WO2006022566A1 - Method for protecting computer systems against encrypted and polymorphic viruses - Google Patents
Method for protecting computer systems against encrypted and polymorphic viruses
- Publication number: WO2006022566A1 (PCT/RU2004/000288)
- Authority: WO (WIPO, PCT)
- Prior art keywords: program, virus, encrypted, commands, data
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Definitions
- The invention relates to the field of computer technology, information systems and means of protection against unauthorized access.
- The disadvantage of this known method is that the stochastic conversion of programs does not provide for the detection of viruses and software backdoors ("software bookmarks" in the machine translation) if they have penetrated the stochastically converted programs, for example at the stage of their development or on their initial entry into the system.
- A method for comprehensive protection of distributed information processing in computer systems and a system for implementing the method: international application No. PCT/RU 01/00272 of 05/05/2001.
- verification of the program code using its conversion and logical inference is used here.
- the source code of the program is converted into a logical output tree, which contains chains of sequentially executed commands.
- The chains describe all possible execution paths (trajectories) of the program and the objective functions they implement. Using a special knowledge base, functions targeted by viruses or software backdoors are identified; the corresponding chains are excluded from the program, which, after stochastic conversion, is introduced into the computer system.
- The disadvantage of this method is that it does not provide guaranteed detection of encrypted and polymorphic viruses, the most dangerous kind for computer systems.
- Encrypted viruses are computer viruses that mask their text strings and propagation instructions by encrypting (and decrypting) their own code in order to evade signature-scanning antivirus programs.
- The structure of such viruses includes an encryptor/decryptor and the command code that calls it.
- Polymorphic viruses are computer viruses that belong to the class of encrypted viruses and differ in that their decryptor constantly changes (mutates), which protects them more reliably from signature scanners. Stochastic transformation of information: randomly changing the code of commands or data using special procedures driven by a randomly generated binary sequence. If a program newly received in the computer system is "infected" with an encrypted virus, the virus code is encrypted, while the code of the encryptor/decryptor is present in the program in the clear. Often the virus command codes are masked by using modified or original program data as commands. To "infect" the file of another program, the encryptor/decryptor is called and decrypts the virus code; the virus is then activated and, while executing its code, searches for a new file and "infects" it. Before being written to the new file, the virus is encrypted again using the encryptor/decryptor code.
- A polymorphic virus has a similar functioning algorithm, with the difference that after the "infection" of each new file an equivalent transformation (mutation) of the encryptor/decryptor code occurs.
- the object of the invention is to provide a method that effectively protects computer systems from encrypted and polymorphic viruses.
- the executable file of each program entering the computer system is encrypted.
- at least two different keys are used to encrypt separately a sequence of command codes with at least one key and a combination of data with at least one other key.
- The stochastic method of encoding information implemented with the encoder and decoder described in the above application No. PCT/RU 01/00272 can be used.
- Applying this method involves stochastic byte-by-byte conversion of command codes and data using one-time encryption tables. Simultaneously with encryption, the information is encoded with another stochastic code that detects errors.
- The effect of the encrypted or polymorphic virus on the original open command codes and data of the program during execution is excluded, because they are decrypted command by command using the appropriate keys.
- The keys provide random access to any command (including when executing conditional or unconditional jump instructions) or to any memory location holding data, addressed directly, so that the program runs in real time after launch without other command codes and data having to be decrypted.
- The encryptor/decryptor is called to decrypt the virus by appropriately modifying the program's command codes or data.
- Since the virus decrypts its commands and data without regard to the additional encryption applied to the entire program on entry into the computer system under the claimed method, the virus code will be distorted. When the virus tries to use data as command codes, these are distorted as well, because under the claimed method the key used to encrypt command codes is applied instead of the data key. Therefore, after the virus acts on encrypted command codes or encrypted data, the fact of this action is detected during command-by-command decryption: the stochastic error-detecting code reveals the distortion in the commands.
- Distorted commands are defined as the body of the virus, and execution of the program section containing that body is blocked to prevent infection of other programs in the computer system. Distorted commands are identified by command-by-command decryption of the program section in which distortion was first detected, applying the error-detection function of the stochastic code. The program section containing distorted commands is taken as the body of the virus.
- Error detection in commands can also be carried out in the processor itself, using the computer's own code for checking the correctness of commands or data.
- This code is inferior to the stochastic code described above in terms of the probability of an undetected error. Therefore, if errors are detected directly in the processor, some command distortions may go undetected (when the distortion transforms the code of the original command into the code of another valid command), and detection of the virus may be delayed.
- With the stochastic code, detection of an encrypted or polymorphic virus in the program is guaranteed, which excludes the possibility of this virus "infecting" the files of other programs.
- The encryptor/decryptor is called before the part of the program containing the "body" of the virus is launched (to decrypt it) and after execution of the decrypted virus completes (to re-encrypt its "body"). Based on this, the logical connections between the detected "body" of the virus and other parts of the program make it possible to identify the code of the encryptor/decryptor and the command that calls it.
- A developed language based on artificial-intelligence constructs (production rules, predicates and frames) is used, together with a deductive inference mechanism for synthesizing a finite program tree.
- A production rule is understood as an element consisting of one conditional operator: "If (condition), then (conclusion)".
- The condition of a rule consists of a set of predicates (statements) joined by the logical connective "AND".
- The conclusion contains either a predicate or a predicate and a procedure associated with it. If all predicates of the condition are true, then the predicate of the conclusion is also true and the associated procedure is activated.
- Conditional branch commands of the form "go (address) if (predicate condition)" and unconditional jumps "go (address)" are converted into the form of production rules.
- Each conditional jump command is converted into two production rules using the indices of the linear sections I ⁇.
- Each obtained production rule i is hashed to obtain a unique stochastic index I ⁇ j . w of this rule.
- Each trajectory can be represented as the following chain:
- Ic- ( PP ) is the index of the production rule used to form the given program path
- t It- ( Pr ) is the index of the linear section of the program
- L- is the index of the result obtained by executing the specified program path.
- This trajectory is assigned the value of the index tL- ( P S), which is formed by hashing the expression obtained above.
- Each selected program path is re-tested by calling it at the corresponding indices.
- The source code of the program in encrypted form is restored by converting the production rules back into conditional and unconditional jump commands and restoring the original sequence of linear encrypted program sections, excluding the linear sections and conditional and unconditional jumps that belong to the virus. By eliminating the corresponding production rules, the conditional and unconditional jump commands by which the encrypted or polymorphic virus is connected to the program are modified, while the program's logical structure and its ability to execute are preserved.
- The detected code of the encrypted or polymorphic virus is re-encrypted using new keys for the commands and data for subsequent program launch.
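The detection mechanism described in the definitions above (separate keys for command codes and data, command-by-command decryption, and an error-detecting code that exposes distorted commands), as a constructed Python model added here; it is not the patent's own implementation, and the keyed-hash keystream, the 4-byte check value bound to region and address, and the 16-byte sample image are assumptions.

```python
import hashlib
import secrets

# Constructed model (added here, not the patent's own code) of the scheme
# above: every byte is encrypted with its own one-time table entry, command
# codes and data use separate keys, and each byte carries a keyed check
# value standing in for the stochastic error-detecting code.

def keystream(key: bytes, region: str, addr: int) -> int:
    """One-time table entry for (region, addr): one keyed-hash byte."""
    return hashlib.sha256(key + region.encode() + addr.to_bytes(4, "big")).digest()[0]

def check(check_key: bytes, region: str, addr: int, plain: int) -> bytes:
    """Error-detecting code over the plaintext byte, bound to region and address."""
    msg = check_key + region.encode() + addr.to_bytes(4, "big") + bytes([plain])
    return hashlib.sha256(msg).digest()[:4]

def protect(image, code_end, code_key, data_key, check_key):
    """Encrypt an image on entry into the system; returns (cipher, checks)."""
    cipher, checks = bytearray(), []
    for addr, b in enumerate(image):
        region, key = ("code", code_key) if addr < code_end else ("data", data_key)
        cipher.append(b ^ keystream(key, region, addr))
        checks.append(check(check_key, region, addr, b))
    return bytes(cipher), checks

def fetch_command(cipher, checks, addr, code_key, check_key):
    """Command-by-command decryption with the command key; returns (plaintext, ok)."""
    plain = cipher[addr] ^ keystream(code_key, "code", addr)
    return plain, check(check_key, "code", addr, plain) == checks[addr]

def virus_body(cipher, checks, start, code_key, check_key):
    """Contiguous run of distorted commands from `start`: the body to block."""
    end = start
    while end < len(cipher) and not fetch_command(cipher, checks, end, code_key, check_key)[1]:
        end += 1
    return start, end

def demo():
    """Constructed 16-byte image: 8 command bytes followed by 8 data bytes."""
    code_key, data_key, check_key = (secrets.token_bytes(16) for _ in range(3))
    cipher, checks = protect(bytes(range(0x10, 0x20)), 8, code_key, data_key, check_key)
    clean = all(fetch_command(cipher, checks, a, code_key, check_key)[1] for a in range(8))
    # A decryptor routine rewrites bytes 2..5 in place (XOR with a constant)
    # without the system keys; the distorted run is found on first fetch.
    tampered = bytearray(cipher)
    for a in range(2, 6):
        tampered[a] ^= 0x5A
    body = virus_body(bytes(tampered), checks, 2, code_key, check_key)
    # Data executed as commands is decrypted with the command key instead of
    # the data key, so the whole data region fails its check.
    data_as_code = virus_body(cipher, checks, 8, code_key, check_key)
    return clean, body, data_as_code
```

Because each byte is verified independently, the untouched commands before and after the distorted run still decrypt cleanly, which is what lets the run itself be delimited without decrypting the whole program.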
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EA200700350A EA200700350A1 (ru) | 2004-07-26 | 2004-07-26 | Method for protecting computer systems against encrypted and polymorphic viruses |
PCT/RU2004/000288 WO2006022566A1 (fr) | 2004-07-26 | 2004-07-26 | Method for protecting computer systems against encrypted and polymorphic viruses |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/RU2004/000288 WO2006022566A1 (fr) | 2004-07-26 | 2004-07-26 | Method for protecting computer systems against encrypted and polymorphic viruses |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006022566A1 true WO2006022566A1 (fr) | 2006-03-02 |
Family
ID=35967713
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/RU2004/000288 WO2006022566A1 (fr) | 2004-07-26 | 2004-07-26 | Method for protecting computer systems against encrypted and polymorphic viruses |
Country Status (2)
Country | Link |
---|---|
EA (1) | EA200700350A1 (fr) |
WO (1) | WO2006022566A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
RU2615317C1 (ru) * | 2016-01-28 | 2017-04-04 | Федеральное государственное казенное военное образовательное учреждение высшего образования "Академия Федеральной службы охраны Российской Федерации" (Академия ФСО России) | Method for detecting codes of malicious computer programs in data-network traffic, including those subjected to combinations of polymorphic transformations |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
RU2111620C1 (ru) * | 1997-04-02 | 1998-05-20 | Государственное унитарное предприятие Специализированный центр программных систем "Спектр" | Method for encrypting data blocks |
RU2137185C1 (ru) * | 1998-01-09 | 1999-09-10 | Насыпный Владимир Владимирович | Method for comprehensive protection of information processing in a computer against unauthorized access, software backdoors and viruses |
RU2142674C1 (ru) * | 1995-08-25 | 1999-12-10 | Интел Корпорейшн | Access control using a parameterized hash function |
US6330648B1 (en) * | 1996-05-28 | 2001-12-11 | Mark L. Wambach | Computer memory with anti-virus and anti-overwrite protection apparatus |
2004
- 2004-07-26 EA EA200700350A patent/EA200700350A1/ru unknown
- 2004-07-26 WO PCT/RU2004/000288 patent/WO2006022566A1/fr active Application Filing
Also Published As
Publication number | Publication date |
---|---|
EA200700350A1 (ru) | 2007-08-31 |
Similar Documents
Publication | Title |
---|---|
US9274976B2 (en) | Code tampering protection for insecure environments |
US8583939B2 (en) | Method and apparatus for securing indirect function calls by using program counter encoding |
US9602289B2 (en) | Steganographic embedding of executable code |
US10354064B2 (en) | Computer implemented method and a system for controlling dynamically the execution of a code |
KR101798672B1 (ko) | Steganographic messaging system using code invariants |
US9053300B2 (en) | Device and a method for generating software code |
EP2656266B1 (fr) | Improvements to cryptography using polymorphic code |
US9892661B2 (en) | Steganographic embedding of hidden payload |
KR101216995B1 (ko) | Index-table-based code encryption and decryption apparatus and method |
KR20040039357A (ko) | Computer virus detection and treatment method and system, program storage medium, encrypted data decryption method, and encrypted computer virus treatment method |
Yu et al. | Symbolic string verification: Combining string analysis and size analysis |
CN111475168B (zh) | Code compilation method and device |
KR102316404B1 (ko) | Method for defending against ransomware damage through extension randomization, and recording medium and apparatus for performing the same |
Ceccato et al. | Codebender: Remote software protection using orthogonal replacement |
WO2006022566A1 (fr) | Method for protecting computer systems against encrypted and polymorphic viruses |
Agosta et al. | Information leakage chaff: feeding red herrings to side channel attackers |
CN112332973B (zh) | Fine-grained control-flow protection method for IoT devices |
EP3944106A1 (fr) | Method for obfuscating protection code |
CN114357391A (zh) | Data encryption and decryption method and computer storage medium |
Wang et al. | An efficient control-flow based obfuscator for micropython bytecode |
Balachandran et al. | Obfuscation by code fragmentation to evade reverse engineering |
KR101173761B1 (ko) | Apparatus and method for defending against and detecting external attacks on a program |
Piromsopa et al. | Defeating buffer-overflow prevention hardware |
Lipton et al. | Provable virus detection: using the uncertainty principle to protect against Malware |
CN116127455B (zh) | Virus defense method, device and cloud browser |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
DPEN | Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed from 20040101) | |
121 | EP: the EPO has been informed by WIPO that EP was designated in this application | |
NENP | Non-entry into the national phase | Ref country code: DE |
WWE | WIPO information: entry into national phase | Ref document number: 200700350. Country of ref document: EA |
122 | EP: PCT application non-entry in European phase | |