ANALYSIS WORKS ALGORITHMS INFORMATION PROTECTION ON THE BASIS OF SELF-MODIFYING CODE WITH HIDDEN EMBEDDING
Shterenberg Stanislav Igorevich,
postgraduate student, the Bonch-Bruevich Saint-Petersburg State University of Telecommunications, St. Petersburg, Russia, [email protected]
Keywords: self-modification; computer viruses; local computer networks; steganography; data protection.
In today's world, most organizations actively use local computer networks to handle a variety of information. Communication channels with high bandwidth are used to transfer information from one network node to another. Existing data protection tools do not always cope quickly with the tasks of successful steganographic transformation. Any local area network requires additional special controls in addition to those available in standard network operating systems. Typically, the network management system operates in an automated mode, performing the simplest network management steps automatically and leaving complex decisions to a person on the basis of the information prepared by the system.
This work reviews a kind of control based on a mathematical model of the propagation of self-modifying programs in networks that allows the "steganographic" period of information introduction into files to be taken into account. It describes approaches for responding to an abnormal network state that results from an attack, and the choice of an effective security solution. The problems of predicting the spread of self-modifying code to local computer network nodes over small time intervals are considered. The task of developing a method for managing a local area network based on short-term forecasting of the spread of self-modifying programs, allowing the information security management authority to make timely decisions on restoring the required network security level on the basis of the current and short-term predicted spread of virus attacks, is relevant for today's adaptive information security tools. An important point is the task of implementing a self-modifying application. Such an application is generally understood as any semi-resident program whose start-up functions include polymorphic transformation of sections of its code. This means that at a given moment in time the self-modifying program automatically replaces its former working algorithm with any random one pre-registered in the code. The complexity of such operations is currently not high, but it contributes to the development of a multitude of malicious software. However, if the features of polymorphism are applied in steganography, it is possible to create reliable means of protecting information against the factor of violation of information integrity in the local area network.
Introduction
The process of LAN control based on short-term prediction of the spread of self-modifying code across the network nodes can be represented as a closed loop consisting of separate phases (Figure 1). The first four phases of the cycle make up processing and analysis, and the rest form the control cycle [1].
The processing and analysis cycle solves the problem of generalizing, processing and determining the status of self-modifying code proliferation across the network nodes at a given time, and of transferring this information to the Network Operations Center (NOC). The control cycle is responsible for forecasting the spread of self-modifying code across network nodes and adopting appropriate decisions on the basis of these data.
Consider more closely the steps involved in forecasting self-modifying code proliferation across network nodes. To predict the spread of self-modifying code, it was decided to use one of the methods based on the methodology of forecasting models: Model Predictive Control (MPC). This methodology has been applied for nearly half a century (since the late 1960s and early 1970s) to control various technological and chemical processes in petroleum refining, medicine, energy, robotics, etc., which testifies to its effectiveness and versatility.
The process of developing the LAN control method based on short-term forecasting of self-modifying code proliferation can be divided into the following stages: a description of the model of self-modifying code proliferation in the LAN, the criteria for a safe state of the LAN, and the calculation of the control law.
One of the advantages of the predictive-model methodology is the ability to study a multifactor process in advance. On this basis, following the analysis in [2], the prediction method chosen is based on the state-space model: State-Space Model Predictive Control (SSMPC).
To apply the SSMPC method it is necessary to construct a mathematical model of the control object, which is later used to predict the output of the information network on the basis of past and current values and to estimate the optimal control actions in the future. These actions are computed by an optimizer that also takes into account a quality criterion (which accounts for the future error) and the restrictions on the process variables describing the control object.
The selected model should capture the dynamics of the process so as to accurately predict future output values, and be simple to implement and understand.
Implementation
Consider the LAN management process shown in Fig. 1.
The spread of self-modifying code in the LAN on the time interval [0, T] is described by an epidemiological model under the following assumptions:
1. N is the total number of machines in the LAN. A LAN consisting of N nodes can be described by a matrix $G \in \{0,1\}^{N \times N}$ of the form

$$G_{ij} = \begin{cases} 1, & \text{if nodes } i \text{ and } j \text{ are interconnected} \\ 0, & \text{if nodes } i \text{ and } j \text{ are not connected} \end{cases} \qquad (1)$$
2. An arbitrary node in the network can be in one of three states: vulnerable (S), infected (I), or insensitive (R).
3. The distribution of copies of the self-modifying code is described by the function $f(S(t), I(t), R(t), B, \tau_{\text{restore}}, \tau_{\text{overview.knots.net}}, P_{\text{far.knots.net}})$, where S(t) is the number of vulnerable network nodes, I(t) the number of infected nodes, R(t) the number of refractory (immune) network nodes, $B = (\beta_1(t), \ldots, \beta_m(t))$ the vector of the attacker's known network settings, $P_{\text{far.knots.net}}$ the probability of infection of a vulnerable network node, $\tau_{\text{restore}}$ the average time required for a node to pass from the hidden state to an observable one, and $\tau_{\text{overview.knots.net}}$ the average time required for hidden embedding of the self-modifying code into a LAN node.

Fig. 1. The process of managing a LAN from the network control center.
4. The self-modifying code spreads over the network without user intervention, and repeated hidden embedding of the same self-modifying code into a node is impossible.
In the simplest case $\beta$ is determined by the average network scanning speed of the malware ($v_s$) and the size of its address space ($N_p$):

$$\beta = v_s \frac{N}{N_p} \qquad (2)$$
The following conclusions can be drawn from the analysis of this model:
1. Distribution of the self-modifying code is only possible if $R_0 = \beta > 1$.
2. S(t), I(t), R(t) are monotonically increasing, monotonically decreasing and unimodal functions, respectively.
Equations (1) and (2) make it possible to describe the state of the LAN more accurately, moving away from the traditional approach that describes only the state of individual nodes at a point in time, and to evaluate more fully the pace and area of spread of self-modifying code [3]. To describe the process, the model uses equations describing the emergence and change over time of the number of node pairs [AB] and node triples [ABC], where A, B and C take values from the set {S, I, R}. Introduce the following parameters: $\tau$ characterizes the rate of spread of the self-modifying code through contact of an embedded node with a vulnerable one; n is the average number of neighbouring nodes per node; $\varphi$ characterizes the ratio of the number of triangles to the number of triples. $\varphi$ is a measure of the interconnectedness of a node's local neighbours: if $\varphi$ is large, the elements of a pair (vertices) are connected to a large number of common nodes; if $\varphi$ is small, the network is dominated by connections intended for transmitting information over long distances (Fig. 2). The parameters n and $\varphi$ adequately characterize the basic structure of the network.
For Fig. 2a $\varphi = 0.7$ and triangles occur in the most general case, while for Fig. 2b $\varphi = 0.2$ and the network structure is not so obvious [4, 5].
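As an added illustration (not from the paper), the following Python computes n and $\varphi$ from the adjacency matrix G of equation (1), first for a constructed six-node graph and then for a seeded random network of the Fig. 2 kind (N = 100, n = 5). The normalisation $\varphi = 3 \cdot \text{triangles} / \text{triples}$ (graph transitivity) and the Erdős–Rényi wiring of the random network are assumptions; the page only states "the ratio of triangles to triples".

```python
import itertools
import random

def adjacency_from_edges(n_nodes, edges):
    """Symmetric 0/1 matrix G of eq. (1): G[i][j] = 1 iff nodes i and j are connected."""
    G = [[0] * n_nodes for _ in range(n_nodes)]
    for i, j in edges:
        G[i][j] = G[j][i] = 1
    return G

def average_degree(G):
    """Parameter n: the average number of neighbouring nodes per node."""
    return sum(sum(row) for row in G) / len(G)

def clustering_phi(G):
    """Parameter phi: ratio of triangles to connected triples.
    Assumed normalisation: 3 * triangles / triples (graph transitivity)."""
    degrees = [sum(row) for row in G]
    triples = sum(d * (d - 1) // 2 for d in degrees)          # paths of length 2
    triangles = sum(1 for i, j, k in itertools.combinations(range(len(G)), 3)
                    if G[i][j] and G[j][k] and G[i][k])
    return 3 * triangles / triples if triples else 0.0

def random_lan(n_nodes=100, mean_degree=5, seed=7):
    """Constructed random LAN in the spirit of Fig. 2 (N = 100, n = 5);
    assumed Erdos-Renyi wiring with edge probability mean_degree / (N - 1)."""
    rng = random.Random(seed)
    p = mean_degree / (n_nodes - 1)
    edges = [e for e in itertools.combinations(range(n_nodes), 2) if rng.random() < p]
    return adjacency_from_edges(n_nodes, edges)

# Constructed toy LAN: triangle 0-1-2 plus a chain 2-3-4-5 (a "long-distance" tail)
TOY_EDGES = [(0, 1), (1, 2), (0, 2), (2, 3), (3, 4), (4, 5)]

if __name__ == "__main__":
    toy = adjacency_from_edges(6, TOY_EDGES)
    print("toy LAN:    n = %.2f, phi = %.3f" % (average_degree(toy), clustering_phi(toy)))
    lan = random_lan()
    print("random LAN: n = %.2f, phi = %.3f" % (average_degree(lan), clustering_phi(lan)))
```

The random network has a small $\varphi$ (close to its edge probability), i.e. it resembles the long-distance-dominated structure of Fig. 2b rather than the triangle-rich structure of Fig. 2a.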
In this model the two orderings of a pair of nodes cannot be distinguished; eliminating this symmetry, we introduce the differential equations needed to describe the state of self-modifying code proliferation on the LAN:
(3)
The distribution of self-modifying code over LAN nodes and personal computers can be divided into three stages:
1. Relatively slow (but nevertheless exponential) growth of the self-modifying code presence (the self-modifying code share) up to a threshold level of 0.05, where the share is defined as $k_{\text{smc}} = I/N$. The doubling time of the share of infected computers is $\ln(2)/\beta$.
2. The phase of distribution over the maximum range, $0.05 < k_{\text{smc}} < 0.95$. Its duration is approximately $5.89/\beta$.
3. Saturation, $k_{\text{smc}} > 0.95$. At this stage infected nodes mostly contact each other during random scanning of the address space, so the surviving nodes may remain "clean" for an indefinitely long time.
To reach the saturation threshold $k_{\text{smc}} = 0.95$ it takes the time

$$t = \frac{1}{\beta} \ln\left[19 \, \frac{1 - k_{\text{smc.begin}}}{k_{\text{smc.begin}}}\right] \qquad (4)$$

where $k_{\text{smc.begin}}$ is the share of self-modifying code in the LAN at the initial time $t_0$.
From these data it can be concluded that a safe state of the network with respect to self-modifying code can be regarded as a state in which the share of self-modifying code present on computers or network nodes does not exceed 5%.
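The three stages, the 5% safe-state threshold and equation (4) can be checked numerically. The Python below is an added example, not the paper's code: it derives $\beta$ from constructed values of $v_s$, N and $N_p$ via equation (2), models the infected share $k_{\text{smc}}(t)$ as logistic growth at rate $\beta$ (an assumption, chosen because it reproduces the doubling time $\ln 2/\beta$ and the $5.89/\beta$ duration of stage 2 stated on the page), classifies a share into its stage, and confirms equation (4) against a direct Euler integration.

```python
import math

def infection_rate(v_s, N, N_p):
    """Eq. (2): beta = v_s * N / N_p, with v_s the malware's average scanning
    speed, N the LAN size and N_p the size of the scanned address space."""
    return v_s * N / N_p

def smc_share(k0, beta, t):
    """Share of infected nodes k_smc(t) = I(t)/N under logistic growth at rate
    beta from an initial share k0 (assumed model; it reproduces the page's
    doubling time ln2/beta and the 0.05 -> 0.95 duration of 5.89/beta)."""
    e = math.exp(beta * t)
    return k0 * e / (1.0 - k0 + k0 * e)

def stage(k):
    """Classify a share against the three stages; stage 1 is the safe state (<= 5%)."""
    if k <= 0.05:
        return 1
    return 2 if k < 0.95 else 3

def doubling_time(beta):
    """Stage 1: time for the share of infected computers to double."""
    return math.log(2.0) / beta

def time_to_saturation(k0, beta):
    """Eq. (4): time to reach k_smc = 0.95 from the initial share k_smc.begin = k0."""
    return math.log(19.0 * (1.0 - k0) / k0) / beta

def simulate_until(k0, beta, target, dt=0.01):
    """Independent check of eq. (4): Euler-integrate dk/dt = beta*k*(1-k)
    until the share reaches target; returns the elapsed time."""
    k, t = k0, 0.0
    while k < target:
        k += beta * k * (1.0 - k) * dt
        t += dt
    return t

if __name__ == "__main__":
    beta = infection_rate(v_s=10.0, N=100, N_p=2 ** 16)     # constructed values
    print("beta = %.5f, doubling time = %.1f" % (beta, doubling_time(beta)))
    print("stage-2 duration ~ %.1f (5.89/beta)" % (math.log(361.0) / beta))
    t_sat = time_to_saturation(0.01, beta)
    print("eq. (4): %.1f, simulated: %.1f" % (t_sat, simulate_until(0.01, beta, 0.95)))
    for t in (0.0, t_sat / 2, t_sat):
        k = smc_share(0.01, beta, t)
        print("t = %6.1f  k_smc = %.3f  stage %d" % (t, k, stage(k)))
```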
Fig. 2. Examples of a network consisting of one hundred nodes (N = 100) with an average number of connections per node equal to 5 (n = 5).
Calculation of the control law by the SSMPC method includes the following steps. At each step of the SSMPC algorithm, a sequence of control actions of fixed length over the prediction horizon is calculated by minimizing an objective function that includes the computed output of the system at time (t + 1). Optimization of this function is a nonlinear programming problem, solved subject to the restrictions imposed on the inputs and outputs of the system. The control sequence is transmitted to the NOC; the time horizon is then shifted one step further and the next control actions are calculated. This technique is called Receding Horizon Control. To apply the SSMPC method it is necessary to use the information on the object model discussed in the first stage.
Let $x = ([I], [SI], [II], [S], [SS])$ be the vector of state variables and $u = (u_1, u_2)$ the vector of control actions. The output vector characterizing the distribution of self-modifying code across the network is $y = ([I], [SI])$; this vector represents the number of infected nodes and the number of links between infected and vulnerable nodes. Let the continuous time axis be divided into an infinite number of finite intervals of equal length $\Delta t$. The distribution of self-modifying code is considered at times $t = k\Delta t$, where $k \in \mathbb{Z}$. Assume that the control actions $u_1, u_2$ remain constant over the interval $[k\Delta t, (k+1)\Delta t]$. Then the equations for the state and output values can be written as follows:
$$x(k+1) = F(x(k), u(k)) \qquad (5)$$

$$y(k+1) = h(x(k+1)) \qquad (6)$$
where $x(k) \in \mathbb{R}^5$ is the vector of state variables, $u \in \mathbb{R}^2$ the vector of control actions, and $y(k) \in \mathbb{R}^2$ the vector of output values. In general:
$$x(k+j\,|\,k) = F\big(x(k+j-1\,|\,k),\, (u_1(k+j-1\,|\,k),\, u_2(k+j-1\,|\,k))\big), \qquad (7)$$

$$y(k+j\,|\,k) = h(x(k+j\,|\,k)), \quad j = 0, 1, 2, \ldots, P-1,$$
where P is the length of the forecasting horizon. The objective function to be minimized has the form:
(8)
where $\lambda_1, \lambda_2, \lambda_3, \lambda_4$ are parameters affecting the spread of the hidden embedding, and $\Delta u_i(k+j\,|\,k) = u_i(k+j\,|\,k) - u_i(k+j-1\,|\,k)$ is the predicted increment of the control action at time k+j, calculated at time k.
On the basis of these data, a network control algorithm based on short-term forecasting of the spread of self-modifying code is formed. The initial data are taken as [I] = 0, [S] = 0; the number of machines with embedded self-modifying code is 0.
The algorithm of the network management method based on short-term forecasting of SMC proliferation is shown in Fig. 3.
Fig. 3. Algorithm of the LAN control method based on short-term forecasting of the spread of self-modifying code.
Conclusion
Using this algorithm makes it possible to generate control actions according to the set objective (the share of infected nodes must not exceed 5%) while taking into account the spread of self-modifying code on the network in real time: each control step uses the actual data on the dissemination of self-modifying code across the network nodes. Forecasting of the hidden embedding of self-modifying code is used when calculating the control law, and the resulting control values provide so-called "proactive management", which allows effective measures against the spread of potential viruses to be taken in advance, rather than reacting to the situation only after the attacker's next step or after a threat has been implemented by malicious software.
References
1. Kucher V.A., Atroschenko V.A., Vidovsky L.A., Trofimov V.M. Model of information security management processes of computer networks // Science journal KubGAU. 2009. No. 110 (6). Pp. 1779-1787. (In Russian).
2. Rohloff K. Stochastic Behavior of Random Constant Scanning Worms // Computer Communications and Networks, 2005. ICCCN 2005. Proceedings. 14th International Conference on 17-19 Oct. 2005. Pp. 339-344. URL: http://citforum.ru/security/virus/ch_dinamic/ (date of access 15.04.2016).
3. Zakharchenko A.A. Chervodinamika: causes and consequences // Information Security. Confident. 2004. No. 2. URL: http://citforum.ru/security/virus/ch_dinamic/ (date of access 28.03.2016). (In Russian).
4. Andrianov V.I., Romanov G.G., Shterenberg S.I. Aktual'nye problemy infotelekommynikatsii v nauke i obrazovanii IV Mezhdunarodnaya naychno-tekhnicheskaya i naychno-metodicheskaya konferentsiya [Expert in the field of information security systems, In: Recent infotelecommunications problems in science and education IV International scientific-technical and scientific-methodical conference: collection of scientific articles]. 2015. Pp. 193-197. (In Russian).
5. Shterenberg S.I. A method for constructing a search engine for primitive adaptive programs of action. H&ES Research. 2015. Vol. 7. No. 4. Pp. 52-57. (In Russian).
For citation:
Shterenberg S.I. Analysis works algorithms information protection on the basis of self-modifying code with hidden embedding. H&ES Research. 2016. Vol. 8. No. 2. Pp. 86-90.
ANALYSIS OF THE OPERATION OF INFORMATION PROTECTION ALGORITHMS BASED ON SELF-MODIFYING CODE USING STEGANOGRAPHIC EMBEDDING
Shterenberg Stanislav Igorevich,
St. Petersburg, Russia, [email protected]
Abstract
In the modern world, most organizations actively use local area networks in their work to process various kinds of information. To transfer information from one network node to another, channels with high bandwidth are used. Existing information protection tools do not always cope promptly with the tasks of successful steganographic transformation. Any local area network requires additional special management tools beyond those available in standard network operating systems. Usually the network management system operates in an automated mode, performing the simplest network management actions automatically and leaving complex decisions to a person on the basis of information prepared by the system.
The work considers a kind of control based on a mathematical model of the spread of self-modifying programs in networks that makes it possible to take into account the "steganographic" period of embedding information into files. It describes approaches to responding to an abnormal network state arising from an attack and the choice of an effective security system solution. The problems of predicting the spread of self-modifying code to local area network nodes over short time intervals are considered. The task of developing a method for managing local area networks on the basis of short-term forecasting of the spread of self-modifying programs, which allows the information security management body to make timely decisions on restoring the required level of network information security on the basis of the current and short-term predicted spread of virus attacks, is relevant for modern adaptive information protection tools.
An important point is the task of implementing a self-modifying application. Such an application is usually understood as any semi-resident program whose start-up procedure includes polymorphic transformation of sections of the program code. This means that at a particular moment in time the self-modifying program automatically replaces its previous working algorithm with any random one written into the code in advance. The complexity of such operations is currently not high, but it contributes to the development of a multitude of malicious programs. However, if the features of polymorphism are applied in steganography, it becomes possible to create reliable means of protecting information against the factor of violation of information integrity in a local area network.
Keywords: self-modification; computer viruses; local area networks; steganography; information protection
About the author:
Shterenberg S.I., postgraduate student of the Bonch-Bruevich Saint-Petersburg State University of Telecommunications.
For citation:
Shterenberg S.I. Analysis of the operation of information protection algorithms based on self-modifying code using steganographic embedding. Наукоемкие технологии в космических исследованиях Земли. 2016. Vol. 8. No. 2. Pp. 86-90.