Run-time malware detection based on positive selection

This paper presents a supervised methodology that detects malware based on positive selection. Malware detection is a challenging problem due to the rapid growth of the number of malware and increasing complexity. Run-time monitoring of program execution behavior is widely used to discriminate between benign and malicious executables due to its effectiveness and robustness. This paper proposes a novel classification algorithm based on the idea of positive selection, which is one of the important algorithms in Artificial Immune Systems (AIS), inspired by positive selection of T-cells. The proposed algorithm is applied to learn and classify program behavior based on I/O Request Packets (IRP). In our experiments, the proposed algorithm outperforms ANSC, Naï ve Bayes, Bayesian Networks, Support Vector Machine, and C4. 5 Decision Tree. This algorithm can also be used in general purpose classification problems not just two-class but multi-class problems. © 2011 Springer-Verlag France.