Development of the method and program model of the static analyzer of harmful files

Svitlana Gavryilenko
Dmitriy Saenko

Abstract

The subject of research in this article is methods of analyzing malicious software. The goal is to improve the secure functioning of computer systems (CS) and to protect them from the effects of computer viruses. Research tasks: a study of modern antivirus software protection; analysis of methods for creating a file signature; development of a software model for static file detection based on analysis of the PE structure; generation of tables of features inherent to virus families such as Worms, Backdoors and Trojans; obtaining binary signatures of malicious and safe software. The methods used are analysis of the code in a hex dump of the file and file hashing algorithms. The following results have been obtained. The PE structure of the file has been analyzed, and sections have been selected for further analysis. A software model of static file detection has been developed, and secure and malicious files have been analyzed with it. Features in the form of strings and API functions have been selected, and a bitmask has been formed for further file analysis. 3500 malicious and safe software files have been scanned and analyzed. The signature of each malicious file has been encoded and stored in the signature database. Using the developed software model, the possibility of detecting modifications of malicious software has been studied. Conclusions. A method and software model of static detection of malicious files have been developed, which allow a set of file features to be obtained automatically and a conclusion to be drawn about whether the file is malicious.
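The pipeline the abstract describes (extract strings and API names from the file image, map them onto a feature table as a bitmask, encode the bitmask as a signature, and compare new files against the signature database to catch modified variants) is illustrated below. This is an added example written for this page, not the authors' software model: the feature table is a constructed illustrative list rather than the paper's tables, `fake_pe` is a constructed stand-in for a PE image rather than a PE parser, and encoding the bitmask with SHA-256 and comparing bitmasks by Jaccard similarity are assumptions about how "encoded" and "modification detection" could be realised.

```python
import hashlib
import re

# Constructed feature table (illustrative, not the paper's table): strings and
# API names that the static analyzer looks for among the file's extracted strings.
# The bit position of each entry in the bitmask is its index in this list.
FEATURE_TABLE = [
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",   # process injection
    "URLDownloadToFileA", "InternetOpenA", "WinExec",               # download-and-run
    "RegSetValueExA", "CreateServiceA", "GetAsyncKeyState",         # persistence, keylogging
    "WSAStartup", "send", "recv",                                   # raw network I/O
]
MASK_BYTES = (len(FEATURE_TABLE) + 7) // 8

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as the `strings` tool


def extract_strings(data: bytes) -> set:
    """Return the set of printable-ASCII runs (length >= 4) found in a raw file image."""
    return {m.decode("ascii") for m in _PRINTABLE_RUN.findall(data)}


def feature_bitmask(strings: set) -> int:
    """Set bit i when FEATURE_TABLE[i] appears verbatim among the extracted strings."""
    mask = 0
    for i, feature in enumerate(FEATURE_TABLE):
        if feature in strings:
            mask |= 1 << i
    return mask


def signature(mask: int) -> str:
    """Encode a bitmask as a fixed-size hash; this is the value stored in the signature DB (assumption)."""
    return hashlib.sha256(mask.to_bytes(MASK_BYTES, "little")).hexdigest()


def bit_similarity(a: int, b: int) -> float:
    """Jaccard similarity of two bitmasks: shared set bits over all set bits."""
    shared = bin(a & b).count("1")
    total = bin(a | b).count("1")
    return shared / total if total else 1.0


def classify(data: bytes, db: dict, threshold: float = 0.7):
    """Exact signature hit -> 'known'; near-identical bitmask -> 'modified'; otherwise 'unknown'."""
    mask = feature_bitmask(extract_strings(data))
    sig = signature(mask)
    if sig in db:
        return ("known", db[sig][0], 1.0)
    best_name, best_score = None, 0.0
    for name, known_mask in db.values():
        score = bit_similarity(mask, known_mask)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:
        return ("modified", best_name, best_score)
    return ("unknown", None, best_score)


def fake_pe(import_names) -> bytes:
    """Constructed stand-in for a PE image: an 'MZ' stub followed by NUL-separated import names."""
    return b"MZ" + b"\x90" * 64 + b"\x00".join(n.encode("ascii") for n in import_names) + b"\x00"


# Constructed samples (not real malware): a 'Trojan', a modified copy of it, a 'Worm', and a clean file.
SAMPLE_TROJAN = fake_pe(["kernel32.dll", "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "WinExec"])
SAMPLE_TROJAN_MOD = fake_pe(["kernel32.dll", "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "ShellExecuteA"])
SAMPLE_WORM = fake_pe(["ws2_32.dll", "WSAStartup", "send", "recv", "URLDownloadToFileA"])
SAMPLE_BENIGN = fake_pe(["kernel32.dll", "GetTickCount", "MessageBoxA", "ExitProcess"])

# Signature database: signature -> (family label, bitmask), built from the known malicious samples.
SIGNATURE_DB = {}
for label, sample in (("Trojan.Sample", SAMPLE_TROJAN), ("Worm.Sample", SAMPLE_WORM)):
    m = feature_bitmask(extract_strings(sample))
    SIGNATURE_DB[signature(m)] = (label, m)

if __name__ == "__main__":
    for name, sample in (("trojan", SAMPLE_TROJAN), ("trojan-modified", SAMPLE_TROJAN_MOD), ("benign", SAMPLE_BENIGN)):
        print(name, classify(sample, SIGNATURE_DB))
```

The modified Trojan sample swaps one table feature for an API outside the table, so its signature hash no longer matches the database entry, but three of its four feature bits are shared with the stored bitmask (similarity 0.75), which is why keeping the bitmask next to the hash lets the analyzer flag it as a modification rather than an unknown file. The benign sample hits no feature and scores 0 against every entry.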

Article Details

How to Cite
Gavryilenko, S., & Saenko, D. (2017). Development of the method and program model of the static analyzer of harmful files. Advanced Information Systems, 1(1), 44–48. https://doi.org/10.20998/2522-9052.2017.1.08
Section
Methods of information systems protection
Author Biographies

Svitlana Gavryilenko, National Technical University "Kharkiv Polytechnic Institute", Kharkiv

Candidate of Technical Sciences, Associate Professor, Professor of the Department of Computing Science and Programming

Dmitriy Saenko, National Technical University "Kharkiv Polytechnic Institute", Kharkiv

Student of the Department of Computing Science and Programming
