Received date: 2010-07-13
Revised date: 2010-10-26
Online published: 2011-03-01
Supported by
National Technology Innovation Fund project (08C26214411198); Guangdong-Hong Kong Key-Area Breakthrough Project (2008A011400010)
Unknown Malware Detection Based on IRP
Zhang Fuyong (张福勇), Qi Deyu (齐德昱), Hu Jinglin (胡镜林). Unknown malware detection based on IRP [J]. Journal of South China University of Technology (Natural Science Edition) (华南理工大学学报(自然科学版)), 2011, 39(4): 15-20. DOI: 10.3969/j.issn.1000-565X.2011.04.003
Malware detection methods based on API call monitoring observe only the user-mode API, so they can detect malware running in user mode but are ineffective against malware that runs in kernel mode and calls kernel APIs directly. Because file and device I/O issued by both user-mode and kernel-mode code is ultimately carried as IRPs (I/O Request Packets) through the Windows I/O manager and the driver stack, a novel method for detecting unknown malware based on IRP sequences is proposed. Naive Bayes, Bayesian networks, the support vector machine, the C4.5 decision tree, Boosting, the negative selection algorithm and an improved artificial immune system are then used to classify IRP sequences for malware detection, and the detection rates of all of these methods under different feature selection algorithms are compared. The results show that (1) the proposed method is effective for malware detection; (2) the Boosting decision tree with Fisher score feature selection outperforms the other detection methods, with the highest detection rate of 98.3%; and (3) the improved artificial immune system, which detects malware using only selected IRP subsequences that occur exclusively in malware IRP sequences, also performs well, with a detection rate of 95.0% and a false detection rate of 0.