DEVELOPMENT OF AUTOMATED MALWARE DETECTION SYSTEM
Abstract
When researching in the field of malware detection, authors often focus exclusively on detection methods, ignoring how these methods could practically be implemented. On the other hand, there are works that reveal some technical details of the implementation or optimization of the process of analyzing a malware sample and collecting data on its operation. However, it is necessary to combine the results of the concepts of experimental systems with the implementation possibilities that are available. The purpose of this work is to describe the implementation of an automated malware detection system based on the method proposed earlier by the authors, thus supplementing the results of previous studies and putting into practice the proposed method for detecting and clustering malware. As a result, the technical requirements for the developed malware detection system are described, following from the previously proposed method of detection and clustering. A comparison of existing behavioral analysis tools was made, and Cuckoo Sandbox was chosen as the most suitable one; its main advantage is its open source code, which made it possible to refine both its client part and its server part. In particular, the list of monitored system functions has been expanded, and for each call the source module and the call context are determined. Also, based on Cuckoo Sandbox, an extension has been developed that implements the method proposed by the authors. The article also reveals the possibility of porting the described system to work with malware samples developed for various platforms. In particular, it is shown that the proposed methods can be adapted to platforms such as .NET or Android, while the required improvements are technical, not fundamental.
From a practical point of view, the system is a software package for a security specialist and allows for the rapid detection of previously unknown threats and, at the same time, through clustering, the identification of a specific threat in order to implement the most appropriate protection measures against it. In the proposed form, it can be used as part of the enterprise infrastructure to ensure anti-virus security.