Models and methods for diagnosing Zero-Day threats in cyberspace
DOI:
https://doi.org/10.15276/hait.02.2021.5Keywords:
Zero-Day Threats, Sandbox, Cloud Service, Antivirus, Diagnostics, Detection, Malware, Polymorphic Codes, Scanner, EmulatorAbstract
The article is devoted to the development of models and methods for detecting Zero-Day threats in cyberspace to improve the efficiency of detecting high-level malicious complexes that are using polymorphic mutators. The method for detecting samples by antivirus solutions using a public and local multiscanner is proposed. The method for diagnosing polymorphic malware using Yara rules is being developed. The multicomponent service that allows organizing a free malware analysis solution with a hybrid deployment architecture in public and private clouds is described. The cloud service for detecting malware based on open-source sandboxes and MAS, allowing horizontal scalability in hybrid clouds, and showing high capacity during malicious and non-malicious object processing is designed. The main task of the service is to collect artifacts after dynamic and static object analysis to detect zero-day threats. The effectiveness of the proposed solutions is shown. Scientific novelty and originality consist in the creation of the following methods: 1) detecting the sample by preinstalled antivirus solutions that allow static scanning in separate threads without requests restrictions for increasing the malware processing speed and restrict public access to confidential files; 2) diagnosing polymorphic malware using Yara rules, that allows detecting new modifications that are not detected by available solutions. The proposed hybrid system architecture allows to perform a retrospective search by families, tracking changes in destructive components, collect the malicious URLs database to block traffic to C&C servers, collect dropped and downloaded files, analyze phishing emails attachments, integrate with SIEM, IDS, IPS, antiphishing and Honeypot systems, improve the quality of the SOC analyst, decrease the incidents response times and block new threats that are not detected by available antivirus solutions. The practical significance of the results is in the cloud service development that combines MAS Sandbox and a modified distributed Cuckoo sandbox, which allows to respond to Zero-Day threats quickly, store a knowledge base for artifacts correlation between polymorphic malware samples, actively search for new malware samples and integrate with cyber protection hardware and software systems that support the Cuckoo API.