Journal of Information Security Research ›› 2016, Vol. 2 ›› Issue (3): 238-243.

Previous Articles     Next Articles

Artificial Immune Based Mobile Malcode Detection Model


  • Received:2016-03-15 Online:2016-03-15 Published:2016-03-16



  1. 中国人民公安大学网络安全保卫学院
  • 通讯作者: 芦天亮
  • 作者简介:博士,讲师,主要研究方向为网络攻击与防御技术.

Abstract: The mobile Internet has brought great convenience to us, however, we have to face many threats such as malcode. In face of unknown malcode emerging in large numbers, traditional detection methods show many limitations, such as decline of detection speed, rise of false positive rate and false negative rate, the sharp increase of cost and so on. In recent years, some malcode detection methods based on intelligent algorithm are proposed. Among them, the artificial immune system has become the research hotpot of information security area because of its organization, adaption, memory and distributed advantages. According to the basic theory of nature immune system, a mobile malcode detection model for android platform was proposed. Extract the behavior features of malcode using the android emulator, such as starting service, telephoning, sending message, file read or write operations and accessing the Internet. The behavior features were encoded as one of the source of immature detectors. The immature detectors become mature through negative selection algorithm. Clone and mutate the mature detectors with higher affinity. Experiment results show that the proposed detection model has high detection rate and can also accurately detect the packed malcode samples.

Key words: mobile Internet, malcode, artificial immune system, detection, negative selection, clonal selection

摘要: 移动互联网带来极大便捷,但同时也要面对恶意代码等诸多安全威胁.面对未知恶意代码的不断涌现,传统的检测手段已经暴露出局限性,如查杀速度下降、误报率和漏报率上升以及成本投入大幅上涨等.近些年提出了部分基于智能算法的恶意代码检测手段,其中人工免疫系统算法由于其具有自组织、自适应、记忆和分布式等优势,成为信息安全领域研究的热点.借鉴自然免疫系统的基本原理,提出了适用于安卓平台移动恶意代码检测的模型.利用安卓模拟器提取恶意代码的行为特征,如启动服务、打电话、发短信、文件读写操作和网络访问等。对行为特征进行编码作为未成熟检测器来源之一,未成熟检测器经过阴性选择生成成熟检测器,对抗原亲和度高的成熟检测器克隆和变异.实验结果表明,检测模型对于移动恶意代码具有较高的检测率,能够准确检测加壳后的恶意样本.

关键词: 移动互联网, 恶意代码, 人工免疫系统, 检测, 阴性选择, 克隆选择