Run-time malware detection based on positive selection

Springer Science and Business Media LLC - Volume 7 - Pages 267-277 - 2011
Zhang Fuyong1, Qi Deyu1
1Research Institute of Computer Systems, South China University of Technology, Guangzhou, China

Abstract

This paper presents a supervised methodology that detects malware based on positive selection. Malware detection is a challenging problem due to the rapid growth in the number of malware samples and their increasing complexity. Run-time monitoring of program execution behavior is widely used to discriminate between benign and malicious executables because of its effectiveness and robustness. This paper proposes a novel classification algorithm based on the idea of positive selection, one of the important algorithms in Artificial Immune Systems (AIS), inspired by the positive selection of T-cells. The proposed algorithm is applied to learn and classify program behavior based on I/O Request Packets (IRPs). In our experiments, the proposed algorithm outperforms ANSC, Naïve Bayes, Bayesian Networks, Support Vector Machine, and C4.5 Decision Tree. The algorithm can also be used for general-purpose classification, covering not just two-class but multi-class problems.
