Savenko O. The Theory and Practice of Creating Distributed Malware Detection Systems on Local Area Networks

Ukrainian version

Thesis for the degree of Doctor of Science (DSc)

State registration number

0519U001709

Applicant for

Specialization

  • 05.13.05 - Computer systems and components

25-10-2019

Specialized Academic Board

Д 35.052.08

Lviv Polytechnic National University

Abstract

The dissertation addresses the scientific and technical problem of developing the theory and practice of building distributed malware detection systems for local area networks, with the aim of increasing the reliability of detection. The problem matters wherever LANs are in wide use. The work develops an improved architectural model of a distributed malware detection system for local area networks that jointly takes into account the requirements of distribution, decentralization, multilevel structure and self-organization, together with an architectural model of its typical components, based on the Strengths components, that represents the states a component can be in during operation. This makes it possible to account for software modules being in different states and became the basis for determining the security status of the distributed system as a whole and of its components. A method of interaction between the components of a distributed multilevel malware detection system was developed; it rests on preserving the system's integrity, defining the order in which knowledge is passed between components, and using established analytical dependencies between the security levels of individual software modules and the security level of the whole distributed multilevel system. The method underlies the linking software that organizes the interaction of the components of a distributed multilevel malware detection system on local area networks. Algebraic systems and algebras were developed that introduce a set of operations on malware; they became the basis for behavioral signatures that give malware a formalized representation in detection systems.
A method of botnet detection in local area networks was developed. Its essence is active monitoring of system events combined with coordinated interaction of the distributed system's components when a decision is made; this made it possible to build tools that integrate into the distributed system and classify botnets by behavioral signatures formed from the functions embedded in their components. A method of malware detection on local area networks was developed that combines the work of software agents detecting malware on individual computer systems according to the methods implemented in them: dynamic formation of behavioral signatures by tracing application programming interface (API) calls, searching for polymorphic and metamorphic program code, and scanning executable programs by autonomously creating processes for them and the related software agents in the distributed system. The method of malware detection based on the dynamic formation of behavioral signatures by tracing API calls can also be used to detect other types of virus programs, including new versions of existing viruses. It forms the signature of a virus program from its API-call trace, which allows a virus program to be detected when it is represented by a behavioral signature from the signature base. The behavioral signature includes the critical API calls grouped by malicious-activity group, reflects the frequency of their occurrence, captures the nature of the interaction between the critical API functions of the virus program and describes the relations between them. This makes it possible to distinguish virus programs from useful applications not only by the presence of critical API calls but also by the way those calls interact with one another. Classification is used to perform the detection.
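The paragraph above describes a behavioral signature built from an API-call trace: critical calls grouped by malicious-activity group, their frequency, and the relations between them, with classification against a signature base. The following is an added example written for this page, not code from the dissertation; the grouping of API calls, the sample traces and the two-entry signature base are all constructed for the illustration, and the cosine nearest-signature classifier is one simple choice, not the author's classifier.

```python
"""Behavioural signature from an API-call trace (added example).

Not the thesis author's code: one concrete instance of the scheme the
abstract describes. Critical API calls are grouped by malicious-activity
group; a signature records how often each group occurs and which critical
calls follow one another; a trace is classified by nearest signature in a
small base. The group table, traces and signature base are constructed.
"""
import math
from collections import Counter

# Assumed grouping of critical API calls by malicious-activity group.
CRITICAL_GROUPS = {
    "process_injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "persistence": {"RegOpenKeyExW", "RegSetValueExW", "CreateServiceW"},
    "self_replication": {"CopyFileW", "FindFirstFileW", "FindNextFileW"},
    "network": {"InternetOpenW", "InternetConnectW", "HttpSendRequestW"},
}
CALL_TO_GROUP = {call: grp for grp, calls in CRITICAL_GROUPS.items() for call in calls}


def build_signature(trace):
    """Return a feature dict: ('grp', g) -> share of critical calls in group g,
    ('seq', a, b) -> share of critical-call transitions a -> b.
    Non-critical calls are skipped, so junk calls inserted between critical
    ones do not change the transition features."""
    critical = [c for c in trace if c in CALL_TO_GROUP]
    sig = {}
    if not critical:
        return sig
    for grp, n in Counter(CALL_TO_GROUP[c] for c in critical).items():
        sig[("grp", grp)] = n / len(critical)
    transitions = list(zip(critical, critical[1:]))
    for (a, b), n in Counter(transitions).items():
        sig[("seq", a, b)] = n / len(transitions)
    return sig


def cosine(a, b):
    """Cosine similarity of two sparse feature dicts (0.0 if either is empty)."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def classify(trace, base, threshold=0.6):
    """Nearest-signature classification; below the threshold the trace is benign."""
    sig = build_signature(trace)
    label, best = "benign", 0.0
    for name, ref in base.items():
        score = cosine(sig, ref)
        if score > best:
            label, best = name, score
    return (label if best >= threshold else "benign"), round(best, 3)


# Constructed traces: the names mimic Win32 APIs, the sequences are made up.
DROPPER_TRACE = ["GetModuleHandleW", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                 "CreateRemoteThread", "RegOpenKeyExW", "RegSetValueExW", "ExitProcess"]
WORM_TRACE = ["FindFirstFileW", "CopyFileW", "FindNextFileW", "CopyFileW",
              "InternetOpenW", "InternetConnectW", "HttpSendRequestW", "ExitProcess"]
SIGNATURE_BASE = {"dropper": build_signature(DROPPER_TRACE),
                  "worm": build_signature(WORM_TRACE)}

# A benign editor also opens a registry key, but only one critical call occurs
# and no malicious transition pattern, so it stays below the threshold.
EDITOR_TRACE = ["CreateFileW", "ReadFile", "RegOpenKeyExW", "RegQueryValueExW",
                "WriteFile", "CloseHandle"]
# A reworked dropper: inserted calls and one extra persistence step, same structure.
DROPPER_VARIANT = ["Sleep", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "Sleep",
                   "CreateRemoteThread", "RegOpenKeyExW", "RegSetValueExW", "CreateServiceW"]

if __name__ == "__main__":
    for name, trace in [("editor", EDITOR_TRACE), ("dropper variant", DROPPER_VARIANT)]:
        print(name, "->", classify(trace, SIGNATURE_BASE))
```

The point the example makes is the one the abstract stresses: the editor trace contains a critical call (RegOpenKeyExW) yet is not flagged, because its group frequencies and, above all, its call-to-call transitions do not match any signature, while the reworked dropper matches closely despite the inserted calls and the added persistence step.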
For file viruses that use obfuscation techniques, a method for detecting polymorphic and metamorphic viruses was developed based on analysis of the obfuscation functions. The peculiarity of the method is that it analyses the software object together with its modified versions obtained from different modules, and then searches for equivalent functional blocks. This allows a more detailed analysis of the software object's code for the presence of polymorphic and metamorphic viruses.
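To make the idea of "equivalent functional blocks" concrete, here is an added example that is not the dissertation's code: a small normalizer that undoes three common metamorphic rewrites (junk insertion, instruction substitution, register renaming), splits the result into basic blocks and reports what fraction of one sample's blocks has an equivalent block in another. The rewrite rules, the register set and the three assembly listings are assumptions constructed for the illustration.

```python
"""Equivalent functional blocks across obfuscated variants (added example).

Not the thesis author's code. Two listings are normalised (junk removed,
substituted idioms rewritten to a canonical form, registers renamed in order
of first use), split into basic blocks at control-flow instructions, and
compared block by block. The rule set and listings are constructed.
"""
import hashlib
import re

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
REG_RE = re.compile(r"\b(" + "|".join(REGS) + r")\b")
TERMINATORS = {"ret", "jmp", "je", "jne", "jz", "jnz", "ja", "jb", "jg", "jl"}


def parse(listing):
    """Split an assembly listing into (mnemonic, [operands]) tuples."""
    instrs = []
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip()          # drop comments
        if not line:
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        instrs.append((mnem.lower(), ops))
    return instrs


def strip_junk(instrs):
    """Drop instructions with no effect: nop, mov r,r and push X / pop X pairs."""
    out = []
    for mnem, ops in instrs:
        if mnem == "nop":
            continue
        if mnem == "mov" and len(ops) == 2 and ops[0] == ops[1]:
            continue
        if mnem == "pop" and out and out[-1] == ("push", ops):
            out.pop()                                # push X ; pop X cancels out
            continue
        out.append((mnem, ops))
    return out


def canonicalize(instrs):
    """Rewrite substituted idioms to one canonical form (assumed rule set)."""
    out = []
    for mnem, ops in instrs:
        if mnem in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1]:
            mnem, ops = "mov", [ops[0], "0"]         # xor r,r / sub r,r == mov r,0
        elif mnem == "inc":
            mnem, ops = "add", [ops[0], "1"]
        elif mnem == "dec":
            mnem, ops = "sub", [ops[0], "1"]
        out.append((mnem, ops))
    return out


def rename_registers(text):
    """Replace registers by r0, r1, ... in order of first appearance."""
    seen = {}
    return REG_RE.sub(lambda m: seen.setdefault(m.group(1), f"r{len(seen)}"), text)


def normalized_blocks(listing):
    """Normalise a listing and return one fingerprint per basic block."""
    instrs = canonicalize(strip_junk(parse(listing)))
    blocks, cur = [], []
    for mnem, ops in instrs:
        cur.append(mnem + " " + ",".join(ops) if ops else mnem)
        if mnem in TERMINATORS:                      # control flow ends the block
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    return [hashlib.sha256(rename_registers("\n".join(b)).encode()).hexdigest()[:16]
            for b in blocks]


def equivalent_block_ratio(a, b):
    """Fraction of blocks in listing a that have an equivalent block in listing b."""
    fa, fb = normalized_blocks(a), normalized_blocks(b)
    return sum(1 for f in fa if f in fb) / len(fa) if fa else 0.0


# Constructed listings: an original block, a metamorphic rewrite of it, and an
# unrelated block that should not match.
ORIGINAL = """
mov eax, 0
mov ebx, [esp+4]
add eax, ebx
ret
"""
VARIANT = """
xor ecx, ecx        ; substituted for mov ecx, 0
nop                 ; inserted junk
mov edx, [esp+4]    ; registers renamed
push esi            ; inserted junk pair
pop esi
add ecx, edx
ret
"""
UNRELATED = """
mov eax, [esp+4]
imul eax, eax
ret
"""

if __name__ == "__main__":
    print("variant  :", equivalent_block_ratio(ORIGINAL, VARIANT))
    print("unrelated:", equivalent_block_ratio(ORIGINAL, UNRELATED))
```

Real obfuscation engines use far richer transformations, so a production matcher would work on a semantic representation (for instance symbolic effects on registers and memory) rather than on text rewrites; the example only shows why comparing normalized blocks, rather than raw bytes, is what lets one modified version be recognized as equivalent to another.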
