbyte and comparison unit size is 3 byte. We need to determine threshold value to classify non-self programs into normal programs and viruses. When SER is fixed, increasing the size of comparison unit results in rapid increase of its similarity value, since consecutive extracted signature is larger. When larger comparison unit is used, the gap of similarity value is larger. When signature extraction region is 1Kbyte and comparison unit is 3byte, we can find easily threshold of similarity value 1.E+08 to classify signatures of non-self programs into virus, because ideal percentage of signatures of normal programs is 98.125%. When threshold of similarity value is 1.E+08, three signatures are selected by signature selector. Virus scanner using these signatures can detect virus-infected files. (a) Percentage of Files as Similarity ( SER 1 Kbyte ) 90% 92% 94% 96% 98% 100% 0.E+00 3.E+02 7.E+02 2.E+03 6.E+03 1.E+04 1.E+08 Similarity PercentageofFiles 3 Byte 2 Byte 1 Byte (b) Percentage of Files as Similarity ( SER 500 Byte ) 90% 92% 94% 96% 98% 100% 0.E+00 3.E+02 7.E+02 2.E+03 6.E+03 1.E+04 1.E+08 Similarity PercentageofFiles 3 Byte 2 Byte 1 Byte Fig. 7. Percentage of files as similarity: In the case of SER 1Kbyte and 500byte, Percentage of files is showed. Each graph has three parameters of comparison unit 1byte, 2byte, and 3byte. 5 Conclusion Artificial immune system is based on distinguish “self” and “non-self” like biological immune system. But previous artificial immune system is not feasible for dynamic computer system, especially for negative selection algorithm. In this paper, we proposed the artificial immune based Virus Detection System (VDS) that is feasible for dynamic computer system. VDS is a signature learning system to detect unknown virus. VDS produces signatures of non-self from suspicious program, and classify them into self-program and virus. Since virus tends to infect other programs, if similar non-self signatures are appeared frequently, VDS classifies those into signature of viruses for virus scanning. Therefore, VDS detect adaptively unknown viruses In the simulation of VDS with 1Kbyte of the Signature Extraction Region (SER) and 3byte of the comparison unit, 94% of extracted signatures were completely
506 H. Lee, W. Kim, and M. Hong different. In other words, their similarity values are zero. The remaining 6% signatures including virus signatures had distinguished similarity values. Especially, the 2% virus signatures had relatively high similarity values. Therefore, proposed VDS can classify suspicious non-self programs into normal programs and viral programs. Using threshold of similarity value, VDS can select virus signatures. Virus scanner using these signatures can detect virus-infected files correctly. References [1] Eugene H. Spafford, Computer Viruses as Artificial Life, in Artificial Life II, Addison- Wesley (1992). [2] Richard Marko, Heuristics: Retrospective and Future, Virus Bulletin Conference (2002) [3] Taras Malivanchuk, The WIN32 worms: Classification and Possibility of Heuristic detection, Virus Bulletin Conference (2002) [4] Vesselin Bonchev, Macro and Script Virus Polymorphism, Virus Bulletin Conference, (2002) [5] Gabor Szappanos, Are There Any Polymorphic Macro Viruses at All?, Virus Bulletin Conference, (2002) [6] Stephanie Forrest, Self-Nonself Discrimination in a Computer, IEEE Symposium on Research in Security and Privacy (1994) [7] J. P. Anderson, Computer Security threat monitoring and surveillance, Technical report, (1980) [8] Dorothy E. Denning , An Intrusion-Detection Model, IEEE (1986) [9] David Wagner and Drew Dean, Intrusion Detection via Static Analysis, IEEE (2001) [10] S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, A Sense of Self for Unix Processes, IEEE (1996) [11] Jeffrey O. Kephart, A Biologically Inspired Immune System for Computers, High Integrity Computing Laboratory IBM Thomas J. Watson. Artificial Life IV: Proceedings of the Fourth International Workshop on the Synthesis and Simulation of Living Systems (1994) [12] Kim, J., Bentley, P., (1999), The Human Immune System and Network Intrusion Detection, submitted to EUFIT'99 [13] Digging For Worms, Fishing For Answers, (2002) [14] Dipankar Dasgupta and Nii Attoh-Okine, Immunity-Based Systems : A survey, IEEE International Conference (1997) [15] Anil Somayaji, Steven Hofmeyr and Stephanie Forrest, Principles of a Computer Immune System, (1997) [16] Robert E. Marmelstein, David A. Van Veldhuizen and Gray B. Lamont, A Distributed Architecture for an Adaptive CVIS [17] The Digital Immune System, Symantec technical report [18] Stephanie Forrest, Anil Somayaji and David H. Ackley, Building Diverse Computer Systems, IEEE (1997) [19] Dipankar Dasgupta and Stephanie Forrest, Novelty Detection in Time Series Data Using Ideas from Immunology, International Conference on Intelligent System (1999) [20] Dipankar Dasgupta, Artificial Neural Networks and Artificial Immune System : Similarities and Differences, IEEE (1997) [21] Okamoto, T. and Ishida, Y., Multiagent Approach Computer virus: An Immunity-Based System, AROB (1999)

Recommended

Design and Implementation of Artificial Immune System for Detecting Flooding ...
Design and Implementation of Artificial Immune System for Detecting Flooding ...Design and Implementation of Artificial Immune System for Detecting Flooding ...
Design and Implementation of Artificial Immune System for Detecting Flooding ...
Kent State University
 
Applications of artificial immune system a review
Applications of artificial immune system a reviewApplications of artificial immune system a review
Applications of artificial immune system a review
ijfcstjournal
 
Inspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune SystemsInspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune Systems
Julie Greensmith
 
Artificial immune system
Artificial immune systemArtificial immune system
Artificial immune system
Tejaswini Jitta
 
MultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detectionMultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detection
Aboul Ella Hassanien
 
AIS
AISAIS
AIS
Sweta Leena Panda
 
2001: An Introduction to Artificial Immune Systems
2001: An Introduction to Artificial Immune Systems2001: An Introduction to Artificial Immune Systems
2001: An Introduction to Artificial Immune Systems
Leandro de Castro
 
2005: An Introduction to Artificial Immune Systems
2005: An Introduction to Artificial Immune Systems2005: An Introduction to Artificial Immune Systems
2005: An Introduction to Artificial Immune Systems
Leandro de Castro
 

Recommended

Design and Implementation of Artificial Immune System for Detecting Flooding ...
Design and Implementation of Artificial Immune System for Detecting Flooding ...Design and Implementation of Artificial Immune System for Detecting Flooding ...
Design and Implementation of Artificial Immune System for Detecting Flooding ...
Kent State University
 
Applications of artificial immune system a review
Applications of artificial immune system a reviewApplications of artificial immune system a review
Applications of artificial immune system a review
ijfcstjournal
 
Inspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune SystemsInspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune Systems
Julie Greensmith
 
Artificial immune system
Artificial immune systemArtificial immune system
Artificial immune system
Tejaswini Jitta
 
MultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detectionMultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detection
Aboul Ella Hassanien
 
AIS
AISAIS
AIS
Sweta Leena Panda
 
2001: An Introduction to Artificial Immune Systems
2001: An Introduction to Artificial Immune Systems2001: An Introduction to Artificial Immune Systems
2001: An Introduction to Artificial Immune Systems
Leandro de Castro
 
2005: An Introduction to Artificial Immune Systems
2005: An Introduction to Artificial Immune Systems2005: An Introduction to Artificial Immune Systems
2005: An Introduction to Artificial Immune Systems
Leandro de Castro
 
Negative Selection for Algorithm for Anomaly Detection
Negative Selection for Algorithm for Anomaly DetectionNegative Selection for Algorithm for Anomaly Detection
Negative Selection for Algorithm for Anomaly Detection
Xavier Llorà
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194
Editor IJARCET
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemSelf Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
IJRES Journal
 
A retrovirus inspired algorithm for virus detection & optimization
A retrovirus inspired algorithm for virus detection & optimizationA retrovirus inspired algorithm for virus detection & optimization
A retrovirus inspired algorithm for virus detection & optimization
UltraUploader
 
Metamorphic Malware Analysis and Detection
Metamorphic Malware Analysis and DetectionMetamorphic Malware Analysis and Detection
Metamorphic Malware Analysis and Detection
Grijesh Chauhan
 
Kx3419591964
Kx3419591964Kx3419591964
Kx3419591964
IJERA Editor
 
DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1
IJITE
 
A review of machine learning based anomaly detection
A review of machine learning based anomaly detectionA review of machine learning based anomaly detection
A review of machine learning based anomaly detection
Mohamed Elfadly
 
145 148
145 148145 148
145 148
Editor IJARCET
 
A malware detection method for health sensor data based on machine learning
A malware detection method for health sensor data based on machine learningA malware detection method for health sensor data based on machine learning
A malware detection method for health sensor data based on machine learning
jaigera
 
Layered approach
Layered approachLayered approach
Layered approach
ingenioustech
 
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
IJNSA Journal
 
Weapon detection using artificial intelligence and deep learning for security...
Weapon detection using artificial intelligence and deep learning for security...Weapon detection using artificial intelligence and deep learning for security...
Weapon detection using artificial intelligence and deep learning for security...
Venkat Projects
 
Application of genetic algorithm in intrusion detection system
Application of genetic algorithm in intrusion detection systemApplication of genetic algorithm in intrusion detection system
Application of genetic algorithm in intrusion detection system
Alexander Decker
 
A Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer NetworksA Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer Networks
Editor IJCATR
 
Ids 014 anomaly detection
Ids 014 anomaly detectionIds 014 anomaly detection
Ids 014 anomaly detection
jyoti_lakhani
 
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
ijwmn
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
ijaia
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
gerogepatton
 
2005: A Matlab Tour on Artificial Immune Systems
2005: A Matlab Tour on Artificial Immune Systems2005: A Matlab Tour on Artificial Immune Systems
2005: A Matlab Tour on Artificial Immune Systems
Leandro de Castro
 
Blue Star
Blue StarBlue Star
Blue Star
Angel Broking
 
Ibutton
Ibutton Ibutton
Ibutton
berdici
 

More Related Content

What's hot

Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194
Editor IJARCET
 
A retrovirus inspired algorithm for virus detection & optimization
A retrovirus inspired algorithm for virus detection & optimizationA retrovirus inspired algorithm for virus detection & optimization
A retrovirus inspired algorithm for virus detection & optimization
UltraUploader
 
Metamorphic Malware Analysis and Detection
Metamorphic Malware Analysis and DetectionMetamorphic Malware Analysis and Detection
Metamorphic Malware Analysis and Detection
Grijesh Chauhan
 
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
IJNSA Journal
 
Weapon detection using artificial intelligence and deep learning for security...
Weapon detection using artificial intelligence and deep learning for security...Weapon detection using artificial intelligence and deep learning for security...
Weapon detection using artificial intelligence and deep learning for security...
Venkat Projects
 
A Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer NetworksA Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer Networks
Editor IJCATR
 
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
ijwmn
 

What's hot (19)

Negative Selection for Algorithm for Anomaly Detection
Negative Selection for Algorithm for Anomaly DetectionNegative Selection for Algorithm for Anomaly Detection
Negative Selection for Algorithm for Anomaly Detection
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemSelf Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
 
A retrovirus inspired algorithm for virus detection & optimization
A retrovirus inspired algorithm for virus detection & optimizationA retrovirus inspired algorithm for virus detection & optimization
A retrovirus inspired algorithm for virus detection & optimization
 
Metamorphic Malware Analysis and Detection
Metamorphic Malware Analysis and DetectionMetamorphic Malware Analysis and Detection
Metamorphic Malware Analysis and Detection
 
Kx3419591964
Kx3419591964Kx3419591964
Kx3419591964
 
DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1
 
A review of machine learning based anomaly detection
A review of machine learning based anomaly detectionA review of machine learning based anomaly detection
A review of machine learning based anomaly detection
 
145 148
145 148145 148
145 148
 
A malware detection method for health sensor data based on machine learning
A malware detection method for health sensor data based on machine learningA malware detection method for health sensor data based on machine learning
A malware detection method for health sensor data based on machine learning
 
Layered approach
Layered approachLayered approach
Layered approach
 
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
 
Weapon detection using artificial intelligence and deep learning for security...
Weapon detection using artificial intelligence and deep learning for security...Weapon detection using artificial intelligence and deep learning for security...
Weapon detection using artificial intelligence and deep learning for security...
 
Application of genetic algorithm in intrusion detection system
Application of genetic algorithm in intrusion detection systemApplication of genetic algorithm in intrusion detection system
Application of genetic algorithm in intrusion detection system
 
A Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer NetworksA Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer Networks
 
Ids 014 anomaly detection
Ids 014 anomaly detectionIds 014 anomaly detection
Ids 014 anomaly detection
 
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
 
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
A SURVEY ON DIFFERENT MACHINE LEARNING ALGORITHMS AND WEAK CLASSIFIERS BASED ...
 

Viewers also liked

Ibutton
Ibutton Ibutton
Ibutton
berdici
 
Intelligent urban traffic control system
Intelligent urban traffic control systemIntelligent urban traffic control system
Intelligent urban traffic control system
mustafa_talib_yousif
 
Seminar
SeminarSeminar
Seminar
JNTU
 
ppt on embedded system
ppt on embedded systemppt on embedded system
ppt on embedded system
manish katara
 

Viewers also liked (14)

2005: A Matlab Tour on Artificial Immune Systems
2005: A Matlab Tour on Artificial Immune Systems2005: A Matlab Tour on Artificial Immune Systems
2005: A Matlab Tour on Artificial Immune Systems
 
Blue Star
Blue StarBlue Star
Blue Star
 
Ibutton
Ibutton Ibutton
Ibutton
 
Modified artificial immune system for single row facility layout problem
Modified artificial immune system for single row facility layout problemModified artificial immune system for single row facility layout problem
Modified artificial immune system for single row facility layout problem
 
Developing an Artificial Immune Model for Cash Fraud Detection
Developing an Artificial Immune Model for Cash Fraud Detection Developing an Artificial Immune Model for Cash Fraud Detection
Developing an Artificial Immune Model for Cash Fraud Detection
 
Intelligent urban traffic control system
Intelligent urban traffic control systemIntelligent urban traffic control system
Intelligent urban traffic control system
 
Blue star
Blue starBlue star
Blue star
 
Seminar
SeminarSeminar
Seminar
 
Smart note taker
Smart note takerSmart note taker
Smart note taker
 
Skybus
SkybusSkybus
Skybus
 
Bubble power
Bubble powerBubble power
Bubble power
 
Pill camera
Pill cameraPill camera
Pill camera
 
ppt on embedded system
ppt on embedded systemppt on embedded system
ppt on embedded system
 
anti sleep alarm for students
anti sleep alarm for studentsanti sleep alarm for students
anti sleep alarm for students
 

Similar to Artificial immune system against viral attack

A distributed approach against computer viruses inspired by the immune system
A distributed approach against computer viruses inspired by the immune systemA distributed approach against computer viruses inspired by the immune system
A distributed approach against computer viruses inspired by the immune system
UltraUploader
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
UltraUploader
 
Microsoft Word - Welcome to Universiti Teknologi PETRONAS
Microsoft Word - Welcome to Universiti Teknologi PETRONASMicrosoft Word - Welcome to Universiti Teknologi PETRONAS
Microsoft Word - Welcome to Universiti Teknologi PETRONAS
butest
 
Automatic extraction of computer virus signatures
Automatic extraction of computer virus signaturesAutomatic extraction of computer virus signatures
Automatic extraction of computer virus signatures
UltraUploader
 
A feature selection and evaluation scheme for computer virus detection
A feature selection and evaluation scheme for computer virus detectionA feature selection and evaluation scheme for computer virus detection
A feature selection and evaluation scheme for computer virus detection
UltraUploader
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architecture
UltraUploader
 
Analysis of virus algorithms
Analysis of virus algorithmsAnalysis of virus algorithms
Analysis of virus algorithms
UltraUploader
 
Ijfls05
Ijfls05Ijfls05
Ijfls05
ijfls
 
Automated malware invariant generation
Automated malware invariant generationAutomated malware invariant generation
Automated malware invariant generation
UltraUploader
 
Agisa towards automatic generation of infection signatures
Agisa towards automatic generation of infection signaturesAgisa towards automatic generation of infection signatures
Agisa towards automatic generation of infection signatures
UltraUploader
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internet
UltraUploader
 
A memory symptom based virus detection approach
A memory symptom based virus detection approachA memory symptom based virus detection approach
A memory symptom based virus detection approach
UltraUploader
 
Basic survey on malware analysis, tools and techniques
Basic survey on malware analysis, tools and techniquesBasic survey on malware analysis, tools and techniques
Basic survey on malware analysis, tools and techniques
ijcsa
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++
UltraUploader
 

Similar to Artificial immune system against viral attack (20)

A distributed approach against computer viruses inspired by the immune system
A distributed approach against computer viruses inspired by the immune systemA distributed approach against computer viruses inspired by the immune system
A distributed approach against computer viruses inspired by the immune system
 
B410054
B410054B410054
B410054
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
 
Microsoft Word - Welcome to Universiti Teknologi PETRONAS
Microsoft Word - Welcome to Universiti Teknologi PETRONASMicrosoft Word - Welcome to Universiti Teknologi PETRONAS
Microsoft Word - Welcome to Universiti Teknologi PETRONAS
 
Automatic extraction of computer virus signatures
Automatic extraction of computer virus signaturesAutomatic extraction of computer virus signatures
Automatic extraction of computer virus signatures
 
A feature selection and evaluation scheme for computer virus detection
A feature selection and evaluation scheme for computer virus detectionA feature selection and evaluation scheme for computer virus detection
A feature selection and evaluation scheme for computer virus detection
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architecture
 
Analysis of virus algorithms
Analysis of virus algorithmsAnalysis of virus algorithms
Analysis of virus algorithms
 
Ijfls05
Ijfls05Ijfls05
Ijfls05
 
Automated malware invariant generation
Automated malware invariant generationAutomated malware invariant generation
Automated malware invariant generation
 
Agisa towards automatic generation of infection signatures
Agisa towards automatic generation of infection signaturesAgisa towards automatic generation of infection signatures
Agisa towards automatic generation of infection signatures
 
Survey on Malware Detection Techniques
Survey on Malware Detection TechniquesSurvey on Malware Detection Techniques
Survey on Malware Detection Techniques
 
Antivirus
AntivirusAntivirus
Antivirus
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internet
 
A0430104
A0430104A0430104
A0430104
 
Utilization Data Mining to Detect Spyware
Utilization Data Mining to Detect Spyware Utilization Data Mining to Detect Spyware
Utilization Data Mining to Detect Spyware
 
Fighting computer viruses
Fighting computer virusesFighting computer viruses
Fighting computer viruses
 
A memory symptom based virus detection approach
A memory symptom based virus detection approachA memory symptom based virus detection approach
A memory symptom based virus detection approach
 
Basic survey on malware analysis, tools and techniques
Basic survey on malware analysis, tools and techniquesBasic survey on malware analysis, tools and techniques
Basic survey on malware analysis, tools and techniques
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++
 

More from UltraUploader

01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
UltraUploader
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
UltraUploader
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
UltraUploader
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
UltraUploader
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
UltraUploader
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
UltraUploader
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
UltraUploader
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
UltraUploader
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
UltraUploader
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
UltraUploader
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
UltraUploader
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
UltraUploader
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
UltraUploader
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
UltraUploader
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
UltraUploader
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
UltraUploader
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
UltraUploader
 

More from UltraUploader (20)

1 (1)
1 (1)1 (1)
1 (1)
 
01 intro
01 intro01 intro
01 intro
 
01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
 
Blast off!
Blast off!Blast off!
Blast off!
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
 

Artificial immune system against viral attack

  • 1. M. Bubak et al. (Eds.): ICCS 2004, LNCS 3037, pp. 499–506, 2004. © Springer-Verlag Berlin Heidelberg 2004 Artificial Immune System against Viral Attack Hyungjoon Lee 1 , Wonil Kim 2* , and Manpyo Hong 1 1 Digital Vaccine Lab, G,raduated School of Information and Communication Ajou University, Suwon, Republic of Korea {prime, mphong}@ajou.ac.kr 2 College of Electronics and Information Engineering, Sejong University, Seoul, Republic of Korea wikim@sejong.ac.kr Abstract. Since the first computer virus has been found, scanning detection has been used as a primarily method in virus detection systems. As computer viruses and worms become more complex and sophisticated, the scanning detection method is no longer able to detect various forms of viruses and worms effectively. Many anti-virus researchers proposed various detection methods including artificial immune system to cope with these characteristics of viruses and worms. This paper discusses some principle of artificial immune system and proposes artificial immune based virus detection system that can detect unknown viruses. 1 Introduction Since the computer virus first appeared in 1981, it has been evolved as computer environments such as operating system, network, and application program have changed. The frequent evolution of computer virus has forced anti-virus researchers continuous development of new detection method. However most anti-virus systems are still based on scanning detection using signature, since other mechanisms have false positive or detection speed problem in real situations. In this paper, we propose a new virus detection approach that employs the artificial immune system. Artificial immune system is based on human immune system. The human immune system recognizes, memorizes, and responses to virus adaptively. Anomaly detection and adaptability are important properties of artificial immune system. The proposed artificial immune based system applies this property and detects unknown computer viruses. In the next section, Artificial Immune system will be discussed in detail. In Section 3, the proposed artificial immune based virus detection system will be described. Simulation results and the direction of future research will be discussed in Section 4 and Section 5 respectively. * Author for correspondence +82-2-3408-3795
  • 2. 500 H. Lee, W. Kim, and M. Hong 2 Artificial Immune System Immunologists have traditionally described the human immune system as the problem of distinguishing "self" from dangerous "non-self" and eliminating dangerous non- self. Similarly, the computer security can be viewed as the problem of distinguishing benign program from malicious program such as computer virus or worm. Spafford described a computer virus from a biological point of view by analyzing several characteristic of virus as in artificial life [1]. Since then, many anti-virus researchers have researched on artificial immune system to protect a system from the intrusion including viruses and worms. Artificial immune system should have anomaly detection capability to defend unknown intrusion. Adaptability is also a necessary property of artificial immune system to learn unknown intrusion and to response learned intrusions quickly. Other properties such as distributability, autonomy, diversity and disposability are required for the flexibility and stability of artificial immune system [14]. Protecting static File Protecting Process Protecting a Network M atching the system call sequence using negative selection Decoy program self, non-self discrimination Kill-signal NAVEX(Symantec) Distributed CVIS Artificial Immune System Fig. 1. Taxonomy of artificial immune system Artificial immune system can be divided into three categories according to which computer component will be identified as a protected cell. Figure 1 shows this classification. First, protecting static file category assumes a file including program code as a cell. Forrest proposed a method for change detection using negative selection algorithm [6]. Forrest’s artificial immune system randomly generates check code called detector, and eliminates ones that can recognize self (benign program). This process is called negative selection algorithm. All programs or data matched with detectors are indicated as non-self (malicious code). Kephart proposed an artificial immune model that consists of monitoring, scanning and biological immunology [11]. In his model, known viruses are detected by scanner based on weak signature, and unknown viruses are collected and analyzed using decoy program. The decoy program is a dummy program that is not changeable. If decoy program is modified, it is virus infection. Distributed Computer Virus Immune System (CVIS) combined negative selection and decoy program. It uses decoy program to detect the unknown virus and employs negative selection to identify detected unknown virus [16]. Second, protecting process category assumes a process as a cell. Matching the system call sequence is proposed by Forrest [10]. The mechanism of this system is the same as self-nonself discrimination using negative selection. It is different from the first category that this mechanism matches detector with system call sequences, not with program codes.
  • 3. Artificial Immune System against Viral Attack 501 Third, protecting a network category assumes a host as a cell. Kill-signal mechanism is proposed by Kephart, and a immune system called NAVEX that is proposed by Symantec [11,17]. Both immune systems propagate signatures of detected viruses to protect network connected hosts, as does biological immune system. In biological immune system, when an immune cell detects a virus, the cell spread chemical signal in order to duplicate the same immune cells. SelfN on-self Sig natures Sign atu res Sig natures Signature Selecto r V iru s Scanning Signatures Self sign atu res program program program Sign atu re E xtractor Fig. 2. Structure of proposed virus detection system 3 Proposed Virus Detection System Negative selection algorithm and decoy programs are important methods in artificial immune system. Negative selection algorithm is inspired by genetic random-process. But this mechanism has a weakness that come from the difference between human body and computer system. State of human body is stable, whereas that of computer system is not. Negative selection algorithm is suitable in stable system. Idea of decoy program comes from the distributability and diversity of immune system. In the case of decoy program, there is no guarantee that a virus will attack a decoy program. The proposed artificial immune based Virus Detection System (VDS) compromises this weakness, and is suitable for dynamically changing environment such as computer system. VDS is a signature learning system to detect unknown viruses. VDS classify incoming or changed (patched) programs into legitimate programs and viruses. The process of VDS is consists of the following three steps. In the first step, VDS assumes that all existing programs are legitimate. In the next step, all incoming and changed programs are classified into suspicious programs. Finally, VDS selects virus programs from these suspicious programs using detection method based on virus behavior. Hereafter, we refer to legitimate program as self and suspicious program as non-self. VDS consists of signature extractor and signature selector as in Figure 2. Signature extractor produces signatures of non-self. The main operation of signature extractor is selecting bit strings that are not matched with any self code at the same position. Therefore, signature extractor produces signature of non-self that never matched with any self. Produced non-self signatures are collected and analyzed by signature selector. Signature selector compares the similarity of non-self signature with each others. Since viruses tend to infect other programs, if the same non-self signatures are appeared frequently, signature selector classifies those into signatures of viruses, and these signatures are used for virus scanner. Notice that these non-self signatures never
  • 4. 502 H. Lee, W. Kim, and M. Hong match with any self program. In the case of less frequent signatures, it is assumed as signature of self. We classify the program that contains any one of these self signatures as self. This process provides the adaptable capacity to the proposed VDS. The detailed process of each steps are discussed in the following 3 sections. 3.1 Signature Representation The VDS generates signatures to recognize self and non-self program. The size of signature extraction region, from which we analyze for signature extraction, is always constant. Since most infected file executes virus code at first, most entry pointer of infected program indicates virus code. Therefore, we decide that starting point of signature extraction region is entry point of program. Signature consists of several pairs of offset and bit string. Number of pairs, offset and bit string are selected by signature extractor. Signature extraction region String1 String2 String3 String1 Signature offset offset String2 offset String3 Progrram program entry point Fig. 3. Signature representation 3.2 Signature Extractor Signature extractor produces non-self program signature that never matches with any self-program signature. This process consists of the following steps. 00100101 00110101 00100101 00100100 ...... self1 non-self 00100101 00111101 11100101 00110101 ...... mark XXXXXXXX 00110101 00100101 00110101 ...... 00100101 00111101 11100101 00110101 ...... self2 mark XXXXXXXX 00110101 00100101 XXXXXXXX ...... signature updated non-self ... ... Fig. 4. Generating signature of non-self program • Step 1: Divide a signature extraction region into several same sized comparison units. • Step 2: Compare a signature extraction region of non-self program with each one of all self-programs.
  • 5. Artificial Immune System against Viral Attack 503 • Step 3: If two comparison units on same position are same, mark the comparison unit in signature extraction region of non-self program. Continue this process on each signature extraction region of all self-programs. In Figure 4, comparison unit is 1 byte. Non-self is compared with self1 and self2. When two comparisons are finished, first unit and fourth unit are marked. After all the comparisons with other self-programs are done, the signature of non-self consists of remained unmatched units. Since all of the comparison units that are the same with self’s are marked as useless, the generated signature never matches with any self- programs. 3.3 Signature Selector After we obtain signatures of non-self programs, we need to classify non-self program into virus or normal program. If virus infects other programs, the signature extractor generates signatures from same virus code because infected program is changed by one virus. Therefore, checking frequency of occurrence of the same signature is the same as checking the spread of the same virus code. 10110001 XXXXXXXX 00100101 XXXXXXXX 10110001 10000001 XXXXXXXX 00110101 00100101 XXXXXXXX 10110001 10000001signature1 signature2 Similarity value = 1 + 11 = 1 + 3 = 4 Fig. 5. Similarity between two signatures Signature selector calculates the similarity values of non-self signatures, as shown in Figure 5. Comparison factors are bit sequence and offset of comparison unit in signature extraction region. If two factors of comparison units are equal, similarity function adds one to similarity value. When consecutive comparison units are equal, similarity value increases. For example, if two compare units are equal and adjacent, similarity value is 3 (112 ). In other words, when n consecutive comparison units are equal, similarity value is 2 n -1. Note that signatures of the same programs are more similar than signatures of different programs. In other words, similarity values between signatures of the same program codes are higher than the others. Therefore, VDS can distinguish signatures of the same program codes from signatures of other distinct program codes. The threshold values for classifying signatures of the same and different programs are determined by analyzing similarity values of the entire non-self programs. Determining the threshold values for classifying is discussed in Section 4. 4 Simulation VDS extracts signatures of non-self programs based on self-programs. Signature size and similarity value are important factors in VDS. As the number of self-programs that has the same comparison units at the same position is increased, the size of a
  • 6. 504 H. Lee, W. Kim, and M. Hong signature of the non-self program is decreased. In the worst case, VDS cannot generate the signature of particular program, because every comparison unit is marked as useless. The similarity value is used for classifying virus detector from suspicious signatures. In this section, we will discuss several simulation results from various signature extraction region size and comparison unit. The simulation is processed on several parameters as in Table. 1. Table 1. Simulation parameters Parameters Variables The number of self-programs 1385 execution files The number of non-self programs 160 execution files (3 virus infected files) Signature extraction region size 500byte, 1Kbyte, 5Kbyte, 10Kbyte Comparison unit size 1byte, 2byte, 3byte (a) SER 10Kbyte 0 2000 4000 6000 8000 10000 12000 0 50 100 150 Files SignatureSize(byte) 1byte 2byte 3byte (b) SER 5Kbyte 0 1000 2000 3000 4000 5000 6000 0 50 100 150 Files SignatureSize(byte) 1byte 2byte 3byte (c) SER 1Kbyte 0 200 400 600 800 1000 1200 0 50 100 150 Files SignatureSize(byte) 1byte 2byte 3byte (d) SER 500byte 0 100 200 300 400 500 600 0 50 100 150 Files SignatureSize(byte) 1byte 2byte 3byte Fig. 6. Simulating using various sizes of SER: Graphs show signature size of different Signature Extraction Region (SER) 10Kbyte; 5Kbyte, 1Kbyte, and 500byte. Each graph has three parameters of comparison unit 1byte, 2byte, and 3byte. The graphs in Figure 6 show the relation between signature size and two parameters; signature extraction region and comparison unit. The more signature extraction region and comparison unit increases, the more signature size increases. Larger signature includes richer information about related non-self program. But, when signature is used for scanning viruses, small signature is effective. Signatures that are larger than 1KB are not feasible for a virus-scanning signature. Moreover, the percentage of files that has zero signature is independent with size of signature extraction region and comparison unit. The number of files with zero signature size is almost 14 (8.75%) in all cases. We chose two effective sizes of signature extraction region; 1Kbyte and 500 byte. We simulated comparison for signature selection about the extracted signatures of non-self programs on these two parameters.
  • 7. Artificial Immune System against Viral Attack 505 Similarity values between each signature of non-self programs are shown in Figure 7. When signature extraction region is 1Kbyte and comparison unit is 1byte, 88% of signatures of non-self programs have similarity value zero. When signature extraction region is 500byte and comparison unit is 1byte, signatures with zero similarity value are 92% in entire signatures of non-self programs. Since the percentage of actual virus infected file is 1.875%, ideal percentage of signatures that similarity value is zero should be 98.125%. Then, we can classify non-self signatures into virus signatures, whose similarity value is greater than zero. But, the percentage of non-zero signatures is 6% even though the extraction region size is 1Kbyte and comparison unit size is 3 byte. We need to determine threshold value to classify non-self programs into normal programs and viruses. When SER is fixed, increasing the size of comparison unit results in rapid increase of its similarity value, since consecutive extracted signature is larger. When larger comparison unit is used, the gap of similarity value is larger. When signature extraction region is 1Kbyte and comparison unit is 3byte, we can find easily threshold of similarity value 1.E+08 to classify signatures of non-self programs into virus, because ideal percentage of signatures of normal programs is 98.125%. When threshold of similarity value is 1.E+08, three signatures are selected by signature selector. Virus scanner using these signatures can detect virus-infected files. (a) Percentage of Files as Similarity ( SER 1 Kbyte ) 90% 92% 94% 96% 98% 100% 0.E+00 3.E+02 7.E+02 2.E+03 6.E+03 1.E+04 1.E+08 Similarity PercentageofFiles 3 Byte 2 Byte 1 Byte (b) Percentage of Files as Similarity ( SER 500 Byte ) 90% 92% 94% 96% 98% 100% 0.E+00 3.E+02 7.E+02 2.E+03 6.E+03 1.E+04 1.E+08 Similarity PercentageofFiles 3 Byte 2 Byte 1 Byte Fig. 7. Percentage of files as similarity: In the case of SER 1Kbyte and 500byte, Percentage of files is showed. Each graph has three parameters of comparison unit 1byte, 2byte, and 3byte. 5 Conclusion Artificial immune system is based on distinguish “self” and “non-self” like biological immune system. But previous artificial immune system is not feasible for dynamic computer system, especially for negative selection algorithm. In this paper, we proposed the artificial immune based Virus Detection System (VDS) that is feasible for dynamic computer system. VDS is a signature learning system to detect unknown virus. VDS produces signatures of non-self from suspicious program, and classify them into self-program and virus. Since virus tends to infect other programs, if similar non-self signatures are appeared frequently, VDS classifies those into signature of viruses for virus scanning. Therefore, VDS detect adaptively unknown viruses In the simulation of VDS with 1Kbyte of the Signature Extraction Region (SER) and 3byte of the comparison unit, 94% of extracted signatures were completely
  • 8. 506 H. Lee, W. Kim, and M. Hong different. In other words, their similarity values are zero. The remaining 6% signatures including virus signatures had distinguished similarity values. Especially, the 2% virus signatures had relatively high similarity values. Therefore, proposed VDS can classify suspicious non-self programs into normal programs and viral programs. Using threshold of similarity value, VDS can select virus signatures. Virus scanner using these signatures can detect virus-infected files correctly. References [1] Eugene H. Spafford, Computer Viruses as Artificial Life, in Artificial Life II, Addison- Wesley (1992). [2] Richard Marko, Heuristics: Retrospective and Future, Virus Bulletin Conference (2002) [3] Taras Malivanchuk, The WIN32 worms: Classification and Possibility of Heuristic detection, Virus Bulletin Conference (2002) [4] Vesselin Bonchev, Macro and Script Virus Polymorphism, Virus Bulletin Conference, (2002) [5] Gabor Szappanos, Are There Any Polymorphic Macro Viruses at All?, Virus Bulletin Conference, (2002) [6] Stephanie Forrest, Self-Nonself Discrimination in a Computer, IEEE Symposium on Research in Security and Privacy (1994) [7] J. P. Anderson, Computer Security threat monitoring and surveillance, Technical report, (1980) [8] Dorothy E. Denning , An Intrusion-Detection Model, IEEE (1986) [9] David Wagner and Drew Dean, Intrusion Detection via Static Analysis, IEEE (2001) [10] S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, A Sense of Self for Unix Processes, IEEE (1996) [11] Jeffrey O. Kephart, A Biologically Inspired Immune System for Computers, High Integrity Computing Laboratory IBM Thomas J. Watson. Artificial Life IV: Proceedings of the Fourth International Workshop on the Synthesis and Simulation of Living Systems (1994) [12] Kim, J., Bentley, P., (1999), The Human Immune System and Network Intrusion Detection, submitted to EUFIT'99 [13] Digging For Worms, Fishing For Answers, (2002) [14] Dipankar Dasgupta and Nii Attoh-Okine, Immunity-Based Systems : A survey, IEEE International Conference (1997) [15] Anil Somayaji, Steven Hofmeyr and Stephanie Forrest, Principles of a Computer Immune System, (1997) [16] Robert E. Marmelstein, David A. Van Veldhuizen and Gray B. Lamont, A Distributed Architecture for an Adaptive CVIS [17] The Digital Immune System, Symantec technical report [18] Stephanie Forrest, Anil Somayaji and David H. Ackley, Building Diverse Computer Systems, IEEE (1997) [19] Dipankar Dasgupta and Stephanie Forrest, Novelty Detection in Time Series Data Using Ideas from Immunology, International Conference on Intelligent System (1999) [20] Dipankar Dasgupta, Artificial Neural Networks and Artificial Immune System : Similarities and Differences, IEEE (1997) [21] Okamoto, T. and Ishida, Y., Multiagent Approach Computer virus: An Immunity-Based System, AROB (1999)