<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Detecting Software Malicious Implant Based on Anomalies Research on Local Area Networks</article-title>
      </title-group>
      <contrib-group>
        <aff id="aff0">
          <label>0</label>
          <institution>Khmelnytsky National University</institution>
          ,
          <addr-line>Khmelnytsky</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <fpage>0000</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>The paper analyzes malicious software implants that use undocumented software features on local area networks. They can cause significant harm both to users of personal computers and to enterprises that operate computer networks and use specialized software. To detect this type of malware, its possible models and behavioral scenarios, features, and stages of research in local area networks have been proposed. Based on this data, a method for detecting computer anomalies has been developed, which is part of a general process for detecting malicious software implants that use undocumented software features. The result of the method is a division of the computers on a local network into classes for further investigation of behavioral patterns. Thus, groups of computers in which similar profiles have been formed are highlighted, which in the overall scheme makes it possible to improve the accuracy of detection. Adopting the developed models of software implants that use undocumented software features, together with the method for detecting computer anomalies, made it possible to carry out experimental research using a distributed detection system. The results of the experiments have shown the correctness of the proposed detection enhancement solutions.</p>
      </abstract>
      <kwd-group>
        <kwd>Software Malicious Implant</kwd>
        <kwd>Local Network</kwd>
        <kwd>Computer</kwd>
        <kwd>Malware</kwd>
        <kwd>Czekanowski Diagram</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        According to research [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] by the firm IDC and the University of Singapore,
malware-related security breaches cause users worldwide damage of at least $500 billion
annually. Moreover, the amount of malicious software is growing every year [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. Of
greatest interest to attackers are organizations and enterprises that operate
information technology on local computer networks. There are many ways to gain
entry into the local computer networks of businesses (organizations) for the purpose
of unauthorized access to the information in them. One way for attackers to access
the information resources of enterprises (organizations) is to use undocumented capabilities in
the software and hardware of computers and peripherals that allow unauthorized
access to system resources, typically via a local network. This is achieved through
the use of software implants, whose primary purpose is to provide unauthorized
access to sensitive information.
      </p>
      <p>
        A software implant is a secretly implemented program that poses a threat to the
information contained on the computer [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. A software implant can be implemented
as separate malware or as undocumented code within other software.
      </p>
      <p>We will consider the software implants that use undocumented software features
on the local computer networks of enterprises (organizations) as the object of research.
The difficulty of detecting such a secretly functioning software object, which under
certain conditions is capable of providing unauthorized access, is due to the absence
of its activity for a long time. As a rule, such software implants leave the
software's features intact and are implemented through some other of the features included in the
software package.</p>
      <p>
        An enterprise may use ready-made software that already contains software implants, or
software made to order that was poorly verified upon commissioning.
Software that runs inside enterprise LANs is typically distributed, which makes software
implants active on all computers on the network. This increases the threat to
businesses and organizations. Software implants can be used to create botnets [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ],
implement trojans, or produce metamorphic or polymorphic components [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], and so on.
Therefore, the scientific problem of detecting software implants on local area
networks is relevant.
      </p>
      <p>One of the primary tasks that needs to be addressed is to develop appropriate
methods for creating effective components of a comprehensive system for detecting
software implants on local area networks.</p>
    </sec>
    <sec id="sec-2">
      <title>Related works</title>
      <p>
        Studies of software implant detection take many forms, depending on the
specific malware types considered. The main problem that accompanies the
process of software implant detection is the discrepancy between what the user sees and
what actually happens [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. To achieve this effect, attackers have developed
quite a few tools and approaches.
      </p>
      <p>
        The most common research in this area is Backdoor malware detection studies
[6-12]. In [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] the authors proposed a new approach to detecting and removing Backdoor
malware using neural networks. The experimental results obtained are based on the
classification made. The work focuses on a type of attack that allows attackers to
insert a hidden function or hidden program code into a malicious action model.
Detection of such types of malware is a difficult task, because unexpected behavior occurs
only when a hidden function or program code known only
to the attacker is launched. The adequacy of the proposed solution requires more convincing
evidence, since only a small set of validated and reliable datasets was used [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
      </p>
      <p>
        In [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] a model used by intruders to hide the invasion path is presented. One of these
techniques uses multiple hosts on the network, which can be detected
using the approach suggested by the authors. The authors explored the possibility of using
this approach to detect other types of malware, including Backdoor. The study
shows that the proposed approach can produce very low false negative and
false positive rates and reduce the detection time of the scanning process.
      </p>
      <p>
        In [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] it is analyzed and substantiated that, due to the complexity of the studied
topic, there are few effective solutions. One way analyzed by the authors is to encode
code fragments using specially designed interrupts that, when triggered, manipulate
the run-time state and, under certain conditions, can perform arbitrary computations
without fail.
      </p>
      <p>
        In [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] it is proposed to solve the problem of formalizing a terminal machine by
modeling a program or system using a so-called machine with a designated end state, which
allows one to treat the software fragment as an emulator. The authors have also developed
the concept of a multi-step game in which an attacker and a defender take turns
interacting, which allows thinking about it as a system with states and transitions
between them.
      </p>
      <p>
        The works [
        <xref ref-type="bibr" rid="ref11 ref12">11, 12</xref>
        ] analyze the complexity of the problem using many tools.
This could jeopardize the platform by other means. For example, this may be a
hardware component, a custom program or a piece of malware. This is a
prerequisite for developing methods for detecting them. A significant obstacle to the
effectiveness of this approach is the lack of test samples.
      </p>
      <p>
        Another equally malicious tool is the implementation of the software and the
launch of the secret exchange feature. The features of such a hidden function are
presented in [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ]. To address this, five steps to identify a hidden function in software were developed in [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ].
      </p>
      <p>
        In [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ], models of hidden schemes of function exchange are considered and
analyzed. They take into account the availability of the secure protocol of distributed
information transmission. The reliability of such a protocol under the conditions of
existence of hidden functions is investigated.
      </p>
      <p>
        Another type of malicious software that can introduce software implants is
botnets [
        <xref ref-type="bibr" rid="ref16 ref17">16, 17</xref>
        ]. In [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ] a technique for botnet detection based on DNS traffic is
presented. Botnet detection is based on the property of bot group activity in
DNS traffic, which appears over a small period of time in the group DNS queries of hosts
while they try to access the C&amp;C servers, migrate, run commands or
download updates of the malware. The method takes into account abnormal
behaviors of the hosts' group that are similar to botnets: the hosts' group does not honor
DNS TTL and carries out DNS queries to non-local DNS servers. The method monitors for
a large number of empty DNS responses with the NXDOMAIN error code.
      </p>
      <p>
        In [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ] a DNS-based anti-evasion technique for botnet detection in corporate
area networks is proposed. The authors have combined passive DNS monitoring and
active DNS probing and have constructed the BotGRABBER detection system for botnets
in a corporate area network that use such evasion techniques as cycling of IP
mapping, “domain flux”, “fast flux” and DNS tunneling. The BotGRABBER system is based on a
cluster analysis of the features obtained from the payload of DNS messages and uses
active probing analysis.
      </p>
      <p>
        In [
        <xref ref-type="bibr" rid="ref18 ref19 ref20 ref21 ref22 ref23 ref24 ref25 ref26">18-26</xref>
        ] it is shown how the use of metamorphic transformations makes it
possible to hide program codes of functions. Along with polymorphic technologies [
        <xref ref-type="bibr" rid="ref27">27</xref>
        ],
these methods are quite effective and widely used by attackers.
      </p>
      <p>
        The works in [
        <xref ref-type="bibr" rid="ref28 ref29 ref30">28-30</xref>
        ] analyzed the use of known mathematical methods for
processing events related to software operation. The discussed methods can be used to
detect software implants that use undocumented software features, but only after the
process of processing big data obtained during monitoring has been completed.
      </p>
      <p>
        Thus, software implants that use undocumented software features [
        <xref ref-type="bibr" rid="ref31 ref32 ref33 ref34 ref35 ref36">31-36</xref>
        ] pose a
problem for computer users, especially when they can be distributed on local
computer networks. Known detection methods target specific subclasses or typical classes
of malware and are not sufficiently represented in related works. The various
mathematical methods and means used for the detection process require initial stages of
preparation of the data for processing, which motivates the design of a comprehensive approach to
detection.
      </p>
    </sec>
    <sec id="sec-3">
      <title>A method for detecting anomalies in the computer systems based on the search for deviations from the mean values of the behavior profiles</title>
      <p>In order to detect software implants that use undocumented software features, let's
build profiles of computer systems (CS) based on the behavior of the software
executed in them. Because the client side of the software is the same, they should have similar
behavioral profiles. System profiles in local area networks (LANs) can be clustered
into CS groups that use typical parts of specialized software. The number of such profiles
can range from one to 5-10, because specialized software has a narrow focus and,
therefore, cannot be spread across various purposes. We define these profiles as
formalized models of software behavior in the CS. After the specialized software and
the other software available in the CS have been functioning for some time, statistics are collected and
used to refine the profiles. The formal representation of behavior
profiles is based on a numerical expression of the features. Once the profiles have been obtained,
the system operates and, at each daily start, analyzes the similarity between the profiles and
the results of the functioning of the software in the CS. Clustering the profiles
makes it possible to identify more accurately possible anomalies in the CSs that belong to
certain groups.</p>
      <p>To detect software implants that use undocumented software features in LANs, it
is important to create a set of their behavioral signatures. In order to form a database
of behavioral signatures, appropriate models of software implants were developed
based on scenarios of their functioning. The introduction of software implants that
use undocumented software features at different stages of the software life cycle can
occur by the following scenarios:
1. Work of attackers inside the software development team.
2. Creation of dynamically formed commands or parallel computing processes.</p>
      <p>Scenarios of introducing software implants that use undocumented software
features directly depend on and affect their structure, so the implants may be separate
entities or parts of another entity. Let's present all scenarios as graphs and formalize
them with respect to the structure of the software implants that use undocumented
software features, as well as all possible combinations of them.</p>
      <p>As an example, Fig. 1 shows a graph of an irregular Markov process.
two or more files. Suppose with equal probability
arrives in pairs on states S4, S5, S6, S7. The states S8, S9, S10, S11 will be counted. For
example, if more information is obtained from states S10, S11, then it will indicate that
software implants that use undocumented software features are placed in several
working files of the program.</p>
      <p>We detect software implants that use undocumented software features by their
manifestations, which are based on file analysis and network activity. These manifestations
depend on the models of functioning and the structure incorporated in them. These
features are: presence of software modules that do not match the purpose of the process;
presence of operating system objects that are opened by the process but do not conform
to the purpose of the process; high intensity of input/output operations for a certain
process; high CPU or internal memory usage by a certain process; similarity
of the file name to a system file name; the executable file of an operating system process
is not in the common directory; a system process is run on behalf of a local user;
prevention of code execution in the data area, which is enabled for all processes, is disabled for
a certain process; a system process has a directory other than the one it must have for
that process; absence of a digital signature in the executable; high network activity
of a process that must run locally, etc. However, to improve detection efficiency,
tools are needed that make it possible to establish the fact of a threat without the intervention of
a network administrator, who may not be able to process certain attributes for various
reasons. Software implants that use undocumented software features may use masking
tools on the system, making them difficult to detect. On the technical side, software
implants use programming methods that are not common when creating standard
software, so these features can also be an additional attribute for identifying them. In
particular, for a Windows executable, these features can be: an additional section at the end
of the file; an entry point that indicates a transition to the middle of a section that is not a
code section; an entry point that corresponds to a jump command that specifies a jump for
the code section; the presence of features that indicate a code section in a section that is not a
code section. The same applies to other environments on the CS, information from which
may be related to RAM.</p>
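      <p>The Windows executable attributes listed above can be checked statically from the PE headers. The following is an added example, not code from the paper: it parses the section table and flags an entry point that lies in a non-code section or in the last section of the file, and sections that are executable without being marked as code. The sample headers, the section name ".extra" and the finding labels are constructed for illustration.</p>
      <preformat><![CDATA[
```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020     # section is declared as code
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section is mapped executable


def parse_pe(data):
    """Return (entry point RVA, list of sections) read from the PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    n_sections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr, flags = struct.unpack_from(
            "<8sIIII12xI", data, opt_off + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "start": vaddr,
            "end": vaddr + max(vsize, rsize),
            "raw_ptr": rptr,
            "flags": flags,
        })
    return entry_rva, sections


def static_findings(data):
    """Apply the header heuristics; an empty list means nothing was flagged."""
    entry_rva, sections = parse_pe(data)
    findings = []
    host = next((s for s in sections
                 if s["start"] <= entry_rva < s["end"]), None)
    if host is None:
        findings.append("entry-point-outside-sections")
    else:
        if not host["flags"] & IMAGE_SCN_CNT_CODE:
            findings.append("entry-point-in-non-code-section:" + host["name"])
        last = max(sections, key=lambda s: s["raw_ptr"])  # closest to file end
        if len(sections) > 1 and host is last:
            findings.append("entry-point-in-last-section:" + host["name"])
    for s in sections:
        executable = s["flags"] & IMAGE_SCN_MEM_EXECUTE
        if executable and not s["flags"] & IMAGE_SCN_CNT_CODE:
            findings.append("executable-non-code-section:" + s["name"])
    return findings


def build_sample(entry_rva, sections):
    """Constructed PE32 headers only (no code bytes), used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt = opt.ljust(0xE0, b"\0")
    table = b"".join(
        struct.pack("<8sIIII12xI", name, size, rva, size, raw_ptr, flags)
        for name, rva, size, raw_ptr, flags in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed section descriptions: (name, RVA, size, raw pointer, flags).
TEXT = (b".text", 0x1000, 0x200, 0x400, 0x60000020)    # code, execute, read
DATA = (b".data", 0x2000, 0x200, 0x600, 0xC0000040)    # data, read, write
EXTRA = (b".extra", 0x3000, 0x200, 0x800, 0xE0000040)  # data flag but executable

CLEAN = build_sample(0x1000, [TEXT, DATA])
SUSPECT = build_sample(0x3010, [TEXT, DATA, EXTRA])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, static_findings(sample))
```
]]></preformat>
      <p>These header checks only raise attributes for the behavioral analysis described in this section; packers and some legitimate installers trip the same conditions, so a finding is a feature value, not a verdict.</p>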
      <p>Let's describe the models of software implants that use undocumented software
features on LANs:
1. software implants are injected into the software and store all or selected pieces of
software, entered or displayed, in the hidden area of local or remote external direct
access memory; the objects of storage may be keyboard inputs or documents that will be
printed; this model requires external storage, which must be organized in such a
way as to ensure that it is stored for a specified period of time and can later be
removed and hidden from other users or processes;
2. software implants are embedded in network or telecommunication software; as a
rule, this software is always active, so software implants control the processing of
information on the computer, performing installation and deletion of other implants,
as well as removing the accumulated information; software implants that use
undocumented software features can trigger events for previously implemented
implants;
3. software implants that use undocumented software features transmit information
stored by an attacker (such as keyboard input) into a communication channel, or
store it without relying on the guaranteed possibility of further reception or
removal; software implants may also initiate continuous access to information, leading to
an increase in the signal-to-noise ratio when intercepting side radiation;
4. software implants that use undocumented software features distort data streams
that occur while applications are running (source streams), or distort input streams of
information, or initiate (or suppress) errors that occur when running applications;
5. software implants that have no direct effect on the software. The main
purpose is to maximize the resulting "residual" information for further study; the
attacker either obtains these fragments using the implants of the previous models, or
directly accesses the computer in the guise of repair or diagnosis.</p>
      <p>To detect software implants that use undocumented software features, it is necessary to
detect anomalies in a particular CS by searching for deviations from the mean
values of the behavior profiles. Thus, a detection method must be developed based
on a combination of anomaly detection technologies and behavioral signature
matching.</p>
      <p>The implementation of the detection of software implants that use undocumented
software features is based on the further development of information technology,
which will include profile models, models of software implants and a method of
anomaly detection, and their application on LANs to investigate specialized software.</p>
      <p>
        To determine the software profile in the CS, we use the system call monitor [
        <xref ref-type="bibr" rid="ref42">42</xref>
        ].
First, let's form API call sequences for each of the processes over a long time and
build a software profile in the CS. After the profiles are created, they are clustered.
As the last step, if the profiles can be divided into more than one class,
the obtained classes of CS are analyzed.
      </p>
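      <p>
        For the study we use the anomaly search scheme. To reduce the amount of
input, similar values were grouped. The resulting profile scheme is a special
case of multidimensional analysis, in which multiple objects are considered on many
grounds. When processing statistical data in multivariate analysis [
        <xref ref-type="bibr" rid="ref4 ref5 ref6">4, 5, 6</xref>
        ], taxonomic
methods are used that do not require expert evaluation but are based only on
observation results. The input for the study is the observation matrix X,
where n is the number of features observed on the objects; s is the number of objects;
        <inline-formula><tex-math><![CDATA[x_{ik}]]></tex-math></inline-formula>
        is the number of manifestations of the k-th feature in the i-th object during the
observation period. The features are normalized according to:
      </p>
      <p>
        <disp-formula><tex-math><![CDATA[V_{ik} = \frac{x_{ik}}{\sum_{i=1}^{s} x_{ik}}]]></tex-math></disp-formula>
      </p>
      <p>After applying formula 2, the matrix V was created:</p>
      <p>
        <disp-formula><tex-math><![CDATA[V = \begin{pmatrix}
V_{11} & V_{12} & \dots & V_{1k} & \dots & V_{1n} \\
V_{21} & V_{22} & \dots & V_{2k} & \dots & V_{2n} \\
\vdots & \vdots & & \vdots & & \vdots \\
V_{i1} & V_{i2} & \dots & V_{ik} & \dots & V_{in} \\
\vdots & \vdots & & \vdots & & \vdots \\
V_{s1} & V_{s2} & \dots & V_{sk} & \dots & V_{sn}
\end{pmatrix}]]></tex-math></disp-formula>
      </p>
      <p>According to matrix (4), it is possible to arrange the objects by isotonic metric,
that is, by the rank that characterizes the object by the set of features. The next stage
involves structural (isomorphic) ordering of objects. To do this, with the matrix X, the
matrix Z is formed by using formulas (4) and (5):</p>
      <p>
        <disp-formula><tex-math><![CDATA[W = \begin{pmatrix} W_1 \\ W_2 \\ \vdots \\ W_i \\ \vdots \\ W_s \end{pmatrix},
\qquad W_i = \sum_{k=1}^{n} V_{ik}]]></tex-math></disp-formula>
      </p>
      <p>
        <disp-formula><tex-math><![CDATA[Z_{ik} = \frac{x_{ik}}{\sum_{i=1}^{s} x_{ik}} \Bigg/ \sum_{k=1}^{n} \frac{x_{ik}}{\sum_{i=1}^{s} x_{ik}}]]></tex-math></disp-formula>
      </p>
      <p>
        <disp-formula><tex-math><![CDATA[Z = \begin{pmatrix}
Z_{11} & Z_{12} & \dots & Z_{1k} & \dots & Z_{1n} \\
Z_{21} & Z_{22} & \dots & Z_{2k} & \dots & Z_{2n} \\
\vdots & \vdots & & \vdots & & \vdots \\
Z_{i1} & Z_{i2} & \dots & Z_{ik} & \dots & Z_{in} \\
\vdots & \vdots & & \vdots & & \vdots \\
Z_{s1} & Z_{s2} & \dots & Z_{sk} & \dots & Z_{sn}
\end{pmatrix}]]></tex-math></disp-formula>
      </p>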
      <p>The diagram shows that the objects 1, 2, 6, 7 are grouped together and, as a
whole group, have the smallest deviation from the main diagonal. In our case, these may be
computers that have specialized software installed. Objects 5 and 3 form their own two
subsets that are far from the main diagonal. At the same time, the outermost objects
are numbers 4 and 8.</p>
      <p>Thus, it is possible to divide software profiles in the CS into classes and then
analyze the deviations within the classes in order to search for anomalies.</p>
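      <p>The steps of this section carried through on sample data, as an added example that is not the authors' code: it computes V, W and Z from an observation matrix, groups the computers by the similarity of their Z rows and builds a Czekanowski-style diagram. The observation counts are constructed, and the Euclidean distance and the 0.1 threshold are assumptions of the example, since the page does not state which distance measure was used.</p>
      <preformat><![CDATA[
```python
from math import sqrt

# Constructed observation matrix X: one row per computer (object i = 1..s),
# one column per observed feature (k = 1..n), e.g. counts of file, registry
# and network API calls during the observation period.
X = [
    [100, 50, 10],   # computer 1
    [110, 55, 11],   # computer 2: same profile as 1, 10 % more activity
    [100, 50, 200],  # computer 3: network-heavy
    [90, 45, 9],     # computer 4: same profile as 1, 10 % less activity
    [20, 200, 10],   # computer 5: registry-heavy
    [105, 50, 10],   # computer 6: close to 1
]


def normalize(X):
    """V_ik = x_ik / sum_i x_ik: every feature column is scaled to sum to 1."""
    col_sums = [sum(col) for col in zip(*X)]
    if any(c == 0 for c in col_sums):
        raise ValueError("a feature that was never observed cannot be normalized")
    return [[x / c for x, c in zip(row, col_sums)] for row in X]


def ranks(V):
    """W_i = sum_k V_ik: the rank (overall level) of object i."""
    return [sum(row) for row in V]


def structure(V):
    """Z_ik = V_ik / W_i: the share of each feature in the object's profile."""
    W = ranks(V)
    if any(w == 0 for w in W):
        raise ValueError("an object without observations has no structure")
    return [[v / w for v in row] for row, w in zip(V, W)]


def distance_matrix(Z):
    """Pairwise Euclidean distances between rows of Z (assumed measure)."""
    return [[sqrt(sum((a - b) ** 2 for a, b in zip(p, q))) for q in Z] for p in Z]


def classes(D, threshold):
    """Objects closer than `threshold` end up in one class (single linkage)."""
    label = list(range(len(D)))
    for i in range(len(D)):
        for j in range(i + 1, len(D)):
            if D[i][j] < threshold:
                old, new = label[j], label[i]
                label = [new if l == old else l for l in label]
    groups = {}
    for obj, l in enumerate(label, start=1):
        groups.setdefault(l, []).append(obj)
    return sorted(groups.values(), key=lambda g: (-len(g), g))


def czekanowski_diagram(D, order, threshold):
    """Distance matrix reordered by `order`; '#' marks pairs below threshold."""
    return ["".join("#" if D[a - 1][b - 1] < threshold else "." for b in order)
            for a in order]


def analyze(X, threshold=0.1):
    V = normalize(X)
    W = ranks(V)
    D = distance_matrix(structure(V))
    groups = classes(D, threshold)
    order = [obj for g in groups for obj in g]
    return {
        "rank_order": sorted(range(1, len(X) + 1), key=lambda o: -W[o - 1]),
        "classes": groups,
        "diagram": czekanowski_diagram(D, order, threshold),
    }


if __name__ == "__main__":
    result = analyze(X)
    print("objects by rank W:", result["rank_order"])
    print("classes:", result["classes"])
    print("\n".join(result["diagram"]))
```
]]></preformat>
      <p>Computers 1, 2 and 4 differ in rank W but have identical Z rows, so the structural ordering places them in one class regardless of how busy each machine was.</p>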
    </sec>
    <sec id="sec-4">
      <title>Experiments and evaluation</title>
      <p>
        In order to conduct a series of experiments, a distributed system [
        <xref ref-type="bibr" rid="ref43">43</xref>
        ] for detecting
malware was used. Software implants that use undocumented software features were
developed as part of each of the typical botnets. The purpose of the experiments was
to verify the botnet detection method and the efficiency of the classifier in the
structure of the distributed system, and to determine the dependence of the
percentage of detected nodes of the botnets that contained software implants. To
perform the experiments, 28 botnets and codes of known detected botnets were
constructed [
        <xref ref-type="bibr" rid="ref44">44</xref>
        ]. All generated botnets were grouped by classes. From the generated botnets,
25 structural elements in three stages of operation and 81 functions were singled out.
      </p>
      <p>The experiment was conducted for the classifier without adding instances of the
created botnets and with them; that is, the check was performed without training the
classifier on the created samples and with the preliminary classification of the
samples by classes. The second variant is necessary to check the accuracy of classifying
the same samples from which the class is built. This is important because errors may occur
during the monitoring of API functions. The monitoring time of the CS in the LAN
was 350 hours for each instance of the botnet for each of the two classifiers. It
should be noted that the functionality of the botnet nodes was simplified and did not
include the attack option. The botnet nodes worked only in the control mode and the mode of
supporting their own functioning. Thus, for the distributed system the objects of research were
the running processes on the CS. To conduct the experiment, botnets that use the strategy
of obtaining full control by activating their components were selected. That is,
software implants that use undocumented software features were present on each CS. To
obtain the software profile in the CS, we monitor API calls. Based on
the obtained profiles, the feature vectors are formed. After the feature vectors are created,
they are clustered. The results of calculating the different metrics are presented
in Table 2.</p>
      <p>The experiments involved determining the following metrics for the detection of
bot nodes:</p>
      <p>P1,1 – the percentage of vectors of malicious actions belonging to certain class
relative to all test samples that the system assigned to this class with previous training;
P1,2 – similar to metric P1,1 , but without previous training;</p>
      <p>P2,1 – the percentage of malicious action vectors belonging to a given subclass of a
class relative to all test vectors that the system assigned to that subclass of the class in
the test sample (those that were correctly assigned to the subclasses) with previous
training;</p>
      <p>P2,2 – similar to metric P2,1 , but without previous training;</p>
      <p>P3,1 – the percentage of correctly detected botnet nodes with previous training;</p>
      <p>P3,2 – similar to metric P3,1 , but without previous training;</p>
      <p>P4,1 – the percentage of incorrectly classified botnet nodes as benign applications
(type I error) with previous training;</p>
      <p>P4,2 – similar to metric P4,1 , but without previous training;</p>
      <p>P5,1 – the percentage of incorrectly assigned bot nodes to one of the botnet classes
(type III error), with previous training;</p>
      <p>P5,2 – similar to metric P5,1 , but without previous training.</p>
      <p>The results of evaluating the efficiency of detecting the software of botnet nodes
based on the work of two classifiers for the entered classes and subclasses in the
classifier are shown in Table 2.</p>
      <p>Metrics (%): P1,1; P1,2; P2,1; P2,2; P3,1; P3,2; P4,1; P4,2; P5,1; P5,2</p>
      <p>
        As a result of the experiment, 66% of test samples were correctly clustered by the
classifier without the entered vectors of artificially generated botnets, and 88% by the
classifier to which the vectors had previously been added by training it. The
percentage of features that the distributed system used to detect botnets and that are
related to manifestations of software implants is approximately 27% of all
detected features. The intensity of manifestations of software implants is significantly lower
than that of typical manifestations of botnets. Thus, software implants that use
undocumented software features within botnets can be detected by distributed systems [
        <xref ref-type="bibr" rid="ref43">43</xref>
        ] and
the direction of such research is promising.
      </p>
    </sec>
    <sec id="sec-5">
      <title>Discussion and Future work</title>
      <p>Software implants that use undocumented software features on local area
networks can be developed and used in various malicious models. An important task is
the further development of formal profiles and their behavioral signatures. The combination of
these components will make it possible to obtain metrics for investigating the presence of this type
of malware.</p>
    </sec>
    <sec id="sec-6">
      <title>Conclusion</title>
      <p>Software implants that use undocumented software features on local area
networks can cause significant harm to users of personal computers, especially to
businesses that operate computer networks and use specialized software.</p>
      <p>
        The class divisions obtained with the developed solution make it possible to
perform further analysis of deviations to search for anomalies within the classes. The use of
the developed models of software implants that use undocumented software features in
distributed detection systems [
        <xref ref-type="bibr" rid="ref43">43</xref>
        ] has made it possible to improve the detection
efficiency of the botnets they were part of.
      </p>
      <p>The direction of further research is the specification and definition of the many
functions that will form elements of software implants that use undocumented
software features, with the aim of representing their behavioral signatures to
improve detection efficiency.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <surname>Sanjam</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gentry</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Halevi</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Raykova</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Sahai</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Waters</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>Hiding Secrets in Software: A Cryptographic Approach to Program Obfuscation</article-title>
          .
          <source>Communications of the ACM</source>
          , Vol.
          <volume>59</volume>
          , No.
          <issue>5</issue>
          , pp.
          <fpage>113</fpage>
          -
          <lpage>120</lpage>
          (
          <year>2016</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <source>McAfee Mobile Threat Report Q1</source>
          ,
          <year>2019</year>
          . Available: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-mobile-threat-report-2019.pdf
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3. DSTU 3396.2-97.
          <article-title>Protection of information</article-title>
          .
          <source>Technical protection of information. Terms and definitions. State Committee of Ukraine</source>
          , Kyiv (
          <year>1997</year>
          ) [in Ukrainian]
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Lysenko</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kryshchuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kljots</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          <article-title>Botnet detection technique for corporate area network</article-title>
          .
          <source>In: Proc. of the 2013 IEEE 7th International Conference on Intelligent Data Acquisition and Advanced Computing Systems</source>
          , pp.
          <fpage>363</fpage>
          -
          <lpage>368</lpage>
          (
          <year>2013</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lysenko</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nicheporuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>Metamorphic Viruses' Detection Technique Based on the Equivalent Functional Block Search</article-title>
          .
          <source>CEUR Workshop</source>
          , Vol.
          <volume>1844</volume>
          , pp.
          <fpage>555</fpage>
          -
          <lpage>569</lpage>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Chen</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Carvalho</surname>
            ,
            <given-names>W.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Baracaldo</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ludwig</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Edwards</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          et al:
          <article-title>Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering</article-title>
          .
          <source>CEUR Workshop</source>
          , Vol.
          <volume>2301</volume>
          , (
          <year>2019</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <article-title>Adups Backdoor</article-title>
          . Available: https://www.kryptowire.com/adups_security_analysis.html.
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <surname>Alminshid</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Omar</surname>
            ,
            <given-names>M. N.</given-names>
          </string-name>
          :
          <article-title>Detecting backdoor using stepping stone detection approach</article-title>
          .
          <source>In: Proc. of 2013 Second International Conference on Informatics &amp; Applications (ICIA)</source>
          , Lodz, Poland, pp.
          <fpage>87</fpage>
          -
          <lpage>92</lpage>
          (
          <year>2013</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <surname>Zaddach</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kurmus</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Balzarotti</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Blass</surname>
            ,
            <given-names>E.-O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Francillon</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          , et al.:
          <article-title>Implementation and Implications of a Stealth Hard-drive Backdoor</article-title>
          .
          <source>In: Proc. of 29th Annual Computer Security Applications Conference</source>
          , New Orleans, Louisiana, US
          (
          <year>2013</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <surname>Dullien</surname>
            ,
            <given-names>T. F.</given-names>
          </string-name>
          :
          <article-title>Weird machines, exploitability, and provable unexploitability</article-title>
          .
          <source>IEEE Transactions on Emerging Topics in Computing, No. 99</source>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>15</lpage>
          (
          <year>2017</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <surname>Thomas</surname>
            ,
            <given-names>S. L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chothia</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Garcia</surname>
            ,
            <given-names>F. D.</given-names>
          </string-name>
          :
          <article-title>HumIDIFy: A Tool for Hidden Functionality Detection in Firmware</article-title>
          .
          <source>In: Proc. of 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment</source>
          , Bonn, Germany, pp.
          <fpage>279</fpage>
          -
          <lpage>300</lpage>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <surname>Thomas</surname>
            ,
            <given-names>S. L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chothia</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Garcia</surname>
            ,
            <given-names>F. D.</given-names>
          </string-name>
          :
          <article-title>Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality</article-title>
          .
          <source>In: Proc. of 22nd European Symposium on Research in Computer Security</source>
          . Oslo, Norway, pp.
          <fpage>513</fpage>
          -
          <lpage>531</lpage>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Schönegge</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>The Hidden Function Question Revisited</article-title>
          .
          <source>In: Proc. of Algebraic Methodology and Software Technology: 6th International Conference</source>
          , AMAST '97. Sydney, Australia, pp.
          <fpage>451</fpage>
          -
          <lpage>464</lpage>
          (
          <year>1997</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <article-title>The Secret Code of Software Validation… In 5 Easy Steps</article-title>
          . Available: https://www.cebos.com/blog/the-secret-code-of-software-validation-in-5-easy-steps/
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>Kawamoto</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Yamamoto</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          :
          <article-title>Secret function sharing schemes and their applications to the oblivious transfer</article-title>
          .
          <source>In: IEEE International Symposium on Information Theory</source>
          , pp.
          <fpage>281</fpage>
          -
          <lpage>295</lpage>
          , Yokohama, Japan (
          <year>2003</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>Pomorova</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lysenko</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kryshchuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bobrovnikova</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          :
          <article-title>A Technique for the Botnet Detection Based on DNS-Traffic Analysis</article-title>
          .
          <source>Communications in Computer and Information Science</source>
          , Vol.
          <volume>522</volume>
          , pp.
          <fpage>127</fpage>
          -
          <lpage>138</lpage>
          (
          <year>2015</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Pomorova</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lysenko</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kryshchuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bobrovnikova</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          :
          <article-title>Anti-evasion Technique for the Botnets Detection Based on the Passive DNS Monitoring and Active DNS Probing</article-title>
          .
          <source>Communications in Computer and Information Science</source>
          , Vol.
          <volume>608</volume>
          , pp.
          <fpage>83</fpage>
          -
          <lpage>95</lpage>
          (
          <year>2016</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lysenko</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nicheporuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>Approach for the Unknown Metamorphic Virus Detection</article-title>
          .
          <source>In: 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems. Technology and Applications</source>
          , pp.
          <fpage>453</fpage>
          -
          <lpage>458</lpage>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19.
          <string-name>
            <surname>Desai</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Stamp</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>A highly metamorphic virus generator</article-title>
          .
          <source>Int. J. Multimedia Intelligence and Security</source>
          , Vol.
          <volume>1</volume>
          (
          <issue>4</issue>
          ), pp.
          <fpage>402</fpage>
          -
          <lpage>427</lpage>
          (
          <year>2010</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          20.
          <string-name>
            <surname>Podlovchenko</surname>
            ,
            <given-names>R.I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kuzyurin</surname>
            ,
            <given-names>N.N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Shcherbina</surname>
            ,
            <given-names>V.S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zakharov</surname>
            ,
            <given-names>V.A.</given-names>
          </string-name>
          :
          <article-title>Using algebraic models of programs for detecting metamorphic malwares</article-title>
          .
          <source>Journal of Mathematical Sciences</source>
          , Vol.
          <volume>172</volume>
          (
          <issue>5</issue>
          ), pp.
          <fpage>740</fpage>
          -
          <lpage>750</lpage>
          (
          <year>2011</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          21.
          <string-name>
            <surname>Anderson</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Quist</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Neil</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Storlie</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lane</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          :
          <article-title>Graph-based malware detection using dynamic analysis</article-title>
          .
          <source>Journal in Computer Virology</source>
          ,
          <volume>7</volume>
          , pp.
          <fpage>247</fpage>
          -
          <lpage>258</lpage>
          (
          <year>2011</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          22.
          <string-name>
            <surname>Runwal</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Low</surname>
            ,
            <given-names>R.M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Stamp</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>Opcode Graph Similarity and Metamorphic Detection</article-title>
          .
          <source>Journal in Computer Virology</source>
          ,
          <volume>8</volume>
          , pp.
          <fpage>37</fpage>
          -
          <lpage>52</lpage>
          (
          <year>2012</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          23.
          <string-name>
            <surname>Nagaraju</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>Metamorphic malware detection using base malware identification approach</article-title>
          .
          <source>Journal Security and Communication Networks</source>
          ,
          <volume>7</volume>
          , pp.
          <fpage>1719</fpage>
          -
          <lpage>1733</lpage>
          (
          <year>2014</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          24.
          <string-name>
            <surname>Patel</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>Similarity tests for metamorphic virus detection</article-title>
          .
          <source>Master's thesis</source>
          , San Jose State University (
          <year>2011</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          25.
          <string-name>
            <surname>Wong</surname>
            ,
            <given-names>W.</given-names>
          </string-name>
          :
          <article-title>Analysis and Detection of Metamorphic Computer Viruses</article-title>
          .
          <source>Master's thesis</source>
          , San Jose State University (
          <year>2006</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          26.
          <string-name>
            <surname>Kuriakose</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vinod</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          :
          <article-title>Unknown Metamorphic Malware Detection: Modelling with Fewer Relevant Features and Robust Feature Selection Techniques</article-title>
          ,
          <source>IAENG International Journal of Computer Science</source>
          , Vol.
          <volume>42</volume>
          (
          <issue>2</issue>
          ), pp.
          <fpage>139</fpage>
          -
          <lpage>151</lpage>
          (
          <year>2015</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          27.
          <string-name>
            <surname>Pomorova</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lysenko</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kryshchuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          and
          <string-name>
            <surname>Nicheporuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>A technique for detection of bots which are using polymorphic code</article-title>
          .
          <source>In: 21st International Conference</source>
          , CN, Springer, Brunów, Poland, pp.
          <fpage>265</fpage>
          -
          <lpage>276</lpage>
          (
          <year>2014</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          28.
          <string-name>
            <surname>Tarhio</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ukkonen</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          :
          <article-title>Approximate Boyer-Moore String Matching</article-title>
          .
          <source>SIAM Journal on Computing</source>
          , Vol.
          <volume>22</volume>
          , No.
          <issue>2</issue>
          , pp.
          <fpage>243</fpage>
          -
          <lpage>260</lpage>
          (
          <year>1993</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          29.
          <string-name>
            <surname>Drozd</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Drozd</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Antoshchuk</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kharchenko</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          :
          <article-title>Natural Development of the Resources in Design and Testing of the Computer Systems and their Components</article-title>
          .
          <source>In: 7th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications</source>
          , pp.
          <fpage>233</fpage>
          -
          <lpage>237</lpage>
          . Berlin, Germany (
          <year>2013</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          30.
          <string-name>
            <surname>Kondratenko</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kondratenko</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          :
          <article-title>Soft Computing Analytic Models for Increasing Efficiency of Fuzzy Information Processing in Decision Support Systems</article-title>
          . Chapter in book:
          <source>Decision Making: Processes, Behavioral Influences and Role in Business Management</source>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Hudson</surname>
          </string-name>
          (Ed.), Nova Science Publishers, New York,
          <fpage>41</fpage>
          -
          <lpage>78</lpage>
          (
          <year>2015</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          31.
          <string-name>
            <surname>Proskurin</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          :
          <article-title>Software malicious implant in secure systems</article-title>
          . Available: http://www.crimeresearch.ru/library/progwir98.htm [in Ukrainian].
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          32.
          <string-name>
            <surname>Kaarin</surname>
            ,
            <given-names>O. V.</given-names>
          </string-name>
          :
          <article-title>Program protection theory and practice</article-title>
          .
          <source>MGUL</source>
          , pp.
          <volume>450</volume>
          (
          <year>2004</year>
          ) [in Russian].
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          33.
          <string-name>
            <surname>Kaarin</surname>
            ,
            <given-names>O. V.</given-names>
          </string-name>
          <article-title>Computer system software security</article-title>
          .
          <source>MGUL</source>
          , pp.
          <volume>212</volume>
          (
          <year>2003</year>
          ) [in Russian].
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          34.
          <string-name>
            <surname>Shanugin</surname>
            ,
            <given-names>V. F.</given-names>
          </string-name>
          <article-title>Protection of computer information. Effective methods and tools: a textbook</article-title>
          . DMK Press, pp.
          <volume>544</volume>
          (
          <year>2008</year>
          ) [in Russian].
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          35.
          <string-name>
            <surname>Shanugin</surname>
            ,
            <given-names>V. F.</given-names>
          </string-name>
          <article-title>Protection of information in computer systems and networks</article-title>
          . DMK Press, pp.
          <volume>592</volume>
          (
          <year>2012</year>
          ) [in Russian].
        </mixed-citation>
      </ref>
      <ref id="ref36">
        <mixed-citation>
          36.
          <string-name>
            <surname>Balakrishnan</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Reps</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          :
          <article-title>WYSINWYX: What You See Is Not What You eXecute</article-title>
          .
          <source>In: Proc of ACM Transactions on Programming Languages and Systems</source>
          , Vol.
          <volume>32</volume>
          ,
          Issue
          <issue>6</issue>
          , (
          <year>2010</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref37">
        <mixed-citation>
          37.
          <string-name>
            <surname>Igumnov</surname>
            ,
            <given-names>B. N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zavgorondnyaya</surname>
            ,
            <given-names>T. P.</given-names>
          </string-name>
          <article-title>Cybernetic basis of construction of economic systems of enterprises</article-title>
          . Khmelnitsky, TUP, pp.
          <volume>344</volume>
          (
          <year>2000</year>
          ) [in Russian].
        </mixed-citation>
      </ref>
      <ref id="ref38">
        <mixed-citation>
          38.
          <string-name>
            <surname>Palyata</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          <string-name>
            <surname>В</surname>
          </string-name>
          .
          <article-title>Comparative multidimensional analysis in economic research</article-title>
          . Statistica, pp.
          <volume>151</volume>
          (
          <year>1980</year>
          ) [in Russian].
        </mixed-citation>
      </ref>
      <ref id="ref39">
        <mixed-citation>
          39.
          <string-name>
            <surname>Shatalkin</surname>
            ,
            <given-names>A.I.</given-names>
          </string-name>
          <article-title>Taxonomy: Grounds, principles and rules</article-title>
          .
          <source>Tovarischestvo nauchnyih izdaniy KMK</source>
          , pp.
          <volume>600</volume>
          (
          <year>2012</year>
          ) [in Russian].
        </mixed-citation>
      </ref>
      <ref id="ref40">
        <mixed-citation>
          40.
          <string-name>
            <surname>Zhambyu</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <article-title>Hierarchical cluster analysis and matching</article-title>
          . Finance and statistics, pp.
          <volume>345</volume>
          (
          <year>1988</year>
          ) [in Russian].
        </mixed-citation>
      </ref>
      <ref id="ref41">
        <mixed-citation>
          41.
          <string-name>
            <surname>Ward</surname>
            ,
            <given-names>J.H.</given-names>
          </string-name>
          :
          <article-title>Hierarchical grouping to optimize an objective function</article-title>
          .
          <source>Journal of the American Statistical Association</source>
          , Vol.
          <volume>58</volume>
          , No.
          <issue>301</issue>
          , pp.
          <fpage>236</fpage>
          -
          <lpage>244</lpage>
          (
          <year>1963</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref42">
        <mixed-citation>
          42.
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nicheporuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hurman</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lysenko</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          :
          <article-title>Dynamic Signature-based Malware Detection Technique Based on API Call Tracing</article-title>
          .
          <source>CEUR Workshop</source>
          , Vol.
          <volume>2393</volume>
          , pp.
          <fpage>633</fpage>
          -
          <lpage>643</lpage>
          (
          <year>2019</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref43">
        <mixed-citation>
          43.
          <string-name>
            <surname>Savenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lysenko</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kryschuk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>Multi-agent based approach of botnet detection in computer systems</article-title>
          .
          <source>Communications in Computer and Information Science</source>
          , Vol.
          <volume>291</volume>
          , pp.
          <fpage>171</fpage>
          -
          <lpage>180</lpage>
          (
          <year>2012</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref44">
        <mixed-citation>
          44.
          <string-name>
            <surname>Balyk</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Karpinski</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Naglik</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Shangytbayeva</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Romanets</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          :
          <article-title>Using graphic network simulator 3 for DDoS attacks simulation</article-title>
          .
          <source>International Journal of Computing</source>
          . Vol.
          <volume>16</volume>
          , Issue
          <issue>4</issue>
          , pp.
          <fpage>219</fpage>
          -
          <lpage>225</lpage>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>