Jingbo Hao
National University of Defense Technology
Publication
Featured research published by Jingbo Hao.
autonomic and trusted computing | 2007
Boyun Zhang; Jianping Yin; Jingbo Hao; Dingxing Zhang; Shulin Wang
As malicious codes become more complex and sophisticated, the scanning detection method is no longer able to detect various forms of viruses effectively. In this paper, we explore solutions based on multiple classifiers fusion and not strictly dependent on certain malicious code. Motivated by the standard signature-based technique for detecting viruses, we explore the idea of automatically detecting malicious code using n-gram analysis. After selecting features based on information gain, the probabilistic neural network is used in the process of building and testing the proposed multi-classifier system. Each one of the individual classifiers is used to produce classification evidence. This evidence is then combined by the Dempster-Shafer combination rules to form the final classification results for new malicious code. Experimental results produced by the proposed detection engine show improvement compared to the classification results produced by the individual classifiers.
fuzzy systems and knowledge discovery | 2005
Boyun Zhang; Jianping Yin; Jingbo Hao
An intelligent detection system to recognize unknown computer viruses is proposed. Using a method based on the fuzzy pattern recognition algorithm, a malicious executable code detection network model is also designed. This model targets Win32 binary viruses on Intel IA32 architectures. It could detect known and unknown malicious code by analyzing their behavior. We gathered 423 benign and 209 malicious executable programs that are in the Windows Portable Executable (PE) format as the dataset for the experiment. After extracting the most relevant API calls as features, the fuzzy pattern recognition algorithm to detect computer viruses was evaluated.
international joint conference on neural network | 2006
Boyun Zhang; Jianping Yin; Wensheng Tang; Jingbo Hao; Dingxing Zhang
For detecting malicious codes, a classification method of support vector machine (SVM) based on rough set theory (RST) is proposed. The original sample data is preprocessed with the knowledge reduction algorithm of RST, and the redundant features and conflicting samples are eliminated from the working sample dataset to reduce the space dimension of the sample data. Then the preprocessed sample data is used as the training sample data of the SVM. By utilizing SVM, the generalizing ability of the detection system is still good even when the sample dataset size is small. Experimental results show that the proposed detection system needs little a priori knowledge and can improve the training speed and precision of classification.
computational intelligence and security | 2006
Boyun Zhang; Jianping Yin; Jingbo Hao; Shulin Wang; Dingxing Zhang; Wensheng Tang
Motivated by the standard signature-based technique for detecting viruses, we explore the idea of automatically detecting malicious code using N-gram analysis. The method is based on statistical learning and not strictly dependent on certain viruses. We propose the use of rough set theory (RST) to reduce the feature dimension. An efficient implementation to calculate the relative core, based on the positive region definition, is also presented. The k nearest neighbor (KNN) and support vector machine (SVM) classifiers are used to categorize a program as either normal or abnormal. The experimental results are promising and show that the proposed scheme results in a low rate of false positives.
ubiquitous intelligence and computing | 2007
Boyun Zhang; Jianping Yin; Jingbo Hao
In this paper, we generalize the problem of multi-classifier combination by using a modified bagging method to detect previously unknown viruses. The detection engine applies two algorithms, Support Vector Machine and BP neural network, to virus detection. For the SVM classifier, we extract the feature vector from the API function calls by monitoring the programs. The static feature of the program, the n-gram, is used in the BP neural network classifier. Finally, the D-S theory of evidence is used to combine the contribution of each individual classifier to give the final decision. Our extensive experiments have shown that the combination approach improves the performance of the individual classifier significantly. It shows that the present method could effectively be used to discriminate normal and abnormal programs.
Tsinghua Science & Technology | 2007
Jingbo Hao; Jianping Yin; Boyun Zhang
The fault tolerance of scale-free networks is examined in this paper. Through simulation of the changes in the average path length and network fragmentation of the Barabasi-Albert model when faults happen, it can be observed that generic scale-free networks are quite robust to random failures, but are very vulnerable to targeted attacks at the same time. Therefore, an existing optimization strategy for the robustness of scale-free networks to failures and attacks is also introduced. A simulation similar to the above proved that the so-called (1, 0) network potentially has interconnectedness closer to that of a scale-free network and robustness to targeted attacks closer to that of an exponential network. Furthermore, its resistance to random failures is better than that of either of them.
rough sets and knowledge technology | 2006
Boyun Zhang; Jianping Yin; Jingbo Hao
A hybrid algorithm based on attribute reduction of Rough Sets (RS) and classification principles of Support Vector Machine (SVM) to detect new malicious executable codes is presented. Firstly, the attribute reduction of RS is applied as a preprocessor so that we can delete redundant attributes and conflicting objects from the decision-making table while retaining the effective information losslessly. Then, we realize classification modeling and forecasting tests based on SVM. By this method, we can reduce the dimension of the data and decrease the complexity of the process. Finally, a comparison of detection ability between the above detection method and others is given. Experimental results show that the present method could effectively be used to discriminate normal and abnormal executable codes.
pacific rim international conference on multi-agents | 2006
Jingbo Hao; Jianping Yin; Boyun Zhang
A computer virus is a program that can generate possibly evolved copies of itself when it runs on a computer utilizing the machine’s resources, and by some means each copy may be propagated to another computer in which the copy will have a chance to get executed. We call a virus instance a viral agent since it is autonomous during its execution, choosing what action to perform in the computer without a user’s intervention. In the paper we develop a computational model of viral agents based on the persistent Turing machine (PTM) model, which is a canonical model for sequential interaction. The model reveals the most essential infection property of computer viruses well and overcomes the inherent deficiency of Turing machine (TM) virus models in expressing interaction. Then on that basis we deduce several helpful theorems about viral agents. Finally we also discuss modeling of viral agent dynamics with cellular automata (CAs) and get some useful results.
computational intelligence and security | 2006
Jingbo Hao; Jianping Yin; Boyun Zhang
A set of correlated malicious agents may form a malicious overlay network (MON) based on an existing network, and a logical link between any two malicious nodes can be established in the overlay, dispensing with a direct substrate connection between these nodes. In terms of topology complexity, MONs can be divided into simple MONs and complex MONs. A simple MON's topology is statistically consistent while a complex MON's is not, which gives them very different features. In this paper we try to characterize different MONs based on several widely used network measurements, since the characterization of MONs may help to defend against MON attacks.
international conference on neural information processing | 2006
Jingbo Hao; Jianping Yin; Boyun Zhang
A computer virus is a program that can generate possibly evolved copies of itself when it runs on a computer utilizing the machine's resources, and by some means each copy may be propagated to another computer in which the copy will have a chance to get executed. We call a virus instance a viral agent since it is autonomous during its execution, choosing what action to perform in the computer without a user's intervention. In the paper we develop a computational model of viral agents based on the persistent Turing machine (PTM) model, which is a canonical model for sequential interaction. The model reveals the most essential infection property of computer viruses well and overcomes the inherent deficiency of Turing machine (TM) virus models in expressing interaction. It is conceivable that viral agents have much potential to evolve in various environments according to the model. Therefore we also discuss the evolution of viral agents with two existing relevant works.