INFORMATION SYSTEM FOR METAMORPHIC MALWARE DETECTION AND IDENTIFICATION IN LOCAL NETWORK
DOI: https://doi.org/10.31891/2219-9365-2023-76-18
Keywords: metamorphic malware, obfuscation, modified emulators
Abstract
The paper proposes an information system for detecting and identifying metamorphic viruses in a local computer network. The system is built on two methods: a detection method that analyses program behavior using modified emulators running on hosts of the local network, and an identification method that searches for and compares equivalent functional blocks between programs. Both methods rest on comparing copies of the same metamorphic virus, which yields the set of features used to detect metamorphic viruses.
The system operates by sending a suspicious program, in a protected container, to other hosts in the network, where it is run in modified emulators so that any malicious activity can manifest. To give the modified emulators a variable execution environment, a set of parameters and settings that differ on each computer system in the local network is proposed. A fuzzy inference system forms the conclusion about how similar the suspicious program is to a metamorphic virus. The distinguishing feature of the proposed system is therefore that when malicious behavior has not manifested sufficiently on one host, other network hosts are involved to raise the reliability of detection. A series of experiments assessed detection accuracy and the false-positive rate for metamorphic viruses. The test set of metamorphic malware was produced with the metamorphic generators NGVCK, VCL32, G2 and MetaPHOR. The highest detection accuracy, 0.97, was recorded for viruses created with the G2 generator; the lowest, 0.8671, for NGVCK-generated malware. The lowest type I error rate (false positives) was recorded for the VCL32 samples (0.0587), and for the remaining generators this figure did not exceed 0.0641.
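The escalation loop sketched in the abstract, written out as an added illustration that is not the paper's code: a sample is run under emulators whose environment differs from host to host, each run yields a behaviour report, the reports are fused by a small fuzzy inference step, and further hosts are consulted only while the verdict is not yet conclusive. The feature names, the per-host environment parameters, the membership functions, the rules and the conviction threshold are all assumptions chosen for the illustration, and the three samples and their behaviour are constructed.

```python
"""Illustration (not the paper's code) of distributing a suspicious sample
across hosts with varied emulator environments and fusing the observed
behaviour with a zero-order Sugeno fuzzy inference step."""
from dataclasses import dataclass

# Constructed per-host emulator settings (assumed parameters, not the paper's list).
HOST_ENVIRONMENTS = [
    {"host": "ws-01", "hostname": "SANDBOX-01", "uptime_h": 0.2},
    {"host": "ws-02", "hostname": "ACCT-PC",    "uptime_h": 0.5},
    {"host": "ws-03", "hostname": "DEV-PC",     "uptime_h": 37},
    {"host": "ws-04", "hostname": "HR-PC",      "uptime_h": 120},
]


@dataclass
class BehaviourReport:
    """What one emulator run observed (assumed feature set)."""
    host: str
    self_modifying_writes: int     # writes into the program's own code pages
    decoded_code_executed: bool    # control transferred into freshly written code
    suspicious_api_calls: int      # e.g. infection-style process/file calls


def run_in_emulator(sample: str, env: dict) -> BehaviourReport:
    """Constructed stand-in for a modified emulator on one host."""
    if sample == "benign":
        return BehaviourReport(env["host"], 0, False, 2)
    if sample == "packed_installer":
        # Legitimate self-unpacking code: rewrites itself, runs the result, nothing else.
        return BehaviourReport(env["host"], 5, True, 0)
    # Constructed metamorphic sample: its decryptor only fires when the host looks
    # "real"; in a sandbox-like environment it idles, which is exactly the case in
    # which a single host's run shows insufficient malicious behaviour.
    looks_real = env["uptime_h"] > 1 and "SANDBOX" not in env["hostname"]
    if not looks_real:
        return BehaviourReport(env["host"], 0, False, 2)
    return BehaviourReport(env["host"], 8, True, 14)


def report_score(r: BehaviourReport) -> float:
    """Crisp behaviour score in [0, 1]: mean of three saturated indicators."""
    writes = min(r.self_modifying_writes, 10) / 10
    decoded = 1.0 if r.decoded_code_executed else 0.0
    api = min(r.suspicious_api_calls, 20) / 20
    return (writes + decoded + api) / 3


def _clamp01(v: float) -> float:
    return max(0.0, min(1.0, v))


def fuzzify(s: float) -> dict:
    """Membership of a score in the linguistic terms low / medium / high."""
    return {
        "low": _clamp01(1 - s / 0.4),                 # 1 at 0, fades out by 0.4
        "medium": _clamp01(1 - abs(s - 0.5) / 0.3),   # triangle 0.2 .. 0.5 .. 0.8
        "high": _clamp01((s - 0.6) / 0.4),            # starts at 0.6, 1 at 1.0
    }


def fuzzy_similarity(reports: list) -> float:
    """Zero-order Sugeno inference over the strongest (x) and mean (y) host score."""
    scores = [report_score(r) for r in reports]
    x, y = fuzzify(max(scores)), fuzzify(sum(scores) / len(scores))
    # (firing strength, consequent) pairs; AND is min.
    rules = [
        (x["high"], 0.9),                       # strong behaviour anywhere -> similar
        (min(x["medium"], y["medium"]), 0.6),   # moderate and consistent -> suspicious
        (min(x["medium"], y["low"]), 0.3),      # moderate but isolated -> weakly suspicious
        (x["low"], 0.1),                        # nothing manifested -> dissimilar
    ]
    total = sum(w for w, _ in rules)
    if total == 0:
        return 0.5  # no rule fired: undecided
    return sum(w * z for w, z in rules) / total


def detect(sample: str, hosts=HOST_ENVIRONMENTS, convict: float = 0.7):
    """Escalate across hosts until the sample is convicted or hosts run out.
    Returns (similarity, number of hosts consulted)."""
    reports = []
    similarity = 0.0
    for env in hosts:
        reports.append(run_in_emulator(sample, env))
        similarity = fuzzy_similarity(reports)
        if similarity >= convict:
            break
    return similarity, len(reports)


if __name__ == "__main__":
    for name in ("benign", "packed_installer", "metamorphic"):
        sim, used = detect(name)
        print(f"{name:17s} similarity={sim:.2f} hosts consulted={used}")
```

With these constructed inputs the metamorphic sample idles on the first two hosts and is convicted only after the third, whose environment looks like a real workstation; the benign and self-unpacking samples consume all four hosts and end at 0.1 and 0.6 respectively, the latter landing in the "suspicious" middle band that a practitioner would route to an analyst rather than auto-convict.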