Application of CLIPS Expert System to Malware Detection System

Malware detection is a crucial aspect of software security. Traditional signature-based detection method cannot detect zero-day attacks and some malware adopting some circumvention techniques such as polymorphic, metamorphic, obfuscation and packer. So some anomaly-based detection techniques are introduced to overcome this drawback, but these techniques have high false alarm rate and the complexity involved in determining what features should be learned in the training phase. In order to overcome these shortcomings, we propose a malware detection system based on expert systems in this paper. This system integrates signature-based analysis and anomaly-detection technique together. The signature is anomaly behavioral signatures. Accord to expertise about malware¿s major suspicious behaviors, we build the knowledge base of the expert system. And we design a behavior gathering component to intercept anomaly behaviors happened in the operating system and get significant traces leaved by malware, then present these behaviors and traces as facts. The expert system uses the knowledge base and behaviors facts to infer and give the results. This system can detect not only known malware, but some zero-day attacks using known techniques and also malware adopting low-level techniques, such as polymorphic and packer.