Journal of South China University of Technology (Natural Science)
Run-Time Malware Detection Based on IRP
Received date: 2010-04-28
Revised date: 2010-08-17
Online published: 2011-01-02
Supported by: National Innovation Fund for Technology-Based Small and Medium-Sized Enterprises (08C26214411198); Guangdong-Hong Kong Key Breakthrough Project in Key Fields (2008A011400010)
API (Application Programming Interface) call sequences are widely used to analyze the behaviour of Windows programs for run-time malware detection. However, API call sequences can be manipulated to circumvent detection. To address this problem, a novel run-time malware detection method based on IRPs (I/O Request Packets) is proposed. In this method, n-grams are employed to analyze IRP sequences for feature extraction, and, by combining the negative selection algorithm (NSA) and the positive selection algorithm (PSA) from the artificial immune system (AIS), n-grams that occur only in malicious IRP sequences are selected as detectors. Experimental results indicate that the proposed method outperforms both the NSA and the dendritic cell algorithm in terms of false detection rate and detection efficiency.
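The abstract describes the detector-construction step only in outline: n-grams are taken from IRP sequences, the NSA discards every n-gram that also occurs in benign ("self") traces, and the PSA keeps those that occur in malicious traces, so the surviving detectors are exactly the n-grams seen only in malware. The following Python is an added illustration of that pipeline, not the authors' code, and it does not reproduce their experimental setup. The IRP traces are constructed sequences of Windows IRP major-function codes (IRP_MJ_CREATE, IRP_MJ_WRITE, IRP_MJ_SET_INFORMATION and so on), the n-gram length n=2 and the match threshold of 0.2 are assumptions chosen for the example, and the scoring rule (fraction of a trace's n-grams that hit a detector) is one reasonable choice rather than the paper's.

```python
"""Added example: IRP n-gram features with negative + positive selection.

Not code from the paper. The traces below are constructed; the parameters
(n=2, threshold=0.2) and the scoring rule are assumptions for illustration.
"""
from typing import Dict, List, Sequence, Set, Tuple

NGram = Tuple[str, ...]

# Constructed benign ("self") traces: ordinary open/read/write/close patterns.
BENIGN_TRACES: List[List[str]] = [
    ["IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_READ", "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"],
    ["IRP_MJ_CREATE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_READ", "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"],
    ["IRP_MJ_CREATE", "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"],
    ["IRP_MJ_CREATE", "IRP_MJ_WRITE", "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"],
]

# Constructed malicious traces: open, overwrite, change file attributes, close, repeat.
MALICIOUS_TRACES: List[List[str]] = [
    ["IRP_MJ_CREATE", "IRP_MJ_WRITE", "IRP_MJ_SET_INFORMATION", "IRP_MJ_CLOSE",
     "IRP_MJ_CREATE", "IRP_MJ_WRITE", "IRP_MJ_SET_INFORMATION", "IRP_MJ_CLOSE"],
    ["IRP_MJ_CREATE", "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_WRITE",
     "IRP_MJ_SET_INFORMATION", "IRP_MJ_CLOSE"],
]


def ngrams(seq: Sequence[str], n: int) -> List[NGram]:
    """Sliding-window n-grams over one IRP sequence (feature extraction)."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def ngram_set(traces: Sequence[Sequence[str]], n: int) -> Set[NGram]:
    """Union of all n-grams observed across a set of traces."""
    return {g for trace in traces for g in ngrams(trace, n)}


def build_detectors(benign: Sequence[Sequence[str]],
                    malicious: Sequence[Sequence[str]], n: int) -> Set[NGram]:
    """Combine NSA and PSA.

    NSA: any candidate that also matches 'self' (benign n-grams) is discarded.
    PSA: candidates are drawn from the malicious traces rather than generated
         at random, so only patterns actually seen in malware survive.
    The result is the set of n-grams that occur only in malicious sequences.
    """
    self_set = ngram_set(benign, n)
    candidates = ngram_set(malicious, n)
    return candidates - self_set


def score(trace: Sequence[str], detectors: Set[NGram], n: int) -> float:
    """Fraction of the trace's n-grams that hit a detector (assumed scoring rule)."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    hits = sum(1 for g in grams if g in detectors)
    return hits / len(grams)


def classify(trace: Sequence[str], detectors: Set[NGram], n: int,
             threshold: float = 0.2) -> bool:
    """True if the trace is flagged as malicious under the assumed threshold."""
    return score(trace, detectors, n) >= threshold


def run_example(n: int = 2) -> Dict[str, float]:
    """Build detectors from the constructed traces and score two unseen traces."""
    detectors = build_detectors(BENIGN_TRACES, MALICIOUS_TRACES, n)
    suspicious = ["IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_WRITE",
                  "IRP_MJ_SET_INFORMATION", "IRP_MJ_CLOSE"]
    ordinary = ["IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_WRITE",
                "IRP_MJ_CLEANUP", "IRP_MJ_CLOSE"]
    return {
        "detector_count": float(len(detectors)),
        "suspicious": score(suspicious, detectors, n),
        "ordinary": score(ordinary, detectors, n),
    }


if __name__ == "__main__":
    dets = build_detectors(BENIGN_TRACES, MALICIOUS_TRACES, 2)
    for d in sorted(dets):
        print("detector:", " -> ".join(d))
    print(run_example())
```

Note that the bigram (IRP_MJ_CREATE, IRP_MJ_WRITE) appears in both the benign and the malicious constructed traces, so the NSA step removes it even though the PSA step proposed it; this is the point of combining the two algorithms, since a detector that also matches normal I/O would raise false positives. Real IRP traces would be gathered from a kernel filter driver, and the n and threshold values would have to be tuned against a held-out set.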
Zhang Fu-yong, Qi De-yu, Hu Jing-lin. Run-Time Malware Detection Based on IRP [J]. Journal of South China University of Technology (Natural Science), 2011, 39(2): 113-117. DOI: 10.3969/j.issn.1000-565X.2011.02.019