RU22718U1 - DEVICE FOR IMPLEMENTATION AND MODELING OF COMPUTER VIRUS OF MUTANT - Google Patents

Abstract

A device for implementing and modeling a computer mutant virus, characterized in that it contains an event occurrence check unit, a sanction check unit, a mutation unit, a task switching unit, a permission input, a sanction input, a first task input, a second task input, a first event input, an input the second event, the input of the third event, the input of the fourth event, the output of the sanction request, the output of the virus, while the first input of the event occurrence check block is the input of the first event, the second input of the event occurrence check block Tia is the input of the second event, the third input of the event occurrence verification unit is the permission input, the second input of the presence of the sanction verification unit is the sanction input, the first information input of the task switching unit is the input of the first task, the second information input of the task switching unit is the input of the second task, the first input the mutation block is the input of the third event, the second input of the mutation block is the input of the fourth event, the output of the mutation block is connected to the third input of the presence check block ii, the output of the event occurrence verification unit is connected to the first input of the sanction availability verification unit and is the output of the sanction request, the output of the sanction presence verification unit is connected to the control input of the task switching unit, the output of which is the output of the virus.

Description

Utility Model Description

Device for the implementation and modeling of a mutant commuteri virus

Brief introduction.

1). Currently, the most widely used is the software implementation of computer viruses. However, a number of researchers, for example, 15 p. 76, pointed to the possibility of the existence of hardware viruses, for example, in the form of a permanent storage device for the initial loading of a computer of an electronic computer (computer). The proposed utility model is a hardware implementation of a computer virus of the mutant type “Trojan koi in the form of a device.

In the future, we will assume that one of the possible varieties of the mutant virus of the type “Trojan horse, which is not malicious, implements the operation algorithm presented in (Fig. 8).

2). The current Criminal Code of the Russian Federation (Criminal Code of the Russian Federation) contains a whole 28 chapter related to computer crimes (Presidential Decree of June 13, 1996 No. 63-FZ. Criminal Code of the Russian Federation was introduced from 1.1.1997). Crime under Article 273 of the Criminal Code

IPC G 09 at 23/02

(Creation, use and distribution of malware (malware) for computers), the most dangerous of those contained in chapter 28 of the Criminal Code, which is reflected in the punishment for it. In Art. 273 part 1 of the Criminal Code of the Russian Federation states that the creation of computer programs or changes to existing programs that obviously lead to the unauthorized destruction, blocking, modification or copying of information, disruption of the operation of the computer, the computer system or their network, as well as the use or distribution of such programs or machine carriers with such programs are punishable by deprivation of liberty for a term of up to three years with a fine in the amount of two hundred to five hundred minimum wages or in the amount of wages or other income convicted for a period of two to five months. Here are two important points: unauthorized actions and harmfulness.

The proposed utility model is not malicious (at least the author does not know anything about the fact that it is malicious and all his studies say that it is not harmful), so in the proposed utility model all its actions are strictly authorized by the user, from which permission must be obtained the operation of the virus (utility model} and the sanction for the actions taken. More detailed technical and legal

analysis can be found in the author’s works, for example, 14.27 and, in particular, in joint work with legal colleagues 28.

The issue of harmfulness was already considered by ROSPATENT with a positive decision to issue certificates 22,23D4,25,26 of the Russian Federation to computer viruses in the form of a program. We especially note the viruses MIF-X-02 - Self-modifying virus MUT-MIF-IKS-02, which changes its descriptor 25 and MIF-X-03 of the type "Trojan koi 26, which are a software implementation for the hardware virus mutant MIF-X-58, the proposed device. Note that in the technique it is customary to assign known identifiers to known viruses, so that it would be possible to somehow distinguish viruses from each other. For this, unique labels (identifiers) were invented, for example, MIF-X-02, MIF-X-03, MIF-X-58, etc. for viruses. These labels do not carry any meaning, they are simply unique names of viruses.

3) .Since the proposed utility model is not malicious and allows you to solve the problem of simulation of a computer virus of a mutant of the Trojan horse type and as a result, to obtain the technical result necessary to develop effective means of protection from malicious viruses, it’s impossible

recognize the claimed device, contrary to morality or public order, etc.

The utility model relates to the field of scientific and mathematical modeling devices in mathematics for studying and building mobile agents (robots) that search for information, for example, on the Internet, as well as for studying the behavior of highly intelligent computer viruses of mutants that destroy, for example, factual data and the computing systems themselves in order to build highly reliable antivirus software and hardware protection tools, for example, for the Internet or for automated factual and information retrieval systems (AFIPS).

The MIF-X-58 device can be used where the developer needs to provide prompt and effective study of the behavior of computer viruses with damaging effects on computer systems and factual data, for example, on the Internet or AFIPS to select and develop protection tools and counteract mutant viruses.

The MIF-X-58 device is MALICIOUS as: 1). Introducing the MIF-X-58 into the infected device (by connecting its inputs and outputs (Fig. 23)) at a known, modern level

The development of technology cannot be brought about by the proposed MIF-X-58 device itself (in the case of programs, this is sometimes possible) and is performed only by the user himself, and therefore, with his permission and permission to introduce (infect) the selected device.

2), it does not lead to unauthorized destruction, blocking, modification or copying of information, disruption of the operation of the computer, the computer system or their network, etc .; 3). It was not made operational for any computer (known to the auto-applicant);

4). It was used for the personal needs of the author-applicant in order to study the behavior of various highly intelligent computer viruses of mutants; 5). The proposed device is not a program; Note that if confirmation is not received (sanction) from the user, the MIF-X-58 mutant virus does not perform any unauthorized actions, for example, modification or copying of information.

The analysis of available publications showed that for the proposed device in the field of technology there are no analogues, i.e. means (devices) of the same purpose 21 p.53 - for scientific and

mathematical modeling in mathematics of a computer virus mutant of the type “Trojan horse.

As a result, not a single tool (device) was discovered specifically for modeling and for the computer virus of the mutant of the type “Troyaisk koi. Despite this, we will nevertheless give known means (devices) that are close in design or other solutions, or close in purpose.

Only 7 sources were found in the database (DB) on CD-ROM disks with a description of 5 methods and 3 devices dedicated to computer viruses and related, for example, to protect or detect viruses, when recording, transmitting or duplicating data:} ZAYAEKA: RU No. 94024365 A1 cl. IPC G 11 V 7/00 (recording method and protection) - database 1996;

2} LATENT: RU .№2137185 C1 cl. IPC G 06 F 12/14, 12/16; Publ. 05/10/1991 (method of protection against viruses) - database 1999; B}. APPLICATION: RU No. 98114938 A cl. IPC N 04 L 12/56, G 06 F 15/16 (data transmission method) - database 2000;

4), APPLICATION: RU No. 99106780 A cl. IPC G 06 F 12/16 (method for detecting and removing viruses - DB 2001;

5), APPLICATION: RU No. 93035551 A cl. IPC G 06 F 12/14; Publ. 30.11.1994 (computer protection device against unauthorized access) 1994 database;

6) LATENT: RU No. 2170494 C2 class. IPC H 04 L 12/56, G 06 F 15/16; Publ. 05/10/2000 (method and microcomputer system for automatic safe and direct data transfer) - database 2001; 1}. PATENT: RU No. 2155373 C2 class. IPC G 06 F 11/14, 15/16; Publ. 27.08.2000 (computer backup system operating with open files) - database 2000;

Each of these 7 methods and devices does not allow the input of input data (its transfer to the device) for modeling: input of permission, input of sanction, input of the first task, input of the second task, input of the first event, input of the second event, input of the third event, input of the fourth events, as well as execute the conclusion of the sanction request and the results of the virus and does not allow checking whether the virus has permission to work, the occurrence of a given event and the presence of the virus sanction for switching tasks, and does not allow switching for dachas, does not allow mutation, and as a result of this does not allow simulation of a computer virus mutant of the type “Trojan horse. Closer to the MIF-X-58 virus are the following devices.

.; g // LX5 / (/ 7

A utility model 1 is known for a RG-information system simulating an algorithm for the occurrence and development of diseases of non-infectious nature, which is a device containing a control unit, a display unit, computer-based data processing and storage units: an organism norm state unit, a condition formation unit for the assimilation and maintenance of the disease information essence , a block of the information stage (essence) of a disease, three blocks of disease factors, a block of a pre-disease stage and a block of an emerging disease.

This device allows you to solve only one very insignificant part of the task, namely - to simulate the occurrence and development of diseases of non-infectious nature inherently close to imitation modeling.

This device does not allow the input of input data (its transfer to the device) for modeling: input is allowed, input sanction, enter the first task, enter the second task, enter the first event, enter the second event, enter the third event, enter the fourth event, and also execute the output of the sanction request and the results of the virus’s operation and does not allow checking the availability of the virus’s work permit, the occurrence of a given event and the presence of the virus’s sanction to commute tasks, does not allow commutation

tasks, does not allow the mutation, and as a result of this does not allow simulation of a computer virus mutant of the type “Trojan horse.

Also known is a demo device according to statistics 2, comprising a housing made in the form of a transparent box inside which is a set of volumetric elements of the same mass and size in the form of disks. Disks have contacts, and resistors are placed inside the disk. A transparent box covers the camera with cells for placing disks. In each cell there are contact terminals that form a series electrical circuit connected to a measuring device.

The placement of the disks is characterized by a binomial distribution, which is verified experimentally by repeatedly shaking and recording the number of cases for which the first type of elements appear in the drive cassette.

This device allows you to solve only part of the task, namely, to simulate only one binomial distribution inherently close to simulation.

This device does not allow the input of initial data (their transfer to the device) for modeling: input resolution, input

sanctions, input of the first task, input of the second task, input of the first event, input of the second event, input of the third event, input of the fourth event, as well as the output of the sanction request and the results of the virus and does not allow checking whether the virus has permission to work, the specified events and the presence of sanction to the virus for switching tasks, does not allow switching tasks, does not allow mutations, and as a result of this does not allow simulation of a computer virus of the Trojan type mutant s horse.

Another 3 training device is known, which allows to demonstrate a binomial distribution containing a diffuser in the form of hexagonal prisms arranged in a checkerboard pattern, the output channel of the hopper with a simulator in the form of granular particles, a recorder in the form of a collector with cells and a deflecting device.

This device allows you to solve only one part of the task, namely, to perform the simulation of the Binomial distribution, which is inherently close to simulation.

This device does not allow the input of initial data (their transmission to the device) d.sh1 modeling: input permission, input

sanctions, input of the first task, input of the second task, input of the first event, input of the second event, input of the third event, input of the fourth event, as well as the output of the sanction request and the results of the virus and does not allow checking whether the virus has permission to work, the specified events and the presence of sanction to the virus for switching tasks, does not allow switching tasks, does not allow mutations, and as a result of this does not allow simulation of a computer virus of the Trojan type mutant s horse.

Also known is a device 4 for modeling the selection of frequencies of radio transmitting stations, comprising an adder, computing units, models of transmitters and receivers, control, synchronization and signaling units, an OR element.

This device allows you to solve only one part of the task, namely, using an OR element to implement a fragment of the task switching unit.

This device does not allow input of input data (its transfer to the device) for modeling: input of permission, input of sanction, input of the first task, input of the second task, input of the first event, input of the second event, input of the third event, input of the fourth event, as well as execute the conclusion of the sanction request and the results

operation of the virus and does not allow checking the availability of permission for the virus, the occurrence of a given event and the presence of sanctions for the virus to switch tasks, does not allow switching tasks, does not allow mutation, and as a result does not allow simulation of a computer virus of the Trojan type mutant horse.

A utility model 5 is also known. An expert system comprising an input unit for inputting expert estimates, a unit for summing up ratings, a unit for determining ratings, an input unit for applicant data, and an information output unit.

This device allows you to solve only part of the task, namely, in the information output unit, to output the results of simulation modeling (the results of the virus).

This device does not allow input of input data (its transfer to the device) for modeling: input of permission, input of sanction, input of the first task, input of the second task, input of the first event, input of the second event, input of the third event, input of the fourth event, as well as execute the conclusion of the sanction request and does not allow checking whether the virus has permission to work, the occurrence of a given event and the presence of the virus sanction for switching tasks

allows switching tasks, does not allow mutations, and as a result of this, allows simulation of a computer virus of the mutant type “Trojan horse.

Another useful model 6 is also known - a device for modeling two-dimensional vectors of dependent random variables with an arbitrary correlation coefficient, containing 17 pieces of multiplication blocks, seven summation blocks, seven subtraction blocks, six division blocks, two square root calculation blocks, four exponent calculation blocks, and four blocks for calculating the natural logarithm, a control unit, four sensors for simulating uniform distribution and two sensors for simulating normal distribution.

This device allows you to solve only part of the task, namely, with the help of blocks of simulation of uniform and normal distribution, with some restrictions, simulate some of the work of a computer virus, for example, the results of solving the second problem.

This device allows inputting input data (transferring it to the device) for modeling: input of permission, input of sanction, input of the first task, input of the first event, input of the second event, input of the third event, input of the fourth event, and

PERFORM the output of the sanction request and the results of the virus and does not allow checking whether the virus has permission to work, the occurrence of a given event and the presence of the virus sanction for switching tasks, does not allow switching tasks, does not allow mutations, and as a result does not allow simulation computer virus mutant type "Trojan horse.

Quite close to the proposed device is utility model 7 (almost nrototin) A device for modeling membership function values, containing a constant setting unit, a summing unit, a multiplication unit, four comparison blocks, four NOT elements, three AND elements, an OR element. This device allows you to solve only part of the task, namely, by means of a comparison unit, IE elements, AND elements, OR element, in special cases, to implement fragments of an event occurrence check block, a sanction presence check block, and a task switching block.

This device does not allow input of input data (its transfer to the device) for modeling: input of permission, input of sanction, input of the first task, input of the second task, input of the first event, input of the second event, input of the third event, input of the fourth

events, as well as execute the output of the sanction request and the results of the virus’s operation and does not allow the full verification of the availability of the virus’s work permit, the occurrence of the specified event and the presence of the virus’s authorization to switch tasks, does not allow the task switching in the full volume, does not allow mutation, and as a result of this does not allow simulation of a computer virus mutant of the type “Trojan horse. When developing means of protection against computer viruses, sometimes simulation is carried out to study the behavior of a computer mutant virus and evaluate the future characteristics of protection systems before actually building them.

The proposed yaolzny model solves the problem of simulation of a computer virus mutant of the type “Trojan horse. And as a consequence of this, the class of tasks being solved is expanding.

As a result of mathematical, simulation modeling, the behavior (work) of computer viruses of mutants of the “Trojan horse.

In mathematics 20 pp. 29-30, pp. 135-136, pp. 206-208, it is customary to distinguish among models analytical models and so-called simulation models, for example, devices or entire systems.

The work (behavior) of computer viruses of mutants of the Trojan horse type can be modeled in different ways (algorithms) and, in particular, using the algorithm shown in Fig. 8, which imitates the ImV () model of a computer virus of the Trojan type mutant

X ImV (Q, Cl, C2, C3, C4, C, Z1, Z2, E, W, M), where ImV is a simulation model that can be in practice

implemented in various ways, for example, programmatically (programming language GPSS, SIMULA, etc.), or hardware in the form of a digital device, etc .;

Q - permission for the mutant virus to work (Resolution) (- logical zero if the virus is NOT AUTHORIZED and the logical unit if the virus is AUTHORIZED to work); C1 is the code of the 1st event (Event), which is next,

current event in a computer system;

C2 - code of the 2nd event (Event2), the onset of which the virus expects; SZ-code of the 3rd event (Event3), the onset of which the virus expects to change - to mutate to another state: (in other words, this event leads to the fact that the internal state of the virus changes so that under certain conditions it can lead to

for example, to switching tasks);

C4 - code of the 4th event (Event4), the onset of which the virus expects,

to change - mutate to another state: (other

in words, this event causes the internal state of the virus

changes so that under certain conditions it can’t lead,

for example, to switching tasks);

C- sanction code (Sanction) for virus switching tasks

(- logical zero if the virus is REFUSED to switch tasks and C is a 1 logical unit if the virus is ALLOWED to transmit tasks);

Z1 - the results of solving the 1st problem (Task) by some hypothetical device infected with a computer virus; Z2 - the results of solving the 2nd problem (Task 2), which can be solved both by the mutant virus itself, and by some hypothetical device in a computer system;

E, W, M are the internal parameters of the model (intermediate data), where E is the result (in the form of a logical unit () or logical zero ()) of the occurrence of the event (Event 2) that the virus expects, provided that the virus is ALLOWED to work

();

logical zero ()) to verify the existence of a sanction, provided that the virus is AUTHORIZED to work () and an event (Event) has occurred,

which the virus expects; M is the result of a mutation (in the form of a logical unit () or

logical zero ());

Q, C1, C2, C3, C4, C, Z1, Z2 are the inputs of the ImVQ model; X is the output of the simulation model (the result of the simulation of the computer virus mutant in the form of a two-dimensional vector X (xi, X2), where xi is the output of the virus such that if the specified event (Event) has occurred and there is a Resolution and Saique for virus II, the virus itself is in the appropriate state when) and if there is ATTENTION at least a Permission or Syaction for the virus or a given event (Event) has occurred and the virus itself is in the corresponding state when, and X2 is the output of the authorization request such that, (logical unit}, if the virus requests tells Saiktia to switch tasks or {logical zero} if the virus is blocked and, accordingly, it already needs to request Saiktia to switch tasks.

In practice, getting the initial data for the ImV () model, as a rule, does not cause problems. So, as events C1, C2, C3, C4, use events from the real flow of computer events

systems (for example, the corresponding outputs of decoders, registers, triggers, etc.), and as the results of solving problems Z1, Z2, for example, the contents of memory blocks, registers, or outputs of corresponding logic circuits from a real computer system are used. Since Q and C are adjustable parameters in the ImV () model, they are set by the experimenter performing the simulation.

Feeding different inputs of the model, we obtain the outputs (results) of the simulation model corresponding to these inputs in the form of X (xi, X2). Further, according to these results, it is possible to determine various parameters of computer viruses of mutants. For example, by measuring the time to obtain these results, it is possible to determine the reaction time of the mutant virus and determine under what conditions the mutant virus ceases to be operational without having time to make a decision.

In the end, you can dial a sufficient sample to evaluate (as is customary in probability theory and mathematical statistics 8,16,17,18), for example, such an important parameter as the average reaction time of the mutant virus.

To achieve the technical result named as a useful model, an event occurrence check block, a sanction check block, a mutation block, a task switching block, permission input v, a sanction input, a first task input, a second task input, a first event input, a second event input, an input the third event, the input of the fourth event, the output of the sanction request, the output of the virus, while the first input of the event occurrence verification unit is the input of the first event, the second input of the event occurrence verification unit is the input of the second event ia, the third input of the event occurrence verification block is the permission input, the second input of the sanction presence verification block is the sanction input, the first information input of the task switching block is the input of the first task, the second information input of the task switching block is the input of the second task, the first input of the mutation block is the input of the third event, the second input of the mutation block is the input of the fourth event, the output of the mutation block is connected to the third input of the sanction check block, the output of the check block occurs Ia events connected to the first input of the check for authorization and approval request is output, the output authorization unit checks the presence connected to a control input of switching tasks, the output of which is the output of the virus, which enables simulation of a computer virus mutant type "Trojan horse. and: u // s -S3 /

Signs that distinguish the proposed device from the closest known to it according to the certificate of the Russian Federation No. 8145 IPC G 09 V 23/02 7 characterize the presence of an event occurrence verification unit, a sanction presence verification unit, a mutation unit, a task switching unit, permission input, authorization input , the entrance of the first task, the entrance of the second task, the entrance of the first event, the entrance of the second event, the entrance of the third event, the entrance of the fourth event, the output of the sanction request, the output of the virus, while the first input of the event occurrence check block is I am the input of the first event, the second input of the event occurrence check unit is the input of the second event, the third input of the event occurrence check unit is the permission input, the second input of the sanction check unit is the sanction input, the first information input of the task switching unit is the input of the first task, the second information input the task switching unit is the input of the second task, the first input of the mutation unit is the input of the third event, the second input of the mutation unit is the input of the fourth event, output mutations unit connected to the third input of the check for authorization, checking occurrence output unit events connected to the first input of the check for authorization and approval request is output, the output authorization checking unit availability connected to the control input of

task switching, the output of which is the output of the virus, which allows simulation of a computer virus of the mutant of the Trojan Horse.

The proposed utility model is illustrated by drawings. shown in FIGS. 1-10.

Figure 1 shows a block diagram of a utility model. The given block diagram reflects the set of necessary blocks and the connection between the blocks. The block diagram shows: block 1 for checking the occurrence of an event on three inputs, block 2 for mutations for two inputs, block 3 for checking for authorization for three inputs, block 4 for switching tasks to three inputs (where U is the control input for block 4 for switching tasks; 1- the first information input of task switching unit 4; 2 - the second information input of task switching unit 4), as well as the following eight inputs of the proposed device: Resolution - permission input, Sanction - sanction input, Task - input of the first task, Task - input of the second task, Event - input of the first event, Event - input of the second event, Event3 - input of the third event, Event4 - input of the fourth event, and also shows the following two outputs of the proposed device: Zanros sanctions - the output of the sanction request. Virus exit - Virus exit. Note that, processing tools

.; e // J-i3 / cP

data coming from the output of the proposed device: Request for authorization - the output of the request for authorization is not shown.

Figure 2 shows the conditional block diagram of the connection of two hypothetical devices, where none of them has yet been infected with a virus (the proposed device). The block diagram conventionally shows: The device is a hypothetical first device that has two outputs (compatible with the corresponding two inputs of the proposed device): Event is the output of the first event, Task is the output of the first task, and also shown: The device is a hypothetical second device, when this output (task) of the device is connected to the corresponding input (task) of the device. Other inputs and outputs of hypothetical devices (Device and Device) and their connections are not shown.

Fig. 3 shows a conditional block diagram of the connection of the proposed device (virus) and two hypothetical devices (Device and Device), where one of them (Device) is already infected with the mutant virus (proposed device), the other (Device) has not yet been infected. The block diagram schematically shows: The device is a hypothetical first device that has two outputs (compatible with the corresponding two inputs of the proposed device): Event - output of the first event, Task - output of the first

tasks, also shown: Device - a hypothetical second device, while the virus output is connected to the corresponding input (Task) of the Device, the output (Task) of the Device is connected to the corresponding input of the first task (proposed device), the output (Event) of the Device is connected to the corresponding the input of the first event (proposed device), as well as the Sanction Request is shown - the output of the sanction request (proposed device) and six inputs of the proposed device: Event - input of the second event, Resolution - input of permission, Ca Nction - entry sanction. Task - input of the second task, EventNoZ - input of the third event, Event4 - input of the fourth event. Other inputs and outputs of hypothetical devices (Device and Device) and their communication, as well as data processing tools coming from the output of the proposed device: Zanros sanctions - the output of the sanction request is not shown.

Figure 4 shows a block diagram of a utility model for a special case of its industrial implementation in the form of a digital device on logical elements. The block diagram shows:

a block for checking the occurrence of an event on three inputs (highlighted by a dashed frame and implemented using one AND element on three inputs), a mutation block on two inputs (highlighted by a dashed frame and implemented using a single RS-trigger, check unit

oiOO // 3/24

authorization for three inputs (marked with a dashed frame and implemented with the help of one AND element for three inputs), a task switching unit (where Y is the control input of the task switching unit) with three inputs (highlighted with a dashed frame and implemented with two AND elements for two input, one OR element for two inputs and one IE element), as well as the following eight inputs of the proposed device: Permission - ow; permission code, Sanction sanction input, Task - input of the first task, Task - input of the second task. Event is the input of the first event, Event is the input of the second event, which always has a logical unit, Event3 is the input of the third event, Event4 is the input of the fourth event, and the following two outputs of the proposed device are also shown: Request for authorization - output for request for authorization, Output for virus - the output of the virus. Note that, the means of processing data coming from the outputs of the proposed device: Request for authorization - the output of the request for authorization and the Output of the virus — the output of the virus is not shown.

Figure 5 shows a block diagram of the algorithm of the unit for checking the occurrence of an event.

Figure 6 shows the block diagram of the algorithm of the unit for checking the availability of sanctions.

l} - // 3 (f

Figure 7 shows a block diagram of the algorithm of the task switching unit.

On Fig shows a block diagram of the algorithm of the simulation model of a computer virus type "Trojan horse.

Figure 9 shows three truth tables of device blocks (when implemented as a digital device on logical elements), each of which (as is customary in computer design theory 12 p.5) represents a logical function implemented using the corresponding sets of logical elements .

In FIG. 10 shows a block diagram of the algorithm for the operation of the mutation unit.

The proposed utility model works as follows. Consider her (Fig. 1) work on the example of simulation in mathematics of the behavior of the computer virus mutant MIF-X-58 of the type “Trojan Koi as a result of which the X - output of the simulation model is formed (the result of simulation in the form of a two-dimensional vector X (xi, X2) ) according to the above simulation model ImV () and algorithms (Figs. 5,6,7,8,10). Before starting work, the mutant virus, for example, has the following internal state:.

Ui - // 3 5b / (

the following initial data for simulation: Q permission for the virus (Resolution) is received (in the form of a logical zero or logical unit) at the permission input, C1 is the code of the 1st event (Event) is received at the input of the first event, C2 is the code of the 2nd event (Event) arrives at the input of the second event, SZ-code of the 3rd event (Event3) enters the input of the third event, C4- code of the 4th event (Event4) enters the input of the fourth event, C-code of sanction (Saique) is received (in the form of logical zero or logical units} entry sanctions, Z1- result The dates of the solution of the 1st problem (Problem) are input to the first task, Z2 - the results of the solution of the 2nd problem (Problem) are input to the second task.

In the unit for checking the occurrence of an event (Fig. 1), in accordance with its operation algorithm (Fig. 5), a check is made for the availability of a work permit for the virus and verification of the occurrence of a given event C2 by comparing C2 with the current event C1. As a result, E - the result of the checks is transmitted as a logical zero (if the Resolution is not received and (or) the Event and Event events do not match) or as a logical unit (if the Resolution is received and the Events and Event2 events coincide) to the first input of the presence check block sanctions and the exit request sanctions (Fig., 8).

(Fig. 10) is carried out, for example, storing (installation and storage) of the internal state of the mutant virus (in the form of a logical unit () or logical zero ()) in accordance with the contents at the input of this block.

In the block for verifying the presence of sanction (Fig. 1), in accordance with its operation algorithm (Fig. 6), the presence of the Sanction for switching is checked. Task 2 instead of Task, provided that permission is obtained for the virus to work and the events coincided and the condition of the mutant virus is. As a result, W - the result of the check is transmitted as a logical zero (if either (and) or (and)) or as a logical unit (if and) to the control input of the task switching unit (Fig, 1.8).

In the task switching unit (Fig. 1), in accordance with its operation algorithm (Fig. 7), the output of the task switching unit (which is also the virus output) is formed in the form of Z1-results of solving the 1st problem (Task) or in the form of Z2 - the results of solving the 2nd problem (Task) depending on the contents of W supplied to the control input of the task switching unit. So, if, then Z1-content of the input of the first task (Task) is transmitted to the output of the virus, and if, then the Z2-content of the input of the second task (Task2) is transmitted to the virus output (Task2) (Fig. 1.8).

Note that the proposed device performs only strictly authorized actions and is not malicious. Indeed, it has two inputs for this: the permission input and the sanction input, as well as one output, the output of the authorization request for requesting authorization to switch tasks.

If the Permission to operate the mutant virus is not obtained or is not available for the mutant virus. The sanction for switching the results of solving problems or the mutant virus is in the state, then in this case the output of the virus receives the results of solving the 1st problem (Task). In this case, the virus does not violate the natural course of work of a computer system (computer). This mutation () of the virus does not lead to the replacement of the results of solving one problem with the results of solving another problem.

If the Permission to operate the mutant virus has been obtained and is available for the Sanction sanction mutant virus to switch the results of solving the problems and the specified Event has occurred, as well as the state of the mutant virus, then in this case the results of the solution of the 2nd problem are received (Problem 2). In this case, the mutant virus authorized (having obtained permission in advance to work and permission to commute the results of solving problems) violates the natural course of work of a computer system (computer).

j; 7 // jr3 / cP

After conducting a series of experiments using a simulation model and measuring the reaction time of a computer mutant virus, we can finally obtain a representative sample of two-dimensional vectors X (xi, X2) and estimate parameters from this sample, for example, the average reaction time of a computer virus of the Trojan horse mutant type. Thus, the proposed utility model allows us to solve the problem - simulation of a computer virus mutant of the type “Trojan horse. With the help of mathematical, simulation modeling implemented in the proposed utility model, it becomes possible to simulate the operation of a computer virus mutant of the type “Trojan horse.

sgg: 2 // zuz / sr

The proposed utility model may be industrially applicable (feasible) as follows.

Accept) 1 Simulation model: ImV () can be implemented using different algorithms and, in particular, according to the following algorithms obtained by the author, presented in Figs. 5-8. In FIG. Figure 8 shows the algorithm for operating the simulation model, which can be implemented, for example, programmatically using a standard, programmable hardware accelerator (for example, a personal computer). In this case, the work of all blocks of the model is performed using programs written in a programming language (for example, SI 14, C ++, S + S (version 2.0), or another 22-26.15) on a personal computer. As a result, the output of the sanction request and the output of the virus are formed. The experimenter (being the person who gives permission and authorization for the mutant virus to work) for the ImV () model, he chooses Q and C - adjustable parameters in the simulation process. As examples of a possible software implementation of the computer virus model, one can cite non-malicious viruses that were specially developed by the author and for which ROSPATENT issued certificates 22-26 of the Russian Federation. Particularly not malicious viruses MIF-X-02 - Self-modifying

MIF-IKS-02 mutant virus, which changes its descriptor 25 and MIF-X-03 of the Trojan horse type 26, which are a pro-maximum implementation for the hardware MIF-X-58 mutant virus of the proposed device. Thus, the proposed software implementation of the utility model allows us to solve the problem of simulation of a computer virus mutant of the type “Trojan horse.

Example 2. This example (Fig. 4) illustrates the operation of the utility model (Fig. 1) for modeling cases when

the corresponding eight (one-bit binary) inputs of the proposed device are received (figure 4): Resolution (in the form of logical zero or logical unity1) -by. permission input, Sanction (in the form of a logical zero or logical unit} - to the input of the sanction, Task (in the form of a logical zero or logical unit} - to the input of the first task, Problem 2 (as a logical zero or logical unit} - to the input of the second task. Event (in the form of a logical zero or logical unit} - to the input of the first event, Event2 - to the input of the second event, which always receives a logical unit, Event3 (in the form of a logical zero or logical unit} - to the input of the third event, Event4 (in the form logical zero or logical units} - at the input of the fourth event.

has two (one-bit double) outputs: the output of the sanction request and the output of the virus.

Almost every block of the utility model (Fig. 1), with the exception, for example, of a mutation block, is a digital digital device (Fig. 4), constructed using, for example, known standard microcircuits of logic elements, inverters (NOT elements), OR elements, elements And, selectors, multiplexers, etc. schemes of which are given in works 9-13,19. The truth tables for these logical elements - inverters, OR elements, AND elements are given, for example, in work 10 p. 36, p. 41, p. 42. All blocks are connected in one digital circuit.

The unit for checking the occurrence of an event (Fig. 1) can be made in the form of a combinational circuit (Fig. 4) on logic elements - one And element per input tr 9,10,11,12,13,19.

The unit for verifying the presence of sanction (Fig. 1) can be made in the form of a combinational circuit (Fig. 4) on logic elements - one And element per input tr 9,10,11,12,13,19.

The task switching unit (Fig. 1) can be performed using a suitable selector-multiplexer

9,10,11,12,13,19 or in the form of a combinational circuit (Fig. 4) on logic elements: two AND elements on two inputs, one OR element

on two inputs and one element NOT 9,10,11,12,13,19.

The mutation block (Fig. 1) can be performed using a standard, well-known RS-trigger 9,10,11,12,13,19 (Fig. 4).

As an element base for the implementation of blocks, known microcircuits, for example, 155 series or the like, 11.19 can be used.

For example, the AND element for three inputs used in the event event verification unit (Fig. 4) can be implemented using two elements: one AND element for three inputs and one inverse output and one NOT element connected in series so (see Fig. 3 -For work 12 p.73), that the output of the AND element to three inputs is inverted by the NOT element using, for example, one 155LA4 microcircuit containing three And three-input elements and an inverse output and one 155LN1 single chip containing six NOT 11 s .59, p. 67.

And, for example, the And element for two inputs used in the task switching unit (Fig. 4) can be implemented using, for example, one 155LI1 chip containing four And elements on two inputs 11 p. 59, p. 67.

And, for example, an OR element for two inputs used in the task switching unit (Fig. 4) can be implemented using.

for example, one 155LL1 chip containing four OR elements on two inputs 11 p. 60, p. 74.

For example, an RS-trigger can be implemented using, for example, one 155LAZ chip containing four AND-NOT elements on two inputs 11 p. 58, p. 62 connected as shown in Fig. 3-4 a) in operation 12 s .74,

In the unit for checking the occurrence of an event, it is implemented (using a logical function with the truth table shown in Fig. 9 (nerve table)) the presence of permission and the occurrence of a given event.

In the block for verifying the presence of a sanction, it is implemented (using a logical function with the truth table presented in Fig. 9 (second table)) the verification of the presence of a sanction for switching tasks.

In the task switching unit, it is implemented (using a logical function with the truth table shown in Fig. 9 (third table)) that the result of solving one of the problems is transmitted to the output of the task switching unit, which is the output of the virus.

In the proposed device (figure 4):

the input of the first event is connected to the first input of the 1st element And,

the input of the second event is connected to the second input of the 1st element And,

to logical unit) RS-flip-flop,

the fourth event input is connected to the R input (setting to logical zero) of the RS-trigger

RS trigger output is connected to the third input of the 2nd AND element, the permission input is connected to the third input of the 1st AND element, the sanction input is connected to the second input of the 2nd AND element, the input of the first task is connected to the first input of the 3rd AND element , the input of the second task is connected to the first input of the 4th element And, while the output of the 1st element And is connected to the output of the sanction request and to the first input of the 2nd element And, the output of which is connected to the control input of the task switching unit, the control input of the block task switching is connected to the input of the element NOT, the output of which о is connected to the second input of the 3rd AND element, the output of which is connected to the first input of the OR element, the output of which is the virus output, the control input of the task switching unit is connected to the first input of the 4th AND element, the output of which is connected to the second input of the OR element.

The device in the form of a digital circuit (figure 4) works as follows.

Consider the case when the mutant virus is in a state. If at the 3rd input of the 1st element And (figure 4) there is a signal in

3-GZ /

them

as a logical zero (- the virus is NOT ALLOWED to work), then the output of the 1st element And (), the 2nd element And (), the 4th element And there will be a signal in the form of a logical zero, while the output of the element is NOT there will be a signal in the form of a logical unit and the output of the 3rd AND element, as well as the output of the NLI element will correspond to the contents of the input of the first task, which is transmitted to the virus output,

If at the 2nd input of the 2nd element And (figure 4) there is a signal in the form of a logical zero (- the virus is REFUSED in switching tasks), then the output of the 2nd element And (), the 4th element And will be present the signal is in the form of a logical zero, while the output of the element will NOT have a signal in the form of a logical unit, and the output of the 3rd element H, as well as the output of the NLN element will correspond to the contents of the input of the first task, which is transmitted to the virus output.

If at all 3 inputs of the 1st element H (Fig. 4) there is a signal in the form of a logical unit (- the virus is ALLOWED to work and the event that the virus is waiting for has already occurred (the Event code matches the code of the specified Event2)), then the virus output Of the 1st element H, a Sanction Request is formed in the form of a logical unit.

which goes to the output of the sanction request. Until such a sanction has arrived at the sanction entry in the form of a logical unit, the virus output will correspond to the contents of the input of the first task. After this sanction arrives at the 2nd input of the 2nd AND element (Fig. 4) in the form of a logical unit (- the virus is ALLOWED to switch tasks), the virus output will already correspond to the contents of the input of the second task.

Similarly, other combinations of input signals of the proposed device are considered.

The case when the mutant virus is in a state is considered in a similar way.

Time t - delay 9 s.65, s.82 of the entire proposed device (Fig. 1) will be determined by the following formula:

(1) + 1 (2) + g (3) + K4), where

t (l) is the delay time of the event verification unit; t (2) is the delay time of the block of the association; t (3) is the delay time of the sanction check block; t (4) is the delay time of the task switching unit.

The proposed device correct output result

of the proposed device - the virus output will be formed no earlier than after time t.

Thus, the proposed hardware implementation of the utility model in the form of a combination of an digital device, with

using the RS-trigger allows you to solve the problem of simulation of a computer virus mutant of the type “Trojan horse.

This does not exhaust the whole variety of possibilities for the application (construction) of the proposed utility model.

Used Source

1. Certificate for utility model of the Russian Federation No. 14305 class. IPC G 09 V 23/28, publ. 07/10/2000 Bull. No. 19.

2. The author's certificate of the USSR No. 1591062 class. IPC G 09 V 23/02, publ. 09/07/90 Bull. No. 33.

3. The author's certificate of the USSR No. 1460736 class. IPC G 09 V 23/00, publ. 02/23/89 Bul. Number 7.

4. The author's certificate of the USSR No. 660080 class. IPC G 09 V 23/00, publ. 04/30/79 Bul. No. 16.

5. Certificate for utility model of the Russian Federation No. 13107 class. IPC G 06 F 15/00, publ. 03/20/2000 Bull. Number 8.

6. Certificate for utility model of the Russian Federation No. 15800 class. IPC G 06 F 7/58, publ. 10.11.2000 Bull. No. 31.

; U). (F

IPC G 09 in 23/02, publ. 10.16.1998 (almost a prototype).

8. Feller V. Introduction to the theory of probabilities and its applications. In 2 volumes. T.1: Trans. from English.-M.: Mir, 1984.

9.Evreinov E.V., Butylsky Yu.T., Mamzelev I.A. et al. Digital and Computer Engineering: Textbook for High Schools. - M: Radio and Communications, 1991.

Y. Hawkins G. Digital Electronics for Beginners: Per. from English.-M.: Mir, 1986. 11.Tarabrin B.V., Lunin L.F., Smirnov Yu.P. and others. Integral

microcircuits.-M: Energoatomizdat, 1985.

12.Soloviev G.P. Arithmetic devices of Computer-M: Energy, 1978. 13. Bureev L.N., Dudko A.L., Zakharov V.P. The simplest micro-computer-M:

Energoatomizdat, 1989.-216p. I.Kulik S.D. Introduced viruses have no chance. Analytical model

factographic search on the global Internet // INTERPOL in

Russia No. 1 (29). - M .: ZAO IPK R1interkrim-press, 2000. S.43-44. 15.Kozlov D.A., Parandovsky A.A., Parandovsky A.K. Encyclopedia

computer viruses.-M. : “SOLOP-P -457s. 16.Levkovich V.L. Probability Theory.-Minsk: AN BSSR, 1952. 17. Ventzel E.S., Ovcharov L.A. Probability Theory and its Engineering

applications.-M .: Spider, 1988. 18.Abchuk V.A., Matveychuk F.A., Tomashevsky L.P. Reference for

19.Shilo V.L. Popular digital circuits.-M.: Radio and communications, 1987-3 52s.

20.Lopatnikov L.I. Economics and Mathematics Dictionary.-M.: Nauka, 1987. 21. Korchagin A.D., Kazakova V.K., Polishchuk E.P., Razumovskaya N.N.,

Sabo da L.V. Recommendations on the preparation of documents for an application for the grant of patents for an invention and certificates for a utility model.-M.: FIPS, 2000.-150s.

22. Certificate for the program of the Russian Federation .lVo2000610206 Self-modifying virus mutant MIF-IKS-01, changing its signature (MIF-X-01) / S.D. Kulik (Russia) .- No. 2000610049; Application 01/27/2000; Zaregistr. 03/22/2000. Publ. 2000 FIPS, Bull. No. 2 (31).

23. Certificate for the program of the Russian Federation JV22000610474 The smallest computer mutant virus in the world in the form of the classic B-ZERO computer program (U-GEKO) / S.D. Kulik (Russia). 2000610311; Application 04/04/2000; Zaregistr. 06/02/2000. Publ. 2000 FIPS, Bull. No. 3 (32).

24. Certificate for the program of the Russian Federation No. 2000610418 MIF-IKS-78 mutant virus, changing its signature (MIF-X-78) / S.D. Kulik (Russia) .- No. 2000610258; Application 03/23/2000; Zaregistr. 05/23/2000. Publ. 2000 FIPS, Bull. No. 3 (32).

Ui-)

Self-modifying mutant virus MIF-IKS-02, changing its descriptor (MIF-X-02) / S.D. Kulik (Russia) .- No. 2000610526; Application 06/02/2000; Zaregistr. 08/01/2000. Publ. 2000 FIPS, Bull. No. 4 (33).

26. Certificate on the program of the Russian Federation. No. 2000610700 Self-modifying virus "Troyaisk koi MIF-IKS-03, calculating Ln (n) according to the Stirlipg formula (MIF-X-03) / S.D. Kulik (Russia) .- .№ 2000610527; Application 06/02/2000; Zaregistr. 08/01/2000. Publ. 2000 FRShS, Byul. No. 4 (33).

27. Development of software for the search for factual data on the Internet. Research and development of a model of factographic data retrieval: Report on R&D / MEPhI. Head Kulik S.D. Performers: Kulik S.D., Kozlov V.M. - Report on the topic No.80-3-029-511 (interim), -M.: MEPhI, 2000, No. GR 01200102159, Inv.No 02.2.00101863 -78s.

28. Kulik S. D., Frolov D. B. Legal issues of the development of viruses and search robots AFIPS // Security of information technology No. 1. - M .: MEPhI, 2001. P.40-45.

Claims (1)

A device for implementing and modeling a computer mutant virus, characterized in that it contains an event occurrence check unit, a sanction check unit, a mutation unit, a task switching unit, a permission input, a sanction input, a first task input, a second task input, a first event input, an input the second event, the input of the third event, the input of the fourth event, the output of the sanction request, the output of the virus, while the first input of the event occurrence check block is the input of the first event, the second input of the event occurrence check block Tia is the input of the second event, the third input of the event occurrence verification unit is the permission input, the second input of the sanction check unit is the sanction input, the first information input of the task switching unit is the input of the first task, the second information input of the task switching unit is the input of the second task, the first input the mutation block is the input of the third event, the second input of the mutation block is the input of the fourth event, the output of the mutation block is connected to the third input of the presence check block ii, the output of the event occurrence verification unit is connected to the first input of the sanction presence verification unit and is the output of the sanction request, the output of the sanction presence verification unit is connected to the control input of the task switching unit, the output of which is the virus output.