Abstract
The sophistication of modern computer malware demands run-time malware detection strategies which are not only efficient but also robust to obfuscation and evasion attempts. In this paper, we investigate the suitability of recently proposed Dendritic Cell Algorithms (DCA), both classical DCA (cDCA) and deterministic DCA (dDCA), for malware detection at run-time. We have collected API call traces of real malware and benign processes running on Windows operating system. We evaluate the accuracy of cDCA and dDCA for classifying between malware and benign processes using API call sequences. Moreover, we also study the effects of antigen multiplier and time-windows on the detection accuracy of both algorithms.
Keywords
Apologies to Forrest et al. .
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
API Monitor, http://www.rohitab.com/apimonitor
F-Secure Corporation, F-Secure Reports Amount of Malware Grew by 100% during 2007, Press release (2007)
Symantec, Internet Security Threat Report, vol. XIV (2009)
The Danger Project, http://www.dangertheory.com
VX Heavens Virus Collection, VX Heavens website, http://vx.netlux.org
Aickelin, U., Bentley, P., Cayzer, S., Kim, J., McLeod, J.: Danger Theory: The Link between AIS and IDS? In: Timmis, J., Bentley, P.J., Hart, E. (eds.) ICARIS 2003. LNCS, vol. 2787, pp. 147–155. Springer, Heidelberg (2003)
Christodorescu, M., Jha, S.: Testing Malware Detectors. ACM SIGSOFT Software Engineering Notes 29(4), 34–44 (2004)
Damashek, M.: Gauging Similarity with n-Grams: Language-Independent Categorization of Text. Science 267, 843–848 (1995)
Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for Unix processes. In: IEEE Symposium on Security and Privacy, USA, pp. 120–128. IEEE Press, Los Alamitos (1996)
Gonzalez, F., Dasgupta, D.: Anomaly Detection Using Real-Valued Negative Selection. Journal of Genetic Programming and Evolvable Machines 4(4), 383–403 (2003)
Gonzalez, F., Dasgupta, D., Nino, L.F.: A Randomized Real-Valued Negative Selection Algorithm. In: Timmis, J., Bentley, P.J., Hart, E. (eds.) ICARIS 2003. LNCS, vol. 2787, pp. 261–272. Springer, Heidelberg (2003)
Greensmith, J., Aickelin, U., Cayzer, S.: Introducing Dendritic Cells as a Novel Immune-Inspired Algorithm for Anomaly Detection. In: Jacob, C., Pilat, M.L., Bentley, P.J., Timmis, J.I. (eds.) ICARIS 2005. LNCS, vol. 3627, pp. 153–167. Springer, Heidelberg (2005)
Greensmith, J., Aickelin, U., Twycross, J.: Articulation and clarification of the dendritic cell algorithm. In: Bersini, H., Carneiro, J. (eds.) ICARIS 2006. LNCS, vol. 4163, pp. 404–417. Springer, Heidelberg (2006)
Greensmith, J., Aickelin, U.: Dendritic Cells for SYN Scan Detection. In: Genetic and Evolutionary Computation Conference (GECCO), pp. 49–56. ACM Press, UK (2007)
Greensmith, J., Aickelin, U.: The Deterministic Dendritic Cell Algorithm. In: Bentley, P.J., Lee, D., Jung, S. (eds.) ICARIS 2008. LNCS, vol. 5132, pp. 291–303. Springer, Heidelberg (2008)
Gu, F., Greensmith, J., Aickelin, U.: Further Exploration of the Dendritic Cell Algorithm: Antigen Multiplier and Time Windows. In: Bentley, P.J., Lee, D., Jung, S. (eds.) ICARIS 2008. LNCS, vol. 5132, pp. 142–153. Springer, Heidelberg (2008)
Ji, Z., Dasgupta, D.: Real-Valued Negative Selection Using Variable-Sized Detectors. In: Deb, K., et al. (eds.) GECCO 2004. LNCS, vol. 3102, pp. 287–298. Springer, Heidelberg (2004)
Kolter, J.Z., Maloof, M.A.: Learning to detect malicious executables in the wild. In: International Conference on Knowledge Discovery and Data Mining, pp. 470–478. ACM Press, USA (2004)
Matzinger, P.: Tolerance, danger and the extended family. Annual Review of lmmunology 12, 991–1045 (1994)
Stibor, T., Timmis, J., Eckert, C.: On the Appropriateness of Negative Selection defined over Hamming Shape Space As a Network Intrustion Detection System. In: IEEE Congress on Evolutionary Computation (CEC), pp. 995–1002. IEEE Press, UK (2005)
Stibor, T., Mohr, P., Timmis, J., Eckert, C.: Is Negative Selection Appropriate for Anomaly Detection? In: Genetic and Evolutionary Computation Conference (GECCO), USA, pp. 321–328. ACM Press, New York (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Manzoor, S., Shafiq, M.Z., Tabish, S.M., Farooq, M. (2009). A Sense of ‘Danger’ for Windows Processes. In: Andrews, P.S., et al. Artificial Immune Systems. ICARIS 2009. Lecture Notes in Computer Science, vol 5666. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03246-2_22
Download citation
DOI: https://doi.org/10.1007/978-3-642-03246-2_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03245-5
Online ISBN: 978-3-642-03246-2
eBook Packages: Computer ScienceComputer Science (R0)