RU2615317C1 - Method for detection of malicious software codes in network data traffic, including exposed to combination of polymorphic transformations - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: method in which ordered memory containing recorded traffic is separated to series of equal volume blocks of predetermined length; traffic image is formed in-memory, allocating an ordered set of cells with number of cells equal to number of blocks; in each of traffic blocks states of all memory cells included in the analyzed block is compared, the number of unique states of cells is defined in each block; values corresponding to the number of unique states of cells in i-th blocks of analyzed traffic is recorded in i-th image cells; degree of similarity of all subsets of consecutive cells of image generated with all standards is determined selecting such subsets of length equal to the length of at least one of the standards, and calculating the value of the degree of similarity of fragments of image generated with malicious software standards.

EFFECT: increased completeness of detection of malicious software, including exposed to polymorphic transformations.

2 dwg

Description

The invention relates to the field of protection of computers, their components, programs and data from unauthorized activity, and in particular to methods for detecting codes of malicious computer programs (VKP), including those subjected to polymorphic transformations, and is intended for use in the field of detecting traffic containing executable polymorphic codes VKP in data transmission networks.

Currently, there has been a sharp increase in the number of computer threats, which may include various VKP programs (for example, network worms, computer viruses, trojans), as well as attacks by cybercriminals. One of the types of intrusion detection systems is a signature-based VKP code detection system designed to intercept network traffic entering a computer system or network, analyze the traffic information load for threat signatures, and move suspicious traffic to a secure storage. In this case, the information load of network traffic is understood as the stream of user data transmitted over the network between hosts received after the assembly of packets of various underlying layers of the OSI model (channel, network, transport, etc.). In the process of detecting threats in the information load, the method of signature analysis is usually checked (the identity of the sections of the analyzed traffic to the reference code samples of known computer threats).

There are various methods of signature-based detection of malicious computer codes in data network traffic. Such methods will undoubtedly increase the number of detections of traffic containing BCP codes. There is a method (patents US 2004190506 A1, EP 2393030 A2) for detecting traffic containing patterns specific to VKP codes, where bit signatures of sections of the VKP executable code are used as patterns. Recently, VKP developers have been making significant efforts to hide executable VKP codes from signature search systems, including through the use of various polymorphic transformations. The disadvantage of the proposed method of signature detection is the low completeness of detection due to the inability to detect traffic containing sections of the executable code of the CPSU, subjected to various polymorphic transformations.

A number of patent publications describe approaches to detecting polymorphic VKP codes. The closest analogue (prototype) to the invention is the method (patent US 5442699A) for detecting in the analyzed bit sequences sections that are identical to the bit signatures of the VKP executable codes, where the reduced images of the bit signatures of the VKP executable codes act as templates. Moreover, each of the images is an invariant with respect to one of the following types of polymorphic transformations - additive addition (ADD), “Exclusive OR” (XOR), cyclic bit shift - that is, it remains unchanged for any valid keys of the selected transformation. The disadvantage of this method is the inability to build a template for a given section of the source code of malware that is invariant to arbitrary combinations of polymorphic transformations implemented by the method of additive addition (ADD) with a single-byte gamma, the method of "Exclusive OR with single-byte gamma" (XOR), the way to easily replace bytes , by a simple way of rearranging bytes on a window of a given length. The consequence of this is the low (less than 10%) completeness of detection of VKP codes subjected to combinations of these polymorphic transformations.

The objective of the invention is to provide a method for detecting malicious computer codes in traffic of a data network, including subjected to combinations of polymorphic transformations, which allows to increase the completeness of detection of VKP codes, which is caused by the use of reduced patterns of characteristic sections of VKP code as standards, corresponding to characteristic sections of the VKP code invariant under the influence of arbitrary combinations of polymorphic transformations realized by additive complex methods single-byte gamma (ADD), Exclusive OR with single-byte gamma (XOR), simple byte replacement, simple byte permutation on a window of a given length.

This problem is solved in that the set of previously known methods for detecting malicious computer codes in data traffic of a data network, including those subjected to combinations of polymorphic transformations implemented in the anti-virus protection system, is supplemented according to the invention in that ordered memory cells containing the registered traffic are divided into consecutive, equal size blocks of a given length; form a traffic image in the RAM, highlighting an ordered set of cells, with the number of cells equal to the number of blocks, and writing zero values to the selected cells; in each of the traffic blocks, the states of all memory cells included in the analyzed block are compared, determining the number of unique cell states in each block; in the i-th cell of the image write the values corresponding to the number of unique states of the cells in the i-th blocks of the analyzed traffic; determine the degree of similarity of all subsets of consecutive cells of the formed image with all the standards, choosing such subsets whose length is equal to the length of at least one of the standards, and calculating the value of the degree of similarity by finding the normalized Euclidean distance between the cell vectors of values; comparing the resulting values of the degree of similarity with the threshold values set for each of the standards; having found a portion of the traffic image whose degree of similarity with any standard does not exceed a predetermined threshold value, stop the analysis of the traffic image, send a signal to the system user about the detection of traffic containing a portion similar to the standard of the code of malicious computer programs, and transfer the suspicious traffic to the cells protected storage memory.

The listed new set of essential features allows us to obtain a technical result, which is expressed in increasing the completeness of detection of VKP codes, including those subjected to polymorphic transformations, by reducing the timeliness achieved by supplementing the set of detection methods for the anti-virus protection system with the proposed method for detecting sections of the analyzed traffic, reduced images of which to a certain degree are similar to the reference patterns of VKP codes invariant to the action of arbitrary combinations of the specified polymorphic transformations.

The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features that are identical to all the features of the claimed technical solution are absent, which indicates compliance of the invention with the condition of patentability “novelty”.

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention, the transformations on the achievement of the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The inventive method is illustrated by drawings in which are shown:

FIG. 1 is a schematic diagram of an anti-virus protection system that analyzes traffic entering a computing device from a data network;

FIG. 2 is a flowchart of a proposed traffic detection method comprising BCP codes.

The proposed method for detecting malicious computer codes in data network traffic, including those subjected to combinations of polymorphic transformations, complements the known detection methods implemented in the anti-virus protection system, the circuit diagram of which is shown in Figure 1, includes the following steps, presented in block form diagrams of the algorithm in FIG. 2:

1) vector vectors, coefficients of the elements of the standards corresponding to the standards, threshold values are extracted from the database of the anti-virus system located in the RAM of the computing device. In the selected physical RAM cells, logically organized by the memory controller into vectors with lengths equal to the lengths of the reference vectors, the electromagnetic characteristics of the successive cells are set to values that are unambiguously comparable with the values of the elements of the reference vectors;

2) for each sequence of equal-sized blocks that make up the portion of the analyzed traffic located in the RAM, with the number of blocks equal to the number of elements in the vector reference and the block length equal to the length of the block used in the generation of the reference vector, a reduced image is formed:

a) in the selected physical RAM cells, logically organized by the memory controller into vectors with lengths equal to the lengths of the reference vectors, the electromagnetic characteristics of the successive cells are set to values that are unambiguously comparable with the number of mutually unique characters in the corresponding analyzed block of the analyzed traffic section;

3) measure the degree of similarity of the formed reduced image with the standard:

a) sequentially measure the difference in the electromagnetic characteristics of the RAM cells containing the reference vector and the corresponding sequential RAM cells containing the analyzed reduced image;

b) calculate the square root of the sum of the ratios of the squares of the measured differences to the corresponding coefficients of the elements of the standard by the formula

where i is the serial number, E _i is the value of the element of the reference vector, P _i is the value of the element of the reduced image, D _i is the coefficient of the element of the reference vector (equal to the variance squared of the element of the reference vector);

c) if the threshold value exceeds the number R, a decision is made to detect a traffic section similar to the standard characteristic of the BCP code section;

4) when a section similar to the VKP code is detected in the analyzed traffic, a signal containing information about the detection of a traffic section similar to the standard and its characteristics is sent to the video adapter of the computer system, and then all traffic registered in the main memory is moved out of the reach of the user and processes of the operating system, with the exception of the processes of the anti-virus system, protected storage located outside the RAM of the computing device.

To confirm the attainability of the technical result, an experiment was performed to detect codes of malicious computer programs in the traffic of a data network, including those subjected to combinations of polymorphic transformations. The algorithms of the methods described in the patent prototype, as well as the proposed method are implemented in the format of the dynamic prototype libraries of the anti-virus protection system. An experimental verification of the proposed method was performed on a test bench implemented on the basis of computing devices represented by identical IBM-compatible computers with Intel Core 17 3.6 GHz processor, 4 GB RAM, 512 GB HDD. The data transmission network includes 2 computing devices of identical configuration, the first device runs a prototype anti-virus protection system using developed detectors. The second device is responsible for broadcasting files over a data network. The data network traffic entering the input of the computing device is processed by the network driver and recorded in the RAM of the computing device, and then analyzed by the prototype anti-virus system.

The Windows class of executable files (exe extension, Portable Executable format) was selected as the detected class of files. As the reference code sequence, characteristic for this class of files, the line “This program cannot be run in DOS mode” in ANSI encoding, which is typical for executable files, is selected. This line is used to build standards in the ways described in the patent prototype. When creating a standard for detecting by the proposed method, for the first 1000 bytes of each of the 100 analyzed executable files, a uniqueness image was created with the size of the window for calculating uniqueness statistics equal to 25 and the number of elements equal to 40. The mathematical expectations of the values of the corresponding elements in the sample of images analyzed were set as values of the elements of the reference image files. As the coefficients of the elements of the reference image, variances of the values of the corresponding elements in the sample of images of the analyzed files are used. The detector threshold is set to 12. The traffic sample for analysis was obtained by simulation based on the initial sample consisting of 100 previously analyzed executable files, supplemented by 100 other unique executable files, as well as 800 arbitrary unexecutable files from the workstation (Microsoft Office Word 2003 file formats , 2010, jpeg, png, bmp images, audio files mp3, wav, etc.).

The source code of each sample file is subjected to the following polymorphic transformations: simple replacement of bytes with a single-byte gamma, “Exclusive OR with single-byte gamma”, simple rearrangement of bytes on window 5. Also, the source code of each sample file is subjected to all possible combinations of two (6 combinations) or three (27 combinations) of these polymorphic transformations applied sequentially. When each of the polymorphic transformations is performed, the transform key is chosen arbitrarily, with equal probability, from the set of keys valid for the transform. As a result, 36 converted files were received from each sample file, in total N = 36000 files, of which N _E = 7200 converted executable files, N _O = 28800 converted non-executable files, the total sample size was about 3.6 GB.

A data transfer network, controlled by an anti-virus protection system that implements the detection methods described in the prototype patent, transmitted a sample of N converted files. As a result of the analysis, the system correctly detected 513 files that are converted executable files of the PE format, and also mistakenly detected 11 files that are not converted executable files of the PE format. The analysis took 44 seconds. After that, the set of methods for detecting the anti-virus protection system is supplemented by the proposed detection method. A data network controlled by the anti-virus protection system retransmitted a sample of N converted files. As a result of the analysis, the system correctly detected 2249 files that are converted executable files of the PE format, and also mistakenly detected 53 files that are not converted executable files of the PE format. Analysis took 62 seconds.

Thus, as a result of expanding the capabilities of the anti-virus protection system due to the proposed method for detecting converted files and reducing the timeliness (1.4 times), the completeness (from 7.1% to 31%) has been successfully increased reliability (from 81.3% to 86, 1%) detection of codes subjected to polymorphic transformations, where the completeness of detection is calculated by the formula

and the reliability of detection is calculated by the formula

which confirms the achievement of the claimed technical result. At the same time, the presented characteristics of reliability and completeness of detection may have different values in the case of analysis of other file formats, selection of other reference sequences in files, selection of different variances of elements of the reference image and decision threshold, due to the probabilistic nature of the proposed detection method.

Claims (1)

A method for detecting malicious computer program codes in data network traffic, including those subjected to combinations of polymorphic transformations, which consists in writing byte arrays of patterns extracted from the database that correspond to the executable codes of malicious computer programs to memory cells of a computing device; the registered traffic signals are digitized, the assembly of the session packets is performed and the information load is extracted from them, the bytes of the traffic information load are recorded in the ordered cells of the RAM of the computing device; in the allocated memory cells of the computing device form the image of the analyzed traffic; determine the degree of similarity of the sections of the generated traffic image with the standards; upon detection of a portion of the image, to a certain extent similar to the standard, they send a message to the system user about the detection of potentially dangerous traffic and move the registered traffic to the memory cells of the secure storage; characterized in that the ordered memory cells containing the registered traffic are divided into consecutive, equal size blocks of a given length; form a traffic image in the RAM, highlighting an ordered set of cells, with the number of cells equal to the number of blocks, and writing zero values to the selected cells; in each of the traffic blocks, the states of all memory cells included in the analyzed block are compared, determining the number of unique cell states in each block; in the i-th cell of the image write the values corresponding to the number of unique states of the cells in the i-th blocks of the analyzed traffic; determine the degree of similarity of all subsets of consecutive cells of the formed image with all the standards, choosing such subsets whose length is equal to the length of at least one of the standards, and calculating the value of the degree of similarity by finding the normalized Euclidean distance between the cell vectors of values; comparing the resulting values of the degree of similarity with the threshold values set for each of the standards; having found a portion of the traffic image whose degree of similarity with any standard does not exceed a predetermined threshold value, stop the analysis of the traffic image, send a signal to the system user about the detection of traffic containing a portion similar to the standard of the code of malicious computer programs, and transfer the suspicious traffic to the cells protected storage memory.

Images