Journal of South China University of Technology (Natural Science Edition), 2011, Vol. 39, Issue 2: 113-117. doi: 10.3969/j.issn.1000-565X.2011.02.019

• Electronics, Communication & Automation Technology •

Run-Time Malware Detection Based on IRP

Zhang Fu-yong, Qi De-yu, Hu Jing-lin

  1. Computer System, South China University of Technology, Guangzhou 510006, Guangdong, China
  • Received: 2010-04-28  Revised: 2010-08-17  Online: 2011-02-25  Published: 2011-01-02
  • Contact and about the author: Zhang Fu-yong (born 1982), male, PhD candidate, whose research interests are artificial immune systems and computer security. E-mail: fuyong1681@163.com
  • Supported by: the National Technology Innovation Fund for Technology-Based Small and Medium-Sized Enterprises (08C26214411198) and the Guangdong-Hong Kong Key Breakthrough Project in Key Fields (2008A011400010)

Abstract:

API (Application Program Interface) call sequences are widely used to analyze the behavior of Windows programs for run-time malware detection. However, API call sequences can be manipulated to circumvent detection. To address this problem, a novel run-time malware detection method based on IRPs (I/O Request Packets) is proposed. In this method, n-grams are employed to analyze IRP sequences for feature extraction, and by combining the negative selection algorithm (NSA) and the positive selection algorithm (PSA) of the artificial immune system (AIS), the n-grams that occur only in malicious IRP sequences are selected as detectors. Experimental results indicate that the proposed method outperforms both the NSA and the dendritic cell algorithm in terms of false detection rate and detection efficiency.
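The detector selection described in the abstract, as an added illustration that is not code from the paper: n-grams are taken over IRP major-function sequences, positive selection keeps the n-grams seen in malicious traces, and negative selection discards those that also occur in benign (self) traces. The IRP major function names are the standard Windows ones, but the traces themselves are constructed for the example, and `threshold` is an assumed parameter, not one the paper specifies.

```python
"""n-gram detectors over IRP major-function sequences, selected with
positive selection (keep n-grams seen in malware) and negative selection
(drop n-grams that also occur in benign 'self' traces)."""

# Constructed sample traces, not data from the paper. Tokens are Windows IRP
# major function codes as a filter driver would observe them per process.
BENIGN_TRACES = [
    ["IRP_MJ_CREATE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_READ",
     "IRP_MJ_READ", "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"],
    ["IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_WRITE", "IRP_MJ_WRITE",
     "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"],           # an ordinary file copy
]
MALICIOUS_TRACES = [
    ["IRP_MJ_CREATE", "IRP_MJ_SET_INFORMATION", "IRP_MJ_WRITE",
     "IRP_MJ_WRITE", "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_CLOSE"],
    ["IRP_MJ_CREATE", "IRP_MJ_WRITE", "IRP_MJ_DEVICE_CONTROL",
     "IRP_MJ_SET_INFORMATION", "IRP_MJ_CLOSE"],
]


def ngrams(seq, n):
    """Set of all contiguous n-grams (tuples) in an IRP sequence."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def build_detectors(benign, malicious, n=2):
    """PSA: candidates are the n-grams present in malicious traces.
    NSA: any candidate that also matches a benign (self) trace is discarded,
    so the surviving detectors are exactly the n-grams found only in malware."""
    candidates = set().union(*(ngrams(t, n) for t in malicious))
    self_set = set().union(*(ngrams(t, n) for t in benign))
    return candidates - self_set


def detect(trace, detectors, n=2, threshold=1):
    """Flag a run-time trace when at least `threshold` (assumed parameter)
    detectors match it. Returns (is_malicious, sorted matching n-grams)."""
    hits = ngrams(trace, n) & detectors
    return len(hits) >= threshold, sorted(hits)


if __name__ == "__main__":
    dets = build_detectors(BENIGN_TRACES, MALICIOUS_TRACES)
    # (WRITE, WRITE) occurs in malware but also in the benign copy, so NSA removed it.
    print(len(dets), "detectors; (WRITE, WRITE) kept?",
          ("IRP_MJ_WRITE", "IRP_MJ_WRITE") in dets)
    print(detect(["IRP_MJ_CREATE", "IRP_MJ_WRITE", "IRP_MJ_WRITE",
                  "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_CLOSE"], dets))
```

Because the shared (WRITE, WRITE) bigram is removed by negative selection, an unseen benign trace that repeats writes is not flagged, which is the false-positive control the abstract attributes to combining NSA with PSA.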

Key words: computational intelligence, artificial immune system, negative selection algorithm, positive selection algorithm, dendritic cell algorithm, malware detection