MODELS AND METHODS FOR DIAGNOSING ZERO-DAYTHREATS IN CYBERSPACE

Abstract

The article is devoted to the development of models and methods for detectingZero-Daythreats in cyberspace to improve the efficiency of detecting high-level malicious complexes that are using polymorphic mutators. Themethod for detecting samplesby antivirus solutions using a public and local multiscanneris proposed. Themethod for diagnosing polymorphic malware using Yara rules is being developed. The multicomponent service that allows organizing a free malware analysis solution with a hybrid deploy-ment architecture in public and private clouds is described. The cloud service for detecting malware based on open-source sandboxes and MAS, allowing horizontal scalability in hybrid clouds, and showing high capacity during malicious and non-maliciousobjectprocessing is designed. The main task of the service is to collect artifacts after dynamic and static object analysis to detect zero-daythreats. The effectiveness of the proposed solutions is shown.Scientific novelty and originality consist in the creation of the follow-ing methods:1) detecting the sample by preinstalled antivirus solutions that allow static scanning in separate threads without requests restrictions for increasing the malware processing speed and restrict public access to confidential files;2) diagnosing polymorphic malware using Yara rules, that allows detecting new modifications that are not detected by available solutions.The proposed hybrid system architecture allows to perform a retrospective search by families, tracking changes in destructive components, collect the malicious URLs database to block traffic to C&C servers, collect dropped and downloaded files, analyze phishing emails attach-ments, integrate with SIEM, IDS, IPS, antiphishing and Honeypot systems, improve the quality of the SOC analyst, decrease the incidents response times and block new threats that are not detected by available antivirus solutions. The practical significance of the results is in the cloud service development that combines MAS Sandbox and a modified distributed Cuckoo sandbox, which allows to respond to Zero-Day threats quickly, store a knowledge base for artifacts correlation between polymorphic malware samples, actively search for new malware samples and integrate with cyber protection hardwareand software systems that support the Cuckoo API.