Virus detection using the clonal selection algorithm with a genetic algorithm
Article code | Year of publication | Length of English article |
---|---|---|
8094 | 2013 | 8 pages (PDF) |
Publisher: Elsevier - Science Direct
Journal : Applied Soft Computing, Volume 13, Issue 1, January 2013, Pages 239–246
English abstract
This paper presents a novel approach for computer viruses detection based on modeling the structures and dynamics of real life paradigm that exists in the bodies of all living creatures. It aims to develop an algorithm based on the concept of the artificial immune system (AIS) for the purpose of detecting viruses. The algorithm is called Virus Detection Clonal algorithm (VDC), and it is derived from the clonal selection algorithm. The VDC algorithm consists of three basic steps: cloning, hyper-mutation and stochastic re-selection. In later stage, the developed VDC algorithm is subjected to validation, which consists of two phases; learning and testing. Two main parameters are determined; one of them is setting the number of signatures per clone (Fat), while the other defines the hypermutation probability (Pm). Later on, the Genetic Algorithm (GA) is used as a tool, to improve the developed algorithm by searching the values of the main parameters (Fat and Pm) to reproduce better results. The results have shown that the detection rate of viruses, by using the developed algorithm, is 94.4%, whereas the detection rate of false positives has reached 0%. These percentages indicate that the VDC algorithm is sufficient and usable in this field. Moreover, the results of employing the GA to optimize the VDC algorithm have shown an improvement in the detection speed of the algorithm.
English introduction
Different artificial intelligence based techniques are used nowadays in all areas of computer security [1]. Techniques such as swarm intelligence, Genetic Algorithms, and ant colony optimization have different applications in pattern classification and image and signal processing [2], [3] and [4]. The artificial immune system (AIS), on the other hand, is very similar to those paradigms in structure and mechanism, however, it is quite recent, and has not been matured yet. The AIS has been applied in different fields, most notably in computer viruses’ detection field. The protection against viruses is becoming more and more difficult day after day, and they constitute a threat for every one who uses computers. The viruses’ intelligence is escalating by the time, and their signatures are changing continuously [5] and [6]. That has made the anti-viruses mission more difficult [7]. The (AIS) has several concepts: clonal selection, negative selection and network immune theory. This paper proposes the (VDC) algorithm which is inspired by the clonal selection algorithm and more precisely by the CLONALG [8] in detecting viruses. Studies have shown that 25% of people using computers are infected by some sort of malwares, while the commercial PC sector is suffering from around the half of this percentage [9]. The simplest and the most common method to protect networks from the viral attacks is to use the signature technology. This paper should offer a helping hand by proposing a Virus Detection Clonal (VDC) algorithm then optimizing the parameters using the GA, the VDC algorithm is a modern field, despite the fact that the virus issue is an aged issue. However, the problem we are solving can be considered as a growing problem because it affects every individual that uses computers. 
The Negative Selection Algorithm (the self-non-self algorithm) has been used for virus detection [10], [11], [12] and [1], but the clonal selection algorithm has not been used yet with this type of application, after making a wide web search and investigating a wide range of specialized journals, it has been found that applying the clonal selection algorithm is a brand new contribution. The clonal selection principle describes the approach of an immune response to an antigenic stimulus. Which can be explained as the following: only the cells that recognize the antigen do proliferate and are selected against those that do not. These generated B-cells, which are copies of their parents, are mutated. When the antibody strongly matches the antigen, then these B-cells will be stimulated to produce clones of themselves [13]. In this paper the antigens represent the computer viruses in the infected files and the antibodies represent the signatures. The signatures with high matching values (fitness) are selected to the cloning, the hypermutation and the reselection processes; so that the cloning produces copies of the signatures with Best fitness, then they are mutated to provide the ability of detecting viruses which are different in some characters (genes), even if these viruses have not attacked previously (just like the adaptive defense in the Immune System). In this research, the reselection is stochastically added to the clonal selection algorithm in order to guarantee choosing the best mutated signatures.
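A minimal sketch of the select / clone / hypermutate / stochastically re-select loop described above, as an added example that is not the paper's code. The selection rule, the elitist reselection, the reading of Fat as clones produced per selected signature, and the sample files and seed signatures are assumptions constructed for illustration.

```python
import random

def fitness(sig, infected, clean):
    """Exact-match fitness: number of infected files containing sig.
    A signature found in any clean file scores 0 (it would be a false positive)."""
    if any(sig in f for f in clean):
        return 0
    return sum(sig in f for f in infected)

def hypermutate(sig, pm, rng):
    """Replace each byte (gene) with a random byte with probability pm."""
    return bytes(rng.randrange(256) if rng.random() < pm else b for b in sig)

def vdc_sketch(seeds, infected, clean, fat=4, pm=0.1, generations=25, seed=1):
    """Return (final pool sorted by fitness, best fitness seen per generation)."""
    rng = random.Random(seed)
    score = lambda s: fitness(s, infected, clean)
    pool, size, history = list(seeds), len(seeds), []
    for _ in range(generations):
        pool.sort(key=score, reverse=True)
        history.append(score(pool[0]))
        parents = pool[:max(1, size // 2)]             # selection by fitness
        clones = [hypermutate(p, pm, rng)               # cloning + hypermutation
                  for p in parents for _ in range(fat)]
        candidates = sorted(set(pool + clones) - {pool[0]})
        # Stochastic reselection: the best signature is always kept, the rest
        # are drawn with probability proportional to fitness + 1.
        survivors = [pool[0]]
        while candidates and len(survivors) < size:
            weights = [score(c) + 1 for c in candidates]
            pick = rng.choices(candidates, weights=weights)[0]
            candidates.remove(pick)
            survivors.append(pick)
        pool = survivors
    pool.sort(key=score, reverse=True)
    return pool, history + [score(pool[0])]

# Constructed sample data (not from the paper): three "infected" files that
# share a marker, two clean files, and four seed signatures.
INFECTED = [b"MZ..EVIL1..", b"PK..EVIL2..", b"\x7fELFxxEVIL3"]
CLEAN = [b"MZ..hello world", b"PK..readme.txt"]
SEEDS = [b"EVIX", b"VIL1", b"MZ..", b"zzzz"]

if __name__ == "__main__":
    final_pool, best_per_generation = vdc_sketch(SEEDS, INFECTED, CLEAN)
    print(final_pool, best_per_generation)
```

Because the best signature always survives reselection, the best fitness in the pool can only stay level or rise between generations; whether a mutant such as `b"EVIL"` (fitness 3 on this data) is found depends on `pm`, `fat` and the number of generations.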
English conclusion
As a result of the previous simulations, the following points could be concluded:

1. In the VDC algorithm, if one of the following (the number of generations, the number of the infected files inside the files’ pool, the hypermutation rate during the learning phase) increases, the fitness of the signatures will be increased as well.
2. Employing the GA to optimize the VDC algorithm, improves the detection speed of the VDC algorithm, by increasing the Mean fitness, which leads the algorithm to be faster in detecting viruses.
3. Regarding the average detection rate, which is 94.4%, and the false positive which is 0%, these rates are considered good, and they do not change with the use of the GA, on the contrary, they are confirmed.
4. The results of the paper prove the ability of using the VDC algorithm to detect viruses.

This paper agreed with the studies of [10], [11], [12], [1] and [14] in concentrating on the (AIS) with virus detection, but deviated from them, in applying the Negative Selection Algorithm. This work employed the clonal selection algorithm. Note that Ref. [6] had the detection rate of 97%, and the false positive of 3.6%, and also enclosed a list of detection rates for antivirus companies which were: Eset NOD32 = 94%, Kaspersky = 88%, Panda 2008 = 67%, KV 2008 = 55% and Kingsoft = 44%. Although this research is applied on different set of data but the results (i.e. detection rate of 94.4% and the false positive of 0%) are considered good and accepted.

After concluding this work, and based on the results we had, the following points are recommended:

1. In the VDC algorithm, the initial fitness of the signatures is used as random numbers. It is suggested to use the Data Mining in categorizing the viruses according to their wide spread.
2. The VDC algorithm employed the exact match between signatures and files. It is recommended that different matching methods to be applied, such as Euclidean Distance, Manhattan Distance or Hamming Distance.
3. The Negative Selection Algorithm should be added to the VDC algorithm, to make possible to distinguish between Self and Non-self in regard to the existing files and later the detected infected files.
4. Different methods of mutation; such as Gauss Mutation, Cauchy Mutation or Mean Mutation should be used.