Analysis of the Effectiveness of a Constructive Induction-Based VirusDetection Prototype

Computer viruses remain a tangible threat to systems both within the Department of Defense and throughout the greater international data communications infrastructure on which the DoD increasingly depends. This threat is exacerbated continually, as new viruses are introduced at an alarming rate by the growing collection of connected machines and their operators. Unfortunately, current antivirus solutions are ill-equipped to address these issues in the long term. This thesis documents an investigation into the use of constructive induction, a form of machine learning, as a supplemental antivirus technique theoretically capable of detecting previously unknown viruses through generalized decision-making techniques. A group of examples derived from common software applications, utilities, and viruses was tested in order to evaluate the benefits of adding constructive induction to the process of selecting suitable virus signatures. A prototype virus detection system subcomponent, DRIVER, was developed to conduct the experiments. Due to the feature-rich content of nontrivial example files and DRIVER's ability to assemble decision trees, results showed marginal benefits--compounded with significantly increased computational resource requirements--in the use of constructive induction. Future research, emphasizing a combination of optimization techniques and test cases increasingly approximating "real world" detection scenarios, should eventually establish whether constructive induction represents a genuinely useful and practical alternative to today's antivirus measures.Air Force Inst of Tech Wright-Patterson AFB OH is the author of 'Analysis of the Effectiveness of a Constructive Induction-Based VirusDetection Prototype', published 2000 under ISBN 9781423536031 and ISBN 1423536037.