
Research on Malicious Code Detection Technology Based on Artificial Immune Systems

Research on Malcode Detection Technology Based on Artificial Immune System

【Author】 芦天亮

【Supervisor】 郭世泽

【Author information】 Beijing University of Posts and Telecommunications, Information Security, 2013, Doctoral dissertation

【Abstract (translated from the Chinese)】 With the rapid development of the Internet, in particular the emergence of the mobile Internet and the rapid growth in smartphone users, the network has penetrated every aspect of people's daily lives. The openness and sharing of the Internet bring convenience, but also all kinds of security problems. As the primary threat to information security, the widespread spread of malicious code causes users huge economic losses, wastes their valuable time, and disrupts their normal life and work. Malicious code mainly includes viruses, Trojans, worms, backdoors and malicious scripts. At present, protection against malicious code relies on products such as anti-virus software and anti-virus gateways. These products are mainly based on signature matching, which achieves a high detection rate for known malicious code but a low one for newly appearing unknown malicious code. Moreover, as the number of malicious code samples grows ever faster, signature extraction demands more manpower, and as signature databases grow, anti-virus software consumes more computing and storage resources, severely constraining its detection efficiency. To detect malicious code more effectively, and in particular to identify unknown malicious code accurately, a number of detection techniques based on intelligent algorithms have been proposed in recent years, including data mining, neural networks and artificial immune systems. Malicious code detection and the biological immune system are naturally similar, in that both must accurately recognize foreign matter that has invaded the system, so malicious code detection based on artificial immune systems has attracted wide attention from researchers at home and abroad and has become a research hotspot in information security. This thesis studies the basic theory and main algorithms of artificial immune systems, including the negative selection algorithm, the clonal selection algorithm and danger theory, and addresses the hole coverage optimization problem of the negative selection algorithm as well as computer and mobile phone malicious code detection based on artificial immune systems. The main contributions are as follows:

1. Many malicious code detection models based on artificial immune systems have been proposed at home and abroad, differing in the immune algorithms used, the scenarios they suit and their detection performance. This thesis analyzes the key techniques used by these models, including malicious code feature extraction, data encoding, antigen/antibody matching rules, detector generation strategies and the immune algorithms applied, and summarizes representative research results of recent years.

2. To address the large number of undetectable holes in the negative selection algorithm, an algorithm is proposed that generates r-chunk hole detectors with a variable matching threshold in a directed manner from the hole set and the self set. The negative selection algorithm is further improved into a double-layer detector negative selection algorithm which, while keeping detection fast, covers a larger part of non-self space by raising the detection rate of hole elements. Simulation results show that, compared with the variable-r negative selection algorithm, it achieves higher non-self space coverage and performs especially better on hole coverage.

3. To improve the dynamic adaptability of malicious code detection systems to a constantly changing malicious code environment, and inspired by the biological immune system, a malicious code detection model based on the dynamic clonal selection algorithm is proposed, using binary fragment features extracted from malicious code files. Compared with existing detection models based on artificial immune systems, this thesis introduces and improves the dynamic clonal selection algorithm, solving the problem that the self space is static and fixed during training. Experimental results show that the model has stronger adaptability, detects unknown malicious code effectively and has a low false positive rate.

4. To address the low accuracy of signature-based detection against malicious code variants and encryption protection, a computer malicious code detection model based on real-valued encoded behavioral feature cloning and mutation is proposed. Behavioral features are collected while the malicious code runs in a virtual machine environment and, after real-valued encoding, become antigens, which also serve as one source of immature detectors. The negative selection algorithm applies immune tolerance to the immature detectors to produce mature detectors, and the clonal selection algorithm proliferates and mutates high-affinity detectors to increase detector diversity and affinity. Experimental results show that extending the number of clonal generations yields a higher detection rate and a lower false positive rate; compared with mainstream anti-virus software, the model achieves a higher detection rate on obfuscated and encrypted malicious code.

5. Based on the propagation and damage characteristics of mobile phone malicious code, a mobile phone malicious code detection model based on danger theory is proposed. The model has four phases: danger capture, antigen presentation, antibody generation and antibody distribution. Local phone information is extracted and analyzed to discover danger features caused by malicious code intrusion, and a danger signal is issued once a threshold is exceeded. A danger zone is established according to the strength of the danger signal, and antigen presenting cells extract antigens from the phones in the danger zone. After the decision center confirms infection, it generates antibodies and distributes them to designated phones to defend against and remove the malicious code. Thanks to the distributed and cooperative strategy of the artificial immune system, the model lowers the computing and storage resource consumption of the phones. On the basis of the detection model, a mobile phone malicious code immunization strategy is proposed, which is verified to suppress the propagation of mobile phone malicious code well.

【Abstract】 With the rapid development of the Internet, especially the emergence of the mobile Internet and the rapid growth of smartphone users, the network has penetrated every aspect of people's daily lives. The openness and sharing characteristics of the Internet bring us convenience, but at the same time expose us to all kinds of security problems. As the primary threat to information security, the widespread dissemination of malcode has caused huge economic losses, wasted users' valuable time, and interfered with users' normal life and work. Malcode includes viruses, Trojan horses, worms, backdoors, malicious scripts, etc. At present, defense against malcode relies on security products such as anti-virus software and anti-virus gateways. These products are mainly based on signature matching techniques, so a high detection rate can be achieved for known malcode, but the detection rate for newly appearing unknown malcode is low. Faced with accelerating growth in malcode, signature extraction needs more manpower, and as the signature database grows the anti-virus software consumes more computing and storage resources, so detection efficiency is greatly constrained. In order to detect malcode more effectively, and especially to recognize unknown malcode more accurately, several malcode detection techniques based on intelligent algorithms have been put forward in recent years, including data mining algorithms, neural networks and artificial immune systems. Because of the natural similarity between malcode detection and the biological immune system, namely that both need to accurately recognize foreign matter invading their systems, malcode detection based on artificial immune systems has drawn wide attention from scholars both at home and abroad and has become a research hotspot in the field of information security. The basic principles and mainstream algorithms of artificial immune systems are studied, including the negative selection algorithm, the clonal selection algorithm and danger theory. This thesis addresses hole coverage optimization in the negative selection algorithm, and detection techniques based on artificial immune systems for both computer malcode and mobile phone malcode. The main innovations of the thesis are as follows:

1. There are many kinds of immune-based malcode detection models, differing in immune algorithms, application scenarios and detection performance. The key techniques of these models are analyzed, including feature extraction, data encoding, matching rules between antigens and antibodies, detector generation strategies and the immune algorithms adopted. The representative research achievements of recent years are also summarized.

2. To address the large number of undetectable holes in the negative selection algorithm, an algorithm is proposed that generates hole detectors in a directed manner, using the r-chunk matching rule with a variable matching threshold, based on the hole set and the self set. The negative selection algorithm is further improved into an NSA with double-layer detectors. Under the precondition of fast detection speed, this algorithm achieves wider non-self space coverage by increasing the detection rate of holes. Simulation results show that, compared with the r-adjustable NSA, it achieves higher non-self space coverage and performs especially better in covering the holes' space.

3. In order to improve the adaptability of malcode detection systems to a continuously changing environment, and inspired by the biological immune system, a computer malcode detection model based on the dynamic clonal selection algorithm is proposed, using binary string segments extracted from malcode. Compared with existing malcode detection models based on artificial immune systems, the dynamic clonal selection algorithm is introduced and improved, solving the problem that the self space is static during training. Experimental results show that the proposed model has stronger adaptability: it can effectively detect unknown malcode and has a lower false positive rate.

4. To address the low detection rate of signature-based malcode detection caused by variants and encryption protection techniques, a computer malcode detection model based on real-value encoded behavioral signature cloning and mutation is proposed. Behavioral signatures are collected while the malcode runs in a virtual machine environment. Antigens are generated by real-value encoding these behavioral signatures, and they are also one of the sources of immature detectors. Mature detectors are generated by tolerizing immature detectors with the negative selection algorithm. To increase the diversity and affinity of detectors, detectors with high affinity are selected to proliferate and mutate using the clonal selection algorithm. Experimental results show that a higher detection rate and a lower false positive rate can be achieved by increasing the number of clonal generations. Compared with mainstream anti-virus software, the model has a higher detection rate for obfuscated and encrypted malcode programs.

5. Based on the propagation and destruction characteristics of mobile phone malcode, a malcode detection model based on danger theory is proposed. The model has four phases: danger capture, antigen presentation, antibody generation and antibody distribution. Local information on the mobile phones is extracted and analyzed to discover danger caused by malcode, and a danger signal is sent out when the danger exceeds a threshold. A danger zone is built according to the strength of the danger signal, and antigen presenting cells (APCs) present antigens from the mobile phones in the danger zone. After the decision center confirms the malcode infection, an antibody is generated and distributed to the mobile phones. Owing to the distributed and cooperative mechanism of the artificial immune system, the proposed model lowers the computing and storage consumption of the mobile phones. Based on the detection model, a mobile phone malcode immunization strategy is proposed, which is proved to have a good inhibiting effect on the propagation of malcode.
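The r-chunk negative selection algorithm, the holes it leaves in non-self space, and the directed generation of variable-threshold hole detectors that form a second detector layer (contribution 2 in both abstracts), as an added toy illustration that is not code from the thesis. The self set, string length and the exact hole-detector strategy (raise the threshold r until some chunk of the hole is absent from self) are my own assumptions, since the page gives no algorithm details.

```python
from itertools import product

# Constructed toy self set of length-4 binary strings (not data from the thesis).
SELF = {"0000", "0011", "1100", "1111", "0110"}
L = 4


def self_chunks(self_set, r):
    """All (position, chunk) pairs of length r that occur in some self string."""
    return {(i, s[i:i + r]) for s in self_set for i in range(len(s) - r + 1)}


def nsa_detectors(self_set, length, r):
    """Negative selection: keep every r-chunk candidate that matches no self string."""
    seen = self_chunks(self_set, r)
    return {(i, "".join(c)) for i in range(length - r + 1)
            for c in product("01", repeat=r) if (i, "".join(c)) not in seen}


def matches(detectors, x):
    """r-chunk rule: detector (i, d) matches x when x[i:i+len(d)] == d."""
    return any(x[i:i + len(d)] == d for i, d in detectors)


def holes(self_set, length, r):
    """Non-self strings no fixed-r detector can match: each chunk also occurs in self."""
    dets = nsa_detectors(self_set, length, r)
    return sorted("".join(b) for b in product("01", repeat=length)
                  if "".join(b) not in self_set and not matches(dets, "".join(b)))


def hole_detector(hole, self_set, r):
    """Directed generation (assumed strategy): raise the threshold from r upwards until
    some chunk of the hole is absent from self; that chunk is a detector which matches
    the hole and still tolerates every self string."""
    for rr in range(r, len(hole) + 1):
        seen = self_chunks(self_set, rr)
        for i in range(len(hole) - rr + 1):
            if (i, hole[i:i + rr]) not in seen:
                return (i, hole[i:i + rr])
    return None  # unreachable for a non-self hole: at rr == len(hole) the chunk is the hole itself


def double_layer(x, layer1, layer2):
    """Layer 1: fast fixed-r detectors; layer 2: variable-r hole detectors."""
    return matches(layer1, x) or matches(layer2, x)


def build(self_set=SELF, length=L, r=2):
    layer1 = nsa_detectors(self_set, length, r)
    layer2 = {hole_detector(h, self_set, r) for h in holes(self_set, length, r)}
    return layer1, layer2
```

With this self set and r = 2, the fixed-r layer alone leaves four of the eleven non-self strings undetected; the four hole detectors it derives close that gap without matching any self string.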
