DEVELOPMENT OF AUTOMATED MALWARE DETECTION SYSTEM
Abstract
Research in the field of malware detection usually focuses exclusively on detection methods and ignores how those methods could be implemented in practice. Other works reveal some technical details of implementing or optimizing the process of analysing a malware sample and collecting data on its behaviour. What is needed is to combine the results of experimental system concepts with the implementation options that are actually available. The purpose of this work is to describe the implementation of an automated malware detection system based on the method proposed earlier by the authors, thereby supplementing the results of previous studies and putting the proposed method for detecting and clustering malware into practice. As a result, the technical requirements for the developed malware detection system, which follow from the previously proposed detection and clustering method, are described. A comparison of existing behavioural analysis tools was made and Cuckoo Sandbox was chosen as the most suitable one; its main advantage is its open source code, which made it possible to modify both its client part and its server part. In particular, the list of monitored system functions has been expanded, and for each call the source module and the call context are now determined. An extension implementing the method proposed by the authors has also been developed on top of Cuckoo Sandbox. The article also discusses porting the described system to work with malware samples developed for other platforms. In particular, it is shown that the proposed methods can be adapted to platforms such as .NET or Android, and that the required changes are technical rather than fundamental.
From a practical point of view, the system is a software package for a security specialist: it allows rapid detection of previously unknown threats and, through clustering, identifies the specific threat so that the most appropriate protective measures against it can be applied. In the proposed form, it can be used as part of an enterprise infrastructure to provide anti-virus security.
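The abstract says the authors extended Cuckoo Sandbox so that each hooked API call is attributed to the module that issued it and to its call context. The block below is an added example, not the paper's or Cuckoo's code, of what that post-processing looks like on a sandbox behaviour log: each call's return address (`caller`) is resolved against the process's loaded-module list, calls that originate from memory belonging to no module are flagged (the footprint of an unpacker stub or injected code), and per-(module, API) counts plus per-thread call bigrams are produced as features. The record layout loosely follows Cuckoo's `report.json` (`behavior.processes[].calls[]` and `modules`), but the field names and every address and call in `SAMPLE_PROCESS` are constructed for the example.

```python
"""Attribute hooked API calls in a Cuckoo-style behaviour log to the module
that issued them, and derive simple per-module and per-context features.

Added example, not the paper's code. The record layout mimics Cuckoo Sandbox's
report.json (behavior.processes[].calls[] carrying a 'caller' return address,
plus a per-process 'modules' list); field names are an assumption and all
records below are constructed by hand.
"""
from collections import Counter
from typing import Optional

# Constructed sample: one process, three loaded modules, six hooked calls.
# Addresses are hexadecimal strings, as Cuckoo writes them.
SAMPLE_PROCESS = {
    "pid": 1234,
    "process_name": "sample.exe",
    "modules": [
        {"basename": "sample.exe",   "baseaddr": "0x00400000", "imgsize": 0x00020000},
        {"basename": "kernel32.dll", "baseaddr": "0x7c800000", "imgsize": 0x000f6000},
        {"basename": "ntdll.dll",    "baseaddr": "0x7c900000", "imgsize": 0x000b0000},
    ],
    "calls": [
        {"tid": 100, "api": "CreateFileW",        "caller": "0x00401a2c"},
        {"tid": 100, "api": "WriteFile",          "caller": "0x00401a80"},
        {"tid": 100, "api": "VirtualAlloc",       "caller": "0x00401b10"},
        # Caller lies in no loaded module: code running from a fresh allocation,
        # the typical footprint of an unpacker stub or injected shellcode.
        {"tid": 200, "api": "CreateProcessW",     "caller": "0x00d20044"},
        {"tid": 200, "api": "WriteProcessMemory", "caller": "0x00d20090"},
        # Caller inside kernel32: the hook fired on a nested call made by the
        # Win32 layer itself (CreateFileW -> NtCreateFile), not by the sample.
        {"tid": 100, "api": "NtCreateFile",       "caller": "0x7c801a24"},
    ],
}


def build_module_map(modules):
    """Return [(base, end, name)] sorted by base address for range lookup."""
    ranges = []
    for m in modules:
        base = int(m["baseaddr"], 16)
        ranges.append((base, base + int(m["imgsize"]), m["basename"].lower()))
    return sorted(ranges)


def resolve_module(addr: int, module_map) -> Optional[str]:
    """Name of the module whose image range contains addr, or None."""
    for base, end, name in module_map:
        if base <= addr < end:
            return name
    return None


def attribute_calls(process):
    """Tag each call with its source module.

    Returns a list of (tid, api, source) where source is the module basename,
    or '<unmapped>' for callers outside every loaded module.
    """
    module_map = build_module_map(process["modules"])
    out = []
    for call in process["calls"]:
        src = resolve_module(int(call["caller"], 16), module_map) or "<unmapped>"
        out.append((call["tid"], call["api"], src))
    return out


def call_features(process):
    """Feature counts: (source_module, api) pairs, plus per-thread call bigrams
    (previous api -> api) as a minimal notion of call context."""
    attributed = attribute_calls(process)
    pair_counts = Counter((src, api) for _, api, src in attributed)
    prev_by_tid = {}
    bigrams = Counter()
    for tid, api, _ in attributed:
        if tid in prev_by_tid:
            bigrams[(prev_by_tid[tid], api)] += 1
        prev_by_tid[tid] = api
    return pair_counts, bigrams


def unmapped_callers(process):
    """APIs invoked from memory that belongs to no loaded module."""
    return sorted({api for _, api, src in attribute_calls(process) if src == "<unmapped>"})


if __name__ == "__main__":
    pairs, bigrams = call_features(SAMPLE_PROCESS)
    for (src, api), n in sorted(pairs.items()):
        print(f"{src:14s} {api:20s} {n}")
    print("unmapped callers:", unmapped_callers(SAMPLE_PROCESS))
```

Two points the counts make visible: a plain API histogram would credit the sample with an `NtCreateFile` call that was really issued by `kernel32.dll` on its behalf, and it would not distinguish `CreateProcessW` issued from the main image from the same call issued from an anonymous allocation; resolving the caller address against the module list separates both cases, which is why the source module is worth recording at hook time rather than reconstructing later.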