Scientific Journal

Herald of Advanced Information Technology

MODELS AND METHODS FOR DIAGNOSING ZERO-DAY THREATS IN CYBERSPACE
Abstract:

The article is devoted to the development of models and methods for detecting Zero-Day threats in cyberspace, in order to improve the efficiency of detecting high-level malicious complexes that use polymorphic mutators. A method for detecting samples with antivirus solutions using a public and a local multiscanner is proposed. A method for diagnosing polymorphic malware using Yara rules is developed. A multicomponent service that allows a free malware analysis solution to be organized with a hybrid deployment architecture in public and private clouds is described. A cloud service for detecting malware based on open-source sandboxes and MAS is designed; it allows horizontal scalability in hybrid clouds and shows high capacity when processing malicious and non-malicious objects. The main task of the service is to collect artifacts after dynamic and static object analysis in order to detect zero-day threats. The effectiveness of the proposed solutions is shown. The scientific novelty and originality consist in the creation of the following methods: 1) detecting the sample by preinstalled antivirus solutions, which allows static scanning in separate threads without request restrictions, increasing the malware processing speed and restricting public access to confidential files; 2) diagnosing polymorphic malware using Yara rules, which allows detecting new modifications that are not detected by available solutions. The proposed hybrid system architecture makes it possible to perform a retrospective search by families, track changes in destructive components, collect a database of malicious URLs to block traffic to C&C servers, collect dropped and downloaded files, analyze phishing email attachments, integrate with SIEM, IDS, IPS, antiphishing and Honeypot systems, improve the quality of SOC analysts' work, decrease incident response times and block new threats that are not detected by available antivirus solutions. The practical significance of the results lies in the development of a cloud service that combines the MAS Sandbox and a modified distributed Cuckoo sandbox, which allows responding to Zero-Day threats quickly, storing a knowledge base for artifact correlation between polymorphic malware samples, actively searching for new malware samples, and integrating with cyber protection hardware and software systems that support the Cuckoo API.
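As an added illustration of the first method in the abstract (static scanning by preinstalled engines in separate threads, with confidential samples kept away from the public multiscanner), the following Python sketch shows the orchestration pattern. It is not code from the article or its service: the two stand-in engines (a SHA-256 blocklist and a byte-pattern matcher), the sample bytes, the engine names and the `public` flag are all constructed assumptions for the demonstration.

```python
"""Local multiscanner orchestrator: run several scan engines on one sample
in parallel threads, enforce a confidentiality gate, and aggregate verdicts.
Added illustration; engines and samples below are constructed stand-ins."""
import hashlib
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# An engine takes raw sample bytes and returns a detection name, or None if clean.
Engine = Callable[[bytes], Optional[str]]


@dataclass
class Scanner:
    name: str
    scan: Engine
    public: bool = False  # True when the engine ships the sample to a third party


@dataclass
class ScanResult:
    engine: str
    verdict: Optional[str]        # detection name, or None when nothing was flagged
    error: Optional[str] = None   # set when the engine timed out or raised


def make_hash_engine(blocklist: Set[str]) -> Engine:
    """Stand-in engine: flags samples whose SHA-256 is on a known-bad list."""
    def scan(sample: bytes) -> Optional[str]:
        digest = hashlib.sha256(sample).hexdigest()
        return f"Known.Hash.{digest[:8]}" if digest in blocklist else None
    return scan


def make_pattern_engine(patterns: Dict[str, bytes]) -> Engine:
    """Stand-in engine: flags samples containing any listed byte string
    (a toy substitute for static signature scanning)."""
    def scan(sample: bytes) -> Optional[str]:
        for name, needle in patterns.items():
            if needle in sample:
                return name
        return None
    return scan


def scan_sample(sample: bytes, scanners: List[Scanner], confidential: bool,
                timeout: float = 5.0) -> Dict[str, ScanResult]:
    """Fan the sample out to every permitted engine in its own thread.

    Policy gate: a confidential sample is never handed to a public engine,
    so the public multiscanner simply does not appear in the results."""
    allowed = [s for s in scanners if not (confidential and s.public)]
    results: Dict[str, ScanResult] = {}
    if not allowed:
        return results
    with ThreadPoolExecutor(max_workers=len(allowed)) as pool:
        futures = {s.name: pool.submit(s.scan, sample) for s in allowed}
        for name, fut in futures.items():
            try:
                results[name] = ScanResult(name, fut.result(timeout=timeout))
            except FutureTimeout:
                results[name] = ScanResult(name, None, error="timeout")
            except Exception as exc:  # one misbehaving engine must not sink the scan
                results[name] = ScanResult(name, None, error=repr(exc))
    return results


def detection_ratio(results: Dict[str, ScanResult]) -> Tuple[int, int]:
    """(engines that flagged the sample, engines that produced a result)."""
    detected = sum(1 for r in results.values() if r.verdict is not None)
    return detected, len(results)


# --- constructed demo data (not real malware) ---------------------------------
SAMPLE_BAD = b"MZ\x90\x00" + b"CONSTRUCTED-MARKER-A" + b"\x00" * 16
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 32
BLOCKLIST = {hashlib.sha256(SAMPLE_BAD).hexdigest()}

SCANNERS = [
    Scanner("local-hash", make_hash_engine(BLOCKLIST)),
    Scanner("local-pattern", make_pattern_engine({"Test.MarkerA": b"CONSTRUCTED-MARKER-A"})),
    # Stand-in for a remote public multiscanner API; it knows no patterns here.
    Scanner("public-multiscanner", make_pattern_engine({}), public=True),
]

if __name__ == "__main__":
    for label, sample, conf in (("bad/shareable", SAMPLE_BAD, False),
                                ("bad/confidential", SAMPLE_BAD, True),
                                ("clean/shareable", SAMPLE_CLEAN, False)):
        res = scan_sample(sample, SCANNERS, confidential=conf)
        print(label, detection_ratio(res), {k: v.verdict for k, v in res.items()})
```

The gate is deliberately applied before submission rather than inside the engine: the decision of whether a file may leave the private cloud is a policy concern of the orchestrator, and the aggregated ratio is computed only over engines that actually ran, so a withheld public engine does not show up as a false "clean".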

DOI: https://doi.org/10.15276/hait.02.2021.5
© Odessa National Polytechnic University, 2018.