ARCHITECTURE AND MEANS OF A MULTIAGENT SYSTEM FOR DETECTION OF POLYMORPHIC VIRUSES IN COMPUTER NETWORKS
DOI: https://doi.org/10.31891/2219-9365-2025-81-34
Keywords: polymorphic virus, intelligent agent, multi-agent system, Lotka-Volterra model, fuzzy logic inference system, methods for detecting polymorphic viruses
Abstract
This work is the first to develop the architecture of a multi-agent system for detecting polymorphic viruses which, through cascading delegation of authority, analyzes the environment, investigates the spread rate, detects and classifies polymorphic viruses, and applies different decision-making strategies depending on the type of threat. The system consists of intelligent agents (IA): IA «Analysis», IA «Spread Rate», IA «Detection», IA «Classification» and IA «Decision-Making», each performing an assigned role and interacting with the others. IA «Analysis» checks the system for suspicious or malicious actions by analyzing the file system, RAM, network traffic and process behavior; this includes collecting information about the software involved and performing in-depth analysis to determine the nature of the threat, its source and its possible impact. IA «Spread Rate» models the propagation of polymorphic viruses with the Lotka-Volterra model (where α is the probability that the number of polymorphic viruses increases; β is the probability that polymorphic viruses of different complexity levels are detected by the selected methods, technologies and tools; γ is the probability that some of the selected methods, technologies and tools cease to be effective against polymorphic viruses of different complexity levels because new variants of them emerge; and δ is the probability that polymorphic viruses of different complexity levels require the combined use of the selected methods, technologies and tools together with the latest approaches) and determines which polymorphic-virus detection methods should be used. IA «Detection» applies a set of detection methods (their number is determined by IA «Spread Rate»): string search algorithms, data mining, sandbox analysis, machine learning, the structural function development method, and PLN.
IA «Classification» performs a fuzzy classification of the polymorphic viruses found by IA «Detection» into 6 complexity levels using the following algorithm: determine the characteristics of the detected polymorphic viruses and build a logical inference tree; describe the linguistic variables; determine the membership functions of the linguistic terms; build the knowledge base of the fuzzy inference system; determine the probability that the file under study belongs to polymorphic viruses of each complexity level; perform the fuzzy classification of the polymorphic viruses. IA «Decision-Making» applies different decision-making strategies (alert, block, quarantine, delete) depending on the type of threat.
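As an added illustration of the spread-rate modelling described above (example code, not code from the paper), the following integrates the classical two-population Lotka-Volterra system with the roles the abstract assigns to α, β, γ and δ, and exposes the quantities a spread-rate agent would inspect: the equilibrium, the conserved invariant, and the swing in virus load. The assumption that the paper uses this classical form, the mapping x = active polymorphic-virus population and y = effective detection capacity, and the sample parameter values are all assumptions made here.

```python
import math

# Added example, not code from the paper. Assumption: the classical Lotka-Volterra form
#   dx/dt = alpha*x - beta*x*y,   dy/dt = delta*x*y - gamma*y
# with x = active polymorphic-virus population ("prey") and y = effective detection
# capacity of the selected methods ("predator"); alpha: virus growth, beta: detection,
# gamma: methods losing effectiveness to new variants, delta: need for combined methods.

def lv_rates(x, y, alpha, beta, gamma, delta):
    """Right-hand side of the Lotka-Volterra system."""
    return alpha * x - beta * x * y, delta * x * y - gamma * y

def rk4_step(x, y, alpha, beta, gamma, delta, dt):
    """One 4th-order Runge-Kutta step (explicit Euler would drift off the closed orbit)."""
    k1x, k1y = lv_rates(x, y, alpha, beta, gamma, delta)
    k2x, k2y = lv_rates(x + dt / 2 * k1x, y + dt / 2 * k1y, alpha, beta, gamma, delta)
    k3x, k3y = lv_rates(x + dt / 2 * k2x, y + dt / 2 * k2y, alpha, beta, gamma, delta)
    k4x, k4y = lv_rates(x + dt * k3x, y + dt * k3y, alpha, beta, gamma, delta)
    return (x + dt / 6 * (k1x + 2 * k2x + 2 * k3x + k4x),
            y + dt / 6 * (k1y + 2 * k2y + 2 * k3y + k4y))

def simulate(x0, y0, alpha, beta, gamma, delta, dt=0.01, steps=5000):
    """Integrate from (x0, y0); returns the list of (x, y) points including the start."""
    traj = [(x0, y0)]
    x, y = x0, y0
    for _ in range(steps):
        x, y = rk4_step(x, y, alpha, beta, gamma, delta, dt)
        traj.append((x, y))
    return traj

def equilibrium(alpha, beta, gamma, delta):
    """Non-trivial fixed point: virus load gamma/delta, detection capacity alpha/beta."""
    return gamma / delta, alpha / beta

def invariant(x, y, alpha, beta, gamma, delta):
    """Conserved quantity of the classical model, constant along an exact trajectory."""
    return delta * x - gamma * math.log(x) + beta * y - alpha * math.log(y)

def virus_load_range(traj):
    """Lowest and highest virus load on the trajectory: the swing the agent would report."""
    xs = [x for x, _ in traj]
    return min(xs), max(xs)

if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    params = dict(alpha=0.6, beta=0.4, gamma=0.5, delta=0.25)
    traj = simulate(2.0, 1.0, **params)
    print("equilibrium:", equilibrium(**params), "virus load min/max:", virus_load_range(traj))
```

With the sample values the virus load oscillates around the equilibrium of 2.0 rather than settling, which is why the abstract has the spread-rate agent decide how many detection methods to deploy instead of assuming a single fixed level of detection pressure.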
License
Copyright (c) 2025 Максим ЧАЙКОВСЬКИЙ

This work is licensed under a Creative Commons Attribution 4.0 International License.