CASPIAN JOURNAL
MANAGEMENT AND HIGH TECHNOLOGIES
DETECTION OF CRYPTOGRAPHIC VIRUSES BEHAVIOR SIGNS IN THE WORK OF THE COMPUTER SYSTEM
 |
Read | Nazarov Anton V., Marenkov Aleksandr N., Kaliev Artur B. DETECTION OF CRYPTOGRAPHIC VIRUSES BEHAVIOR SIGNS IN THE WORK OF THE COMPUTER SYSTEM // Caspian journal : management and high technologies. — 2018. — №1. — pp. 196-204. |
/196-204.jpg)
Nazarov Anton V. - student, Astrakhan State University, 20Р° Tatishchev St., Astrakhan, 414056, Russian Federation, anton_25.10@mail.ru
Marenkov Aleksandr N. - Cand. Sci. (Engineering), Astrakhan State University, 20Р° Tatishchev St., Astrakhan, 414056, Russian Federation, marenkovan17@gmail.com
Kaliev Artur B. - student, Astrakhan State University, 20Р° Tatishchev St., Astrakhan, 414056, Russian Federation, arthur19970824@gmail.com
The article gives grounds for the urgency and practical significance of the problem of identifying signs of the work of viruses-encoders in computer systems. The authors describe main stages of viruses-cryptographers’ infection of a computer system. Existing methods of malicious software search were proven to have low efficiency in terms of detection of new versions of viruses-cryptographers, if they have not yet been studied and information about them is not included in the database of anti-virus software. The authors propose a new approach to detect the cryptographic viruses that cannot be detected by existing anti-viruses yet. Heuristic analysis of changes in the computer system parameters when the attack on it by a virus-encoder takes place serves as a basis for the approach. The article gives detailed results of a practical experiment, which consisted in studying the work of virus-encoders and their influence on various parameters of a computer system. The aim of the experiment was to identify the parameters that changes their values significantly under the influence of viruses-encoders compared to their values in the normal operation of the system. In particular, parameters of the physical and logical disks, memory, processor, general system parameters (197 parameters altogether) were studied. The significance of the differences for the studied parameters was estimated using the Kolmogorov-Smirnov test and Student’s t-test. The article proves that the parameters of the computer system that have a statistically significant value change (according to the above criteria) in the course of the computer system operation, can be used to monitor the functioning of the computer system; to identify the signs of encryption of the hard disk by the viruses-cryptographers that are not detected by antivirus; to abort the process of infection of the computer system at the early stages.
Key words: компьютерная система, информационная безопасность вредоносные программы, выявление вирусов, вирусы-шифровальщики, поведенческие признаки, эвристический анализ, вычислительные эксперименты, статистическая значимость, computer system, information security,