The 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, 15-17 September 2011, Prague, Czech Republic

Evolution of Immune Detectors in Intelligent Security System for Malware Detection

Vladimir Golovko 1, Sergei Bezobrazov 2, Vasilii Melianchuk 3
1,2 Brest State Technical University, Moskovskaja str. 267, Brest, 224017, Republic of Belarus; 1 gva@bstu.by, 2 bescase@gmail.com
3 IOOO CIB Software, Gazety “Pravda” pr. 9-10H, Minsk, 220000, Republic of Belarus; basilisk@pisem.net

Abstract—In this paper we present the basic principles of the evolution of detectors in an intelligent malware detection system. The system is based on the integration of two artificial intelligence methods: artificial neural networks and artificial immune systems. The goal of the evolution is the adaptation of detectors to new, unknown malicious code in order to increase the quality of detection.

Keywords—malware detection; artificial immune system; neural networks.

I. INTRODUCTION

The CIS company [1] reported that during 2009 – 2010 every second organization was attacked. Four types of cyber attacks were detected:
1. Attacks via the Internet.
2. Local attacks.
3. Network attacks (detected by an Intrusion Detection System).
4. E-mail attacks.

Today's malicious trend is characterized by intensive growth of the first two types of attacks. In 2010 the highest known level of these attacks (more than 1.9 billion) was recorded. The most famous of these attacks are Mariposa, Bredolab, TDSS, Koobface, Sinowal, Black Energy, etc. Each of them infected millions of computers all over the world. The quality and complexity of malware are constantly increasing. A striking example of such a new cyber threat is Stuxnet [2]. It was discovered in July 2010, but experts are still analyzing its capabilities and hidden functions. Stuxnet was written specifically to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes.
Stuxnet includes the capability to reprogram PLCs, to take over control of the target object and to hide its changes. This malware probably damaged Iran's nuclear facilities in Natanz and eventually delayed the start-up of Iran's Bushehr Nuclear Power Plant. Several security companies claim that Stuxnet is “a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world” [3].

Users of social networks are also frequently subjected to cyber attacks. The main goal of such attacks is stealing confidential information and placing links on infected web resources. The Koobface worm [4] displayed the largest activity: it attacked Twitter and sent messages with links to Trojans.

The currently applied methods of information security do not guarantee an effective level of information protection. Reactive defense [5], based on signature analysis, is an exact method but is able to detect only already known attacks. Modern proactive defense [5], based on various heuristic methods, is characterized by a low level of malicious code detection. We need new robust methods to defend against constantly evolving cyber attacks.

In our previous works we presented and described a self-organizing and self-adapting security system based on the integration of two artificial intelligence methods: artificial neural networks and artificial immune systems [6, 7, 8, 9]. Such a system consists of a population of detectors which scan file and memory space for the purpose of malware detection. We demonstrated that immune detectors with a neural architecture can detect new, unknown attacks and provide better results in comparison with other methods of malware detection. The immune detectors go through several stages during their lifecycle: generation, learning, selection, cloning, mutation and transformation into memory detectors. In this paper we explore the adaptability of immune detectors to unknown threats.

The adaptability of a detector consists in the modification of its structure in order to increase the detection rate of unknown malware. The structure of a detector is modified when malicious code has been detected. The features of the newly detected malware are reviewed, whereupon the detectors change their own parameters.

The paper is organized in the following way: Section 2 explains the structure of the developed security system and describes its basic working principles. Section 3 presents the detailed mechanism of adaptation of immune detectors to newly detected malware. Results of experiments are discussed in Section 4. Finally, Section 5 concludes this paper.
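As an added illustration of the detector lifecycle described above (generation, selection, cloning, mutation, memory detectors) and of the adaptation step triggered by a detection, not code from the paper: it assumes real-valued feature vectors with a distance-based matching rule and a step-toward-the-sample mutation in place of the authors' neural detectors, and the benign and malicious sample vectors are constructed.

```python
import math
import random
from dataclasses import dataclass
@dataclass
class Detector:
    center: list          # point in feature space (assumed representation)
    radius: float         # fires if a sample lies closer than this
    memory: bool = False  # set when promoted to a memory detector

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def matches(det, sample):
    return dist(det.center, sample) < det.radius

def passes_negative_selection(det, self_set):
    """Selection: a detector that fires on any benign sample is discarded."""
    return not any(matches(det, s) for s in self_set)

def generate_detectors(n, dim, radius, self_set, seed=0):
    """Generation + selection: draw random candidates until n survive."""
    rng, kept = random.Random(seed), []
    while len(kept) < n:
        cand = Detector([rng.random() for _ in range(dim)], radius)
        if passes_negative_selection(cand, self_set):
            kept.append(cand)
    return kept

def clone_and_mutate(parent, sample, self_set, n_clones=5, seed=0):
    """Cloning + mutation: each clone steps a random fraction toward the
    detected sample; clones that would now fire on self are discarded."""
    rng, clones = random.Random(seed), []
    for _ in range(n_clones):
        alpha = rng.uniform(0.3, 0.9)
        center = [c + alpha * (s - c) for c, s in zip(parent.center, sample)]
        child = Detector(center, parent.radius)
        if passes_negative_selection(child, self_set):
            clones.append(child)
    return clones

def adapt(population, sample, self_set, seed=0):
    """On a detection: promote the firing detector to memory, add its clones."""
    hit = next((d for d in population if matches(d, sample)), None)
    if hit is None:
        return population
    hit.memory = True
    return population + clone_and_mutate(hit, sample, self_set, seed=seed)

SELF = [[0.1, 0.1, 0.1, 0.1], [0.15, 0.05, 0.1, 0.1], [0.1, 0.2, 0.05, 0.1]]  # constructed benign vectors
MALWARE = [0.8, 0.7, 0.9, 0.6]  # constructed feature vector of a detected file
```

The invariant worth checking after every stage is that no detector in the population fires on a benign sample, which the selection step enforces for fresh candidates and again for mutated clones.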