Elsevier

Neurocomputing

Volume 148, 19 January 2015, Pages 158-166

Immune cooperation mechanism based learning framework

https://doi.org/10.1016/j.neucom.2012.08.076

Highlights

  • Immune cooperation based learning (ICL) utilizes the cooperation effect of immune signals.

  • ICL framework takes advantage of real-valued immune signals instead of binary ones.

  • The danger zone is an unnecessary step for artificial immune systems (AIS).

  • The antigen-specific-nonspecific features are explicitly defined in this paper.

  • ICL-MD model greatly outperforms global/local concentration based approaches.

Abstract

Inspired by the immune cooperation (IC) mechanism in the biological immune system (BIS), this paper proposes an IC mechanism based learning (ICL) framework. In this framework, a sample is first expressed as an antigen-specific feature vector and an antigen-nonspecific feature vector, simulating the antigenic determinant and danger features in the BIS, respectively. The antigen-specific and antigen-nonspecific classifiers score the two vectors and export real-valued Signal 1 and Signal 2, respectively. With the cooperation of the two signals, the sample is classified by the cooperation classifier, which resolves the signal conflict problem at the same time. The ICL framework simulates the BIS from the viewpoint of immune signals and takes full advantage of the cooperation effect of the immune signals, which improves its performance. It does not involve the concept of the danger zone, which further suggests that the danger zone is unnecessary in an artificial immune system (AIS). Comprehensive experimental results demonstrate that the ICL framework is an effective learning framework. The ICL framework based malware detection model outperforms the global concentration based malware detection approach and the local concentration based malware detection approach by about 3.28% and 2.24%, respectively, with twice the speed.

Introduction

With the development of biological immunology, more and more immune mechanisms have become clear. One of the most important achievements is the danger theory (DT), which overcomes the drawback of the traditional self–nonself (SNS) model in defining the harmfulness of self and nonself [1], [2]. The DT holds that the immune system reacts to danger instead of nonself, and that the internal conversation between the tissues and the cells in the immune system controls immunity. It explains the autoimmunity problem perfectly and has been one of the most important immune theories.

Many immune theory based artificial immune systems (AIS) have been proposed and applied to the field of computer security in the past few years. Forrest et al. applied immune theory to computer abnormality detection for the first time in 1994. They proposed a negative selection algorithm on the basis of the SNS model to detect the abnormal modification of protected data [3], and later to monitor UNIX processes [4]. In the last decade, many DT based learning approaches were proposed with some success, most of which involved a danger zone. The danger zone defines the spread range of a danger signal and the way different signals interact with each other. It has been one of the most important components in DT based artificial immune systems.

Based on the study of the adaptive immune system, this paper considers a danger signal to spread in the global space of the immune system rather than in a local zone. Although an immune signal can physically spread only among adjacent cells, the cells are able to move in the immune system. This mechanism breaks the assumption of a danger zone, which limits the spread range of a danger signal to a local zone. Hence this paper suggests that the danger zone is unnecessary in AIS.

The immune cooperation (IC) mechanism in the biological immune system (BIS) is crucial for producing an effective, precise immune response to an antigen and for avoiding autoimmunity. Introducing this mechanism into AIS is considered helpful for improving the performance of AIS. Taking inspiration from the IC mechanism and simulating the BIS from the viewpoint of immune signals provide new ideas for constructing better AIS. How to introduce the IC mechanism into AIS and take full advantage of the cooperation effect of the immune signals is therefore a valuable line of work.

Malware is a general term for all malicious code, that is, programs designed to harm or secretly access a computer system without the owner's informed consent, such as computer viruses, Trojans and worms. It has been one of the most serious threats to the security of computers worldwide [5]. How to detect malware efficiently is one of the hottest research topics.

A variety of malware detection approaches have been proposed so far, which can be classified into two categories: static techniques and dynamic techniques. As the static techniques usually work on the binary string or application programming interface (API) calls of a program without running it, they are portable and can be deployed on personal computers. The dynamic techniques watch the execution of every program at run time and stop a program once it tries to harm the system. The dynamic techniques add too much extra load and significantly degrade the performance of the computer system, so they are usually used to analyze malware in companies rather than to detect malware on personal computers.

Inspired by the BIS, an IC mechanism based learning (ICL) framework is proposed in this paper. This framework first expresses a sample as an antigen-specific feature vector and an antigen-nonspecific feature vector, simulating the antigenic determinant and danger features in the BIS, respectively. The antigen-specific and antigen-nonspecific classifiers score the two vectors and export real-valued Signal 1 and Signal 2, respectively, corresponding to the signals in the BIS. With the cooperation of the two signals, the sample is classified by the cooperation classifier, which resolves the signal conflict problem at the same time. In order to incorporate the ICL framework into the whole procedure of malware detection, an ICL framework based malware detection (ICL-MD) model is further proposed in this paper.

The ICL framework simulates the BIS from the viewpoint of immune signals. It introduces the IC mechanism into the AIS successfully and makes full use of the cooperation effect of the immune signals. Moreover, it does not involve the concept of the danger zone, which further suggests that the danger zone is unnecessary in the AIS. Experimental results suggest that the ICL framework is an effective learning framework.

The remainder of this paper is organized as follows. In Section 2, related work is introduced. Section 2 describes the proposed ICL framework in detail. In Section 4, the ICL-MD model is presented. Section 5 gives the detailed experimental setup and results. Finally, we conclude the paper with some discussions.

Section snippets

Related work

The SNS model has been accepted as a description of how the immune system works for over 50 years. Although it fails to explain plenty of new findings, SNS model based AIS have still been applied successfully to a wide range of fields.

Li proposed an immune based dynamic detection model for computer viruses [6]. Through dynamic evolution of ‘self’, an antibody gene library and detectors, this model reduces the size of the ‘self’ set, raises the generating efficiency of detectors, and resolves the

Immune cooperation mechanism

The adaptive immune system is one of the most important parts of BIS. It allows for a stronger immune response as well as immunological memory [23]. There are two kinds of immunities in the adaptive immune system, humoral immunity and cellular immunity. The humoral immunity is mediated by antibodies secreted in the B lymphocytes (B cell), which can be found in the body fluids, while the cellular immunity is the immunity mediated by cells, involving the macrophages, natural killer cells, T

ICL framework based malware detection model

In order to incorporate the ICL framework into the procedure of malware detection, a novel ICL framework based malware detection (ICL-MD) model is proposed in this paper. This model involves two modules, feature extraction and classification. In the malware detection problem, malware are taken as antigens, while benign programs are non-antigens.

In the ICL-MD model, the 4-Grams are taken as the candidate features which are binary strings of length 4 bytes. N-Gram is a concept from text
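The two-signal pipeline described above, as an added sketch that is not the paper's code. The page does not give the feature definitions or scoring functions, so the library split (grams seen only in malware versus grams seen in both classes), the share-based signals, the nearest-centroid cooperation classifier (a stand-in for the paper's SVM) and the 8-byte tokens are all assumptions made for illustration.

```python
import math

def grams(data: bytes, n: int = 4) -> set:
    """Distinct byte n-grams; the page's candidate features are 4-byte strings."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def build_libraries(malware, benign):
    """Assumed split: specific = grams seen only in malware, nonspecific = grams seen in both."""
    mal = set().union(*map(grams, malware))
    ben = set().union(*map(grams, benign))
    return mal - ben, mal & ben

def signals(sample, libs):
    """Real-valued (Signal 1, Signal 2): share of the sample's grams found in each library."""
    g = grams(sample)
    return tuple(len(g & lib) / len(g) if g else 0.0 for lib in libs)

def centroid(points):
    return tuple(sum(c) / len(points) for c in zip(*points))

def train_cooperation(labelled, libs):
    """Nearest-centroid model over signal pairs (assumed stand-in for the paper's SVM)."""
    by_class = {True: [], False: []}
    for sample, label in labelled:
        by_class[label].append(signals(sample, libs))
    return {label: centroid(pts) for label, pts in by_class.items()}

def is_malware(sample, libs, model):
    """Decide on both signals jointly, so one strong signal cannot decide alone."""
    point = signals(sample, libs)
    return math.dist(point, model[True]) < math.dist(point, model[False])

# Constructed 8-byte tokens standing in for code fragments (not real samples).
X, D, G, H = b"PAYLOADX", b"NETSEND!", b"GUI_DRAW", b"HELPTEXT"
# Libraries come from one partition, the cooperation model from a held-out one.
LIBS = build_libraries(malware=[X + D], benign=[G + D, G + H])
MODEL = train_cooperation(
    [(X + X + D, True), (D + X, True), (H + G, False), (H + D, False)], LIBS)

if __name__ == "__main__":
    for name, sample in [("variant", X + G), ("benign-net", D + H)]:
        print(name, signals(sample, LIBS), is_malware(sample, LIBS, MODEL))
```

The two printed samples carry conflicting signals: the variant has a high Signal 1 and zero Signal 2, while the benign sample has the reverse, so thresholding Signal 2 alone would rank them the wrong way round.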

Experimental setup

Comprehensive experiments are conducted on three public malware datasets in this paper: the CILPKU08 dataset, the Henchiri dataset and the VXHeavens dataset, which can be downloaded from www.cil.pku.edu.cn/resources/.

The benign program dataset used here consists of files in portable executable format from Windows XP and a series of applications, which are the main targets of malware.

This paper optimizes the following two parameters for the SVM, the gamma g in kernel function and the cost c, by

Advantages of the ICL framework

Inspired by the BIS, this paper considers the danger zone to be unnecessary in AIS. Based on this idea, the proposed ICL framework does not define a danger zone. This differs from previous danger theory based learning models, which almost always define a danger zone to limit the spread range of the danger signal. Hence the ICL framework need not optimize the size of the danger zone, which reduces the complexity of the ICL framework. Compared to the BIS, the ICL framework without

Conclusions

Inspired by the BIS, this paper has proposed a novel IC mechanism based learning framework. It characterizes a sample from both the antigen-specific and antigen-nonspecific perspectives, and classifies the sample by using the immune cooperation effect of the immune signals. Extended experimental results suggest that the ICL framework is an effective learning framework. The ICL-MD model outperforms the GC-MD and LC-MD approaches by about 3.28% and 2.24% on average, respectively, with twice faster

Acknowledgment

This work is supported by the National Natural Science Foundation of China under Grant nos. 61170057 and 61375119.


References (29)

  • P. Zhang et al., A malware detection model based on a negative selection algorithm with penalty factor, Sci. China Inf. Sci. (2010)
  • P. Zhang et al., A danger feature based negative selection algorithm, Adv. Swarm Intell. (2012)
  • Y. Tan, C. Deng, G. Ruan, Concentration based feature construction approach for spam detection, in: International Joint...
  • G. Ruan et al., A three-layer back-propagation neural network for spam detection using artificial immune concentration, Soft Comput. A Fus. Found. Methodol. Appl. (2010)

    Pengtao Zhang received a Bachelor of Science in Computer Science from Dalian University of Technology, Liaoning, China, in 2008. He is currently majoring in Computer Science and working towards the Ph.D. degree at Key Laboratory of Machine Perception (Ministry of Education) and Department of Machine Intelligence, EECS, Peking University, Beijing. His research interests include artificial immune system, intelligent information processing algorithm, computer information security, pattern recognition, machine learning and data mining.

    Ying Tan (M'98, SM'02) received the B.S. degree in 1985, the M.S. degree in 1988, and the Ph.D. degree in signal and information processing from Southeast University, Nanjing, China, in 1997. Since then, he became a postdoctoral fellow then an associate professor at University of Science and Technology of China. He was a full professor, advisor of Ph.D. candidates, and director of the Institute of Intelligent Information Science of his university. He worked with the Chinese University of Hong Kong, in 1999 and in 2004–2005. He was an electee of 100 talent program of the Chinese Academy of Science, in 2005. Now, he is a full professor, advisor of Ph.D. candidates at the Key Laboratory of Machine Perception (Ministry of Education), Peking University, and department of Machine Intelligence, EECS, Peking University, and he is also the head of Computational Intelligence Laboratory (CIL) of Peking University. He has authored or coauthored more than 200 academic papers in refereed journals and conferences and several books and book chapters. His current research interests include computational intelligence, artificial immune system, swarm intelligence and data mining, signal and information processing, pattern recognition, and their applications. He is an Associate Editor of International Journal of Swarm Intelligence Research and IES Journal B, Intelligent Devices and Systems, and Associate Editor-in-Chief of International Journal of Intelligent Information Processing. He is a member of Advisory Board of International Journal on Knowledge Based Intelligent Engineering System and The Editorial Board of Journal of Computer Science and Systems Biology and Applied Mathematical and Computational Sciences. He is also the Editor of Springer Lecture Notes on Computer Science, LNCS 5263, 5264, 6145 and 6146, and Guest Editor of Special Issues on Several Journals including Information Science, Soft computing, International Journal of Artificial Intelligence, etc. He was the General Chair of International Journal on Swarm Intelligence (ICSI 2010, ICSI 2011) and the Program Committee Chair of ISNN2008. He was honored the 2nd-class prize of National Natural Science Award of China in 2009. He is a senior member of the IEEE.
