Artificial Immune System against Viral Attack

Presentation on theme: "Artificial Immune System against Viral Attack"— Presentation transcript:

1 Artificial Immune System against Viral Attack
ICCS 2004
Hyung Joon Lee, Wonil Kim, Manpyo Hong
Wonil Kim, Sejong University

2 Contents
Introduction
Artificial immune system
Proposed Virus Detection System (VDS)
Simulation
Conclusion

3 Introduction
Computer virus detection system
Scanning detection has been used as the primary method in virus detection systems
It is no longer able to detect the various forms of viruses and worms effectively
This paper proposes an artificial immune based virus detection system that can detect unknown viruses

4 Artificial Immune System
Human Immune System
Distinguishing self from dangerous non-self and eliminating the non-self
Artificial Immune System for Computer Security
Distinguishing benign program from malicious program

5 The proposed VDS
Signature learning system to detect unknown viruses
Anomaly detection
Use the ideas of negative selection and decoy program
Ignore common part with self
Select similar part among non-self

6 3 steps
1st step: VDS assumes that all existing programs are legitimate
2nd step: All the incoming and changed programs are classified as suspicious programs
3rd step: VDS selects virus programs using a detection method based on virus behavior

7 3 components
Signature representation
Signature extractor
Signature selector

8 Proposed Virus Detection System
Self signatures

9 Signature Representation

10 Signature Extractor

11 Signature Selector
Calculates the similarity values of non-self signatures

12
Similarity values between signatures of the same program code are higher than the others. Therefore, the proposed VDS can distinguish signatures of the same program code from signatures of other distinct program codes
The threshold value for classifying signatures of the same and different programs is determined by analyzing the similarity values of all the non-self programs
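
An added sketch of the negative-selection and similarity steps described on slides 5 to 12; it is not code from the paper or the presentation. Assumptions: the SER is taken from the start of each file, similarity is counted as comparison units shared with other non-self signatures, and all program bytes are constructed sample data.

```python
from itertools import combinations

def units(data, ser_size, unit):
    """Comparison units (byte n-grams) inside the signature extraction region.
    Assumption: the SER is the first ser_size bytes of the file."""
    region = data[:ser_size]
    return {region[i:i + unit] for i in range(len(region) - unit + 1)}

def extract_signatures(self_progs, nonself_progs, ser_size=1024, unit=3):
    """Negative selection: ignore every unit that also occurs in a self program."""
    self_units = set()
    for data in self_progs.values():
        self_units |= units(data, ser_size, unit)
    return {name: units(data, ser_size, unit) - self_units
            for name, data in nonself_progs.items()}

def similarity(sigs):
    """Assumed measure: units a signature shares with the other non-self signatures."""
    score = dict.fromkeys(sigs, 0)
    for a, b in combinations(sigs, 2):
        shared = len(sigs[a] & sigs[b])
        score[a] += shared
        score[b] += shared
    return score

def select(sigs, threshold):
    """Signature selector: keep non-self programs at or above the threshold."""
    return sorted(n for n, s in similarity(sigs).items() if s >= threshold)

# Constructed sample data, not real programs or real virus code.
HEADER = b"MZ-COMMON-RUNTIME-STUB-"
MARK = b"@@CONSTRUCTED-MARKER@@"   # stands in for code shared by infected files
SELF = {"calc": HEADER + b"add sub mul div", "edit": HEADER + b"open save close"}
NONSELF = {
    "new_tool": HEADER + b"zip unzip list",         # new but benign
    "game_a": HEADER + MARK + b"level one",         # carries the shared part
    "game_b": HEADER + MARK + b"score tab",         # carries the shared part
    "unchanged_copy": HEADER + b"add sub mul div",  # identical to a self file
}

if __name__ == "__main__":
    sigs = extract_signatures(SELF, NONSELF)
    print(similarity(sigs))
    print(select(sigs, threshold=10))
```

The copy of a self file ends up with an empty (zero) signature, the benign new program keeps a signature that resembles nothing else, and only the two files sharing the constructed marker pass the threshold.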

13 Simulation Parameters
Variables
# of self programs: 1385 execution files
# of non-self programs: 160 execution files (3 virus infected files)
SER size: 500Byte, 1Kbyte, 5Kbyte, 10Kbyte
Comparison unit size: 1Byte, 2Byte, 3Byte

14 Simulation (Signature Extractor)

15
Signature size and similarity values are important factors in VDS
Larger extraction regions and comparison unit → larger signature
Larger than 1K byte is not feasible
% of zero signature is independent (8.75%)
1K byte and 500 byte are chosen (SER)

16 Signature selector (1)

17 Signature selector (2)

18
Since the % of the actual virus infected file is 1.875% (3 of 160), the ideal % of signatures that the similarity value is zero should be %
Need to determine threshold value for similarity value
SER 1 K byte with 3 byte comparison unit, and 1.e+08 of similarity value selects three signatures

19 Conclusion
Proposed VDS can classify suspicious non-self programs into normal programs and viral programs
94% of extracted signatures were completely different.
The remaining 6% of signatures, including virus signatures, had distinguished similarity values.
In particular, the 2% that were virus signatures had relatively high similarity values.

