Artificial Immune System against Viral Attack ICCS 2004 2018-11-27 Artificial Immune System against Viral Attack Hyung Joon Lee Wonil Kim Manpyo Hong 2018-11-27 Wonil Kim, Sejong University Wonil Kim, Sejong University

Wonil Kim, Sejong University ICCS 2004 2018-11-27 Contents Introduction Artificial immune system Proposed Virus Detection System (VDS) Simulation Conclusion 2018-11-27 Wonil Kim, Sejong University Wonil Kim, Sejong University

Wonil Kim, Sejong University Introduction Computer virus detection system Scanning detection has been used as a primary method in virus detection system No longer able to detect various forms of viruses and worms effectively This paper proposes artificial immune based virus detection system that can detect unknown viruses 2018-11-27 Wonil Kim, Sejong University

Artificial Immune System Human Immune System Distinguishing self from dangerous non-self and eliminating the non-self Artificial Immune System for Computer Security Distinguishing benign program from malicious program 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University The proposed VDS Signature learning system to detect unknown viruses Anomaly detection Use the ideas of negative selection and decoy program Ignore common part with self Select similar part among non self 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University 3 steps 1st step : VDS assumes that all existing programs are legitimate 2nd step : All the incoming and changed programs are classified into suspicious program 3rd step : VDS selects virus programs using detection method based on virus behavior 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University 3 components Signature representation Signature extractor Signature selector 2018-11-27 Wonil Kim, Sejong University

Proposed Virus Detection System Self signatures 2018-11-27 Wonil Kim, Sejong University

Signature Representation 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University Signature Extractor 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University Signature Selector Calculates the similarity values of non-self signatures 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University Similarity values between signatures of the same program code are higher than the others. Therefore, the proposed VDS can distinguish signatures of the same program codes from signatures of other distinct program codes The threshold value for classifying signatures of the same and different programs are determined by analyzing similarity values of the entire non-self programs 2018-11-27 Wonil Kim, Sejong University

Simulation Parameters Variables # of self programs 1385 execution files # of non-self programs 160 execution files ( 3 virus infected files ) SER size 500Byte, 1Kbyte, 5Kbyte, 10Kbyte Comparison unit size 1Byte, 2Byte, 3Byte 2018-11-27 Wonil Kim, Sejong University

Simulation (Signature Extractor) 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University Signature size and similarity values are important factors in VDS Larger extraction regions and comparison unit  larger signature Larger than 1K byte is not feasible % of zero signature is independent(8.75%) 1K byte and 500byte are chosen (SER) 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University Signature selector (1) 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University Signature selector (2) 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University Since the % of the actual virus infected file is 1.875% (3 of 160), the ideal % of signatures that the similarity value is zero should be 98.125% Need to determine threshold value for similarity value SER 1 K byte with 3 byte comparison unit, and 1.e+08 of similarity value selects three signatures 2018-11-27 Wonil Kim, Sejong University

Wonil Kim, Sejong University Conclusion Proposed VDS can classify suspicious non-self programs into normal programs and viral programs 94% of extracted signature were completely different. Remaining 6% signatures including virus signatures had distinguished similarity values. Especially, 2% virus signatures had relatively high similarity values. 2018-11-27 Wonil Kim, Sejong University