A danger feature based negative selection algorithm

Abstract

This paper proposes a danger feature based negative selection algorithm (DFNSA). The DFNSA divides the danger feature space into four parts, and reserves the information of danger features to the utmost extent, laying a good foundation for measuring the danger of a sample. In order to incorporate the DFNSA into the procedure of malware detection, a DFNSA-based malware detection (DFNSA-MD) model is proposed. It maps a sample into the whole danger feature space by using the DFNSA. The danger of a sample is measured precisely in this way and used to classify the sample. Eight groups of experiments on three public malware datasets are exploited to evaluate the effectiveness of the proposed DFNSA-MD model using cross validation. Comprehensive experimental results suggest that the DFNSA is able to reserve as much information of danger features as possible, and the DFNSA-MD model is effective to detect unseen malware. It outperforms the traditional negative selection algorithm based and the negative selection algorithm with penalty factor based malware detection models in all the experiments for about 5.34% and 0.67% on average, respectively. © 2012 Springer-Verlag.