RU2818022C1 - Method of detecting and counteracting distribution of malicious programs in computer network - Google Patents

Abstract

FIELD: safety of computer systems.

SUBSTANCE: technical result is achieved by implementing a method of detecting and countering the distribution of malicious programs in a computer network, in which a topology of a computer network is formed, malware is distributed over n-assets of the computer network, a directed graph of the trajectories of the implementation of the malicious program with respect to the n-th asset is formed, generating malware detection conditions, detecting malware using detection conditions, making a decision on isolating a fragment of a computer network from n-assets infected with a known malware, setting up a z-th antivirus program, comparing the malware detection conditions with the z-th antivirus program settings, adjusting the z-th antivirus program settings, determining the level of information security risk from unknown malicious programs for n-assets of a computer network, comparing the level of information security risk with the required value, computer network information security incidents are investigated.

EFFECT: reduced level of damage to a computer network.

1 cl, 1 dwg

Description

The invention relates to the field of computer system security.

Interpretation of terms used in the application

A computer network (CN) is understood as a network in which hardware and software components located on network computers interact and coordinate their actions only by sending messages (Babichev S.L. Distributed systems: textbook. A manual for universities / S.L. Babichev , K.A. Konkov. - M.: Yurayt, 2020. - 507 p., p. 15).

A malicious program (VP) is a program capable of self-replication (automatic propagation without user intervention) and infection of file objects (Kholmogorov, V. PRO VIRUSES. 2nd edition. Popular scientific edition / Valentin Kholmogorov. - St. Petersburg: Strata LLC ", 2017. - 162 pp. Kozlov, D.A. Encyclopedia of computer viruses / Kozlov D.A., Parandovsky A.K. - M.: Solon-R, 2010. 457 pp.; Klimentyev, K.E. Computer viruses and antiviruses: a programmer’s view. - M.: DMK Press, 2013. - 656 pp.

Assets mean information, software, equipment, licenses, contracts, services, etc. (GOST R ISO/IEC 19770-1-2021. Information technology. IT asset management. Part 1. IT asset management systems. Requirements).

A device implemented in the invention “Computer security system based on artificial intelligence” is known, RF patent No. 2750554, G06N 5/02, G06F 21/50, G06F 21/51, G06F 21/53, G06F 21/54, G06F 21/ 55, G06F 21/56, G06F 21/57, publ. 06/29/2021, bulletin. No. 6. The device consists of implementing the following actions: protect and instantly respond in real time, recognize the purpose and function of external code, block it in the event of malicious intent or lack of a justified purpose, analyze threats on their own without recourse to past data, form a hypothetical scenario of an event in security system, carry out the process of intelligently creating new hybrid forms from existing forms, detect malicious intent, determine the relationship of information, identify patterns of behavior associated with the security system, conduct regular background checks for several suspicious events in the security system, store and index events in the security system, their signs and response to them, develop intelligence, study big data and recognize signatures of malware, simulate potential varieties of this software, provide an additional level of security, and assess their own potential in forming an objective solution.

The device implemented in the invention “System for detecting computer attacks with adaptive changes in complex rules” is known, RF patent No. 2782711, G06F 21/50, publ. 01.11.2022, bulletin. No. 31. The device consists of implementing the following actions: at the preparatory stage, normalized values and signatures are formed, normalized parameter values are entered and saved in the database, signatures characterizing various computer attacks are entered, they are stored in the signature block of the computer attack detection device; at the operation stage, statistical data of flows is isolated and analyzed, compared with signatures in order to identify computer attacks, a control command is generated for additional activation of signatures, based on the received control command, the values of incoming and outgoing traffic and the existing database of unabridged signatures, classify the attack, transmit a message about classified attack, decide to disable the selected non-activated signature.

There is a known method implemented in the invention “Method for identifying potential threats to information security based on information about software vulnerabilities”, RF patent No. 2705460, G06F 21/57, G06N 3/02, publ. 07.11.2019, bulletin. No. 31. The method consists of obtaining a list of known vulnerabilities and threats, creating artificial neural networks (ANN), obtaining a set of training samples of vulnerabilities for each ANN, training the created ANN by entering training samples generated for each ANN, obtaining a list of vulnerabilities identified in the information network, submitting signs each vulnerability identified in the information network to the input of each created ANN, receiving at the output the probability of the implementation of the corresponding threat, forming a list of potential threats ranked by probability of implementation.

The closest prototype analogue to the claimed one in its technical essence and functions performed is the method implemented in the scientific article “Proposal for assessing the spread of computer viruses in a local computer network” (A.S. Belov, M.M. Dobryshin, D.E. Shugurov. Aerospace instrumentation. - No. 6 - 2021. - P. 38-48). The prototype method consists of forming the CS topology, distributing VPs, forming VP detection conditions, detecting known VPs using detection conditions, setting up (updating) an anti-virus program, adjusting the settings of the anti-virus program, investigating information security incidents of a CS fragment from n -assets of infected VPs.

A technical problem in this area is the high level of damage to the CS in the conditions of the spread of VP due to the impossibility of forming an oriented graph of trajectories of VP implementation in relation to the n -th asset, making a decision to isolate a fragment of the CS from n -assets infected with a known VP, comparing the conditions for detecting VP with settings of the z -th anti-virus program, determining the level of information security risk from unknown VPs for n - assets of the CS, comparing the level of information security risk with the required value.

The technical result is to reduce the level of damage to the computer system in the context of the spread of malware due to the formation of an oriented graph of VP implementation trajectories in relation to the n -th asset, making a decision to isolate a fragment of the computer system from n -assets infected with a known malicious program, comparing the conditions for detecting a malicious program with the settings of the z -th asset anti-virus program, determining the level of information security risk from unknown VPs for n -CS assets, comparing the level of information security risk with the required value.

The technical problem is solved by creating a method for detecting and countering the spread of malware in a computer system, which allows reducing the level of damage to the computer system by forming an oriented graph of trajectories for the implementation of a malicious program in relation to the n -th asset, making a decision on isolating a fragment of the computer system from n -assets infected with a known malicious program, comparing conditions detecting VPs with the settings of the z -th anti-virus program, determining the level of information security risk from unknown VPs for n -CS assets, comparing the level of information security risk with the required value.

The technical problem is solved by the fact that the method of detecting and counteracting the spread of VPs in a CS consists of forming a CS topology, distributing VPs across the n -assets of the CS, forming VP detection conditions, detecting VPs using detection conditions, setting up (updating) the z -th anti-virus program, investigate incidents of information security CS, according to the invention, supplemented with the following actions: form a directed graph of VP implementation trajectories in relation to the n -th asset, make a decision to isolate a fragment of the CS from n -assets infected with a known VP, compare the conditions for detecting VP with the settings of the z -th anti-virus program, determine the level of information security risk from unknown VPs for n -CS assets, compare the level of information security risk with the required value.

The analysis of the state of the art made it possible to establish that there are no analogues characterized by sets of features identical to all the features of the claimed method. Consequently, the claimed invention meets the patentability condition of “novelty”.

The results of a search for known solutions in this and related fields of technology in order to identify features that coincide with the features of the claimed invention that are distinctive from the prototypes, showed that they do not follow explicitly from the prior art. The prior art determined by the applicant does not reveal the impact of the essential features of the claimed invention on achieving the specified technical result. Therefore, the claimed invention meets the patentability requirement of “inventive step”.

The “industrial applicability” of the method is due to the presence of an element base on the basis of which devices that implement this method can be made.

The claimed method is illustrated by a drawing that shows:

Fig. 1 - flowchart of processes for detecting and countering the spread of malware on a computer network.

The claimed method can be implemented in the form of a flow diagram of the processes of detecting and combating the spread of malware in a computer network, shown in Fig. 1.

In block 1, the initial data necessary for the formation of the CS are set (entered), namely: the number n - assets of the CS (information, software, equipment, licenses, contracts, services, etc.) - N (0); the number of n -assets of the CS performing their functions at time t - N ( t ); number of infected assets at the initial moment of time n - assets - ; average time to restore the working (performing its functions) state of the asset - ; the average time for the nth asset to be transferred to a non-working (not performing its functions) state when it is infected with a virus - ; permissible value of the level of damage to the CS - .

In block 2, the computer network topology is formed. The topology of the CS is described by the composition (assets) and connectivity of the CS (1. Proposal for assessing the spread of computer viruses in a local computer network.” A.S. Belov, M.M. Dobryshin, D.E. Shugurov. Aerospace instrumentation. - No. 6. - 2021. - From 38-48; 2. Device for simulating infection by a computer virus of a local computer network. RF patent for utility model No. 202083 G06F 21/57 (2013.01), G06F 21/577, H04L 63/145 (2020.08), publ. 01/29/2021. Bulletin No. 4).

In block 3, the VP is distributed over the n -assets of the CS. In this case, the location of critical infection is selected ( nth _critical asset) and the nth assets directly related to the nth _critical asset determine the purpose (functions) of the VP. In each n -th asset, _{the critical} and n -th assets form a list of IP (MAC) addresses with which messages are exchanged. (Proposal for assessing the spread of computer viruses in a local computer network." A.S. Belov, M.M. Dobryshin, D.E. Shugurov. Aerospace instrumentation. - No. 6. - 2021. - P 38-48; Infection modeling device computer virus of a local computer network. RF utility model No. 202083 G06F 21/57 (2013.01), G06F 21/577, H04L 63/145 (2020.08), published 01/29/2021. Determine the number of infected assets at time t n - I _n ( t ) using the formula:

In block 4, a directed graph of trajectories of VP implementation in relation to the nth asset is formed. At the same time, they use the CS topology, known vulnerability databases of CS assets (for example, OVAL ) using vulnerability scanners (for example, PVS , DAST , MiniFuzz , SAST) . Create many vulnerabilities of CS assets . The identified vulnerabilities of the nth asset are grouped according to their belonging to the lth OSI layer. The graph of VP implementation trajectories includes: source - the current state of the nth asset; stock is the sth property of the nth asset; the vertices of the graph are identified vulnerabilities. The weight of the graph edge determines the probability of using the ly -th vulnerability when implementing the h -th trajectory of the VP , the weight of the vertex determines the probability of the z -th antivirus program missing the VP that implements the ly -th vulnerability . Open sources are used as sources of possible EP propagation trajectories ( MITRE ATT@CK , CAPEC , ATT@CK , OWASP , STIX , WASC , etc.). The degree of implementation of IS CS threats is determined by finding the probability of the implementation of a VP aimed at changing the s -th property of the n -th asset for each h -th trajectory of the VP ( ):

In block 5, the conditions for detecting VP are formed. Detection conditions mean normalized values and signatures (characteristic features of known malware) generated in the database. They configure the main and additional signatures, configure the intensity of message transmission between the n -th _critical asset and the n -th assets, configure filtering rules for incoming and outgoing information flows, and the frequency of checking hard drives (Computer attack detection system with adaptive change of complex rules, RF patent No. 2782711 , G06F 21/50, publ. 01.11.2022, bulletin No. 31).

In block 6, known VPs are detected using detection conditions. At the same time, statistical data of information flows are isolated and analyzed, compared with signatures, a control command is formed for additional activation of signatures, based on the received control command, the values of the information flow (incoming, outgoing) and the existing signature database, classify the VP, transmit a message about the known VP classification (System for detecting computer attacks with adaptive changes in complex rules, RF patent No. 2782711, G06F 21/50, publ. 01.11.2022, bulletin No. 31). A fragment of the CS infected with a known VP is formed according to the rule: place of critical infection ( nth _critical asset) and nth assets directly related to the nth _critical asset.

In block 7, a decision is made to isolate a fragment of the CS from n -assets infected with a known VP. The decision is made according to the rule: isolate/not isolate. When making a decision to isolate a fragment of the CS, go to block 8. When deciding not to isolate a fragment of the CS, go to block 11.

A fragment of the CS is isolated from assets infected with a known EP at time t - U _n ( t ). The number of assets isolated from the CS by time t is determined according to the expression:

Where - share of assets isolated from the CS.

Isolation of the CS fragment is carried out using the Microsoft Hyper-V hardware virtualization system. The system is based on a hypervisor - lower-level software that directly interacts with the hardware of the asset. A driver (virtual switch) is connected to the physical CS adapter, virtual network adapters are installed in the virtual machine and in the managing operating system of the n -asset (server), connected to the virtual switch, assigned individual IP addresses, subnet masks and gateway addresses. Connect one of the physical network adapters of the server to the virtual machine, at the same time set the required configuration of network protocols and connect the adapter connector with a cable to the CS switch (A.K. Blagorazumov. Isolation of enterprise computer networks using server virtualization / A.K. Blagorazumov, I. G. Kirpichev, D.V. Petrov // Scientific Bulletin of MSTU GA. - Volume 22. - No. 6. - P. 100-107).

In block 8, the z -th antivirus program is configured (updated). Anti-virus program settings mean the settings of the main functional modules of anti-virus programs: anti-virus scanner, resident module, firewall, web anti-virus, mail anti-virus, anti-rootkit, preventive protection module, update module, quarantine, etc. At the same time, launch the installation distribution and enter the activation code , update the anti-virus databases of the installation distribution, scan CS assets (Kholmogorov, V. PRO VIRUSES. 2nd edition. Popular scientific edition / Valentin Kholmogorov. - St. Petersburg: Strata LLC, 2017. - 162 pp. Page 139- 150; www.recoverymaster.ru).

In block 9, the conditions for detecting VPs are compared with the settings of the z -th antivirus program. If the detection conditions do not match the settings of the anti-virus program, then go to block 13. If the detection conditions match the settings of the anti-virus program, then go to block 10.

In block 10, the settings of the z -th antivirus program are adjusted. The adjustment involves direct configuration of additional modules of the anti-virus program and (or) the use of other methods for detecting and countering malware in various combinations (signature detection, behavioral analysis, heuristic analysis, proactive protection (HIPS), repackaging, obfuscation, anti-debugging) (Kholmogorov, V. PRO VIRUSES. 2nd edition. Popular scientific edition / Valentin Kholmogorov. - St. Petersburg: Strata LLC, 2017. - 139-150.

The number of n -assets that by time t are immune to a known EP after adjustment:

Where - the share of assets that by time t are immune to a known virus after adjusting the settings of the z -th antivirus program.

After adjusting the settings of the z -th antivirus program, go to block 13.

In block 11, the level of information security risk from unknown VPs is determined for n -assets of the CS. The level of information security risk is determined using the CS damage indicator (GOST R 53111 - 2008 Stability of operation of a public communication network. Requirements and verification methods. Page 16, pp. 5-6).

The level of damage at time t is determined by the product of the difference between one and the ratio of the number of working (performing their functions) assets to the total number of KS assets - and the probability of implementing a VP aimed at changing the s -th property of the n -th asset for each h -th trajectory of the VP ( ):

In this case, the number of working assets at time t is determined by the formula:

When determining damage, the number of isolated and restored CS assets during time t is taken into account:

In block 12 the risk level is compared with the required value . If the level of damage is below the required value, then proceed to block 13. If the level of damage is higher than the required value, then proceed to block 7 to isolate the considered fragment of the CS.

In block 13, information security CS incidents are investigated: they detect, process and evaluate VPs, conduct legal examinations, respond to new VPs, disseminate information, carry out anti-crisis actions, etc. (Miloslavskaya N.G. Management of information security incidents and business continuity. / N. G. Miloslavskaya, M.Yu. Senatorov, A.I. Tolstoy // Textbook for universities - 2nd edition, revised - M.: Hot Line-Telecom, 2016. - 170 pp., p. 22 ; 2. GOST R ISO/IEC 27000-2021 Information technologies. Methods and means of ensuring information security. General overview and terminology - M.: Standardinform, 23 p., pp. 1-3. GOST R ISO/IEC TO 18044-2007 Information technology. Methods and means of ensuring security. Management of information security incidents. - M.: Standartinform, 2009. - 92 p., pp. 41-62).

The effectiveness of the proposed method was assessed by comparing the level of damage for the prototype method and for the proposed method.

Initial data for the experiment:

total number of assets (CS equipment) - 11;

initial infection of asset No. 4;

number of vulnerable assets - 5.

Limitations and assumptions: all vulnerabilities are exploited by VP; probability of implementing a VP aimed at changing the s -th property of the n -th asset for each h -th trajectory of the VP - const ;

For the prototype method, when,, the number of working assets at a point in timetwill be equal the number of assets that by the timet are not infected and have not been infected, then the possible damage to the CS is equal to:

For the proposed method, with, the number of working assets at a point in timetwill be equal the number of assets that by the timet are not infected according to formula (6) is equal to 7, then the possible damage to the CS is equal to:

The effect of the claimed method is determined by:

.

Thus, the technical problem is solved.

Claims (1)

A method for detecting and countering the spread of malicious programs in a computer network, which consists in forming the topology of a computer network, distributing malicious programs across n- assets of a computer network, forming a directed graph of trajectories of the implementation of a malicious program in relation to the n -th asset, and forming conditions for detecting malicious programs , detect malware using detection conditions, decide to isolate a fragment of a computer network from n -assets infected with a known malware, configure the z -th antivirus program, compare the malware detection conditions with the settings of the z -th antivirus program, adjust the z -th settings antivirus program, determine the level of information security risk from unknown malware for n -assets of a computer network, compare the level of information security risk with the required value, and investigate information security incidents of a computer network.