
Tuesday, April 2, 2019

Artificial Intelligence In Antivirus Detection System Computer Science Essay

Abstract. Artificial intelligence (AI) techniques play an increasingly important role in antivirus detection. At present, several artificial intelligence techniques used in antivirus detection have been proposed, including heuristic techniques, data mining, agent technique, artificial immune systems, and artificial neural networks. It is believed that integrating antivirus detection with artificial intelligence will improve the performance of antivirus detection systems and promote the development of new artificial intelligence algorithms and their application in antivirus detection. This paper introduces the main artificial intelligence technologies, especially heuristics, which have been applied in antivirus systems. It also points out that combining all kinds of artificial intelligence technologies will become the main development trend in the field of antivirus.

Keywords: Anti-virus, Artificial Intelligence, Data mining, Heuristic, Neural network

Introduction

Artificial Intelligence (AI) is the branch of computer science which deals with the intelligence of machines, where an intelligent agent is a system that perceives its environment and takes actions which maximize its chances of success. It has numerous applications such as robotics, medicine, finance and space. One of the most recent ones is antivirus software. Here we give details regarding the heuristic method used in antivirus software.

Malware and its types

Malware (malicious software) is software designed to infiltrate or damage a computer system without the owner's informed consent.

Malware types

We can distinguish quite a few malicious software types. It is important to be aware that although all of them have a similar purpose, each one acts differently.

- Viruses
- Worms
- Wabbits
- Trojan horses
- Exploits/Backdoors
- Spyware

Due to their different behaviour, each malware group uses alternative routes of staying undetected. This forces anti-virus software producers to develop numerous solutions and countermeasures for computer protection. This paper focuses on methods used especially for virus detection, not necessarily effective against other types of malicious software.

Infection Strategies

To better understand how viruses are detected and recognized, it is essential to divide them by the way they infect.

A. Non-Resident Viruses

The simplest form of viruses, which don't stay in memory, but infect a found executable file and search for another one to replicate.

B. Resident Viruses

A more complex and efficient type of viruses which stay in memory and hide their presence from other processes. A kind of TSR application.

- Fast infectors: a type designed to infect as many files as possible.
- Slow infectors: apply stealth and encryption techniques to stay undetected longer.

Methods Used

A. Metaheuristic

A metaheuristic is a heuristic method for solving a very general class of computational problems by combining user-given black-box procedures in a hopefully efficient way. Metaheuristics are generally applied to problems for which there is no satisfactory problem-specific algorithm or heuristic.

B. Heuristic

A heuristic is a method to help solve a problem, commonly an informal method. It is particularly used to rapidly come to a solution that is reasonably close to the best possible answer.

General Heuristics

It is important to remember that metaheuristics are only ideas for solving a problem, not a specific way to do so. The list below shows the main metaheuristics used for virus detection and recognition:

- Pattern matching
- Automatic learning
- Environment emulation
- Neural networks
- Data mining
- Bayes networks
- Hidden Markov models

Concrete Heuristics

Specific heuristics practically used in virus detection and recognition are naturally inherited from metaheuristics. So, for example, a concrete method for virus detection applying neural networks can be an implementation of a SOM (Self-Organizing Map): Neural Networks (metaheuristic), SOM (heuristic). The most popular, and one of the most efficient, heuristics used by anti-virus software is a technique called Heuristic Scanning.

Lacks in Specific Detection

A great deal of recent viruses are only slightly changed versions of a few concepts developed years ago. Specific detection methods like signature scanning became very efficient ways of detecting known threats. Finding a specific signature in the code allows the scanner to recognize every virus whose signature has been stored in its database.

BB ?2 B9 10 01 81 37 ?2 81 77 02 ?2 83 C3 04 E2 F2
FireFly virus signature (hexadecimal)

The problem occurs when the virus code is changed by a programmer or a mutation engine. The signature is malformed due to even minor changes. The virus may behave in exactly the same way but is undetectable due to its new, unique signature.

BB ?2 B9 10 01 81 37 ?2 81 A1 D3 ?2 01 C3 04 E2 F2
Malformed signature (hexadecimal)

Heuristic Scanning

We can recognise a virus without examining its structure, by its behaviour and characteristics. Heuristic scanning in its basic form is an implementation of three metaheuristics:

- Pattern matching
- Automatic learning
- Environment emulation

The basic idea of heuristic scanning is to examine assembly language instruction sequences (step by step) and qualify them by their potential harmfulness. If there are sequences behaving suspiciously, the program can be qualified as a virus. The phenomenon of this method is that it actually detects threats that aren't yet known.

Fig. 1. Examination of assembly language sequence

A. Recognising Potential Threats

In real anti-virus software, heuristic scanning is implemented to recognize threats by following built-in rules, e.g. if a program tries to format the hard drive its behaviour is highly suspicious, but it can be only a simple disk utility. A single suspicion is never a reason to trigger the alarm. But if the same program also tries to stay resident and contains a routine to search for executables, it is highly probable that it's a real virus. AV software very often classifies sequences by their behaviour, granting them a flag. Every flag has its weight; if the total value for one program exceeds a predefined threshold, the scanner regards it as a virus.

Fig. 2. Single-layer classifier with threshold

Heuristic Flags

Some scanners set a flag for each suspected ability which has been found in the file being analyzed. This makes it easier to explain to the user what has been found. TbScan for instance recognizes many suspected instruction sequences. Every suspected instruction sequence has a flag assigned to it.

A. Flag Description

- F = Suspicious file access. Might be able to infect a file.
- R = Relocator. Program code will be relocated in a suspicious way.
- A = Suspicious Memory Allocation. The program uses a non-standard way to search for, and/or allocate memory.
- N = Wrong name extension. Extension conflicts with program structure.
- S = Contains a routine to search for executable (.COM or .EXE) files.
- = Found an instruction decryption routine. This is common for viruses but also for some protected software.
- E = Flexible Entry-point. The code seems to be designed to be linked at any location within an executable file. Common for viruses.
- L = The program traps the loading of software. Might be a virus that intercepts program load to infect the software.
- D = Disk write access. The program writes to disk without using DOS.
- M = Memory resident code. This program is designed to stay in memory.
- = Invalid opcode (non-8088 instructions) or out-of-range branch.
- T = Incorrect timestamp. Some viruses use this to mark infected files.
- J = Suspicious jump construct. Entry point via chained or indirect jumps. This is unusual for normal software but common for viruses.
- ? = Inconsistent exe-header. Might be a virus but can also be a bug.
- G = Garbage instructions. Contains code that seems to have no purpose other than encryption or avoiding recognition by virus scanners.
- U = Undocumented interrupt/DOS call. The program might be just tricky but can also be a virus using a non-standard way to detect itself.
- Z = EXE/COM determination. The program tries to check whether a file is a COM or EXE file. Viruses need to do this to infect a program.
- O = Found code that can be used to overwrite/move a program in memory.
- B = Back to entry point. Contains code to re-start the program after modifications at the entry point are made. Very usual for viruses.
- K = Unusual stack. The program has a suspicious stack or an odd stack.

Avoiding False Positives

Just like all other generic detection techniques, heuristic scanners sometimes blame innocent programs for being infected by a virus. This is called a False Positive or False Alarm. The reason for this is simple: some programs happen to have several suspected abilities.

If a heuristic scanner pops up with a message saying "This program is able to format a disk and it stays resident in memory", and the program is a resident disk format utility, is this really a false alarm? Actually, the scanner is right. A resident format utility obviously contains code to format a disk, and it contains code to stay resident in memory. The heuristic scanner is therefore entirely right. You could name it a false suspicion, but not a false positive. The only problem here is that the scanner says that it might be a virus. If you think the scanner tells you it has found a virus, it turns out to be a false alarm. However, if you take this information as is, saying "OK, the facts you report are true for this program, I can verify this, so it is not a virus", I wouldn't count it as a false alarm. The scanner just tells the truth. The main problem here is the person who has to make decisions with the information supplied by the scanner. If it is a novice user, it is a problem.

Whether we call it a false positive or a false suspicion doesn't matter. We do not like the scanner to yell every time we scan. So we need to avoid this situation. How do we achieve this?

- Definition of (combinations of) suspicious abilities
- Recognition of common program code
- Recognition of specific programs
- Assumption that the machine is initially not infected

Performance of Heuristic Scanning

Heuristics is a relatively new technique and still under development. It is however gaining importance rapidly. This is not surprising, as heuristic scanners are able to detect over 90% of the viruses without using any predefined information like signatures or checksum values. The amount of false positives depends on the scanner, but a figure as low as 0.1% can be reached easily. A false positive test however is more difficult to perform, so there are no individual results available.

Pros and Cons

A. Advantages

Can detect future viruses. The user is less dependent on product updates.

B. Disadvantages

False positives are possible. Judgment of the result requires some basic knowledge.

Conclusions

Thus, artificial intelligence techniques help improve the performance of antivirus software. Avoiding this detection method makes detection by conventional anti-virus products easier, because it means that the programmer cannot use very tight and straight code. The virus writer will be forced to write more complex viruses. Thus artificial intelligence increases the threat to virus writers.

Acknowledgment

I hereby thank Ms. Padmapriya for supporting and helping us with the submission of this paper.
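As an added worked example, not part of the original essay, the two hexadecimal signatures from the Lacks in Specific Detection section and the weighted-flag threshold classifier from the Heuristic Flags section, in Python. It assumes that `?2` in the signatures means two wildcard bytes, that the flag letters are supplied by the scanner's sequence recognisers, and that the weights, threshold and sample byte streams are constructed for illustration only.

```python
import re

# Signatures quoted in the essay (FireFly and its malformed variant). "?N" is
# read here as N wildcard bytes: an assumption, but one that fits the x86
# instruction lengths of the decryptor loop (the MOV/XOR immediates are 2 bytes).
FIREFLY_SIG = "BB ?2 B9 10 01 81 37 ?2 81 77 02 ?2 83 C3 04 E2 F2"
MALFORMED_SIG = "BB ?2 B9 10 01 81 37 ?2 81 A1 D3 ?2 01 C3 04 E2 F2"

# Constructed samples (not real malware): the signature's opcodes with arbitrary
# immediates 0x1234/0x5678 in the wildcard slots, before and after the "minor
# change" (81 77 02 -> 81 A1 D3, 83 -> 01) that breaks the original signature.
ORIGINAL = bytes.fromhex("90BB3412B9100181377856817702785683C304E2F2C3")
MUTATED = bytes.fromhex("90BB3412B910018137785681A1D3785601C304E2F2C3")

# Weights for a subset of the TbScan-style flags listed above (F, S, M, E, D, Z, B).
# The values and the threshold are constructed for illustration only.
FLAG_WEIGHTS = {"F": 2, "S": 3, "M": 1, "E": 3, "D": 2, "Z": 2, "B": 3}
THRESHOLD = 6


def signature_to_regex(sig: str):
    """Compile a hex signature with ?N wildcards into a bytes regex."""
    parts = []
    for tok in sig.split():
        if tok.startswith("?"):
            parts.append(b"." * int(tok[1:]))          # any byte, N times
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def signature_matches(sig: str, data: bytes) -> bool:
    """Specific detection: the stored signature must occur byte for byte."""
    return signature_to_regex(sig).search(data) is not None


def heuristic_score(flags: str) -> int:
    """Single-layer classifier: add up the weight of every raised flag."""
    return sum(FLAG_WEIGHTS.get(f, 0) for f in flags)


def heuristic_verdict(flags: str) -> str:
    """Generic detection: reaching the threshold marks the file as suspicious."""
    return "suspicious" if heuristic_score(flags) >= THRESHOLD else "clean"


if __name__ == "__main__":
    virus_flags = "FSMEZB"  # flags a scanner would raise for the sample's behaviour
    for name, data in (("original", ORIGINAL), ("mutated", MUTATED)):
        print(name, signature_matches(FIREFLY_SIG, data), heuristic_verdict(virus_flags))
    print("resident format utility", heuristic_verdict("DM"))  # below threshold
```

The mutated stream escapes the FireFly signature while its behaviour flags still push it over the threshold, which is the essay's argument for heuristic scanning; the resident format utility with only D and M stays below it.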
