polymorphic malware
Recently Published Documents


TOTAL DOCUMENTS: 24 (five years: 4)
H-INDEX: 8 (five years: 0)

2021 ◽ Vol 4 (2) ◽ pp. 155-167 ◽ Author(s): Oleksandr S. Saprykin

The article is devoted to the development of models and methods for detecting Zero-Day threats in cyberspace, to improve the efficiency of detecting high-level malicious complexes that use polymorphic mutators. A method for detecting samples with antivirus solutions using a public and a local multiscanner is proposed. A method for diagnosing polymorphic malware using Yara rules is developed. A multicomponent service that allows organizing a free malware analysis solution with a hybrid deployment architecture across public and private clouds is described. The cloud service for detecting malware is based on open-source sandboxes and MAS, allows horizontal scalability in hybrid clouds, and shows high capacity while processing malicious and non-malicious objects. The main task of the service is to collect artifacts after dynamic and static object analysis in order to detect zero-day threats. The effectiveness of the proposed solutions is shown. The scientific novelty and originality consist in the creation of the following methods: 1) detecting the sample with preinstalled antivirus solutions that allow static scanning in separate threads without request limits, which increases the malware processing speed and restricts public access to confidential files; 2) diagnosing polymorphic malware using Yara rules, which allows detecting new modifications that are not detected by available solutions. The proposed hybrid system architecture allows performing a retrospective search by family, tracking changes in destructive components, collecting a database of malicious URLs to block traffic to C&C servers, collecting dropped and downloaded files, analyzing phishing email attachments, integrating with SIEM, IDS, IPS, antiphishing and Honeypot systems, improving the quality of SOC analysts' work, decreasing incident response times and blocking new threats that are not detected by available antivirus solutions.
The practical significance of the results lies in the development of a cloud service that combines the MAS Sandbox and a modified distributed Cuckoo sandbox, which allows responding to Zero-Day threats quickly, storing a knowledge base for artifact correlation between polymorphic malware samples, actively searching for new malware samples and integrating with cyber protection hardware and software systems that support the Cuckoo API.


This model implements ways to detect polymorphic malware using a dynamic approach. The objective is to increase the accuracy and efficiency of detection, since this kind of malware can morph itself, making it difficult to trace with anti-malware systems. Because tracing is difficult, the detection and classification system needs to be flexible enough to detect the malware in every possible environment. This objective is achieved by giving the system "superintelligence" in the form of Convolutional Neural Networks (CNNs). The method records the patterns, or traces, left by the polymorphic malware. Each pattern takes the form of an image produced by converting the binary representation of the hash codes. The generated images are then sent to the training module, and based on that training the Convolutional Neural Network gives a result for any test data.


2018 ◽ Vol 156 ◽ pp. 113-128 ◽ Author(s): Yehonatan Cohen ◽ Danny Hendler
