Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

система киберзащиты

540 views

Published on

security

Published in: Technology
  • Be the first to comment

  • Be the first to like this

система киберзащиты

  1. 1. Intelligent Cyber Defense System based on Artificial Immune and Neural Networks Brest State Technical University, Brest, Belarus Intelligent Information Technologies Department Prof. Vladimir Golovko, Dr. Sergei Bezobrazov
  2. 2. Application Domain Malware Detection Intrusion Detection Mobile Devices Protection Personal Encryption Cloud Computing Security
  3. 3. Achievements Artificial Neural Network Artificial Immune System Intelligent Cyber- Defense System Malware Detection Intrusion Detection Mobile Devices Protection  IDAACS ‘07, IDAACS ’09, IDAACS ’11, IDAACS ’13, IDAACS ‘15  Patent No. 74822 “The Method of Computer Attacks Detection using Artificial Neural Immune System” UA  Kaspersky Lab’s grant “Prototype of Intelligent Self- Organized System for Executable Code Classification”  Belarusian Ministry of Education grants
  4. 4. 20 Malware Detection
  5. 5. Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, or gain access to private computer systems. Malware is defined by its malicious intent, acting against the requirements of the computer user. Malware Files Submissions (www.virustotal.com) Total Malware New Malware
  6. 6. Module of Generation of Detectors Module of Selection of Detectors Module of Detection of Malware Module of Cloning and Mutation of Detectors Module of Forming of Immune Memory Detectors Matured Detectors Selected Detectors Detector that “found” malware Set of similar Detectors “best” Detector Malware Module of Identification of Malware List of Files Module of Training of Detectors List of Files Module of Preprocessing of Data from File Preprocessed Data Under-test File Training Data Test Data The Structure of the System for Malware Detection Class of Malware
  7. 7. The Structure of the Immune Detector for Malware Detection 1 2 3 n 1 2 m 1 2 Yj Yi X ωci ωij . . . p m-1 Kohonen layer ANN Detector Learning Data Data, Metadata, API functions, etc. Test Data Checking m = p + r, where p – the number of the first neurons which correspond to legitimate files; r – the number of last neurons, which correspond to malicious files. Clear Malicious
  8. 8. Evolution of the Immune Detectors Initial Immune Detector Creation of Learning Sample Training of Clones Detector that found malicious code Creation of Clones by Cloning process Calculation Fitness Function Data from found malware    L k j k ij k iji lZE 1 2 1 2 ,)( 2 1 where Zij k is j-th output unit of i-th clone for k- th pattern; lij k is reference output value for i-th clone.Detectors – Clones
  9. 9. Some Experimental Results Malware Kaspersky antivirus ESET NOD32 Dr.WEB NNAIS (500 detectors) Worm.Brontok.q Worm Win32/Brontok Worm Malware Worm.NetSky.q Worm Win32/NetSky Worm Malware Worm.Rays Worm Clear Clear Malware Worm.Zafi.d Clear NewHeur_PE Clear Malware Worm.Zafi.f Clear NewHeur_PE Clear Malware Worm.Bozori.a Clear Win32/Bozori Clear Malware Worm.Bozori.k Clear Win32/Bozori Clear Malware Worm.Lovesan.a Worm Win32/Lovesan Worm Malware Worm.Maslan.a Worm Win32/Maslan Worm Malware Worm.Mytob.a Clear Win32/Mytob Clear Malware Worm.Sasser.a Worm Clear Clear Malware Trojan.Agent.y Trojan Clear Clear Clear Trojan.Dialer.eb Trojan Clear Clear Malware Trojan.Small.kj Trojan Clear Clear Malware Trojan.Psyme.y Clear Clear Clear Malware Trojan.Adload.a Trojan Clear Clear Malware Trojan.Bagle.f Clear Win32/Bagle Clear Malware Trojan.INS.bl Trojan Win32/Trojan Trojan Malware Trojan.INS.gi Trojan Win32/Trojan Trojan Malware Trojan.Ladder.a Trojan Win32/Trojan Trojan Malware Trojan.Small.da Trojan Win32/Trojan Trojan Malware Trojan.Small.dde Trojan Win32/Trojan Trojan Malware Trojan.Small.dg Trojan Win32/Trojan Trojan Malware
  10. 10. 20 Network Intrusion Detection
  11. 11. An intrusion detection system is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. Network Intrusions
  12. 12. The Structure of the System for Intrusion Detection Network traffic 41 parame- ters 12 principal componen ts Preprocessing traffic Detector 1 Detector 2 Detector 3 Detector N Traffic analysis, intrusion detectionNormal connection Attack Lock connection Output message Immune detector Traffic parameters Adaptation 12 principal compone ntsTraining sampling Detectors training Detectors creation Detectors selection Test sampling Detectors destruction Creating & training & selecting detectors ... РСА Traffic analyser
  13. 13. Distribution of Information According to the components Number of components 1 2 3 4 5 6 The amount of information, % 52,40 71,67 88,37 91,49 94,21 95,90 Number of components 7 8 9 10 11 12 The amount of information, % 96,96 97,71 98,27 98,73 99,00 99,18 Number of components 13 14 15 16 17 18 The amount of information, % 99,33 99,47 99,59 99,67 99,75 99,81 Number of components 19 20 21 22 23 24 The amount of information, % 99,87 99,90 99,93 99,94 99,95 99,96 Number of components 25 26 27 28 29 30 The amount of information, % 99,97 99,98 99,98 99,99 99,99 99,99 Number of components 31 32 33 34 35 36 The amount of information, % 99,99 99,99 99,99 99,99 99,99 99,99 Number of components 37 38 39 40 41 The amount of information, % 99,99 100 100 100 100
  14. 14. Mobile Devices Protection
  15. 15. Mobile Threats Year 2014:  295,500 new mobile malicious programs, 2.8 times as many as in 2013.  12,100 mobile banking Trojans, 9 times as many as last year.  53% of attacks involved mobile Trojans targeting users’ money (SMS-Trojans, banking Trojans).  19% of Android users encountered a mobile threat at least once over the year.  Mobile malware attacks were registered in more than 200 countries worldwide 2011 was the year of mobile malware formation, especially on Android-based devices; 2012 was when they developed and 2013 was when they reached maturity. In 2014 mobile malware focused on financial issues: the number of mobile banking Trojans was nine times greater than in the previous year and developing in this area is continuing at an alarming rate
  16. 16. Permission-based Detection Before installing an application, Play Store displays all required permissions: a game may need to enable vibration or save data to an SD card, for example, but should not need to read SMS messages or access the phonebook. After reviewing these permissions, the user can choose to accept or refuse them, installing the application only if they accept. The sandboxing and permissions system lessens the impact of vulnerabilities and bugs in applications, but developer confusion and limited documentation has resulted in applications routinely requesting unnecessary permissions, reducing its effectiveness. Felt et al. performed studies to examine where they indicated that current Android permission warnings do not help most users make correct security decision.
  17. 17. Every application must have an AndroidManifest.xml file (with precisely that name) in its root directory. The manifest file presents essential information about your app to the Android system, information the system must have before it can run any of the app's code. Android application package (APK) is the package file format used by the Android operating system for distribution and installation of application software and middleware. APK files are analogous to other software packages such as MSI packages in Microsoft Windows. To make an APK file, a program for Android is first compiled, and then all of its parts are packaged into one file. APK files are a type of archive file, specifically in zip format packages based on the JAR file format. Android APK
  18. 18. Permission-based methods State-of-the-Art  Felt et al. performed studies to examine where they indicated that current Android permission warnings do not help most users make correct security decision. The authors developed the tool, Stowaway, that applies static analysis on the collected sample applications, and then they map the permission with each operation. The aim of this is to detect over-privileged permissions in Android applications.  Chen et al. proposed Pegasus, in an attempt to detect malicious applications that are characterized by the temporal order in which an application uses APIs and permissions. They constructed Permission Event Graph with static analysis and implemented models of the Android event-handling mechanism and APIs.  Enck et al. constructed 9 permission rules called Kirin that classifies an application as potentially malicious if the application requests certain combinations of permissions that match the rules. The rules are defined by security requirement engineering.
  19. 19. The Structure of the System Permissions extraction from AndroidManifest.xml Permission Vector creation Permission Vector analyzing 0 0 0 0 1 0 0 0 0 1 1 … 1 0 0 0 0 1 2 3 4 5 6 7 8 9 10 11 … 148 149 150 151 152 Architecture of the System Process of data extraction Example of the Permission Vector
  20. 20. Classification/Detection Neural Network Immune Detector Permission Vector 1 2 3 n 1 2 m 1 2 Yj Yi ωci ωij . . . p m-1 Kohonen Layer Malicious App Benign App 0 1 Results  http:/vxheaven.org – 271092 samples in the collection for Windows platforms  A few Android malware samples available in free access (such as:  Android.Trojan.SLocker.DZ  Android.Wroba.x  Android.Podac  Android.Titan.1  Android.Pincer etc.)  The tests results on the limited database confirm the “right-to- life” of the proposed method  But we have to test it on the biggest database
  21. 21. Proposed System Characteristics High Level of the Implementation of Artificial Intelligent Methods High Rate of Unknown Cyber Attacks Detection Self-organized, Adaptation to the Changeable Environment Automatic Classification of Detected Cyber Attacks The Same Principles for Malware Protection, Intrusion Protection and Mobile Devices Protection
  22. 22. Contacts gva@bstu.by Head of the Intelligent Information Technologies Department Prof. Vladimir Golovko bescase@gmail.com Associated Professor of the Intelligent Information Technologies Department Dr. Sergei Bezobrazov

×