The most serious threats to the security of computers and networking systems are computer viruses and unknown intrusions. The rapid development of evasion techniques used in viruses invalidates the well-known signature-based computer virus detection techniques, so a number of novel virus detection approaches have been proposed to cope with this vital security issue. Because of the natural similarities between the biological immune system (BIS) and computer security systems, the artificial immune system (AIS) has been developed as a new field in the anti-virus research community. The various principles and mechanisms in the BIS provide unique opportunities to build novel computer virus detection models that are robust and adaptive in detecting known and unknown viruses.
Biological immune systems are hierarchical natural systems featuring high distribution, parallelization, and the ability to process complex information, among other useful features. The BIS is also a dynamically adjusting system characterized by the abilities of learning, memory, recognition, and cognition, so that it is good at recognizing and removing antigens effectively to protect the organism. The BIS makes full use of various intelligent ways to react to an antigen's intrusions, producing accurate immune responses by means of intrinsic and adaptive immune abilities. Through mutation, evolution, and learning to adapt to new environments, along with memory mechanisms, the BIS can react much more strongly and quickly against foreign antigens and the like. The BIS consists of intrinsic immune (i.e., non-specific immune) and adaptive immune (i.e., specific immune) responses that mutually cooperate to defend against foreign antigens.
An artificial immune system is an adaptive system inspired by theoretical immunology and observed immune functions, principles, and models, which are applied to problem solving. In other words, the AIS is a computational system inspired by the BIS, sometimes also referred to as the second brain, made up of computational intelligence paradigms. The AIS is a dynamic, adaptive, robust, and distributed learning system. Because it has fault tolerance and noise resistance, it is very suitable for applications in time-varying unknown environments. The AIS has been applied to many complex problem fields, such as optimization, pattern recognition, fault and anomaly diagnosis, network intrusion detection, and virus detection, as well as many others.
Generally speaking, the AIS could be roughly classified into two major categories: population-based and network-based algorithms. Network-based algorithms make use of the concepts of immune network theory, while population-based algorithms use theories and models such as negative selection principle, clonal principle, danger theory, and others. During the past decades, there have been a large number of immune theories and models, such as self and nonself models, clonal selection algorithm, immune network, dendritic cell algorithms, danger theory, and so on. By mimicking BIS's mechanisms and functions, AIS has developed and is now widely used in anomaly detection, fault detection, pattern recognition, optimization, learning, and so on. Like its biological counterpart, AIS is also characterized by noise-tolerance, unsupervised learning, self-organization, memorizing, recognition, and so on.
In particular, anomaly detection techniques decide whether an unknown test sample is produced by the underlying probability distribution that corresponds to the training set of normal examples. The pioneering work of Forrest and associates led to a great deal of research and proposals of immune-inspired anomaly detection systems. For example, in the self and nonself model, the central challenge of anomaly detection is determining the difference between normal and potentially harmful activity. Usually, only the self (normal) class is available for training the system; the nonself (anomaly) class is not. Thus, the essence of the anomaly detection task is that the training set contains instances only from the self class, while the test set contains instances of both self and nonself classes. Specifically, computer security and virus detection should be regarded as typical examples of anomaly detection in artificial immune systems, whose task is protecting computers from viruses, unauthorized users, and so on. In computer security, AIS has a very strong capability of anomaly detection for defending against unknown viruses and intrusions. Adaptability is also a very important feature that lets an AIS learn unknown viruses and intrusions and react quickly to the learned ones. Other features of AIS, such as distributability, autonomy, diversity, and disposability, are also required for its flexibility and stability.
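The self and nonself setting described above can be made concrete with the negative selection principle. The following is an added example, not code from the book: the r-contiguous matching rule, the exhaustive enumeration of candidate detectors (instead of random generation), and the 8-bit strings are assumptions chosen to keep the sketch small and deterministic.

```python
from itertools import product

L = 8  # length of each bit string (constructed toy feature vector)
R = 4  # assumed matching rule: agree on R contiguous positions

def r_match(a, b, r=R):
    """r-contiguous rule: True if a and b agree on >= r adjacent positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def train_detectors(self_set, length=L, r=R):
    """Censoring: keep every candidate that matches no self sample.
    Candidates are enumerated exhaustively (instead of sampled at random)
    so the result is deterministic for this small string length."""
    detectors = []
    for bits in product("01", repeat=length):
        cand = "".join(bits)
        if not any(r_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors

def is_nonself(sample, detectors, r=R):
    """Monitoring: a sample is anomalous if any detector matches it."""
    return any(r_match(sample, d, r) for d in detectors)

# Constructed training data: only the self (normal) class is available.
SELF = ["00000000", "00000011", "00001100", "00110000"]
DETECTORS = train_detectors(SELF)

def classify(samples):
    return {s: "nonself" if is_nonself(s, DETECTORS) else "self" for s in samples}

if __name__ == "__main__":
    # Constructed test set: seen self, unseen near-self, and nonself samples.
    for s, label in classify(SELF[:1] + ["00000001", "11111111", "11110101"]).items():
        print(s, label)
```

The unseen string `00000001` is still classified as self because every detector that could match it was censored during training, which is how the model tolerates small variations of normal data while flagging samples far from it.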
The features of the BIS are thus just what a computer security system needs, and the functions of the BIS and a computer security system are similar to each other to some extent. The biological immune principles therefore provide effective solutions to computer security issues. The research and development of AIS-based computer security detection are receiving increasing attention. The application of immune principles and mechanisms can better protect the computer and greatly improve the network environment.
In recent years, computer and networking technologies have developed rapidly and have been used more and more widely in our daily life. At the same time, computer security issues appear frequently. The large variety of malware, especially new variants and unknown ones, constantly and seriously threatens computers. What is worse, malware is getting more complicated and delicate, with faster speed and greater damage. Meanwhile, a huge volume of spam not only occupies storage and network bandwidth, but also wastes users' time in handling it, resulting in a great loss of productivity. Although many classic solutions have been proposed, there are still many limitations in dealing with real-world computer security issues.
A computer virus is a program or a piece of code that can infect other programs by modifying them to include an evolved copy of itself. Broadly, one can regard the computer virus as malicious code designed to harm or secretly access a computer system without the owners' informed consent, such as viruses, worms, backdoors, Trojans, harmful Apps, hacker codes, and so on. All programs that are not authorized by users and that perform harmful operations in the background are referred to as viruses; they are characterized by several salient features including infectivity, destruction, concealment, latency, triggering, and so on.
Computer viruses have evolved with computer technologies and systems. Generally speaking, the development of viruses has gone through several phases, including the DOS boot phase, DOS executable phase, virus generator phase, macro virus phase, as well as virus techniques merging with hacker techniques. As computer viruses have developed and proliferated, they have become the main urgent threat to the security of computers and the Internet.
The battle between viruses and anti-virus techniques is endless warfare. Computer viruses disguise themselves by means of various kinds of evasion techniques, including metamorphic and polymorphic techniques and packer and encryption techniques, to name a few. To confront these critical situations, anti-virus techniques have to unpack the suspicious programs, decrypt them, and try to be robust to these evasion techniques. The viruses, in turn, evolve to resist unpacking and decryption and develop obfuscation against the anti-virus techniques. The fight between viruses and anti-virus techniques is very serious and will last forever.
Nowadays, a variety of novel virus techniques are continuously emerging and are often one step ahead of the anti-virus techniques. A good anti-virus technique should increase the difficulty of virus intrusion, decrease the losses caused by viruses, and react to an outbreak of viruses as quickly as possible.
Many host-based anti-virus solutions have been proposed by researchers and companies, which can be roughly classified into three categories: static techniques, dynamic techniques, and heuristics.
Static techniques usually work on bit strings, assembly codes, and application programming interface (API) calls of a program without running the program. One of the most famous static techniques is the signature-based virus detection technique, in which a signature is usually a bit string extracted from a virus sample that can identify the virus uniquely.
Dynamic techniques keep watching over the execution of every program in real time and observe the behaviors of the program. The dynamic techniques usually utilize the operating system's API sequences, system calls, and other kinds of behavior characteristics to identify the purpose of a program.
Heuristic approaches make full use of various heuristic knowledge and information in the program and its environments, by using intelligent computing techniques such as machine learning, data mining, evolutionary computing, AIS, and so on, for detecting viruses, which not only can fight the known viruses efficiently, but also can detect new variants and unseen viruses.
Because classic detection approaches of computer viruses are not able to efficiently detect new variants of viruses and unseen viruses, it is urgent to study novel virus detection approaches in depth. In this respect, the immune principle-based computer virus detection approaches have become a priority choice in the community of the anti-virus...