Researches on process algebra based rootkits-immune mechanism

2015 
We present a novel mechanism for detecting unknown rootkits and immunizing against known rootkits, in order to protect the computer from rootkit infection. Inspired by the human immune system, our mechanism adopts the humoral immunity mechanism to detect and defend against tough rootkits. First, the features of processes are analyzed, the features of known rootkits are extracted, and process algebra is applied to formally represent objects such as self-antigens, pathogens, antibodies, etc. Then, the known rootkits are used for training to generate relevant antibodies that can recognize non-self antigens. Meanwhile, the rejection reaction of humoral immunity is used to detect unknown rootkits and generate specific antibodies. Last, both known and unknown rootkits can be killed once detected. Based on this mechanism, a prototype system is implemented, and experimental results indicate that the mechanism achieves a higher detection ratio and a lower false ratio.