An Analysis of the Effectiveness of a Constructive Induction-Based Virus Detection Prototype

Abstract

Computer viruses remain a tangible threat to systems both within the Department of Defense and throughout the greater international data communications infrastructure on which the DoD increasingly depends. The threat grows continually, as new viruses are introduced at an alarming rate by the expanding population of connected machines and their operators. Unfortunately, current antivirus solutions are ill-equipped to address these issues in the long term. This thesis documents an investigation into the use of constructive induction, a form of machine learning, as a supplemental antivirus technique theoretically capable of detecting previously unknown viruses through generalized decision-making techniques. A group of examples derived from common software applications, utilities, and viruses was tested in order to evaluate the benefits of adding constructive induction to the process of selecting suitable virus signatures. A prototype virus detection system subcomponent, DRIVER, was developed to conduct the experiments. Because nontrivial example files are already feature-rich and DRIVER can assemble decision trees from those primitive features, results showed only marginal benefits from constructive induction, at the cost of significantly increased computational resource requirements. Future research, emphasizing a combination of optimization techniques and test cases that increasingly approximate "real world" detection scenarios, should eventually establish whether constructive induction represents a genuinely useful and practical alternative to today's antivirus measures.
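The following Python sketch is an added illustration of the approach the abstract describes; it is not code from the thesis or from the DRIVER prototype. It assumes a deliberately simplified setup: constructed byte strings stand in for executables, the primitive features are byte 2-gram presence tests, signatures are selected by ID3-style decision-tree induction on information gain, and the "constructive induction" step is the creation of every pairwise conjunction of primitives. The sample bytes, labels and all function names are hypothetical. The data is built so that no single 2-gram separates the classes, which lets the sketch show both effects the abstract reports: the constructed feature gives a smaller tree, and the candidate feature space grows quadratically.

```python
"""Toy constructive-induction signature selector (added example, not DRIVER)."""
from collections import Counter
from itertools import combinations
from math import log2

# Constructed samples (hypothetical). The "virus" class is defined by the
# co-occurrence of the 2-grams \xe8\x00 and \x5d\xc3; each of those grams
# also appears on its own in benign files, so no single primitive feature
# separates the classes and a primitive tree needs two levels.
SAMPLES = [
    (b"\xe8\x00\x5d\xc3", "virus"),
    (b"\x5d\xc3\xe8\x00", "virus"),
    (b"\xe8\x00\x90\x90", "benign"),
    (b"\x5d\xc3\xcc\xcc", "benign"),
    (b"MZ\x90\x90", "benign"),
    (b"\xcc\xcc\xe8\x00", "benign"),
]


def ngrams(data: bytes, n: int = 2) -> frozenset:
    """Set of byte n-grams present in a sample."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))


def entropy(labels) -> float:
    total = len(labels)
    return -sum(c / total * log2(c / total) for c in Counter(labels).values())


def matches(feature, grams) -> bool:
    """A feature is a tuple of n-grams; it fires only when all of them occur."""
    return all(g in grams for g in feature)


def info_gain(examples, feature) -> float:
    labels = [lab for _, lab in examples]
    pos = [lab for grams, lab in examples if matches(feature, grams)]
    neg = [lab for grams, lab in examples if not matches(feature, grams)]
    expected = sum(len(p) / len(labels) * entropy(p) for p in (pos, neg) if p)
    return entropy(labels) - expected


def induce(examples, features, stats):
    """ID3: nested (feature, present_subtree, absent_subtree) tuples or a leaf label.

    stats["evaluations"] counts every gain computation, i.e. the resource cost."""
    labels = [lab for _, lab in examples]
    if len(set(labels)) == 1:
        return labels[0]
    if not features:
        return Counter(labels).most_common(1)[0][0]
    stats["evaluations"] += len(features)
    # Deterministic tie-break on the feature tuple itself.
    best = max(features, key=lambda f: (info_gain(examples, f), f))
    pos = [(g, lab) for g, lab in examples if matches(best, g)]
    neg = [(g, lab) for g, lab in examples if not matches(best, g)]
    if not pos or not neg:  # no feature splits the remaining examples
        return Counter(labels).most_common(1)[0][0]
    rest = [f for f in features if f != best]
    return (best, induce(pos, rest, stats), induce(neg, rest, stats))


def tree_size(tree) -> int:
    return 1 if isinstance(tree, str) else 1 + tree_size(tree[1]) + tree_size(tree[2])


def tree_depth(tree) -> int:
    return 0 if isinstance(tree, str) else 1 + max(tree_depth(tree[1]), tree_depth(tree[2]))


def primitive_features(examples):
    grams = set()
    for g, _ in examples:
        grams |= g
    return sorted((g,) for g in grams)


def construct_conjunctions(primitives):
    """Constructive induction step: every pairwise conjunction of primitive features."""
    return [a + b for a, b in combinations(primitives, 2)]


def classify(tree, data: bytes) -> str:
    grams = ngrams(data)
    while not isinstance(tree, str):
        feature, present, absent = tree
        tree = present if matches(feature, grams) else absent
    return tree


def run_experiment():
    """Induce a tree from primitives alone, then from primitives plus conjunctions."""
    examples = [(ngrams(d), lab) for d, lab in SAMPLES]
    prims = primitive_features(examples)
    stats_p = {"evaluations": 0}
    tree_p = induce(examples, prims, stats_p)
    conj = construct_conjunctions(prims)
    stats_c = {"evaluations": 0}
    tree_c = induce(examples, prims + conj, stats_c)
    return {
        "primitive": {"tree": tree_p, "nodes": tree_size(tree_p),
                      "depth": tree_depth(tree_p), "evaluations": stats_p["evaluations"],
                      "candidates": len(prims)},
        "constructive": {"tree": tree_c, "nodes": tree_size(tree_c),
                         "depth": tree_depth(tree_c), "evaluations": stats_c["evaluations"],
                         "candidates": len(prims) + len(conj)},
    }


if __name__ == "__main__":
    for name, r in run_experiment().items():
        print(f"{name:12s} nodes={r['nodes']} depth={r['depth']} "
              f"candidates={r['candidates']} gain evaluations={r['evaluations']}")
```

On this constructed corpus the primitive run selects the 2-gram \x5d\xc3 at the root and \xe8\x00 beneath it (5 nodes, 21 gain evaluations), while the constructive run finds the single conjunction (\x5d\xc3, \xe8\x00) and stops at one split (3 nodes), but only after evaluating 66 candidate features instead of 11. With the thousands of distinct n-grams a real executable yields, the pairwise conjunction space grows to millions of candidates, which is the resource cost the abstract reports against a modest gain in tree size.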


Document Details

Document Type
Technical Report
Publication Date
Apr 01, 2000
Accession Number
ADA380616

Entities

People

  • Kevin T. Damp

Organizations

  • Air Force Institute of Technology

Tags

Communities of Interest

  • Autonomy
  • Cyber
  • Energy and Power Technologies
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Air Force
  • Algorithms
  • Application Software
  • Artificial Intelligence
  • Computational Complexity
  • Computer Program Documentation
  • Computer Program Reliability
  • Computer Programming
  • Computer Programs
  • Computer Viruses
  • Computers
  • Digital Communications
  • Machine Learning
  • Operating Systems
  • Spreadsheet Software
  • Test And Evaluation
  • Word Processors

Readers

  • Artificial Intelligence
  • Computational Modeling and Simulation
  • Virology (or Medical Virology)

Technology Areas

  • AI & ML
  • AI & ML - DoD AI Strategy
  • AI & ML - Machine Learning Algorithms