目前普遍采用API序列分析Windows系统下的程序行为,进行运行时恶意代码的检测.但API调用序列可以被篡改以逃避检测.为了解决这个问题,文中提出基于IRP（I/O请求包）的运行时恶意代码检测方法.该方法采用n-gram特征分析方法对IRP序列进行分析,将人工免疫系统中的否定选择算法和肯定选择算法相结合,筛选出仅在恶意代码IRP序列中出现的n-gram作为检测器.实验结果表明,文中所提出的方法在误检率及检测效率上均优于否定选择算法和树突细胞算法.

API（Application Program Interface） is widely used to analyze Windows program behaviors for run-time malware detection.However,API call sequences can be manipulated to circumvent detection.In order to solve this problem,a novel method of run-time malware detection is proposed based on IRP（I/O Request Packet）.In this method,n-grams are employed to analyze IRP sequences for feature extraction,and,by combining the negative selection algorithm（NSA） and the positive selection algorithm（PSA） in the artificial immune system（AIS）,n-grams existing only in malicious IRP sequences are selected as detectors.Experimental results indicate that the proposed method outperforms both the NSA and the dendritic cell algorithm in terms of false detection rate and detection efficiency.