Bio-inspired data mining: Treating malware signatures as biosequences
Abstract
The application of machine learning to bioinformatics problems is well established. Less well understood is the application of bioinformatics techniques to machine learning and, in particular, the representation of non-biological data as biosequences. The aim of this paper is to explore the effects of giving amino acid representation to problematic machine learning data and to evaluate the benefits of supplementing traditional machine learning with bioinformatics tools and techniques. The signatures of 60 computer viruses and 60 computer worms were converted into amino acid representations and first multiply aligned separately to identify conserved regions across different families within each class (virus and worm). This was followed by a second alignment of all 120 aligned signatures together so that nonconserved regions were identified prior to input to a number of machine learning techniques. Differences in length between virus and worm signatures after the first alignment were resolved by the second alignment. Our first set of experiments indicates that representing computer malware signatures as amino acid sequences followed by alignment leads to greater classification and prediction accuracy. Our second set of experiments indicates that checking the results of data mining from artificial virus and worm data against known proteins can lead to generalizations being made from the domain of naturally occurring proteins to malware signatures. However, further work is needed to determine the advantages and disadvantages of different representations and sequence alignment methods for handling problematic machine learning data. All data, machine learning and biological tools used in this paper are publicly available and free. Computer malware signatures were downloaded from VX heavens: www.vxheavens.com. The multiple sequence alignment techniques were ClustalW and T-Coffee from EBI: www.ebi.ac.uk/Tools/msa/tcoffee. 
Various data mining functions within Weka (Waikato Environment for Knowledge Analysis) were used for machine learning involving cross-validation, rule extraction and classification: www.cs.waikato.ac.nz/ml/weka. Biological matches of consensuses and meta-signatures were checked through the PRINTS database, available via Motif3D at the University of Manchester (http://www.bioinf.manchester.ac.uk/dbbrowser/motif3d/motif3d.html) and FingerPRINTScan at the EBI (http address above). QUARK and the Protein Data Bank were used for consensus modeling and protein matching: zhanglab.ccmb.med.umich.edu/QUARK/ and www.pdb.org/pdb/home/home.do, respectively. The National Center for Biotechnology Information (NCBI) was used for checking the biological function of matched proteins: ncbi.nlm.nih.gov/. The commercial package SPSS v19 was used for statistical analysis of alignment lengths and accuracy results by t-tests and analysis of variance. Corresponding author: Ajit Narayanan, [email protected]. Tel: +64 9921 9345; Fax: +64 9921 9944
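The abstract's pipeline has two mechanical steps before any machine learning: give each byte signature an amino-acid spelling, then align the sequences so that conserved and nonconserved columns can be read off. The block below is an added example, not code from the paper. The nibble-to-residue table, the match/mismatch/gap scores and the hex byte strings are assumptions constructed for illustration (the page does not state the paper's encoding, and the strings are not real malware signatures). The paper used ClustalW and T-Coffee for progressive multiple alignment; this block substitutes a single pairwise Needleman-Wunsch alignment, which is enough to show what a "conserved region" between two signatures looks like in this representation.

```python
# Added example, not code from the paper: encode hex byte signatures as an
# amino-acid alphabet, align two of them, and read off the conserved columns.
# The nibble-to-residue table, the scoring scheme and the byte strings below
# are assumptions constructed for illustration. The paper used ClustalW and
# T-Coffee for multiple alignment; this block uses pairwise Needleman-Wunsch.
from typing import List, Tuple

# 16 of the 20 standard one-letter amino-acid codes, one per hex nibble
# (assumed mapping; lossless for bytes, but leaves T, V, W, Y unused).
NIBBLE_TO_AA = "ACDEFGHIKLMNPQRS"

MATCH, MISMATCH, GAP = 1, -1, -2  # assumed scoring, not the paper's


def hex_to_aa(hex_sig: str) -> str:
    """Map each hex nibble of a byte signature to one residue letter."""
    clean = hex_sig.replace(" ", "").lower()
    if not clean or len(clean) % 2 or any(c not in "0123456789abcdef" for c in clean):
        raise ValueError("signature must be a non-empty, even-length hex string")
    return "".join(NIBBLE_TO_AA[int(c, 16)] for c in clean)


def needleman_wunsch(a: str, b: str) -> Tuple[str, str, int]:
    """Global alignment of two residue strings: (aligned_a, aligned_b, score)."""
    n, m = len(a), len(b)
    # score[i][j] = best score for aligning a[:i] against b[:j]
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP
    for j in range(1, m + 1):
        score[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            score[i][j] = max(score[i - 1][j - 1] + sub,  # a[i-1] against b[j-1]
                              score[i - 1][j] + GAP,      # gap in b
                              score[i][j - 1] + GAP)      # gap in a
    # Traceback, preferring substitution, then a gap in b, then a gap in a.
    i, j = n, m
    out_a: List[str] = []
    out_b: List[str] = []
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            if score[i][j] == score[i - 1][j - 1] + sub:
                out_a.append(a[i - 1])
                out_b.append(b[j - 1])
                i -= 1
                j -= 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + GAP:
            out_a.append(a[i - 1])
            out_b.append("-")
            i -= 1
        else:
            out_a.append("-")
            out_b.append(b[j - 1])
            j -= 1
    return "".join(reversed(out_a)), "".join(reversed(out_b)), score[n][m]


def consensus(aligned: List[str]) -> str:
    """Column-wise consensus of equal-length aligned strings: the residue where
    every sequence agrees without a gap, '.' where the column is nonconserved."""
    return "".join(col[0] if len(set(col)) == 1 and col[0] != "-" else "."
                   for col in zip(*aligned))


if __name__ == "__main__":
    # Constructed byte strings, not real malware signatures: a shared prefix,
    # one variant that swaps two bytes, one variant that inserts two bytes.
    sig_a = hex_to_aa("e8 00 00 00 00 5d 81 ed")
    sig_b = hex_to_aa("e8 00 00 00 00 5b 81 eb")
    sig_c = hex_to_aa("e8 00 00 00 00 90 90 5d 81 ed")
    for other in (sig_b, sig_c):
        x, y, s = needleman_wunsch(sig_a, other)
        print(x)
        print(y)
        print(consensus([x, y]), "score", s)
        print()
```

Two points the abstract relies on show up directly. First, the substituted bytes become '.' columns in the consensus while the shared bytes stay as literal residues, which is the conserved/nonconserved distinction the paper feeds into Weka. Second, the inserted bytes are absorbed as gap columns rather than shifting everything after them out of register, which is why alignment before mining, and the second alignment that resolves the length differences between the virus and worm sets, matters for fixed-width learners.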
Similar sources
The Effects of Different Representations on Static Structure Analysis of Computer Malware Signatures
The continuous growth of malware presents a problem for internet computing due to increasingly sophisticated techniques for disguising malicious code through mutation and the time required to identify signatures for use by antiviral software systems (AVS). Malware modelling has focused primarily on semantics due to the intended actions and behaviours of viral and worm code. The aim of this pape...
Detection of Malware by using Sequence Alignment Strategy and Data Mining Techniques
Malware is basically malicious software or programs which are a major challenge or major threat for the computer and different computer applications in the field of IT and cyber security. Traditional anti-viral packages and their upgrades are typically released only after the malware's key characteristics have been identified through infection. But by this time it may be too late to protect s...
ELF-Miner: Using Structural Knowledge and Data Mining for Detecting Linux Malicious Executables
Linux malware can pose a significant threat – its (Linux) penetration is exponentially increasing – because little is known or understood about its vulnerabilities. We believe that now is the right time to devise non-signature based zero-day (previously unknown) malware detection strategies before Linux intruders take us by surprise. Therefore, in this paper, we first do a forensic analysis of ...
Detecting Trojans Using Data Mining Techniques
A trojan horse is a program that surreptitiously performs its operation under the guise of a legitimate program. Traditional approaches using signatures to detect these programs pose little danger to new and unseen samples whose signatures are not available. The focus of malware research is shifting from using signature patterns to identifying the malicious behavior displayed by these malwares....
Mining Malware Specifications through Static Reachability Analysis
The number of malicious software (malware) is growing out of control. Syntactic signature based detection cannot cope with such growth and manual construction of malware signature databases needs to be replaced by computer learning based approaches. Currently, a single modern signature capturing the semantics of a malicious behavior can be used to replace an arbitrarily large number of old-fash...
Journal: CoRR
Volume: abs/1302.3668
Publication date: 2013