Run-time malware detection based on positive selection

  • Original Paper, Journal in Computer Virology

Abstract

This paper presents a supervised methodology that detects malware based on positive selection. Malware detection is a challenging problem because of the rapid growth in the number of malware samples and their increasing complexity. Run-time monitoring of program execution behavior is widely used to discriminate between benign and malicious executables because of its effectiveness and robustness. This paper proposes a novel classification algorithm based on the idea of positive selection, one of the important algorithms in Artificial Immune Systems (AIS), inspired by the positive selection of T-cells. The proposed algorithm is applied to learn and classify program behavior based on I/O Request Packets (IRP). In our experiments, the proposed algorithm outperforms ANSC, Naïve Bayes, Bayesian Networks, Support Vector Machine, and C4.5 Decision Tree. The algorithm can also be used in general-purpose classification problems, not only two-class but multi-class problems.
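As an added illustration (not the paper's own code; the paper's algorithm is not reproduced on this page), the Python sketch below shows the general shape of a positive-selection classifier over IRP traces: candidate detectors are n-grams of IRP major-function names drawn from each class's training traces, a candidate survives selection only if it binds enough traces of its own class and none of the other classes, and an unseen trace is assigned to the class whose surviving detectors bind it most strongly. The traces, the bigram feature, the support threshold and the cross-reactivity threshold are all constructed assumptions chosen to exercise the code; the functions are label-agnostic, so the same selection and scoring work for more than two classes.

```python
"""Sketch of a positive-selection classifier over IRP traces.

Added illustration only: this is not the paper's algorithm. The traces
below are constructed examples of IRP major-function sequences.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

NGRAM = 2  # assumption: a detector is a bigram of consecutive IRP major functions

# Constructed training traces: (label, sequence of IRP major function names).
TRAIN: List[Tuple[str, List[str]]] = [
    ("benign", ["IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_READ", "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"]),
    ("benign", ["IRP_MJ_CREATE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_READ", "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"]),
    ("benign", ["IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"]),
    ("malware", ["IRP_MJ_CREATE", "IRP_MJ_SET_INFORMATION", "IRP_MJ_WRITE", "IRP_MJ_WRITE", "IRP_MJ_CLOSE"]),
    ("malware", ["IRP_MJ_CREATE", "IRP_MJ_WRITE", "IRP_MJ_SET_INFORMATION", "IRP_MJ_WRITE", "IRP_MJ_CLOSE"]),
    ("malware", ["IRP_MJ_CREATE", "IRP_MJ_SET_INFORMATION", "IRP_MJ_WRITE", "IRP_MJ_CLOSE"]),
]


def ngrams(trace: Sequence[str], n: int = NGRAM) -> set:
    """Set of consecutive n-grams in one trace; these are the binding sites."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def positive_select(train, min_support: int = 2, max_cross: float = 0.0) -> Dict[str, Dict[tuple, float]]:
    """Build per-class detector sets by positive selection.

    A candidate detector (an n-gram seen in class c) survives only if it
    binds at least `min_support` training traces of class c, and binds no
    more than a fraction `max_cross` of the traces of every other class.
    Its weight is the fraction of own-class traces it binds.
    """
    by_label = defaultdict(list)
    for label, trace in train:
        by_label[label].append(ngrams(trace))

    detectors: Dict[str, Dict[tuple, float]] = {}
    for label, own in by_label.items():
        others = [f for other, fs in by_label.items() if other != label for f in fs]
        candidates = Counter(g for feats in own for g in feats)
        kept: Dict[tuple, float] = {}
        for gram, support in candidates.items():
            if support < min_support:
                continue  # too weak an affinity for its own class: the detector dies
            cross = sum(1 for f in others if gram in f) / max(1, len(others))
            if cross > max_cross:
                continue  # reacts to other classes: rejected
            kept[gram] = support / len(own)
        detectors[label] = kept
    return detectors


def classify(detectors: Dict[str, Dict[tuple, float]], trace: Sequence[str]) -> Tuple[str, Dict[str, float]]:
    """Score a trace by the total weight of detectors that bind it, per class.

    Returns the winning label, or "unknown" when nothing binds or classes tie,
    so that an unfamiliar trace is not silently forced into a class.
    """
    feats = ngrams(trace)
    scores = {label: sum(w for g, w in det.items() if g in feats) for label, det in detectors.items()}
    best = max(scores.values(), default=0.0)
    winners = [label for label, s in scores.items() if s == best]
    if best == 0.0 or len(winners) != 1:
        return "unknown", scores
    return winners[0], scores


if __name__ == "__main__":
    dets = positive_select(TRAIN)
    for label, det in dets.items():
        print(label, sorted(det))
    unseen = ["IRP_MJ_CREATE", "IRP_MJ_SET_INFORMATION", "IRP_MJ_WRITE",
              "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_WRITE", "IRP_MJ_CLOSE"]
    print(classify(dets, unseen))
```

With the constructed data, each class keeps three bigram detectors; the unseen trace above, which interleaves an IRP_MJ_DEVICE_CONTROL the training set never saw, still binds all three malware detectors and none of the benign ones, while a two-IRP trace such as create/close binds nothing and is reported as unknown rather than guessed.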


Corresponding author: Zhang Fuyong.

Cite this article

Fuyong, Z., Deyu, Q. Run-time malware detection based on positive selection. J Comput Virol 7, 267–277 (2011). https://doi.org/10.1007/s11416-011-0154-8
