Artificial Intelligence In Antivirus Detection System Computer Science Essay

Abstract- Artificial intelligence (AI) techniques have played an increasingly important role in antivirus detection. At present, the main artificial intelligence techniques applied to antivirus detection are proposed, including heuristic techniques, data mining, agent techniques, artificial immune systems, and artificial neural networks. It is believed that integrating antivirus detection with artificial intelligence will improve the performance of antivirus detection systems and promote the production of new artificial intelligence algorithms and their application to antivirus detection. This paper introduces the main artificial intelligence technologies, especially heuristics, which have been applied in antivirus systems. Meanwhile, it also points out that combining all kinds of artificial intelligence technologies will become the main development trend in the field of antivirus.

Keywords- Anti-virus, Artificial Intelligence, Data mining, Heuristic, Neural network


Artificial Intelligence (AI) is the branch of computer science which deals with the intelligence of machines, where an intelligent agent is a system that perceives its environment and takes actions which maximize its chances of success. It has numerous applications in fields such as robotics, medicine, finance and space.

One of the most recent is antivirus software.

Here we give details regarding the heuristic method used in antivirus software.

Malware and its types

Malware (malicious software) is software designed to infiltrate or damage a computer system without the owner's informed consent.

Malware types

We can distinguish quite a few malicious software types. It is important to be aware that although all of them have a similar purpose, each one behaves differently.

Trojan horses

Due to their different behaviour, each malware group uses alternative ways of remaining undetected. This forces anti-virus software manufacturers to develop numerous solutions and countermeasures for computer protection. This paper focuses on methods used particularly for virus detection, not necessarily effective against other types of malicious software.

Infection Strategies

To better understand how viruses are detected and recognised, it is essential to divide them by their infection methods.

A. Non-Resident Viruses

The simplest form of viruses, which do not stay in memory, but infect an executable file they find and then search for another to replicate into.

B. Resident Viruses

A more complex and efficient type of virus which stays in memory and hides its presence from other processes. A kind of TSR application.

Fast infectors: a type designed to infect as many files as possible.

Slow infectors: use stealth and encryption techniques to remain undetected for longer.

Methods Used

A. Metaheuristic

A metaheuristic is a heuristic method for solving a very general class of computational problems by combining user-given black-box procedures in a hopefully efficient way. Metaheuristics are generally applied to problems for which there is no satisfactory problem-specific algorithm or heuristic.

B. Heuristic

A heuristic is a method to help solve a problem, usually an informal method. It is particularly used to rapidly come to a solution that is reasonably close to the best possible answer.

General Heuristics

It is important to remember that metaheuristics are merely 'ideas' for solving a problem, not a specific way to do it. The list below shows the main metaheuristics used for virus detection and recognition:

Pattern matching

Automatic learning

Environment emulation

Neural networks

Data mining

Bayesian networks

Hidden Markov models

Concrete Heuristics

Specific heuristics practically used in virus detection and recognition are naturally inherited from metaheuristics.

So, for example, a concrete method for virus detection using neural networks can be an implementation of a SOM (Self-Organizing Map). Neural Networks (metaheuristic) → SOM (heuristic).

The most popular, and one of the most efficient, heuristics used by anti-virus software is a technique called Heuristic Scanning.

Shortcomings of Specific Detection

A great deal of modern viruses are merely slightly changed versions of a few concepts developed years ago. Specific detection methods like signature scanning became very efficient ways of detecting known threats. Finding a specific signature in code allows the scanner to recognise every virus whose signature has been stored in its built-in database.

BB ?2 B9 10 01 81 37 ?2 81 77 02 ?2 83 C3 04 E2 F2

FireFly virus signature (hexadecimal)

The problem occurs when the virus source is changed by a programmer or by a mutation engine. The signature is malformed by even minor alterations. The virus may behave in exactly the same way but is undetectable due to its new, unique signature.

BB ?2 B9 10 01 81 37 ?2 81 A1 D3 ?2 01 C3 04 E2 F2

Malformed signature (hexadecimal)
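The following is an added example, not code from the original paper, showing why signature scanning breaks on a slightly altered variant. It assumes a simple signature notation in which `??` stands for a one-byte wildcard (the page's `?2` tokens are taken as wildcard positions; this reading is an assumption), and the two scanned buffers are constructed: one embeds the FireFly byte sequence, the other the same sequence with the bytes `81 77 02` changed, as in the "malformed signature" above.

```python
# Constructed signature: concrete bytes from the page's FireFly example,
# with "??" marking a wildcard byte (assumption about the page's notation).
FIREFLY_SIG = "BB ?? B9 10 01 81 37 ?? 81 77 02 ?? 83 C3 04 E2 F2"


def parse_signature(sig: str) -> list:
    """Turn 'BB ?? B9 ...' into a list of ints (None = any byte)."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_signature(buf: bytes, sig: str):
    """Return the offset of the first match of sig in buf, or None.

    A plain sliding-window compare: every non-wildcard byte must be equal.
    This is exactly the property that a single changed byte defeats.
    """
    pattern = parse_signature(sig)
    n = len(pattern)
    for off in range(len(buf) - n + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(pattern)):
            return off
    return None


# Constructed sample buffers (not real virus code): two padding bytes, the
# signature bytes with arbitrary values in the wildcard slots, then a RET.
ORIGINAL = bytes.fromhex("90 90 BB 34 B9 10 01 81 37 7A 81 77 02 55 83 C3 04 E2 F2 C3")
# Same code with "81 77 02" changed to "81 A1 D3": semantically a minor
# mutation, but the fixed-byte signature no longer applies.
MUTATED = bytes.fromhex("90 90 BB 34 B9 10 01 81 37 7A 81 A1 D3 55 83 C3 04 E2 F2 C3")


def demo() -> tuple:
    """Offsets for both buffers: a hit for the original, None for the variant."""
    return find_signature(ORIGINAL, FIREFLY_SIG), find_signature(MUTATED, FIREFLY_SIG)


if __name__ == "__main__":
    print(demo())
```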

Heuristic Scanning

We can recognise a virus without analysing its structure, by its behaviour and features. Heuristic scanning in its basic form is an implementation of three metaheuristics:

Pattern matching

Automatic learning

Environment emulation

The basic idea of heuristic scanning is to examine assembly language instruction sequences (step by step) and qualify them by their potential harmfulness. If there are sequences behaving suspiciously, the program can be qualified as a virus. The remarkable property of this method is that it actually detects threats that are not yet known!

Fig. 1. Examination of an assembly language sequence

A. Recognising Potential Threats

In real anti-virus software, heuristic scanning is implemented to recognise threats by following built-in rules, e.g. if a program tries to format the hard drive its behaviour is highly suspicious, but it could be just a simple disk utility. A single suspicion is never a reason to trigger the alarm. But if the same program also tries to stay resident and contains a routine to search for executables, it is highly likely that it is a real virus. AV software very often classifies sequences by their behaviour, assigning each a flag. Every flag has its weight; if the total value for one program exceeds a predefined threshold, the scanner regards it as a virus.

Fig.2. Single-layer classifier with threshold

Heuristic Flags

Some scanners set a flag for each suspected ability found in the file being analysed. This makes it easier to explain to the user what has been found. TbScan, for instance, recognises many suspected instruction sequences. Every suspected instruction sequence has a flag assigned to it.

A. Flag Description:

F = Suspicious file access. Might be able to infect a file.

R = Relocator. Program code will be relocated in a suspicious way.

A = Suspicious memory allocation. The program uses a non-standard way to search for, and/or allocate, memory.

N = Wrong name extension. The extension conflicts with the program structure.

S = Contains a routine to search for executable (.COM or .EXE) files.

# = Found an instruction decryption routine. This is common for viruses but also for some protected software.

E = Flexible entry point. The code seems to be designed to be linked at any location within an executable file. Common for viruses.

L = The program traps the loading of software. Might be a virus that intercepts program loading to infect the software.

D = Disk write access. The program writes to disk without using DOS.

M = Memory resident code. This program is designed to stay in memory.

! = Invalid opcode (non-8088 instructions) or out-of-range branch.

T = Incorrect timestamp. Some viruses use this to mark infected files.

J = Suspicious jump construct. Entry point via chained or indirect jumps. This is unusual for normal software but common for viruses.

? = Inconsistent EXE header. Might be a virus but can also be a bug.

G = Garbage instructions. Contains code that seems to have no purpose other than encryption or avoiding recognition by virus scanners.

U = Undocumented interrupt/DOS call. The program might be just tricky but can also be a virus using a non-standard way to detect itself.

Z = EXE/COM determination. The program tries to check whether a file is a COM or EXE file. Viruses need to do this to infect a program.

O = Found code that can be used to overwrite/move a program in memory.

B = Back to entry point. Contains code to restart the program after modifications at the entry point are made. Very usual for viruses.

K = Unusual stack. The program has a suspicious stack or an odd stack.

Avoiding False Positives

Just like all other generic detection techniques, heuristic scanners sometimes blame innocent programs for being infected by a virus. This is called a "false positive" or "false alarm". The reason for this is simple: some programs happen to have several suspected abilities.

If a heuristic scanner pops up with a message saying "This program is able to format a disk and it stays resident in memory", and the program is a resident disk format utility, is this really a false alarm? Actually, the scanner is right. A resident format utility obviously contains code to format a disk, and it contains code to stay resident in memory.

The heuristic scanner is therefore completely right! You could call it a false suspicion, but not a false positive. The only problem here is that the scanner says that it might be a virus. If you think the scanner is telling you it has found a virus, it turns out to be a false alarm. However, if you take this information as is, saying 'ok, the facts you reported are true for this program, I can verify this, so it is not a virus', I would not count it as a false alarm. The scanner merely tells the truth. The main problem here is the person who has to make decisions with the information supplied by the scanner. If it is a novice user, it is a problem.

Whether we call it a false positive or a false suspicion does not matter. We do not want the scanner to shout every time we scan. So we need to avoid this situation. How do we achieve this?

Definition of (combinations of) suspicious abilities

Recognition of common program code

Recognition of specific programs

Assumption that the machine is initially not infected
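The weighted-flag classifier with a threshold described under "Recognising Potential Threats", together with two of the false-positive countermeasures just listed (combinations of suspicious abilities, and recognition of specific programs), as an added example that is not code from the paper or from TbScan. The flag letters are the TbScan ones listed above; the weights, the threshold, the combination bonus and the "resident format utility" profile are constructed values for illustration.

```python
# Constructed per-flag weights (not TbScan's real values); letters as in the
# flag list above.
FLAG_WEIGHTS = {
    "F": 2, "R": 2, "A": 1, "N": 1, "S": 3, "#": 2, "E": 3, "L": 3,
    "D": 2, "M": 2, "!": 1, "T": 1, "J": 2, "?": 1, "G": 2, "U": 1,
    "Z": 2, "O": 2, "B": 3, "K": 1,
}
# "Definition of combinations of suspicious abilities": memory resident (M)
# plus a search for executables (S) plus suspicious file access (F) is far
# more telling together than the three flags are on their own. Bonus constructed.
COMBINATIONS = [(frozenset("MSF"), 4)]
THRESHOLD = 6  # constructed; a program scoring at or above this is reported
# "Recognition of specific programs": the exact flag profile a known, legitimate
# tool is expected to raise (the resident disk format utility from the text).
KNOWN_PROGRAMS = {"resident format utility": frozenset("DM")}


def score(flags) -> int:
    """Sum the weights of the raised flags plus any combination bonuses."""
    flags = frozenset(flags)
    unknown = flags - set(FLAG_WEIGHTS)
    if unknown:
        raise ValueError("unknown flag(s): " + "".join(sorted(unknown)))
    total = sum(FLAG_WEIGHTS[f] for f in flags)
    total += sum(bonus for combo, bonus in COMBINATIONS if combo <= flags)
    return total


def classify(flags, known=KNOWN_PROGRAMS) -> tuple:
    """Single-layer classifier: (verdict, score) for a program's flag set.

    A program whose flags exactly match a known benign profile is reported as
    such rather than as a virus, which is how a scanner avoids the "false
    suspicion" of the format utility while still telling the truth about it.
    """
    flags = frozenset(flags)
    total = score(flags)
    for name, profile in known.items():
        if flags == profile:
            return ("known benign (%s)" % name, total)
    if total >= THRESHOLD:
        return ("virus suspected", total)
    return ("clean", total)


if __name__ == "__main__":
    for sample in ("D", "DM", "DMSF", "EBJ"):
        print(sample, classify(sample))
```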

Performance of Heuristic Scanning

Heuristics is a relatively new technique and still under development. It is, however, gaining importance rapidly. This is not surprising, as heuristic scanners are able to detect over 90 % of viruses without using any predefined information like signatures or checksum values. The amount of false positives depends on the scanner, but a figure as low as 0.1 % can be reached easily. A false positive test, however, is more difficult to perform, so there are no independent results available.

Pros and Cons

A. Advantages

Can detect future viruses. The user is less dependent on product updates.

B. Disadvantages

False positives are possible. Judgment of the result requires some basic knowledge.


Therefore, artificial intelligence techniques help improve the performance of antivirus software.

This detection-avoiding method makes detection by conventional anti-virus products easier, because it means that the programmer cannot use very tight and straightforward code. The virus writer will be forced to write more complex viruses. Therefore artificial intelligence increases the threat to virus writers.


I hereby thank Ms. Padmapriya for encouraging and helping us with the submission of this paper.