METHOD FOR MALWARE DETECTION BASED ON THE NETWORK TRAFFIC ANALYSIS AND SOFTWARE BEHAVIOR IN COMPUTER SYSTEMS

Source: https://journals.khnu.km.ua/vestnik/?p=2299 (posted 2021-01-18, last modified 2021-02-16)
Full text (PDF): http://journals.khnu.km.ua/vestnik/wp-content/uploads/2021/01/3-12.pdf
Pages: 7-11. Issue: No. 4, 2020 (287)

Authors:
K. BOBROVNIKOVA, D. DENYSIUK
Khmelnytskyi National University

DOI: https://www.doi.org/10.31891/2307-5732-2020-287-4-7-11
Peer review: 15.10.2020
Printed: 02.11.2020

Abstract (translated from the Ukrainian original)

The paper presents a method for detecting malware by analysing network traffic and software behaviour in computer systems. The method is based on the classification of sets of API calls extracted from control flow graphs constructed for software applications, and uses analysis of the DNS traffic of the computer network. A combination of a deep neural network and a recurrent neural network is used as the classifier. Applying the developed method made it possible to increase the reliability of malware detection in computer systems.
Keywords: malware, computer systems, detection reliability, cyberattack, network traffic.

Extended abstract in English

The paper presents a method for malware detection by analyzing network traffic and software behavior in computer systems. The method is based on the classification of API call sets extracted from control flow graphs constructed for software applications, combined with analysis of the DNS traffic of the computer network. A combination of a deep neural network and a recurrent neural network is used as the classifier. The proposed method consists of two stages: a learning stage for the deep neural network and the recurrent neural network, and a malware detection stage. The steps of malware detection are: construction of a set of control flow graphs for the software applications in the computer system; construction of the set of APIs used, based on the set of control flow graphs; construction of a set of API frequencies on the basis of the set of control flow graphs; construction of a set of API sequences based on the set of control flow graphs; extraction of features from the network DNS traffic; construction of a test sample; processing of the test sample using the deep neural network; processing of the test sample using the recurrent neural network; combination of the malware detection results of the deep neural network and the recurrent neural network; removal of the malicious software. Experimental studies were carried out; their results showed that using the deep neural network makes it possible to achieve malware detection reliability in the range from 94.75% to 98.66%, and using the recurrent neural network from 96.63% to 99.17%. Combining the classification results of the deep and recurrent neural networks gives the best results, with malware detection reliability in the range from 97.29% to 99.42%. Using the developed method increased the reliability of malware detection in computer systems.
Keywords: malware, computer systems, detection efficiency, cyberattack, network traffic.