<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">mais</journal-id><journal-title-group><journal-title xml:lang="ru">Моделирование и анализ информационных систем</journal-title><trans-title-group xml:lang="en"><trans-title>Modeling and Analysis of Information Systems</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1818-1015</issn><issn pub-type="epub">2313-5417</issn><publisher><publisher-name>Yaroslavl State University</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.18255/1818-1015-2024-2-152-163</article-id><article-id custom-type="elpub" pub-id-type="custom">mais-1851</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>Computer System Organization</subject></subj-group></article-categories><title-group><article-title>Об исследовании одного способа выявления аномального выполнения программы</article-title><trans-title-group xml:lang="en"><trans-title>On the study of one way to detect anomalous program execution</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0002-1491-524X</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Косолапов</surname><given-names>Юрий Владимирович</given-names></name><name name-style="western" xml:lang="en"><surname>Kosolapov</surname><given-names>Yury V.</given-names></name></name-alternatives><email xlink:type="simple">itaim@mail.ru</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0009-0007-4565-6950</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Павлова</surname><given-names>Татьяна Александровна</given-names></name><name name-style="western" xml:lang="en"><surname>Pavlova</surname><given-names>Tatjyana A.</given-names></name></name-alternatives><email xlink:type="simple">tapavlova@sfedu.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Южный федеральный университет</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Southern Federal University</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2024</year></pub-date><pub-date pub-type="epub"><day>13</day><month>06</month><year>2024</year></pub-date><volume>31</volume><issue>2</issue><fpage>152</fpage><lpage>163</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Косолапов Ю.В., Павлова Т.А., 2024</copyright-statement><copyright-year>2024</copyright-year><copyright-holder xml:lang="ru">Косолапов Ю.В., Павлова Т.А.</copyright-holder><copyright-holder xml:lang="en">Kosolapov Y.V., Pavlova T.A.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.mais-journal.ru/jour/article/view/1851">https://www.mais-journal.ru/jour/article/view/1851</self-uri><abstract><p>Разработка более точных и адаптивных методов обнаружения вредоносного кода является критической задачей в контексте постоянно эволюционирующих угроз кибербезопасности. Это требует постоянного внимания к новым уязвимостям и методам атак, а также поиска инновационных подходов к обнаружению и предотвращению киберугроз. В работе исследуется алгоритм обнаружения исполнения вредоносного кода в процессе защищаемой программы. Этот алгоритм основан на ранее предложенном подходе, когда легитимное исполнение защищаемой программы описывается профилем разностей адресов возврата вызываемых функций, называемым также профилем расстояний. Введено такое понятие, как позиционное расстояние, которое определяется разницей между номерами вызовов в трассе программы. Основным изменением стала возможность добавления в профиль расстояний между адресами возврата не только соседних функций, а также нескольких предыдущих с заданным позиционным расстоянием. Кроме модификации алгоритма обнаружения, в работе разработано средство автоматизации построения профиля расстояний и экспериментально исследуется зависимость вероятности ложного обнаружения нетипичного расстояния от длительности обучения для четырех известных браузеров. Эксперименты подтверждают, что при незначительном увеличении времени проверки число нетипичных расстояний, обнаруживаемых предложенным алгоритмом, может быть существенно меньше числа нетипичных расстояний, выявляемых базовым алгоритмом. Однако следует отметить, что при этом эффект перехода от базового алгоритма к предложенному, как показали результаты, зависит от характеристик конкретной защищаемой программы. Исследование подчеркивает важность постоянного совершенствования методов обнаружения вредоносного кода, чтобы адаптировать их к изменяющимся угрозам и условиям эксплуатации программного обеспечения. В итоге это позволит обеспечить более надежную защиту информации и систем от кибератак и других киберугроз.</p></abstract><trans-abstract xml:lang="en"><p>Developing more accurate and adaptive methods for detecting malicious code is a critical challenge in the context of constantly evolving cybersecurity threats. This requires constant attention to new vulnerabilities and attack methods, as well as the search for innovative approaches to detecting and preventing cyber threats. The paper examines an algorithm for detecting the execution of malicious code in the process of a protected program. This algorithm is based on a previously proposed approach, when the legitimate execution of a protected program is described by a profile of differences in the return addresses of called functions, also called a distance profile. A concept has been introduced called positional distance, which is determined by the difference between the call numbers in the program trace. The main change was the ability to add to the profile the distances between the return addresses of not only neighboring functions, but also several previous ones with a given positional distance. In addition to modifying the detection algorithm, the work developed a tool for automating the construction of a distance profile and experimentally studied the dependence of the probability of false detection of an atypical distance on the training duration for four well-known browsers. Experiments confirm that with a slight increase in verification time, the number of atypical distances detected by the proposed algorithm can be significantly less than the number of atypical distances detected by the basic algorithm. However, it should be noted that the effect of the transition from the basic algorithm to the proposed one, as the results showed, depends on the characteristics of the specific program being protected. The study highlights the importance of continually improving malware detection techniques to adapt them to changing threats and software operating conditions. As a result, this will ensure more reliable protection of information and systems from cyber attacks and other cyber threats.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>эксплойты</kwd><kwd>защита программ</kwd><kwd>аномальное выполнение программы</kwd></kwd-group><kwd-group xml:lang="en"><kwd>exploits</kwd><kwd>program protection</kwd><kwd>abnormal program execution</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">K. Lee, J. Lee, and K. Yim, “Classification and analysis of malicious code detection techniques based on the APT attack,” Applied Sciences, vol. 13, no. 5, p. 2894, 2023.</mixed-citation><mixed-citation xml:lang="en">K. Lee, J. Lee, and K. Yim, “Classification and analysis of malicious code detection techniques based on the APT attack,” Applied Sciences, vol. 13, no. 5, p. 2894, 2023.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">A. Hofmeyr, S. Forrest, and A. Somayaji, “Intrusion detection using sequences of system calls,” Journal of computer security, vol. 6, no. 3, pp. 151–180, 1998.</mixed-citation><mixed-citation xml:lang="en">A. Hofmeyr, S. Forrest, and A. Somayaji, “Intrusion detection using sequences of system calls,” Journal of computer security, vol. 6, no. 3, pp. 151–180, 1998.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">D. Wagner and P. Soto, “Mimicry attacks on host-based intrusion detection systems,” in Proceedings of the 9th ACM conference on Computer and communications security, 2002, pp. 255–264.</mixed-citation><mixed-citation xml:lang="en">D. Wagner and P. Soto, “Mimicry attacks on host-based intrusion detection systems,” in Proceedings of the 9th ACM conference on Computer and communications security, 2002, pp. 255–264.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Y. Kosolapov, “On one method for detecting exploitation of vulnerabilities and its parameters,” Sistemy i Sredstva Informatiki [Systems and Means of Informatics], vol. 31, no. 4, pp. 48–60, 2021.</mixed-citation><mixed-citation xml:lang="en">Y. Kosolapov, “On one method for detecting exploitation of vulnerabilities and its parameters,” Sistemy i Sredstva Informatiki [Systems and Means of Informatics], vol. 31, no. 4, pp. 48–60, 2021.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Y. Kosolapov, “On the Detection of Exploitation of Vulnerabilities That Leads to the Execution of a Malicious Code,” Automatic Control and Computer Sciences, vol. 55, pp. 827–837, 2021.</mixed-citation><mixed-citation xml:lang="en">Y. Kosolapov, “On the Detection of Exploitation of Vulnerabilities That Leads to the Execution of a Malicious Code,” Automatic Control and Computer Sciences, vol. 55, pp. 827–837, 2021.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">R. Batra, “API monitor.” 2013, Accessed: Apr. 21, 2024. [Online]. Available: http://www.rohitab.com/apimonitor.</mixed-citation><mixed-citation xml:lang="en">R. Batra, “API monitor.” 2013, Accessed: Apr. 21, 2024. [Online]. Available: http://www.rohitab.com/apimonitor.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">A. Kechahmadze and Y. Kosolapov, “Method for detecting exploits based on the profile of differences between function call addresses,” Informatika i sistemy upravleniya, vol. 73, no. 3, pp. 106–116, 2022.</mixed-citation><mixed-citation xml:lang="en">A. Kechahmadze and Y. Kosolapov, “Method for detecting exploits based on the profile of differences between function call addresses,” Informatika i sistemy upravleniya, vol. 73, no. 3, pp. 106–116, 2022.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">“Exploit Protection Reference.” 2023, Accessed: Apr. 21, 2024. [Online]. Available: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide.</mixed-citation><mixed-citation xml:lang="en">“Exploit Protection Reference.” 2023, Accessed: Apr. 21, 2024. [Online]. Available: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">A. Sweigart, “PyAutoGUI documentation.” 2021, Accessed: Apr. 21, 2024. [Online]. Available: https://readthedocs.org/projects/pyautogui/downloads/pdf/latest/.</mixed-citation><mixed-citation xml:lang="en">A. Sweigart, “PyAutoGUI documentation.” 2021, Accessed: Apr. 21, 2024. [Online]. Available: https://readthedocs.org/projects/pyautogui/downloads/pdf/latest/.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Y. Ding, T. Wei, H. Xue, Y. Zhang, C. Zhang, and X. Han, “Accurate and efficient exploit capture and classification,” Science China. Information Sciences, vol. 60, pp. 052110:1–052110:17, 2017.</mixed-citation><mixed-citation xml:lang="en">Y. Ding, T. Wei, H. Xue, Y. Zhang, C. Zhang, and X. Han, “Accurate and efficient exploit capture and classification,” Science China. Information Sciences, vol. 60, pp. 052110:1–052110:17, 2017.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
