INFORMATION TECHNOLOGY FOR DETECTING METAMORPHIC VIRUSES BASED ON THE ANALYSIS OF THE BEHAVIOR OF APPLICATIONS IN THE CORPORATE NETWORK
DOI: https://doi.org/10.31891/CSIT-2020-1-8
Keywords: metamorphic virus, mutation, equivalent functional blocks
Abstract
The problem of cybercrime is one of the greatest threats to the modern information world. Among the wide range of malware types, the leading place is occupied by viral programs that mutate their own software code, i.e. polymorphic and metamorphic viruses. By transforming its own code, the malware aims to make each new infection differ from the previous one in syntax, though not in semantics. According to a study conducted by Webroot in 2018, about 94% of all malware performs mutations of its software code. In addition, the prevalence of mutating software is aggravated by the free availability of metamorphic generators, which allow a metamorphic component to be imported into malware. Therefore, the relevance of developing new methods and information technologies focused on the detection of polymorphic and metamorphic software leaves no doubt. The paper proposes an information technology for detecting metamorphic viruses based on the analysis of the behavior of applications in the corporate network. The detection process is based on the analysis of API calls that describe the potentially dangerous behavior of a software application. Once suspicious behavior of the application has been established, the disassembled code of the functional blocks of the suspicious application is compared with the code of the functional blocks of its modified version. Modified emulators are installed on network hosts to create the modified version of the software application. To increase the overall efficiency of metamorphic virus detection, the information technology searches for a match between the functional blocks of the metamorphic virus and those of its modified version. A fuzzy inference system is used to form a conclusion about the similarity of a suspicious program to a metamorphic virus.
Where harmful behavior is manifested insufficiently, other network hosts are involved in order to increase the reliability of metamorphic virus detection.
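The abstract describes three steps: scoring observed API calls, comparing the disassembled functional blocks of a suspicious application with those of its mutated copy, and combining both through fuzzy inference. The following is an added example, not code from the paper, that sketches those steps; the suspicious-API list, the mnemonic-only comparison via difflib's ratio, the three-rule fuzzy model with its 0.3/0.9 membership breakpoints and the 0.7/0.4 decision thresholds are all assumptions of the example.

```python
from difflib import SequenceMatcher

# Constructed (hypothetical) list of API calls treated as potentially dangerous.
SUSPICIOUS_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "SetWindowsHookExA", "RegSetValueExA"}

def api_suspicion(calls):
    """Share of observed API calls that fall in the suspicious set, in [0, 1]."""
    return sum(c in SUSPICIOUS_APIS for c in calls) / len(calls) if calls else 0.0

def mnemonics(block):
    """Reduce a disassembled block to its mnemonics, so register renaming and
    other operand-level mutations no longer hide the instruction sequence."""
    return [line.split()[0].lower() for line in block if line.strip()]

def block_similarity(block_a, block_b):
    """Similarity in [0, 1] of two functional blocks (2 * matches / total length)."""
    return SequenceMatcher(None, mnemonics(block_a), mnemonics(block_b)).ratio()

def high(x):
    """Fuzzy membership 'high': 0 below 0.3, 1 above 0.9, linear in between."""
    return min(1.0, max(0.0, (x - 0.3) / 0.6))

def fuzzy_score(similarity, suspicion):
    """Zero-order Sugeno inference over three rules; returns a crisp score in [0, 1]."""
    sim_hi, sus_hi = high(similarity), high(suspicion)
    rules = [  # (firing strength, rule output)
        (min(sim_hi, sus_hi), 1.0),      # similar blocks AND dangerous calls -> metamorphic
        (min(sim_hi, 1 - sus_hi), 0.5),  # similar blocks, little bad behaviour -> inconclusive
        (1 - sim_hi, 0.0),               # mutated copy does not match -> benign
    ]
    total = sum(w for w, _ in rules)
    return sum(w * out for w, out in rules) / total if total else 0.0

def verdict(similarity, suspicion):
    """Map the crisp score to the three outcomes the abstract describes."""
    score = fuzzy_score(similarity, suspicion)
    if score >= 0.7:
        return "metamorphic"
    if score >= 0.4:
        return "inconclusive: involve other hosts"
    return "benign"

# Constructed sample: a block and its mutated copy (registers renamed, junk nop inserted).
ORIGINAL = ["mov eax, [ebp+8]", "xor ecx, ecx", "add eax, ecx",
            "push eax", "call 0x401000", "ret"]
MUTATED = ["mov ebx, [ebp+8]", "nop", "xor edx, edx", "add ebx, edx",
           "push ebx", "call 0x401000", "ret"]
OBSERVED_CALLS = ["CreateFileA", "VirtualAllocEx", "WriteProcessMemory",
                  "CreateRemoteThread", "CloseHandle"]

if __name__ == "__main__":
    sim, sus = block_similarity(ORIGINAL, MUTATED), api_suspicion(OBSERVED_CALLS)
    print(f"similarity={sim:.2f} suspicion={sus:.2f} -> {verdict(sim, sus)}")
```

With the constructed sample the two blocks match on 6 of 13 mnemonics in total (ratio 12/13) and 3 of 5 calls are suspicious, which the rules combine into a score of 0.75; the same blocks with only one suspicious call score 0.5 and fall into the "involve other hosts" outcome.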