=Paper= {{Paper |id=Vol-2853/paper46 |storemode=property |title=Application of Multifactor Analysis for the Purpose of Detecting Malicious Software Implants of the Software in Local Computer Networks |pdfUrl=https://ceur-ws.org/Vol-2853/paper46.pdf |volume=Vol-2853 |authors=Vadym Paiuk,Volodymyr Kosenkov,Oleg Savenko,Andrii Nicheporuk,Olena Geidarova |dblpUrl=https://dblp.org/rec/conf/intelitsis/PaiukKSNG21 }} ==Application of Multifactor Analysis for the Purpose of Detecting Malicious Software Implants of the Software in Local Computer Networks== https://ceur-ws.org/Vol-2853/paper46.pdf
Application of Multifactor Analysis for the Purpose of Detecting
Malicious Software Implants of the Software in Local Computer
Networks
Vadym Paiuk (a), Volodymyr Kosenkov (a), Oleg Savenko (a), Andrii Nicheporuk (a), and Olena Geidarova (a)
(a) Khmelnytskyi National University, Instytutska str., 11, Khmelnytskyi, 29016, Ukraine

                 Abstract
                 This paper studies the detection of malicious implants in software. Such implants can
                 be of two types: in the first case they are independent entities, and in the second case
                 they are part of certain malicious software. Other cases are not considered in this work.
                 Network-type information systems that operate in local computer networks were selected
                 for the study; accordingly, the presence of malicious implants in software is considered
                 within local computer networks. The difficulty of detecting such an implant lies in its
                 ability to remain in a latent state. An implant secretly included in the software as a
                 module can, under certain conditions, provide unauthorized access to attackers.
                 Functionally and physically, such an object can be part of a software package that
                 performs its task. In addition, it can completely replace certain parts of the software,
                 or replace a certain program completely. A further difficulty is that, for the most part,
                 such implants allow the functions of the useful software to be maintained even when they
                 are present. These functions were in the terms of reference for the project and were
                 required by the manufacturer. As a result, important software features are included in
                 the system, but they are only part of it, not all.
                     To solve this scientific problem, it is proposed to use the methods of multifactor
                 analysis. Their use will indicate the presence of the more important factors. This allows
                 the results to be applied to malicious implants, including those that are part of some
                 malware. The multifactor analysis methods are implemented in a network distributed
                 malware detection system. This makes it possible to use a ready-made, tested system and
                 add to it several methods aimed at detecting software implants. In general, this
                 increases the reliability of detection by the system. On the other hand, it provides an
                 opportunity to focus only on the added detection methods, as the distributed system has
                 already been tested using other methods.
                     For this problem we use a taxonomic indicator for comparing objects that have a large
                 number of signs. That is, it can serve as an indicator of the presence of software
                 implants in the software on the local network. Applying the taxonomic method of
                 processing statistical observation data makes it possible to detect such presence with a
                 certain degree of reliability. The objects of analysis are software that operates on
                 local computer networks.
                     To confirm the proposed solutions, an experiment was performed with a distributed
                 detection system that implemented the methods of multifactor analysis. The result of the
                 experiment to identify software implants in software confirmed the viability of the
                 research and the proposed solutions.

                 Keywords 1
                 Software implant, multifactor analysis, malicious software, local computer network,
                 distributed detection system.
1
 IntelITSIS’2021: 2nd International Workshop on Intelligent Information Technologies and Systems of Information Security, March 24–26,
2021, Khmelnytskyi, Ukraine
EMAIL: vadympaiuk@gmail.com (V. Paiuk); vladimirkosenkov@ukr.net (V. Kosenkov); savenko_oleg_st@ukr.net (O. Savenko);
andrey.nicheporuk@gmail.com (A. Nicheporuk); geydarova@ukr.net (O. Geidarova )
ORCID: 0000-0002-4104-745X (O. Savenko); 0000-0002-7230-9475 (A. Nicheporuk)
            © 2021 Copyright for this paper by its authors.
            Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
            CEUR Workshop Proceedings (CEUR-WS.org)
1. Introduction
   The use of modern information technologies in various fields is growing. It greatly simplifies
many processes that previously required significant human resources, and it allows many links of
information-processing workflows to be automated. In addition, the new industrial paradigm based on
Industry 4.0 and the active involvement of information technology in all possible areas of human
life and production supports this growth. In parallel, however, many attackers try to benefit by
exploiting weak links in the protection of such technologies. The use of information technology
that does not address the protection of information flows and information therefore encourages
malicious activity. Of particular interest to attackers are the banking sector, various financial
institutions and industries. Detection of malicious actions is therefore required first of all by
organizations (enterprises) that use information technology, because from the attackers' point of
view they are important sources of profit.
   Intruders can gain access to corporate computer network resources through software implants
embedded in the software and hardware of computers and peripherals. Such implants make it possible
to hide unauthorized access to resources, which takes place mainly through a local computer network.
   The object of detection is a software implant [1], and its location is the local computer
network of an enterprise. Software implants may not show up for a long time, which significantly
complicates their detection. A check for software implants performed when the developer hands the
software over for commissioning may be unsuccessful, that is, the implants may not be detected.
This creates a problem later, when the software is in use. But even an implant that was not
detected still has to manifest itself in some way, because it must communicate with certain network
resources to maintain its activity and receive commands from them. If it did not communicate, the
attackers would not know where it is physically located, at what addresses, and so on. This
activity of the software implant leads to certain signs of its manifestation, which change certain
factors.
   Software implants can preserve the functions declared by the manufacturer, and can be
implemented as part of the functions of the software package. That is, the implant can also use the
purpose-specific functions of the software that is put into operation. This possibility of dual use
of functions complicates the search for software implants.
   This scientific problem is relevant. To solve it, it is necessary to develop a mathematical
apparatus and implement it in methods for detecting software implants in software in computer
networks.
   Such an object can be part of a software package that performs tasks, can completely replace
certain parts of the software package, or can replace a certain required program.

2. Related works
   Software implants in local computer networks are detected by various methods and means, which
depend on the specific types of malware. When software implants are detected, there is a
discrepancy between the results of software testing and the processes that the software may
actually cause [1]. To hide software implants, attackers have developed many approaches,
algorithms, techniques and methods.
    Malware-related security breaches cost users at least $500 billion annually [1].
    The number of malicious programs and their varieties is growing every year [2]. Attackers direct
their means against organizations and enterprises that work with information technology in local
computer networks, because the financial and economic spheres motivate them the most.
    There are many ways to penetrate the local networks of organizations and enterprises, some of
which are described in [3-7]. This paper analyzes an attacker strategy based on the use of software
implants in computer software and peripherals.
    The purpose of this strategy is to gain unauthorized access to system resources through the
local network. In this work a software implant is treated as a secretly implemented program or
software module. It is embedded in the software and as a result poses a threat to the information
contained in the computer [8].
    The object of study is malicious software implants that use the capabilities of software in
local computer networks of enterprises. A secretly operating software implant is difficult to
identify because it does not appear during testing. Software developers embed such implants in
useful software applications, mixing functions. Under certain conditions, however, such software
implants can provide unauthorized access to the resources of entrepreneurs. In addition, software
implants can be inactive for a long time, which makes them difficult to detect. Such software
implants retain software functions, and can be implemented by some other functions that are part of
the software package [9-12]. Such strategies are also implemented by well-known Trojan programs.
But the object of study here is programs or program modules used in organizations that software
developers introduce during development for malicious use. They were hidden in the programs when
the finished software was handed over to the customer. Part of such a software implant may be
related to malicious programs such as Backdoor [9-12], while another part provides implementation
mechanisms other than those of malicious programs such as Backdoor.
    The hidden capabilities of modules in developed software are analyzed in [13-18].
    Malicious software is a malicious tool that launches a secret sharing feature. The structure and
internal algorithms of such a hidden function are given in [16]. To solve this problem, an algorithm
for detecting a hidden function was developed in [17].
    Models of hidden schemes of exchange of functions are developed in scientific article [18]. They
are designed with a secure distributed data protocol.
    In [19], the authors proposed a new method of detecting malware such as Backdoor. Artificial
neural networks and object classification were used for this purpose.
    The main disadvantage of this solution is a small set of proven and reliable data sets [19]. This
may affect its adequacy and viability.
    The model used by attackers is presented in a scientific paper [20]. It is used to hide the ways of
invasion. The authors explored the possibility of using this approach to detect other types of malware,
including Backdoor.
    In [21], a method of encoding code fragments by means of specially designed interrupts is
analyzed and substantiated; when triggered, the interrupts manipulate the run-time state and under
certain conditions can continuously perform arbitrary calculations.
    Problems of formalizing a terminal machine by modeling a program or system using a so-called
machine with a marked final state are proposed in [22]. This allows you to consider the software
product as an emulator.
    The complexity of this problem is analyzed using many tools in [23, 24]. For example, you can
consider a hardware component, a special program, or malware. This is a necessary prerequisite for
developing methods for their detection.
    In [25-27], narrowly specialized approaches to the detection of hidden software are considered.
The considered methods are focused on information protection.
    Botnets are an active type of malware that can plant software implants [28-32]. In [28-31] a
technique for detecting botnets on the basis of DNS traffic is presented. Botnets are detected by
the group activity of bots in DNS traffic, which appears within a short period of time in the DNS
queries of a group of hosts when they try to access C&C servers, migrate, run commands, or download
malware updates. In [28], a method of protection against DNS evasion for detecting botnets in
corporate networks is proposed.
    One of the main elements that can be used to detect program implants is the set of application
programming interface functions. These functions can be analyzed dynamically, as presented in
[33-34]. Attackers often use obfuscation to mask malicious code. One of the most difficult
techniques to detect is metamorphic transformation [35]. In [35] it is shown how metamorphic
transformations make it possible to hide the program code of functions.
    In [36-38] the use of baits to detect abnormal and malicious manifestations was analyzed. The
obtained results showed their effectiveness, and they can be used in the detection of software
implants.
    The use of known mathematical methods for processing various events associated with the
operation of software is presented in [39-47]. The considered methods can be used to identify
software implants. The method of multifactor analysis for the detection of software implants in a
local computer network is presented in [43]. The basis of this method is a taxonomic method of
processing statistical data of observations, which is used in studies of various subject areas
[44, 45].
   The various methods used for detection require initial stages of data preparation for
processing, the purpose of which is to develop a comprehensive approach to the detection of
software implants. The scientific task of detecting software implants in local networks is relevant
and promising. One of the tasks that needs to be solved is to develop appropriate methods for
creating effective system components for detecting software implants in local networks based on the
search for abnormal manifestations, taking into account multifactor analysis.

3. The Approach to Application of Multifactor Analysis for the Purpose of
   Detecting Malicious Software Implants in Local Computer Networks
    In our case, the objects are computer networks, and the signs may be [30, 31]: the presence of
software modules that do not meet the purpose of the process; the presence of files related to
operating systems that form open processes which do not meet the purpose of the process; a high
intensity of I/O operations from a certain process; and so on (11 signs are given, although their
number may be higher).
    The basis for research is a matrix of observations X:

$$
X = \begin{pmatrix}
x_{11} & x_{12} & \dots & x_{1k} & \dots & x_{1n} \\
x_{21} & x_{22} & \dots & x_{2k} & \dots & x_{2n} \\
\dots & \dots & \dots & \dots & \dots & \dots \\
x_{i1} & x_{i2} & \dots & x_{ik} & \dots & x_{in} \\
\dots & \dots & \dots & \dots & \dots & \dots \\
x_{\omega 1} & x_{\omega 2} & \dots & x_{\omega k} & \dots & x_{\omega n}
\end{pmatrix} \tag{1}
$$

where $x_{ik}$ is the number of manifestations of the $k$-th feature in the $i$-th object during the
observation period; $n$ is the number of features; $\omega$ is the number of objects.
As an isotonic and isomorphic (structural) ordering of objects, Chekanovsky's method for studying
subsets for homogeneity is given.
   In economic research, a taxonomic indicator of the level of development is used to compare
objects that are characterized by a large number of features [43]. In our case, this may be an indicator
of the presence of software implants in the local network. And this will be a further development of
research, which is presented in [1].
   The first stage is the standardization of features in the matrix (1) and its transformation into a
matrix Z.
   - the expert constructs a square $n \times n$ matrix of pairwise comparisons of features, which has
the property of inverse symmetry $a_{ji} = 1/a_{ij}$;
   - the eigenvector of priorities is calculated: all elements of a row are multiplied and the root of
the $n$-th degree is taken from the result; the number obtained is then divided by the sum of such
numbers over the column, which gives the estimates of the priority vector $(x_1, x_2, \dots, x_n)$;
   - the $n \times n$ matrix is multiplied by the column of the priority vector, giving a column
$(y_1, y_2, \dots, y_n)$ that shows the degree of importance of each feature.
   Then, before the transition from the matrix X to the matrix Z, the results of observations in the
matrix (1) must be multiplied by the coefficients $y_k$, respectively.
   In [42], the transition to the matrix Z is proposed in the following sequence:

$$Z_{ik} = \frac{X_{ik} - \bar{X}_k}{S_k}, \tag{2}$$

where

$$\bar{X}_k = \frac{1}{\omega}\sum_{i=1}^{\omega} X_{ik}, \tag{3}$$

$$S_k = \left[\frac{1}{\omega}\sum_{i=1}^{\omega}\left(X_{ik} - \bar{X}_k\right)^2\right]^{1/2}. \tag{4}$$

   Here $k = 1, 2, \dots, n$; $X_{ik}$ is the value of the sign $k$ for the unit $i$; $\bar{X}_k$ is the
arithmetic mean of the sign $k$; $S_k$ is the standard deviation of the sign $k$; $Z_{ik}$ is the
standardized value of the characteristic $k$ for the unit $i$.
    Next, the so-called development standard is formed, which is a point with coordinates
$Z_{01}, Z_{02}, \dots, Z_{0n}$. These coordinates represent the standards or valid values of the features.
    Then the distance between the unit points of the matrix Z and the standard point is determined
by the formula:

$$C_{i0} = \left[\sum_{k=1}^{n}\left(Z_{ik} - Z_{0k}\right)^2\right]^{1/2} \quad (i = 1, \dots, \omega). \tag{5}$$

    From these distances, the indicator of the presence of software implants is calculated:

$$d_i^* = \frac{C_{i0}}{C_0}, \tag{6}$$

where

$$C_0 = \bar{C}_0 + 2S_0, \tag{7}$$

$$\bar{C}_0 = \frac{1}{\omega}\sum_{i=1}^{\omega} C_{i0}, \tag{8}$$

$$S_0 = \left[\frac{1}{\omega}\sum_{i=1}^{\omega}\left(C_{i0} - \bar{C}_0\right)^2\right]^{1/2}. \tag{9}$$

    The indicator $d_i^*$ lies in the range 0…1. The closer this value is to zero, the more likely it
is that there are no software implants in the object.
    The indicator is used to statically characterize a set of objects. For a more in-depth analysis,
you need to consider the dynamic characteristics of a single object and then of a set of objects.
    Then, based on the results of observations for several periods of time, a matrix of
observations X is formed for one object:

$$
X = \begin{pmatrix}
x_{11} & x_{12} & \dots & x_{1k} & \dots & x_{1n} \\
x_{21} & x_{22} & \dots & x_{2k} & \dots & x_{2n} \\
\dots & \dots & \dots & \dots & \dots & \dots \\
x_{i1} & x_{i2} & \dots & x_{ik} & \dots & x_{in} \\
\dots & \dots & \dots & \dots & \dots & \dots \\
x_{t1} & x_{t2} & \dots & x_{tk} & \dots & x_{tn}
\end{pmatrix} \tag{10}
$$

where $x_{ik}$ is the value of the sign $k$ in the period $i$.
    Then, as shown above, standardization is performed (matrix Z) and the standard $P_0$ is built.
    The taxonomic index $d_i^*$ is determined by formula (6), where

$$C_{i0} = \left[\sum_{k=1}^{n}\left(Z_{ik} - Z_{0k}\right)^2\right]^{1/2} \quad (i = 1, \dots, t), \tag{11}$$

$$C_0 = \bar{C}_0 + 2S_0, \tag{12}$$

$$\bar{C}_0 = \frac{1}{t}\sum_{i=1}^{t} C_{i0}, \tag{13}$$

$$S_0 = \left[\frac{1}{t}\sum_{i=1}^{t}\left(C_{i0} - \bar{C}_0\right)^2\right]^{1/2}. \tag{14}$$

    So, now the indicator $d_i^*$ describes the dynamics of changes in the sets under study, but for
one object.
    You can now proceed to the dynamic characterization of a set of objects. If the observation
matrix of an object $j$ is denoted by $X_j$, the aggregate matrix for the objects takes the form of a
block matrix:

$$X_0 = [X_1, Z_2, \dots, Z_{\omega n}], \tag{15}$$

    Given that all objects in the network are of the same type (they are computers), the standard
$P_0$ may remain from the previous analysis.
    The generalized index $d_i^*$ is determined by formula (6), where:

$$C_{i0} = \left[\sum_{j=1}^{\omega}\sum_{k=1}^{n}\left(Z_{ik} - Z_{0k}\right)^2\right]^{1/2} \quad (i = 1, \dots, t). \tag{16}$$

    $C_0$, $S_0$ are defined by formulas (12), (13), (14).
    Here $n$ is the number of features; $\omega$ is the number of objects; $Z_{ik}$ is the standardized
value of the sign $k$ in the period t.
    The calculated value $d_i^*$ describes the process with the dynamic characteristics of all objects.
But according to [44-46], the directions of changes of individual components by the total value of the
indicator are not taken into account here. Therefore, in [42] it is proposed to replace the distance
$C_{i0}$ with $C_{i0,j}$:

$$C_{i0,j} = \left[\sum_{k=1}^{n}\left(Z_{ik} - Z_{0k,j}\right)^2\right]^{1/2}, \tag{17}$$

where $i = 1, 2, \dots, t$; $j = 1, 2, \dots, \omega$; $Z_{0k,j}$ are the coordinates of the development
standard of the object $j$.
    Then the dependence (16) between the square of the distance for the aggregate indicator and the
squares of the distances for the individual indicators can be written as:

$$C_{i0}^2 = \sum_{j=1}^{\omega} C_{i0,j}^2. \tag{18}$$

   Taking into account $C_{i0} = C_0 \cdot d_i^*$ and $C_{i0,j} = C_{0,j} \cdot d_{i,j}^*$, the dependence
between the aggregate and individual indicators takes the form:

$$d_i^* = \frac{\sum_{j=1}^{\omega} C_{0,j}^2 \cdot d_{i,j}^*}{C_0^2}. \tag{19}$$

   The obtained formula makes it possible to estimate the influence of the individual taxonomic
indicators of objects $d_{i,j}^*$ on the general taxonomic indicator of the set of objects $d_i^*$. Here,
as before, this figure is in the range (0, 1).
    The result of the indicator refers to one of the five intervals that allow us to assess the level of
possible presence of software implants.
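
Added example (not code from the paper): the procedure of this section in Python, from the expert pairwise matrix through formulas (2)-(9) for the static indicator and formulas (17)-(18) for a set of objects observed over several periods. The sample counts, the pairwise matrix and all function names are constructed for illustration; the standard point is assumed to be the lowest standardized value of each sign, and $S_0$ is taken as the deviation of the distances around their mean.

```python
import math

def priority_weights(A):
    """Importance y_k of every sign from an inverse-symmetric pairwise matrix A."""
    n = len(A)
    geo = [math.prod(row) ** (1.0 / n) for row in A]   # n-th root of each row product
    x = [g / sum(geo) for g in geo]                     # priority vector (x_1..x_n)
    return [sum(a * xc for a, xc in zip(row, x)) for row in A]   # y = A x

def standardize(X):
    """Formulas (2)-(4): z-score every column using the 1/omega deviation."""
    cols = []
    for col in zip(*X):
        mean = sum(col) / len(col)
        sd = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col))
        # A sign that never varies gives S_k = 0; map it to 0 instead of dividing.
        cols.append([(v - mean) / sd if sd > 0 else 0.0 for v in col])
    return [list(row) for row in zip(*cols)]

def distances(Z):
    """Formulas (5), (11), (17): distance of every row of Z from the standard."""
    # Assumption: signs count suspicious manifestations, so the "valid" value
    # of each one is the lowest standardized value observed.
    Z0 = [min(col) for col in zip(*Z)]
    return [math.sqrt(sum((z - z0) ** 2 for z, z0 in zip(row, Z0))) for row in Z]

def indicator(C):
    """Formulas (6)-(9): d_i* = C_i0 / C_0 with C_0 = mean(C) + 2 * S_0."""
    mean_c = sum(C) / len(C)
    # Assumption: S_0 is the deviation of the distances around their mean.
    s0 = math.sqrt(sum((c - mean_c) ** 2 for c in C) / len(C))
    c0 = mean_c + 2 * s0
    return [c / c0 if c0 > 0 else 0.0 for c in C]

def static_indicator(X, y=None):
    """Matrix (1): one row per object, one observation period."""
    if y is not None:   # multiply the observations by y_k before standardization
        X = [[v * w for v, w in zip(row, y)] for row in X]
    return indicator(distances(standardize(X)))

def dynamic_indicator(series):
    """series[j] is the t x n matrix (10) of object j.

    Returns d_i* for every period and, per period, the share of each object
    in the squared aggregate distance of formula (18).
    """
    per_object = [distances(standardize(Xj)) for Xj in series]   # C_{i0,j}
    squares = [[c[i] ** 2 for c in per_object] for i in range(len(per_object[0]))]
    C = [math.sqrt(sum(row)) for row in squares]                  # C_i0 from (18)
    shares = [[s / sum(row) if sum(row) > 0 else 0.0 for s in row] for row in squares]
    return indicator(C), shares

# Constructed sample data. Columns: modules that do not fit the process,
# OS-related files behind mismatched processes, high-intensity I/O events.
PAIRWISE = [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]
HOSTS = [[1, 0, 2], [0, 1, 3], [1, 1, 2], [0, 0, 3], [6, 5, 9]]   # 5 objects
SERIES = [                                                         # 3 objects, 4 periods
    [[1, 0, 2], [0, 1, 3], [1, 1, 2], [0, 0, 3]],
    [[0, 1, 2], [1, 0, 3], [0, 1, 3], [1, 0, 2]],
    [[1, 0, 2], [0, 1, 2], [7, 6, 9], [1, 1, 3]],
]

if __name__ == "__main__":
    y = priority_weights(PAIRWISE)
    print("weights y:", [round(v, 3) for v in y])
    print("static d*:", [round(v, 3) for v in static_indicator(HOSTS, y)])
    d, shares = dynamic_indicator(SERIES)
    for i, (di, sh) in enumerate(zip(d, shares)):
        print(f"period {i}: d*={di:.3f} shares={[round(s, 2) for s in sh]}")
```

Because formula (2) divides each column by its own deviation, multiplying a column of X by a positive $y_k$ leaves Z unchanged, so `static_indicator(HOSTS, y)` returns the same values as `static_indicator(HOSTS)`; the weights change $d_i^*$ only if they are applied after standardization.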


4. Experiments and evaluation
    For the experiments, a distributed malware detection system [4, 30, 48-52] was used, extended
with the ability to detect software implants based on the implemented methods. An appropriate method
was implemented to check the efficiency of the classifier in the structure of the distributed system.
The result of the determination was the dependence of the percentage of detected botnets containing
software implants. Experimental studies were performed for the classifier without adding copies of
the created botnets, i.e. the test was performed without training the classifier on the created
samples. Botnets that use a strategy of gaining complete control by activating their components were
selected for the experiment; that is, software implants were present at every computer station. The
results of the calculation of various indicators are presented in Table 1. The experiments involved
determining the following metrics for the detection of bot nodes: $P_1$ – percentage of harmful
vectors belonging to a certain class; $P_2$ – the percentage of vectors of harmful actions belonging
to this subclass of the class in relation to all test vectors; $P_3$ – the percentage of correctly
detected botnet nodes; $P_4$ – the percentage of botnet nodes incorrectly classified as benign
applications; $P_5$ – the percentage of bot nodes incorrectly assigned to one of the botnet classes.

Table 1. Results of Experiments

  Metric \ Class     C0      C1      C2      C3      C4      C5      C6     Mean
  P1, %            89,74   83,29   72,66   86,30   92,04   92,18   96,60   88,44
  P2, %            85,60   83,37   72,38   85,19   98,68   93,72   96,40   88,22
  P3, %            92,21   84,31   72,03   89,57   90,63   88,52   93,78   87,82
  P4, %             7,79   14,37   27,97   10,43    7,27   11,48    6,22   11,60
  P5, %             0       1,02    0       0       1,15    0       0       0,31

   The result is approximately 26.7% of the total number detected. The intensity of manifestations of
software implants is much lower than the typical manifestations of botnets. Thus, software implants
used by botnets can be detected by distributed systems [30].
5. Discussion and Future Work
   Thus, software implants create problems for software users. This is especially true for
organizations and businesses. The advantage of attackers who use software implants is that they use
hidden software functions. The difficulty in detecting such program implants is that the processes
occur in local networks. Attackers develop and use such tools in various malicious models.

6. Conclusions
    On-premises software implants in software create problems for PC users. The proposed method for
detecting software implants makes it possible to assess the degree of their presence in the software.
The application of the proposed solution in a distributed malware detection system has increased the
efficiency of software implant detection by 4% through the use of multidimensional analysis to detect
software implants in software on a local computer network.
    The direction of further research will be the development of methods for detecting software
implants based on their behavioral signatures.

7. References
[1] G. Sanjam, C. Gentr, S. Halevi, M. Raykova, A. Sahai, B. Waters, Hiding Secrets in Software: A
     Cryptographic Approach to Program Obfuscation. Communications of the ACM, 59 5 (2016)
     113-120
[2] McAfee Mobile Threat Report Q1, 2019. URL:
     https://www.mcafee.com/enterprise/en-us/assets/reports/rp-mobile-threat-report-2019.pdf
[3] K. Drozd, O. Zashcholkin, O. Martynyuk, J. Ivanova, J. Drozd, Development of Checkability in
     FPGA Components of Safety-Related Systems, CEUR WS 2762 (2020) 30-42
[4] S. Lysenko, K. Bobrovnikova, S. Matiukh, I. Hurman, O. Savenko, Detection of the botnets’
     low-rate DDoS attacks based on self-similarity, International Journal of Electrical and Computer
     Engineering 10 4 (2020) 3651-3659
[5] B. Anderson, D. Quist, J. Neil, C. Storlie, T. Lane, Graph-based malware detection using
     dynamic analysis. Journal in Computer Virology, 7 (2011) 247-258
[6] N. Runwal, R. M. Low, M. Stamp, Opcode Graph Similarity and Metamorphic Detection.
     Journal in Computer Virology, 8 (2012) 37-52
[7] A. Nagaraju Metamorphic malware detection using base malware identification approach.
     Journal Security and Communication Networks, 7 (2014) 1719-1733
[8] DSTU 3396.2-97 Protection of information. Technical protection of information. Terms and
     definitions. State Committee of Ukraine, Kyiv (1997) [in Ukrainian].
[9] B. Chen, W. Carvalho, N. Baracaldo, H. Ludwig, B. Edwards, et al, Detecting Backdoor Attacks
     on Deep Neural Networks by Activation Clustering. CEUR WS 2301 (2019)
[10] Adups Backdoor. URL: https://www.kryptowire.com/adups_security_analysis.html.
[11] K. Alminshid, M. N. Omar, Detecting backdoor using stepping stone detection approach, in:
     Proceedings of 2013 Second International Conference on Informatics & Applications (ICIA),
     Lodz, Poland, 2013, pp. 87-92
[12] J. Zaddach, A. Kurmus, D. Balzarotti, E.-O. Blass, A. Francillon, et al., Implementation and
     Implications of a Stealth Hard-drive Backdoor, in: Proceedings of 29th Annual Computer
     Security Applications Conference, New Orleans, Louisiana, US, 2013.
[13] T. F. Dullien, Weird machines, exploitability, and provable unexploitability, IEEE Transactions
     on Emerging Topics in Computing, 99 (2017) 1-15
[14] S. L. Thomas, T. Chothia, F. D. Garcia, HumIDIFy: A Tool for Hidden Functionality Detection
     in Firmware, in: Proceedings of 14th International Conference on Detection of Intrusions and
     Malware, and Vulnerability Assessment, Bonn, Germany, 2017, pp. 279-300
[15] S. L. Thomas, T. Chothia, F. D. Garcia, Measuring the Importance of Static Data Comparisons to
     Detect Backdoors and Undocumented Functionality, in: Proceedings of 22nd European
     Symposium on Research in Computer Security. Oslo, Norway, 2017, pp. 513-531
[16] A. Schönegge, The Hidden Function Question Revisited, in: Proceedings of Algebraic
     Methodology and Software Technology: 6th International Conference, AMAST '97. Sydney,
     Australia, 1997, pp. 451-464
[17] The Secret Code of Software Validation… In 5 Easy Steps. URL:
     https://www.cebos.com/blog/the-secret-code-of-software-validation-in-5-easy-steps/
[18] Y. Kawamoto, H. Yamamoto, Secret function sharing schemes and their applications to the
     oblivious transfer, in: Proceedings of IEEE International Symposium on Information Theory,
     2003, pp. 281-295
[19] B. Chen, W. Carvalho, N. Baracaldo, H. Ludwig, B. Edwards, et al, Detecting Backdoor Attacks
     on Deep Neural Networks by Activation Clustering, CEUR Workshop 2301 (2019).
[20] J. Tarhio, E. Ukkonen, Approximate Boyer Moore String Matching. SIAM Journal on
     Computing 22 2, (1993) 243-260
[21] Y. Kondratenko, N. Kondratenko, Soft Computing Analytic Models for Increasing Efficiency of
     Fuzzy Information Processing in Decision Support Systems. Chapter in book: Decision Making:
     Processes, Behavioral Influences and Role in Business Management, R. Hudson (Ed.), Nova
     Science Publishers, New York, 2015, 41-78
[22] V. Proskurin, Software malicious implant in secure systems. URL:
     http://www.crime-research.ru/library/progwir98.htm [in Ukrainian].
[23] O. V. Kaarin, Program protection theory and practice. MGUL, 2004 [in Russian].
[24] O. V. Kaarin, Computer system software security. MGUL, 2003 [in Russian].
[25] V. F. Shanugin, Protection of computer information. Effective methods and tools: a textbook.
     DMK Press, 2008 [in Russian].
[26] V. F. Shanugin, Protection of information in computer systems and networks. DMK Press,
     (2012) [in Russian].
[27] G. Balakrishnan, T. Reps, WYSINWYX: What You See Is Not What You eXecute. in:
     Proceedings of ACM Transactions on Programming Languages and Systems, Vol. 32, Issue 6,
     2010.
[28] S. Lysenko, K. Bobrovnikova, O. Savenko. A Botnet Detection Approach Based on The Clonal
     Selection Algorithm, in: Proceedings of 2018 IEEE 9th International Conference on Dependable
     Systems, Services and Technologies, DeSSerT-2018, Kyiv, Ukraine, 2018, pp. 424-428.
[29] S. Lysenko, O. Pomorova, O. Savenko, A. Kryshchuk and K. Bobrovnikova DNS-based Anti-
     evasion Technique for Botnets Detection, in: Proceedings of the 8-th IEEE International
     Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and
     Applications, Warsaw, 2015, pp. 453–458.
[30] S. Lysenko, K. Bobrovnikova, O. Savenko and A. Kryshchuk, BotGRABBER: SVM-Based
     Self-Adaptive System for the Network Resilience Against the Botnets’ Cyberattacks,
     Communications in Computer and Information Science, 1039 (2019) 127-143.
     doi: 10.1007/978-3-030-21952-9_10
[31] O. Savenko, S. Lysenko, A. Kryschuk, Multi-agent based approach of botnet detection in
     computer systems, Communications in Computer and Information Science, 291 (2012) 171-180
[32] S. Taheri, A.M. Bagirov, I. Gondal, S. Brown. Cyberattack triage using incremental clustering
     for intrusion detection system, International Journal of Information Security, 19 (2020) 597–607.
     doi: https://doi.org/10.1007/s10207-019-00478-3.
[33] O. Savenko, A. Nicheporuk, I. Hurman, S. Lysenko, Dynamic signature-based malware detection
     technique based on API call tracing, CEUR-WS 2393 (2019) 633-643
[34] A. Drozd, J. Drozd, S. Antoshchuk, V. Nikul, M. Al-dhabi, Objects and Methods of On-Line
     Testing: Main Requirements and Perspectives of Development, in: Proceedings of IEEE East-
     West Design & Test Symposium, Yerevan, Armenia, 2016, pp. 72 – 76. doi:
     10.1109/EWDTS.2016.7807750
[35] O. Pomorova, O. Savenko, S. Lysenko, A. Nicheporuk Metamorphic Viruses Detection
     Technique based on the Modified Emulators, CEUR-WS 1614 (2016) 375-383
[36] T. Sochor, M. Zuzcak, Study of Internet Threats and Attack Methods Using Honeypots and
     Honeynets, Computer Network 431 (2014) 118–127
[37] T. Sochor, M. Zuzcak, Attractiveness Study of Honeypots and Honeynets in Internet Threat
     Detection, Computer Networks 522 (2015) 69-81. doi: 10.1007/978-3-319-19419-6_7.
[38] P. Owezarski, A near real-time algorithm for autonomous identification and characterization of
     honeypot attacks, in: Proceedings of the 10th ACM Symposium on Information, Computer and
     Communications Security, ser. ASIA CCS ’15. New York, NY, USA: ACM, 2015, pp. 531–542.
[39] J. Mazel, P. Casas, P. Owezarski. Sub-Space Clustering and Evidence Accumulation for
     Unsupervised Network Anomaly Detection, in: Proceedings of the Third International
     Conference on Traffic Monitoring and Analysis, ser. TMA’11. Berlin: Springer-Verlag, 2011,
     pp. 15–28.
[40] N. A. Rosli, W. Yassin, M.F. Faizal, S.R. Selamat Clustering Analysis for Malware Behavior
     Detection using Registry Data. (IJACSA) International Journal of Advanced Computer Science
     and Applications 10 12 (2019) 93-102.
[41] S. Bezobrazov, A. Sachenko, M. Komar, V. Rubanau, The method of artificial intelligence for
     malicious applications detection in android OS, International Journal of Computing, 15(3) (2016)
     184-190
[42] M. Kolisnyk, V. Kharchenko, I. Piskachova, Research of the attacks spread model on the smart
     office’s router, International Journal of Computing, 19(4) (2020) 629-637.
[43] V. Pluta Comparative multidimensional analysis in economic research: methods of taxonomy
     and factor analysis, Statistics, 1980 [in Russian]
[44] B. N. Igumnov, T. P. Zavgorodnyaya, Cybernetic bases of construction of economic systems for
     the enterprises, TUP, 2000 [in Russian]
[45] G. Saat, K. Kerno, Analytical planning. Organization of systems: Translated from English, Radio
     and communication, 1991 [in Russian]
[46] A. V. Andreychikov, O. N. Andreychikova Analysis, synthesis, planning solutions in economics,
     Finance and Statistics, 2001 [in Russian]
[47] A. Melnyk, V. Melnyk, Remote Synthesis of Computer Devices for FPGA-Based IoT Nodes, in:
     Proceedings of 2020 10th International Conference on Advanced Computer Information
     Technologies, ACIT 2020, pp. 254-259
[48] A. Drozd, M. Lobachev, J. Drozd, “The problem of on-line testing methods in approximate data
     processing,” Proc. 12th IEEE International On-Line Testing Symposium, Como, Italy, pp. 251–
     256, 2006. DOI: 10.1109/IOLTS.2006.61.
[49] J. Drozd, A. Drozd, M. Al-dhabi, “A resource approach to on-line testing of computing circuits,”
     Proc. IEEE East-West Design & Test Symposium, Batumi, Georgia, 2015, pp. 276 – 281. DOI:
     10.1109/EWDTS.2015.7493122
[50] Lysenko, S., Savenko, O., Bobrovnikova, K., Kryshchuk, A., Savenko, B.: Information
     Technology for Botnets Detection Based on Their Behaviour in the Corporate Area Network. In:
     International Conference on Computer Networks, 2017, pp. 166-181. Springer, Cham.
[51] Lysenko, S., Savenko, O., Bobrovnikova, K., Kryshchuk, A.: Self-adaptive System for the
     Corporate Area Network Resilience in the Presence of Botnet Cyberattacks. In: International
     Conference on Computer Networks, pp. 385-401. Springer, Cham (2018).
[52] Savenko O., Lysenko S., Nicheporuk A., Savenko B. Approach for the Unknown Metamorphic
     Virus Detection. The 9-th IEEE International Conference on Intelligent Data Acquisition and
     Advanced Computing Systems: Technology and Applications : Proceedings (Bucharest,
     Romania, September 21–23, 2017). Bucharest, 2017. Vol. 1. Pp. 453–458.