RU2762079C1 - Method for detecting malware and malware components - Google Patents

Abstract

FIELD: computing.

SUBSTANCE: invention relates to the field of computing for the analysis of malicious software. The effect is achieved due to the fact that a set of decomposed elements, which are functionally related by the structure of the input program (message), are analyzed taking into account databases containing information about known malicious and safe elements, after which the safe elements are loaded into the places provided for them in the input structure. programs (messages), and potentially malicious elements are subjected to the next decomposition into many smaller, structurally related, decomposed elements, which, in turn, are analyzed taking into account the mentioned databases, and the smaller decomposed safe elements obtained at this stage are loaded into their designated places in the structure of the related many smaller decomposed elements, and potentially malicious smaller decomposed elements are subjected to the next decomposition into many even smaller, structurally related, decomposed elements, repeating the operation until a sub-element of the malware code is identified or a specified number of decompositions are performed.

EFFECT: increasing the likelihood of detecting malicious programs and elements without using the dynamic detection mode while simplifying the method.

3 cl, 1 dwg

Description

The invention relates to the identification and analysis of data transmitted over an unsecured communication network, namely, to the identification, detection and analysis of malicious software, i.e. malware and elements.

A binary file is often transferred between multiple computing devices over uncontrolled networks. The computing device that accepts the binary usually has no knowledge of whether it contains malware.

As the technologies and infrastructure of computer networks improve, the volume and speed of data transmitted between devices on a computer network has recently increased, and they include a class of data called malware (malware).

One of the means of identifying and removing the VI is the well-known antivirus software that uses sequential search and a rule-based standard analytical approach for searching. However, the code of the VI can be changed frequently by the author, as a result of which known search sequences and rule-based analysis may not always be able to detect continuously updated VIs. Thus, the inability to detect new or unknown viruses can be attributed to the disadvantages of the known anti-virus software.

These problems are also solved by known methods of detecting a suspicious mode of operation of a program and evaluating it using antivirus software. If the antivirus software finds significant correlations of the code or behavior with already known malicious codes, it considers that a new virus or VI has been found.

The aforementioned methods for detecting VIs fall under the generic term "heuristic". Heuristic analysis assumes that the analyzed program is launched in some isolated and safe environment, and the method records information about its execution. The heuristic method examines and evaluates the maximum possible amount of information, which makes it possible to draw conclusions about the legitimacy of the analyzed program or, otherwise, about its non-standard or, most likely, malicious purpose. Heuristic analysis works regardless of whether a particular code has been analyzed or not. In addition, it can recognize new viruses and programs - "Trojans".

The main disadvantage of heuristic methods is the insufficient reliability of the analysis, since the line between correct and harmful software operation can be undefined, since the degree of similarity with already known malicious code or anomalous behavior can be deliberately hidden by the author. At the same time, checking the program in a safe environment, when you can be firmly sure that no harm will be done, is associated with a significant investment of time. In addition, one should take into account the set of various techniques of the authors of the IP, aimed at creating obstacles to the implementation of the analysis of a heuristic type in order to prevent it.

The known method (RU 2417429, publ. 2011.04.27) minimizes the possibility of an attacker using vulnerabilities in the software installed on the target computer. The method is carried out by examining network traffic and identifying the malicious code before it can be executed and / or installed. Network traffic is monitored by a security component installed on the target computer. When a message is received for the computing system, the features of the data included in the message are compared with the features of an exploit (code that exploits vulnerabilities in software produced by third parties) used to identify the malicious code. Exploit indications are presented to the security component by the security service, which collects information about the malicious code. When comparing data in a message with signs of an exploit, they are guided by the rules that instruct the security component to take the appropriate action on the received message. However, in the known method, there is no possibility of selective monitoring of the interpreted objects of websites, and not of all traffic at the transport level, while there is no possibility of analyzing individual interpreted files.

There is a known heuristic method for analyzing a code (RU 2526716, publ. 2014.08.27), which includes the following actions: analyzing a program containing a sequence of program instructions, determining whether each instruction in the sequence satisfies any group of suspiciousness criteria, assigning a quantitative an instruction-level score for each instruction that meets any of the suspiciousness criteria, summing the scores to yield a program-level score and determining whether or not the program-level score thus calculated exceeds a predetermined threshold, and if of such an excess, a message is generated, indicating the fact of the detection of the airspace. The known method is characterized by all the above-mentioned disadvantages of heuristic methods, the main of which is the insufficient reliability of the detection of malicious elements.

The closest to the proposed method is a method for detecting malicious programs and elements (RU 2613535, publ. 2017.03.16), involving the analysis of a program or messages that meet a criterion or group of criteria of suspicion indicating the detection of malicious elements, according to which the server, browser or channel communications between them, a filtering system is built in, which analyzes the transmitted documents, taking into account the database containing information about the known safe elements, and if there are potentially harmful elements in the document that are not present in the said database, the resulting document is decomposed into many elements with potentially harmful content, from which files are formed, the number of which correlates with the number of decomposed elements, after which a composition of files is created from decomposed elements, which are subjected to dynamic detection, carried out using programs that, before They should ensure that malicious codes are triggered while working with the corresponding type of interpreted files, in particular, with vulnerable versions of Microsoft Office, in order to track deviations from the normal behavior of the client program as a result of the actions of malicious elements, while the document is detected and transmitted to the browser after deletion from it detected malicious elements, then check its validity. In addition, if malicious elements are detected, they are included in the database of malicious elements, and the rest of the elements in the database of safe elements, and additionally, they automatically disinfect the site.

The disadvantages of the known method include the need to use dynamic detection, which carries the risk of spreading a malicious infection in the working system, while its use complicates the method, increases the time required and requires additional resources.

The main task solved by the claimed invention is to create an effective method for detecting malicious programs and elements, capable of detecting malicious programs and elements with a high probability without resorting to dynamic detection. Increasing the probability of correct detection of EPs, moreover, without using the dynamic detection mode, is an urgent task today.

The technical result of the proposed method is to increase the likelihood of detecting malicious programs and elements without using the dynamic detection mode while simplifying the method, reducing time and resources.

The specified technical result is achieved by a method for detecting malicious programs and elements, providing for the analysis of a program or transmitted messages using a filtering system that analyzes documents taking into account a database containing information about known safe elements, and if the document contains potentially malicious elements that meet a criterion or a group of suspicious criteria decompose the resulting document into a set of elements with potentially malicious content, from which files are formed, the number of which correlates with the number of decomposed elements, in which, unlike the known, there are many decomposed elements that functionally connected by the structure of the input program (messages) are analyzed taking into account the databases containing information about known malicious and safe elements, after which the safe elements are loaded onto the they are placed in the structure of the input program (message), and potentially malicious elements are subjected to another decomposition into many smaller, structurally related elements, which, in turn, are analyzed taking into account the mentioned databases, and the smaller decomposed safe ones obtained at this stage elements are loaded to their intended places in the structure of a connected set of smaller decomposed elements, and potentially harmful smaller decomposed elements are subjected to the next decomposition into many even smaller, structurally related, decomposed elements, repeating the operation until the moment when a subelement of the malicious code is determined program, or the specified number of decompositions will be performed.

In the case when a subelement of the malware code is not found, the volume of the decomposed elements is changed at the first stage by K times, and at the next by 1 / K times, where K is determined from experience, mainly equal to 2, and the process of searching for signatures is carried out under new conditions in changed scale.

In one embodiment of the method, the detected sub-element of the malware code is included in a message containing the results of the analysis performed to detect the malicious element.

In another embodiment of the method, in the case when the decision is not made, and doubts about the presence of the VI element remain, an additional procedure is used: having determined a subelement of the code, presumably a malicious program, it is replaced by an unconditional transition to the next one obtained at the previous stage of decomposition, a smaller, decomposed one. an element in the structure of a connected set of smaller decomposed elements and, together with the supposed sub-element of the malware code, is transmitted to the output of the system that implements the method.

The method is carried out as follows.

An analysis of the received program or messages that meet the criterion or group of criteria for suspicion is carried out, taking into account the databases containing information about known malicious and safe elements.

The elements, the security of which has been established as a result of checking the information obtained from the databases, are loaded into their designated places in the structure of the input program or message. In the event that potentially harmful elements are present in the document, then they proceed to the stage of decomposition of the resulting document into a set of decomposed elements and analysis, continuing the process until the condition is fulfilled: a specified number (cycles) of decomposition has been passed.

If as a result of the specified decomposition cycles "passed" and "code not found", i.e. there are no potentially harmful elements in the document, then the output and transmission of the verified input document to the consumer is performed.

In another embodiment of the proposed method, in the event that a sub-element of the malware code is not found, the scale is changed, for example, first, the volume of the decomposed elements of the file is increased, then the volume of the decomposed elements is reduced to clarify the location of the code element of the malware, which makes it possible to find previously undetected ( uncorrelated) areas.

In another embodiment of the proposed method, if a sub-element of the code of a malicious program is not found in the databases of both safe and malicious program elements, an unconditional transition to the next element is carried out from the associated set of smaller decomposed elements obtained as a result of the next stage decomposition of the source file, which, together with a sub-element of the code, on which no decision has been made, is sent to the output and in this form is presented as the result of the detection of the element of the malicious program.

The proposed method is schematically shown in the drawing, where the stages of its implementation, their content, their sequence and connections between them are clearly presented in the form of a block diagram with the following designations:

1 - analysis of a program or messages that meet a criterion or a group of criteria for suspiciousness, taking into account information about malicious and safe elements obtained from databases;

2 and 3 - databases storing information about known malicious 2 and safe 3 elements;

4 - the stage of decomposition of the received document (program or message), which contains potentially harmful elements, providing for the division of the document into many decomposed elements,

5 - a stage at which a set of decomposed elements, functionally related by the structure of an input program or message, are analyzed taking into account databases that include information about known malicious and safe elements;

6 - the stage of loading the selected safe elements to their designated places in the structure of the input program or message;

7 - the next decomposition of potentially harmful elements into many smaller structurally related decomposed elements;

8 - analysis of many of the above-mentioned small, structurally related, decomposed elements, taking into account databases storing information about known malicious and safe elements,

9 - loading safe smaller decomposed elements to their designated places in the structure of a connected set of smaller decomposed elements;

10 - another decomposition of potentially harmful smaller decomposed elements into many even smaller, structurally related, decomposed elements;

11 - condition check: is a subelement of the malware code defined or not?

12 - checking the condition: passed the specified number (cycles) of decomposition or not?

13 - inclusion of the detected sub-element of the code of a malicious program in the message showing the results of identifying the malicious element;

14 - changing the volume of decomposed elements in the event that a subelement of the malware code was not found:

15 - at the first stage in K times;

16 - at the next stage 1 / K times;

17 - replacement of a sub-element of a malicious program's code with an unconditional jump to the next decomposed element in the structure of a linked set of smaller decomposed elements. Presentation of the analysis results in this form, the purpose of which is to detect a malicious program or its element (subelement), and the transmission of these results, including the file as a structure of an associated set of safe elements (disinfected file) and a malicious program code element to exit.

The essential distinguishing features of the proposed method are as follows:

1 - decomposition of the received document (program, message) containing potentially harmful elements, with the formation of a set of decomposed elements functionally related by the structure of the input program (message), which are analyzed taking into account databases that include data on known malicious and safe elements, as the need to be carried out repeatedly;

2 - loading safe elements to their designated places in the structure of the input program (message);

3 - decomposition of potentially harmful small elements obtained at the first stage of decomposition into many even smaller, structurally related by the program, elements; which are analyzed taking into account the aforementioned databases, which include information about known malicious and safe elements. The decomposition process continues until a subelement (an element not subject to further fragmentation) of the malicious program code is identified, or a specified number of iterations is performed, i.e. the required number of decomposition cycles was carried out. This operation, repeated many times, allows to reliably localize the malicious code (down to the element).

In addition, this approach allows, at the request of the consumer, to limit the number of iterations and reduce the analysis time, which can be specified in the initial data of the method;

4 - loading safe increasingly small decomposed elements obtained at the second and subsequent stages of decomposition to their designated places in the structure of a connected set of increasingly small decomposed elements, from which file variants are formed. Thus, if the received document contains potentially harmful elements, its decomposition into many elements allows separating the safe elements from the identified malicious ones, while the latter are not transmitted to the user's computer.

5 - inclusion of the detected sub-element of the code of a malicious program in the message containing the results of the analysis, the purpose of which is to detect the malicious element;

6 - change in the volume of decomposed elements at the first stage by K times, and at the next stage by 1 / K times, if the subelement of the malware code is not found. This increases (decreases) the amount of decomposed elements and makes it possible to increase the likelihood of detecting a malicious program in databases. In this case, when the desired malicious element is either masked or distributed over several elements, the scaling effect is triggered. The K factor can be determined using a set of statistics.

7 - replacing the procedure for detecting a sub-element of a malicious program's code with an unconditional transition to the next, smaller, decomposed element in the structure of a connected set of smaller decomposed elements, presenting the result of "dissection" of the detected malicious program in this form and transmitting it along with the sub-element of the malicious code contained in it programs for the output of the system that implements the method.

The above distinctive essential features of the proposed method in combination with the essential features of the prototype provide effective detection of EPs without using the dynamic detection mode. The proposed method can be implemented in an automatic mode, subject to the issuance of a report to the operator indicating the specific element (s) of the airspace and a description of the method (option) of its elimination.

Thus, the implementation of the proposed method ensures the safety of computing devices due to the automated analysis of the input file and a high probability of detecting the IP without the use of the dynamic detection mode, while this mode can optionally be implemented in simplified and lightened conditions.

Claims (3)

1. A method for detecting malicious programs and elements, providing for the analysis of a program or transmitted messages using a filtering system that analyzes documents taking into account databases containing information about known safe elements, and in the event that the transmitted document contains potentially malicious elements that satisfy a criterion or a group of suspicious criteria, decompose the resulting document into a set of elements with potentially malicious content, from which files are formed, the number of which correlates with the number of decomposed elements, characterized in that the set of decomposed elements that are functionally connected by the structure of the input program ( messages) are analyzed taking into account the databases containing information about known malicious and safe elements, after which the safe elements are loaded into the places provided for them in the structure of the input program (messages), and potentially malicious elements are subjected to another decomposition into many smaller, structurally related, decomposed elements, which, in turn, are analyzed taking into account the mentioned databases, and the smaller decomposed safe elements obtained at this stage are loaded onto their intended places in the structure of a connected set of smaller decomposed elements, and potentially harmful smaller decomposed elements are subjected to the next decomposition into many even smaller, structurally related, decomposed elements, repeating the operation until the moment when a sub-element of the malware code is determined, or it is executed a given number of decompositions. 2. A method for detecting malicious programs and elements according to claim 1, characterized in that if the sub-element of the malware code is not found, the volume of the elements to be decomposed is changed at the first stage of decomposition by K times, and at the next stage by 1 / K times. 3. A method for detecting malicious programs and elements according to claim 1, characterized in that the definition of a sub-element of the code of a malicious program is replaced by an unconditional jump to the next smaller decomposed element in the structure of a linked set of smaller decomposed elements, which, together with the identified sub-element of the code of the malicious program, is transferred to the output of the system that implements the method.

Images