WO2006022566A1 - Procede de protection de systemes informatiques contre des virus chiffres et polymorphes - Google Patents

Method for protecting computer systems against encrypted and polymorphic viruses

Info

Publication number
WO2006022566A1
Authority
WO
WIPO (PCT)
Prior art keywords
program
virus
encrypted
commands
data
Prior art date
Application number
PCT/RU2004/000288
Other languages
English (en)
Russian (ru)
Inventor
Vladimir Vladimirovich Nasypny
Original Assignee
Stochasto Asa
Application filed by Stochasto Asa
Priority to EA200700350A (EA200700350A1)
Priority to PCT/RU2004/000288 (WO2006022566A1)
Publication of WO2006022566A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • Technical field: the invention relates to the field of computer technology, information systems and means of protection against unauthorized access.
  • The disadvantage of this known method is that stochastic conversion of programs does not provide for the detection of viruses and software backdoors that have penetrated the stochastically converted programs, for example at the stage of their development or of their initial entry into the system.
  • A method for comprehensive protection of distributed information processing in computer systems and a system for implementing the method, international application No. PCT/RU 01/00272 of 05/05/2001.
  • Here, verification of the program code using its conversion and logical inference is used.
  • The source code of the program is converted into a logical inference tree, which contains chains of sequentially executed commands.
  • The chains describe all possible trajectories of the program and the objective functions it implements. Using a special knowledge base, functions targeted by viruses or program backdoors are identified. The corresponding chains are then excluded from the program, which, after stochastic conversion, is introduced into the computer system.
  • The disadvantage of this method is that it does not provide guaranteed detection of encrypted and polymorphic viruses, the most dangerous ones for computer systems.
  • Encrypted viruses are computer viruses that mask their text strings and propagation instructions by applying encryption (decryption) procedures to their own code, in order to protect themselves from antivirus programs of the signature-scanner type.
  • The structure of such viruses includes an encryptor/decryptor and the command code that calls it.
  • Polymorphic viruses are computer viruses that belong to the class of encrypted viruses and differ in that their decryptor is constantly changing (mutating). This allows them to protect themselves more reliably from anti-virus signature scanners.
  • Stochastic transformation of information is a random change of the code of commands or data by special procedures that use a randomly generated binary sequence.
  • If a program newly received in the computer system is “infected” with an encrypted virus, the virus code is encrypted. In this case, the code of the encryptor/decryptor is present in the program in the clear. Often, virus command codes are masked by using modified or original program data as commands. To “infect” the file of another program, the encryptor/decryptor is called and decrypts the virus code. After that, the virus is activated and, while executing its code, searches for a new file and “infects” it. Before being written into the new file, the virus is encrypted again using the encryptor/decryptor code.
  • A polymorphic virus has a similar functioning algorithm, with the difference that after the “infection” of each new file an equivalent conversion, or mutation, of the encryptor/decryptor code takes place.
  • The object of the invention is to provide a method that effectively protects computer systems from encrypted and polymorphic viruses.
  • The executable file of each program entering the computer system is encrypted.
  • At least two different keys are used: the sequence of command codes is encrypted separately with at least one key, and the set of data with at least one other key.
  • The stochastic method of encoding information, implemented using the encoder and decoder described in the above application No. PCT/RU 01/00272, can be used.
  • Applying this method involves stochastic byte-wise conversion of command codes and data using one-time encryption tables. Simultaneously with the encryption, the information is encoded with another stochastic code that detects errors.
  • The effect of an encrypted or polymorphic virus on the original open source code and data of the program during its execution is excluded; this is achieved by decrypting the program command by command using the appropriate keys.
  • This provides random access to any command (including when conditional or unconditional jump instructions are executed) or to any memory location holding data, when they are accessed by their addresses during real-time execution of the program after it is launched, without the need to decrypt other command codes and data.
  • The encryptor/decryptor is called to decrypt the virus by the corresponding modification of the program's command codes or data.
  • Since the virus's commands and data are decrypted without regard to the additional encryption of the entire program that, in accordance with the claimed method, was performed when the program entered the computer system, the virus code will be distorted. When the virus tries to use data as command codes, these are distorted because, instead of the key that the claimed method uses to decrypt data, the key used to encrypt command codes is applied. Therefore, once the virus has acted on encrypted command codes or encrypted data, the fact of this action is detected during the command-by-command decryption of the commands, using the stochastic error-detecting code to reveal the distortion in them.
  • Distorted commands are taken to be the body of the virus, and execution of the program section containing the body of the virus is blocked to prevent infection of other programs in the computer system. Distorted commands are identified by command-by-command decryption of the program section in which the distortion was first detected and by applying the error-detection function of the stochastic code. The program section containing distorted commands is accepted as the body of the virus.
  • Error detection in commands can also be carried out in the processor itself, using the code employed in the computer to check the correctness of commands or data.
  • This code is inferior to the stochastic code presented above in terms of the probability of an undetected error. Therefore, if errors are detected directly in the processor, some command distortions may go undetected (when the distortion transforms the code of the original command into the code of another valid command), and detection of the virus may be delayed.
  • Using the stochastic code, an encrypted or polymorphic virus in this program is detected with guaranteed reliability, which excludes the possibility of “infection” of the files of other programs with this virus.
  • The encryptor/decryptor is called before the part of the program containing the “body” of the virus is launched (to decrypt it) and after execution of the encrypted virus is complete (to encrypt its “body” again). Based on this, the logical connections of the detected “body” of the virus with other parts of the program make it possible to identify the code of the encryptor/decryptor and the command that calls it.
  • For this, a developed language is used, based on an artificial-intelligence apparatus (production rules, predicates and frames), as well as a deductive inference mechanism for synthesizing a finite program tree.
  • A production rule is understood as an element consisting of one conditional operator: “If (condition), then (conclusion)”.
  • The condition of the rule consists of a set of predicates (statements) joined by the logical connective “AND”.
  • The conclusion contains either a predicate, or a predicate and a procedure associated with it. If all predicates of the condition are true, the predicate of the conclusion is also true, and the procedure associated with it is activated.
  • Conditional branch commands of the form “go to (address) if (predicate condition)” and unconditional jumps “go to (address)” are converted into the form of production rules.
  • Each conditional jump command is converted into two production rules using the indices I ⁇ of the linear sections.
  • Each obtained production rule i is hashed to obtain a unique stochastic index I ⁇ j . w of this rule.
  • Each trajectory can be represented as the following chain, where:
  • Ic- ( PP ) is the index of the production rule that is used to form the given program path;
  • t It- ( Pr ) is the index of the linear section of the program;
  • L- is the index of the result obtained by executing the specified program path.
  • This trajectory is assigned the value of the index tL- ( P S), which is formed by hashing the expression obtained above.
  • Each selected program path is re-tested by calling it at the corresponding indices.
  • The source code of the program in encrypted form is restored by reverse conversion of the production rules into conditional and unconditional jump commands and by restoring the original sequence of the linear encrypted program sections. In doing so, the linear sections and the conditional and unconditional jumps that belong to the virus are excluded from it. By eliminating the corresponding production rules, the conditional and unconditional jump commands by which the encrypted or polymorphic virus is connected to the program are modified, while the program's logical structure and the possibility of its execution are preserved.
  • The detected code of the encrypted or polymorphic virus is re-encrypted using new keys for encrypting the commands and data, for subsequent program launch.
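The mechanism the definitions above describe (commands and data sealed under separate keys, each word decryptable on its own at its address, and an error-detecting check that turns any modification or any use of data as commands into a detected distortion that blocks the section), as an added Python illustration; this is not the patent's own code. It assumes a constructed two-byte toy instruction set, HMAC-derived per-address keystreams in place of the stochastic one-time conversion tables, and a keyed 4-byte check tag in place of the stochastic error-detecting code.

```python
import hmac, hashlib
TAG = 4  # bytes of keyed check per word; ~2^-32 chance that a distorted word passes

def _prf(key, label, address, extra=b""):
    """Keyed PRF bound to a word's address, so every word is sealed independently."""
    return hmac.new(key, label + address.to_bytes(4, "big") + extra, hashlib.sha256).digest()

def seal_word(key, address, word):
    """Encrypt one 2-byte word at `address` together with its error-detecting tag."""
    tag = _prf(key, b"tag", address, word)[:TAG]
    ks = _prf(key, b"ks", address)[:2 + TAG]
    return bytes(a ^ b for a, b in zip(word + tag, ks))

def open_word(key, address, sealed):
    """Decrypt one word on its own (random access); ok=False means it is distorted."""
    ks = _prf(key, b"ks", address)[:len(sealed)]
    pt = bytes(a ^ b for a, b in zip(sealed, ks))
    word, tag = pt[:2], pt[2:]
    return word, hmac.compare_digest(tag, _prf(key, b"tag", address, word)[:TAG])

LOAD, ADD, JMP, HALT = 1, 2, 3, 4  # constructed toy instruction set: opcode, operand

def load_program(k_cmd, k_data, commands, data):
    """Commands at addresses 0..n-1 under k_cmd, data words after them under k_data."""
    mem = [seal_word(k_cmd, a, bytes(c)) for a, c in enumerate(commands)]
    base = len(mem)
    mem += [seal_word(k_data, base + i, d.to_bytes(2, "big")) for i, d in enumerate(data)]
    return mem, base

def run(mem, k_cmd, k_data, max_steps=50):
    """Command-by-command decryption; the first distorted command stops execution."""
    pc, acc = 0, 0
    for _ in range(max_steps):
        word, ok = open_word(k_cmd, pc, mem[pc])       # only the current command is opened
        if not ok:
            return ("BLOCKED", pc)                    # distorted command = virus body
        op, arg = word
        if op == HALT:
            return ("HALT", acc)
        if op in (LOAD, ADD):
            val, ok = open_word(k_data, arg, mem[arg])  # data is opened with the data key
            if not ok:
                return ("BLOCKED", pc)
            v = int.from_bytes(val, "big")
            acc = v if op == LOAD else acc + v
        pc = arg if op == JMP else pc + 1
    return ("TIMEOUT", pc)

def demo():
    k_cmd, k_data = b"command key (constructed)", b"data key (constructed)"
    # Clean program: LOAD word at 3; ADD word at 4; HALT  -> 40 + 2
    mem, _ = load_program(k_cmd, k_data, [(LOAD, 3), (ADD, 4), (HALT, 0)], [40, 2])
    clean = run(mem, k_cmd, k_data)
    # Case 1: a single bit of the encrypted command at address 1 is modified.
    tampered = list(mem)
    tampered[1] = bytes([mem[1][0] ^ 0x01]) + mem[1][1:]
    # Case 2: a program that arrived already infected, its virus body masked as a
    # data word reached by a jump; the whole program was sealed on entry.
    mem2, base = load_program(k_cmd, k_data, [(LOAD, 2), (JMP, 2)], [0x0403])
    return clean, run(tampered, k_cmd, k_data), run(mem2, k_cmd, k_data)
```

In case 2 the jump target is a data word, so it is opened with the command key and the check fails at address 2, which is exactly the "data used as command codes" distortion the definitions describe.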


Abstract

The present invention relates to the field of computer technology, information systems and means of protection against unauthorized access. The invention increases the effectiveness of protecting computer systems against encrypted and polymorphic viruses. To this end, the method of the invention consists in encrypting the executable file of each program making up the computer system by means of different keys that encrypt separately the sequence of command codes and a set of data. The effect of an encrypted or polymorphic virus on the open source code and the data of a program during its execution is removed by decrypting that program command by command. The effect of the encrypted or polymorphic virus on encrypted command codes or encrypted data is detected by finding distortions in them; the distorted commands are defined as a virus body, and execution of the program containing this virus body is blocked so that other programs are not infected.

Priority Applications (2)

Application Number Priority Date Filing Date Title
EA200700350A EA200700350A1 (ru) 2004-07-26 2004-07-26 Method for protecting computer systems from encrypting and polymorphic viruses
PCT/RU2004/000288 WO2006022566A1 (fr) 2004-07-26 2004-07-26 Procede de protection de systemes informatiques contre des virus chiffres et polymorphes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/RU2004/000288 WO2006022566A1 (fr) 2004-07-26 2004-07-26 Procede de protection de systemes informatiques contre des virus chiffres et polymorphes

Publications (1)

Publication Number Publication Date
WO2006022566A1 true WO2006022566A1 (fr) 2006-03-02

Family

ID=35967713

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/RU2004/000288 WO2006022566A1 (fr) 2004-07-26 2004-07-26 Procede de protection de systemes informatiques contre des virus chiffres et polymorphes

Country Status (2)

Country Link
EA (1) EA200700350A1 (fr)
WO (1) WO2006022566A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2615317C1 (ru) * 2016-01-28 2017-04-04 Federal State Military Educational Institution of Higher Education "Academy of the Federal Guard Service of the Russian Federation" (FSO Academy of Russia) Method for detecting codes of malicious computer programs in data-network traffic, including codes subjected to combinations of polymorphic transformations

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2111620C1 (ru) * 1997-04-02 1998-05-20 State Unitary Enterprise Specialized Center of Software Systems "Spektr" Method for encrypting data blocks
RU2137185C1 (ru) * 1998-01-09 1999-09-10 Nasypny Vladimir Vladimirovich Method for comprehensive protection of the information-processing process in a computer from unauthorized access, software backdoors and viruses
RU2142674C1 (ru) * 1995-08-25 1999-12-10 Intel Corporation Access control using a parameterized hash function
US6330648B1 (en) * 1996-05-28 2001-12-11 Mark L. Wambach Computer memory with anti-virus and anti-overwrite protection apparatus

Also Published As

Publication number Publication date
EA200700350A1 (ru) 2007-08-31


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 200700350

Country of ref document: EA

122 Ep: pct application non-entry in european phase