<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>O. Tarasova);</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Pavlo Rehida<sup>a</sup>, Tomas Sochor<sup>b</sup>, Valeriy Martynyuk<sup>a</sup>, Olha Tarasova<sup>a</sup> and Viktoriia Orlenko<sup>a</sup></article-title>
      </title-group>
      <contrib-group>
        <aff id="aff0">
          <label>0</label>
          <institution>Khmelnytskyi National University</institution>
          ,
          <addr-line>Institutska str., 11, Khmelnytskyi, 29016</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Prigo University</institution>
          ,
          <addr-line>Havirov</addr-line>
          ,
          <country country="CZ">Czech Republic</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>1916</year>
      </pub-date>
      <volume>000</volume>
      <fpage>0</fpage>
      <lpage>0001</lpage>
      <abstract>
        <p>The article proposes a model for distributed malware detection using sandbox technology. Modern malware detection tools are analyzed and existing attacks are reviewed. The choice of the detection method used by the model is justified. Its main disadvantages are identified, and the use of a distributed system is proposed as a solution. The key features of using heterogeneous computer systems for calculations, and their adaptation to the task, are considered. Malware detection is approached by analyzing the states of sandboxes and evenly distributing these states among the computational elements of the system. Analysis of how these states change will signal potentially malicious software that uses anti-emulation techniques, thereby allowing the malware to be detected. The basic set of levels of the proposed model is presented. The main tasks for protecting the calculations are defined, taking into account that the model will work in a system with dynamic topology. A basic concept of load distribution between computing elements is proposed to ensure the synchronous operation of the system, taking into account its heterogeneity. Two main strategies for protecting computations, at the level of computational elements and at the level of intermediate servers, are defined. A basic algorithm for adding new elements to the system is proposed, and the use of a rating model is presented, which will ensure an appropriate level of protection of calculations.</p>
        <p>Keywords: malware detection, distributed computing, heterogeneous computer systems, anti-malware</p>
        <p>IntelITSIS'2023: 4th International Workshop on Intelligent Information Technologies and Systems of Information Security, March 22-24</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        In the modern world, the use of IT is widespread in almost all spheres of life, which greatly
facilitates the completion of everyday tasks. Services based on the use of IT actively use personal or
corporate information, which makes them very convenient to use. We trust our personal data to
software and mobile applications, store it in cloud environments, companies use IT to automate
internal processes, and conveniently operate confidential documents, etc. Therefore, the security of
such information is important and, considering the trends in their development [
        <xref ref-type="bibr" rid="ref1 ref2">1,2</xref>
        ], it is necessary to investigate new methods and approaches for detecting malware.
      </p>
      <p>The problem of malicious software lies in several aspects, namely: the total number of
already existing samples; the speed at which new ones appear; the speed at which new types appear; and
the new vulnerabilities that come with new software and hardware. Considering all these factors, it is
necessary to look for new ways of detecting malicious software and to use successes in other areas of IT
to form a combined method that will effectively fulfil the task.</p>
      <p>2023 Copyright for this paper by its authors.</p>
      <p>
        In paper [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ], a thorough study was conducted on the dependence between the complexity of
computer viruses and the probability of their detection. It compares the effectiveness of
modern threat detection tools, dividing them into the
following categories: static threat detection [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], dynamic threat detection and modern web service
solutions. Static tools include software analysers that can determine the application compilation time,
check whether the application was packed by the UPX packer (which is often used for virus
packaging [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]), and check which functions and DLLs are used when the program is launched. Dynamic
detection [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] is generally based on the use of an environment that allows the behaviour of the software
to be observed, namely: comparing the status of registers [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ], analysing the activity of processes and their
impact on the operating system, and creating an isolated environment for testing new software. Web
service solutions usually use both detection approaches and are mostly free to use, but have one
drawback, which is the maximum size of the file (software) that can be analysed.
      </p>
      <p>One of the best methods for detecting malware is the use of sandboxes, as they provide full control
over an isolated environment in which the executable file can be analysed. The main problem
with such tools is their significant need for computing resources. The purpose of this work is
to present a method of testing software for anomalous behaviour by using a distributed sandbox system.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Emulation as an approach of detecting malicious software.</title>
      <p>
        The article [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] presents a wide analysis of the use of modern tools for detecting malware, but if we
analyse the test results for the selected set of malware, we can see that the largest percentage of
detected threats is associated with the use of a sandbox, if we consider each technology separately.
Symantec uses emulation technology to create an isolated environment, to test potentially malicious
software. Emulators can use various techniques to search for viruses [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ], in particular Cuckoo
sandbox [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] uses the behavioural features of binary files. Independent studies performed in the NSS Labs
Breach Detection System Test in 2017 showed the advantages of complete emulation of the
system in the tasks of detecting malware. Lastline's sandbox, which uses emulation, reached a
100% threat detection rate.
      </p>
      <p>Therefore, emulation occupies an important place among the approaches that can protect computer
systems. The following advantages of using this technology are identified:
1. Controlled environment for software testing.
2. Protection of hardware, operating systems, and the registry.
3. If malware is detected, the sandbox is removed, which ensures the protection of the host.
4. Emulation technology eliminates incompatibility problems with software or hardware.</p>
      <p>The disadvantages include the usual need to keep all software constantly updated, because older
versions may contain security gaps, and the fact that sandbox technology requires large computing
resources. It is important to take these features into account when creating a new tool for detecting
malware. Also, until it passes the malware check, the software is considered potential
malware.</p>
      <p>
        In addition to the large number of malware types, there is a large number of techniques that malware
uses to avoid detection, which include: self-encryption and self-decryption, junk code, use of
equivalent instructions, block reordering [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], polymorphism, metamorphism, disguise and so on.
From the point of view of an emulator, such techniques are defined as
anti-emulation and are classified as obfuscation techniques. To detect emulation, the following are
used: timing attacks, CPU semantics attacks, hardware characteristic attacks, fake API calls [
        <xref ref-type="bibr" rid="ref11 ref12">11,12</xref>
        ], and
structured exception handling [
        <xref ref-type="bibr" rid="ref13 ref14">13,14</xref>
        ].
      </p>
      <p>
        Timing CPU attacks generally involve measuring the time the processor requires for a
particular operation. These attacks are used to obtain cryptographic keys. Modern
processors use a branch prediction unit to build an effective order for executing instructions.
Such attacks are aimed at confusing these queues, after which the processor has to rebuild the
execution queue [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ].
      </p>
      <p>CPU semantics attacks are aimed at analyzing the execution of instructions and their semantics.
The developers of such attacks are guided by a well-formed set of instructions that will shift the
execution of certain instructions so that important sensitive data remains in the cache.</p>
      <p>Hardware characteristic attacks work with an attempt to use additional instructions to track
changes in physical characteristics (such as electricity consumption), or to use error injections that
will manipulate its behavior.</p>
      <p>Fake API calls use scripts or programs that mimic the behavior of an authorized user or program
and are used to search for system vulnerabilities.</p>
      <p>Structured exception handling attacks use an exploit to search for vulnerabilities in the SEH
mechanism, which involves overwriting the SEH chain and makes it possible to gain control of the
program and execute the needed code. A similar result can be obtained using a buffer overflow.</p>
      <p>
        The attacks described above at first glance will not carry a threat, given that they are launched in a
controlled environment. However, malware developers can use the results of their execution to
analyze the external environment [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ], and if emulation has been detected, then all malware actions
are masked or stopped until the environment changes. Malware will wait for changes in the
environment in which it operates in order to prevent it from being exposed and to continue performing
its tasks. Taking into account these behaviors, it is proposed to introduce the concept of the sandbox
state. The sandbox state accepts a certain set of characteristics that define it (command processing
time, number of processes running, etc.) at a certain point in time. Define single state as,  1 then the
set of states will depend on the number of characteristics ( ∗  ), so all state will be defined as:
  = { 1,  2 …   2}
      </p>
      <p>
        One of the biggest advantages of using sandboxes is full control over it and its state, so in [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ] the
proposed sandbox analyzes potential malware at 3 basic levels, namely: static analysis, real-time
analysis and network analysis of malware. Modern technologies such as machine learning are also used
to increase the malware detection rate of sandboxes, based on RF, NN, DT and SVM
algorithms [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ]. Heuristic scanning is also used as an additional method of malware detection, based on
examining behaviour and characteristics. This approach is based on three procedures: pattern
matching, automatic learning, and environment emulation. In paper [19] this approach was analysed,
and one of the key conclusions is that it has a high rate of false positive reports, but combining both
technologies, heuristic scanning and sandboxing, may help to achieve more reliable security results.
Using the sandbox, we can record its state throughout the entire set of commands of the potential malware,
follow the behavior of the executable file during its operation [20] or, for example, generate a hash
value at each step that takes into account the result of the previous state, as happens when using smart
contracts. Thus, we will form a kind of imprint of the potential malware execution in the sandbox.
      </p>
      <p>Considering anti-emulation techniques and changing sandbox states, we can assume that if we
provide each potential malware with the required number of sandboxes with all sets of states that
cover the processing of all anti-emulation techniques, we will be able to detect malware.</p>
      <p>This approach will increase the success of the detection of malware, but it has one drawback: it is
necessary to provide a large amount of computing resources to maintain all sandbox states for
potential malware. Therefore, it is necessary to suggest a model that will meet all the described
requirements.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Model of the distributed detection system using sandboxes.</title>
      <p>Distributed computing has begun to be used in many areas of life. It is used to model natural
processes, test hypotheses, and help determine whether scientific research is moving in the right
direction. It takes various forms and uses different approaches to its organization.
With the widespread use of IoT, the amount of data has also increased, and the importance of its
processing also drives the wide development of distributed computing. Given how widely
distributed computing is used, it is necessary to find a way of involving it in data security.</p>
      <p>To solve the problem, it is proposed to use a distributed computing system. But first we will
characterize it. Since a huge number of different components are used to build computers
and workstations, designing a heterogeneous distributed computing system will
be the most suitable approach. In addition, such systems form the most effective solutions in terms of
computing resources [21], and a distributed computing system based on the use of volunteer
resources had, at peak times, computing power 10 times greater than IBM Summit [22].</p>
      <p>Let’s define the main components of the model taking into account its features:
- Server.
- Set of intermediate servers.
- Computing elements with an emulator for detecting malware.
- Distributed signature database.</p>
      <p>This system provides a single entry point for all users, that is, a server. All users who have
access will be able to send executable files for checking through a web client or an
application. It is assumed that the system will have a large number of computing
elements, so the server will process incoming files using intermediate servers ( =
{ 1,  2, …   }, where  – intermediate computing system, and  – their number), which will
control a certain number of computing devices ( = { 1,  2, …   }, where  – computing
element, and  – their number). The choice of an intermediate server is based on the current level of
workload of each of them at that moment. After receiving the executable file, the intermediate server
randomly distributes among all members of the network the sets of states for which each of them is
responsible, so as to cover all the necessary states (Fig. 1). If malware is detected, the intermediate server
will update the signature database.</p>
      <p>During the operation of the system, each computing element will, within a certain period, return one or
more results of checks, called imprints. All imprints are collected on the intermediate server, and the results
are compared. Since each computing element uses the same emulator, the imprint is expected to
be the same for all states of the same potential malware.</p>
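      <p>The hash-chained imprint from Section 2 and the comparison of imprints on the intermediate server described above, as an added example that is not code from the paper. The register names, the three sandbox states, the two sample traces and the rule of taking the largest group of matching imprints as the reference are all constructed assumptions.</p>
      <preformat>
```python
import hashlib
import json
from collections import defaultdict

GENESIS = b"\x00" * 32  # assumed initial value of the hash chain

# Constructed sandbox states built from the characteristics named in the text
# (command processing time, number of running processes).
STATES = {
    "fast": {"cmd_time_ns": 40, "processes": 12},
    "fast_busy": {"cmd_time_ns": 40, "processes": 85},
    "slow": {"cmd_time_ns": 900, "processes": 12},
}


def imprint_chain(register_trace):
    """One digest per step: SHA-256(previous digest || registers at this step)."""
    chain, prev = [], GENESIS
    for registers in register_trace:
        encoded = json.dumps(registers, sort_keys=True).encode()
        prev = hashlib.sha256(prev + encoded).digest()
        chain.append(prev.hex())
    return chain


def first_divergence(chain_a, chain_b):
    """Index of the first step whose digests differ, or None if the chains match."""
    for step, (a, b) in enumerate(zip(chain_a, chain_b)):
        if a != b:
            return step
    if len(chain_a) != len(chain_b):
        return min(len(chain_a), len(chain_b))
    return None


def compare_imprints(reports):
    """reports maps (element_id, state_name) to an imprint chain.

    Returns the reports that disagree with the largest group of identical
    imprints, each mapped to the step at which it first diverges.
    """
    groups = defaultdict(list)
    for key, chain in reports.items():
        groups[chain[-1] if chain else ""].append(key)
    ordered = sorted(groups.values(), key=lambda keys: (-len(keys), min(keys)))
    reference = reports[ordered[0][0]]
    deviations = {}
    for keys in ordered[1:]:
        for key in keys:
            deviations[key] = first_divergence(reference, reports[key])
    return deviations


def benign_trace(state):
    # Constructed sample: behaviour does not depend on the sandbox state.
    return [{"eax": i, "ebx": 2 * i, "eip": 0x1000 + 4 * i} for i in range(6)]


def evasive_trace(state):
    # Constructed sample: after two steps it looks at the command time and,
    # if the environment looks emulated (slow), idles instead of continuing.
    trace = benign_trace(state)[:2]
    emulated = state["cmd_time_ns"] > 500
    for i in range(2, 6):
        if emulated:
            trace.append({"eax": 0, "ebx": 0, "eip": 0x2000})
        else:
            trace.append({"eax": i, "ebx": 2 * i, "eip": 0x1000 + 4 * i})
    return trace


def analyse(sample):
    """Run one sample in every state, one computing element per state, and compare."""
    reports = {
        ("element-%d" % n, name): imprint_chain(sample(state))
        for n, (name, state) in enumerate(sorted(STATES.items()), start=1)
    }
    return compare_imprints(reports)


if __name__ == "__main__":
    print("benign :", analyse(benign_trace))
    print("evasive:", analyse(evasive_trace))
```
      </preformat>
      <p>An empty result means every state produced the same imprint; a non-empty result names the state in which the sample behaved differently and the step where the chains split.</p>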
      <p>In general, each subsystem and its computing elements need to work synchronously only
within the subsystem itself, since the subsystems work independently of each other. Also, for
each subsystem, intermediate servers should be duplicated, so that if any of them fails, the
computing elements are able to send their results to the additional one.</p>
      <p>Let's determine what answers the intermediate server can receive from its entire group:
- The task is completed, the format of the answer is correct.
- The task is completed, the format of the answer is not correct.
- The computing element did not finish the task in the time provided; instead of an answer, a special message arrives, the computing element performs the test check again and joins another group with other characteristics, and the level of trust in it decreases.
- Computation error notification.
- The answer did not come (a decrease of the trust level is recorded in the database that stores information about existing computing elements).</p>
      <p>Considering the received answers, the system should be able to constantly rebalance groups of
computing elements, which will allow tasks to be performed efficiently and securely. In addition, intermediate
servers should check each other's work. Since intermediate servers are part of the controlled system, it is
possible to use additional security approaches, such as simplified checks.
The simplified checking approach stands for partial checks, in which each intermediate
server chooses a certain part of its completed tasks and sends them to the main server with a
special mark. Such tasks undergo a full cycle of checks by all computing elements of another
subsystem. If one intermediate server has completed, for example, ten tasks, another intermediate
server can choose a few of them at random and complete them too, and if the results match,
both intermediate servers can trust each other. These checks can also be initiated by the main
server.</p>
      <p>We can present the whole system as follows:
where,</p>
      <p>– abstract distributed malware detection system, 

= {
1 … 
 , 
11 … 
1 , 
that perform potential malware analysis in different states, 
malware (1 …</p>
      <p>– number of potential malwares, 1 …   - number of states to check), 
intermediate servers that works with 
,</p>
      <p>– main server,  – signature database.</p>
      <p>The proposed abstract system will be as follows:
11 … 
1 … 
1 , 
1
,  }
… 
 – computing elements

 - potential
1 …   –</p>
      <p>[Figure: diagram of the system. Surviving labels: User, Signature Database, Main Server, Subsystem 1, Subsystem 2, Subsystem 3.]</p>
      <sec id="sec-3-7">
        <p>In addition to the overall operation of the system, it is also necessary to describe how the
execution of calculations is protected. The type of calculations described above involves
volunteer participants who offer their computing resources to solve the problem.
Although this approach solves the problem of the necessary computing resources, it imposes one
limitation: complete trust in any member of the network is impossible. This situation
arises from the inability to control all computing elements, so it is important to provide ways
to protect the results of the calculations themselves from distortion by those interested in
compromising such systems. Another important task is to protect intermediate servers from various
types of attacks; in particular, it is necessary to pay attention to protection against DDoS attacks. The
stability of each such element of the system affects the performance of the whole system. Paper
[23] considers the difficulty of detecting the type of such attacks and presents their types.
Paper [24] presents a model that uses ML in real time to detect DDoS traffic. Such tools are useful to
consider and implement as an additional module for the protection of a distributed computing system.
Also, since the system is defined as heterogeneous, it will be necessary to identify mechanisms for
the correct distribution of tasks between the participants, taking into account their computational
resources.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Evaluating the performance efficiency of computational tasks</title>
      <p>Considering the heterogeneity of the proposed model [25,26], attention should also be paid to the
correct distribution of the complexity of the tasks. The first task is to try to identify the system's current
computing elements. The system can store certain information about them, such as IP address,
processor model, number of physical and logical cores, amount of RAM, etc. This data can be
supplemented with behavioral features, system time, session duration, number of completed tasks and so
on. By combining both sets of knowledge, the system can try to identify each user the next time it
connects. This is important for several reasons in terms of the efficiency of using
computing resources. The problem of stabilizing the system [27] in such conditions is very important,
and these methods will help to solve it in some aspects.</p>
      <p>When a new computing element is added to an intermediate server, the system performs the
following actions:
1. Records all possible characteristics of the new computing element.
2. Sends a set of already completed tasks of varying complexity.
3. Records the results of the performed tasks and sets an assessment of efficiency.
4. Checks the correctness of the completed tasks and, if all tasks are completed correctly, assigns the
computing element a trust level of 50%.
5. Adds the new element to a specific group (algorithmically chooses the best group: chooses a
group where there are not enough computing elements or, if other groups have an excess of them,
forms a new group, taking into account the rate of delay in packet transmission).
6. At a certain time interval, updates basic user information to have the most accurate data about
the computing element.</p>
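      <p>The six onboarding steps above, as an added sketch that is not code from the paper. The group capacity, the delay tolerance, the efficiency formula (complexity of correctly solved tasks per second), the refusal of an element that fails a test task, and the sum-of-squares test task are assumptions; only the 50% initial trust level comes from the text.</p>
      <preformat>
```python
from dataclasses import dataclass, field

INITIAL_TRUST = 0.5        # step 4 of the procedure: 50 %
GROUP_CAPACITY = 3         # assumed target group size
MAX_DELAY_GAP_MS = 30.0    # assumed tolerated gap to a group's mean delay


@dataclass
class Element:
    element_id: str
    characteristics: dict
    delay_ms: float
    trust: float = 0.0
    efficiency: float = 0.0


@dataclass
class Group:
    name: str
    members: list = field(default_factory=list)

    def mean_delay(self):
        return sum(m.delay_ms for m in self.members) / len(self.members)


def sum_squares(n):
    """Constructed stand-in for a real task whose result is already known."""
    return sum(i * i for i in range(1, n + 1))


class IntermediateServer:
    def __init__(self, reference_tasks):
        # (task, complexity, known_result) for tasks completed earlier
        self.reference_tasks = reference_tasks
        self.groups = []
        self.known = {}

    def admit(self, element_id, characteristics, delay_ms, solve):
        """solve(task) returns (result, seconds). Returns the group name or None."""
        element = Element(element_id, dict(characteristics), delay_ms)    # step 1
        self.known[element_id] = element
        correct, work, seconds = 0, 0.0, 0.0
        for task, complexity, expected in self.reference_tasks:          # step 2
            result, elapsed = solve(task)
            seconds += elapsed
            if result == expected:
                correct += 1
                work += complexity
        element.efficiency = work / seconds if seconds > 0 else 0.0       # step 3
        if correct != len(self.reference_tasks):                          # step 4
            return None   # assumption: a failed check means no admission
        element.trust = INITIAL_TRUST
        group = self._choose_group(element)                               # step 5
        group.members.append(element)
        return group.name

    def _choose_group(self, element):
        # Prefer the emptiest group that still has room and a similar delay;
        # otherwise form a new group.
        candidates = [
            g for g in self.groups
            if GROUP_CAPACITY > len(g.members)
            and MAX_DELAY_GAP_MS >= abs(g.mean_delay() - element.delay_ms)
        ]
        if candidates:
            return min(candidates, key=lambda g: len(g.members))
        group = Group("group-%d" % (len(self.groups) + 1))
        self.groups.append(group)
        return group

    def refresh(self, element_id, characteristics):                       # step 6
        self.known[element_id].characteristics.update(characteristics)


if __name__ == "__main__":
    tasks = [(n, c, sum_squares(n)) for n, c in ((10, 1), (100, 2), (1000, 3))]
    server = IntermediateServer(tasks)
    honest = lambda task: (sum_squares(task), task / 10)
    print(server.admit("a", {"cores": 4}, 20.0, honest))
    print(server.admit("b", {"cores": 8}, 200.0, honest))
```
      </preformat>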
      <p>[Figure: adding a new computing element to a group. Surviving labels: Allowed computing element, Finished tasks, Element performing testing calculations before being added to group.]</p>
      <sec id="sec-4-4">
        <p>Considering that the system cannot count on regular cooperation with each computing element, it
is necessary to use all possible ways to reduce the time needed to check a newly connected element
and find the appropriate group in which it can perform a real task. By recording information about participants, the
system can reduce this time. For example, when it starts working with an already known computing
element, it can reduce the portion of test tasks, or even assign it a higher level of trust, which can help to
quickly balance the group in the number of correctly completed tasks. Test tasks will also help
determine the computing resources of a new computing element that connects to the system. These
details can be used to find a better subsystem for it to take part in computing. In some cases, the
amount of computing resources provided by an element may change even within one session. In this
case, the proposed algorithm will help to detect this and will find a better group for computing, if
needed.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>5. Features of the protection of distributed computing in a heterogeneous environment.</title>
      <p>To organize the protection of the chosen computing model, various approaches are proposed,
and one of them is based on the trust model [28]. Its use is appropriate for several reasons: the
system cannot manage its participants; the system does not have access to the list of installed
software and hardware on the side of the computing element and, as a result, cannot control
the process of performing the calculation. So, the system cannot count on a guaranteed computed
result. That is, the system does not trust any computing element connected to it. The
trust model is based on the rating of each client, which is based on many factors, depending on
the specific implementation. Examples of such factors are the number of correctly completed
tasks, the ratio of correctly completed tasks to incorrectly completed ones, the total
time of successful work in the system, and so on. This approach solves certain
problems and, with the appropriate configuration, provides the necessary level of protection for
both the entire system and the results of the calculation.</p>
      <p>The rating model for organizing the protection of the presented computing system is a good
practice [29] and is used in many modern tasks [30], since tools for controlling and
changing the rating of users in the system can solve the issue of security of distributed computing
and, to a certain extent, help with the effective distribution of tasks between clients. A key solution
for protecting computations is the replication approach [31, 32], which
selects a number of computing elements for one task. As a result of execution, the
server or intermediate server will track the results of the calculation and, based on the result of
the computing elements' voting, make decisions on the correctness of the task for the group as a whole
and for each user. The obtained data must be converted into a rating, which may change
throughout the computing element's work in the system. On the other hand, a computing element's
rating allows it to be evaluated as a whole and future calculations to be planned accordingly. It will
also reduce the cost of recalculation.</p>
      <p>For example, at the beginning of work, the system cooperates with computing elements; after
some period of time, all of them have received a positive assessment of their work (most of the tasks
were completed correctly), so the system decides to divide this group into two smaller
groups, each of which contains  /2 computing elements, and now the system can simultaneously
perform twice as many calculations per unit of time. Another example of using the rating is the
formation of groups of computing elements with low and high ratings, in which case the trusted
client will play the role of the controller of calculations of the entire group, that is, when voting,
it will have the highest priority and, as a result, influence the result of the calculation.</p>
      <p>The use of the trust model for the distributed computing considered in this paper is
appropriate, which is why it is proposed to use an additional analysis alongside classical
calculation checks to improve the accuracy of its work. Authorization of the computing element
in the system does not fully guarantee its ability to perform the computation correctly and
quickly, so it is proposed to use other information that the user leaves about themselves. When
an element is added to the system, the server can record data about the user's address, a unique identifier of the
hardware and its features, language, connection time, average working session time, etc. The data
set may vary depending on the technology stack used in designing the computing system.</p>
      <p>Behavioral features of the computing element are a set of data about the user that characterize
its work during the calculations. The main idea of using such a characteristic is to constantly
record information about the user's activity in the system, taking into account its results in voting
(Fig. 4).</p>
      <p>Voting settings make it possible to distribute computing elements correctly between subsystems. If
all clients send different results, it may be advisable to break up the current group and
add its members to different subsystems. It is also necessary to consider the situation in which all trusted
computing elements provide one computed answer and the other elements in the subsystem provide another
computed answer. In this case, the trusted elements may be compromised, so one
possible scenario is to break up the current group and set the usual status for the trusted
elements.</p>
      <p>It is also necessary to consider the situation in which a computational element constantly returns
incorrect answers, which may mean that it is affected by viruses that alter the result,
thereby slowing down the entire system. In this case, it is necessary to provide mechanisms for
blocking its future participation in the system.</p>
      <p>[Figure: voting scheme. Surviving labels: The result of trusted element 1, 2, 3; The result of element 1, 2, ... N-1, N; Voting of trusted elements; Voting module; Task sending back on recalculating; The calculation result is accepted.]</p>
      <p>Usually, when organizing such calculations, the system forms groups of elements with one or
more trusted elements. Such clients have the highest trust rating and can significantly influence the
outcome of voting. Not only the success of the calculation, but also the rating of all elements in the
current iteration of calculations will depend on the result of the vote. Therefore, it is advisable to
include three or more trusted clients in the groups so that they first vote among themselves on their
calculations, and then consider the results of other users.</p>
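      <p>The voting outcomes described in this section (trusted elements vote among themselves first; every element reports a different result; the trusted elements agree with each other but not with the rest; an element that keeps answering incorrectly is blocked), as an added example that is not code from the paper. The rating constants, the recalculation when trusted elements have no strict majority, and the requirement that the disagreeing regular group be at least as large as the trusted one are assumptions; the result strings are constructed imprint digests.</p>
      <preformat>
```python
from collections import Counter
from enum import Enum

INITIAL_TRUST = 0.5                                # trust level given at admission
REWARD, PENALTY, BLOCK_BELOW = 0.05, 0.20, 0.10    # assumed rating parameters


class Decision(Enum):
    ACCEPT = "calculation result is accepted"
    RECALCULATE = "task sent back for recalculation"
    SPLIT_GROUP = "group broken up and redistributed"
    DEMOTE_TRUSTED = "group broken up, trusted elements get usual status"


def strict_majority(results):
    """Value reported by more than half of the voters, or None."""
    if not results:
        return None
    value, votes = Counter(results.values()).most_common(1)[0]
    return value if votes * 2 > len(results) else None


def vote(trusted, regular):
    """trusted / regular map element id to the reported result.

    Returns (decision, accepted_result, affected_elements).
    """
    everyone = {**trusted, **regular}
    # Every element reported something different: nothing to agree on.
    if len(everyone) > 1 and len(set(everyone.values())) == len(everyone):
        return Decision.SPLIT_GROUP, None, sorted(everyone)
    # Trusted elements vote among themselves first.
    trusted_value = strict_majority(trusted)
    if trusted_value is None:
        return Decision.RECALCULATE, None, []
    # All trusted elements give one answer, all other elements give another.
    trusted_unanimous = set(trusted.values()) == {trusted_value}
    regular_values = set(regular.values())
    if (trusted_unanimous and len(regular_values) == 1
            and trusted_value not in regular_values
            and len(regular) >= len(trusted)):
        return Decision.DEMOTE_TRUSTED, None, sorted(trusted)
    dissenters = sorted(e for e, v in everyone.items() if v != trusted_value)
    return Decision.ACCEPT, trusted_value, dissenters


def update_ratings(ratings, decision, accepted, results):
    """Return (new_ratings, blocked); only an accepted round changes ratings."""
    new, blocked = dict(ratings), []
    if decision is not Decision.ACCEPT:
        return new, blocked
    for element, value in results.items():
        current = new.get(element, INITIAL_TRUST)
        if value == accepted:
            new[element] = min(1.0, current + REWARD)
        else:
            new[element] = max(0.0, current - PENALTY)
            if BLOCK_BELOW > new[element]:
                blocked.append(element)
    return new, sorted(blocked)


if __name__ == "__main__":
    trusted = {"t1": "aa11", "t2": "aa11", "t3": "aa11"}   # constructed digests
    regular = {"e1": "aa11", "e2": "aa11", "e3": "bb22"}
    decision, accepted, affected = vote(trusted, regular)
    print(decision.value, accepted, affected)
```
      </preformat>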
      <p>Figure 5 shows an abstract computational module. It consists of a voting module that evaluates
the obtained results, a module for storing performed calculations that will be used when adding new
computing elements, and a computational planning module, whose main task is to plan the
number of cycles required to perform one task, which depends on the current state of the
computing resources of the entire subsystem.</p>
      <sec id="sec-5-1">
        <p>[Figure 5: abstract computing module. Surviving labels: Calculation planning module, Computing module.]</p>
        <p>The proposed methods and tools will help to protect the required computing
tasks, considering that the system will work with dynamic topology. Basic algorithms for adding
elements to computing groups will help to balance the system because, on the one hand, a new element in
an already working group will not be able to significantly affect the results computed by
elements with a good trust level and, on the other hand, the existing elements can either use its
computing resources or exclude it from the system by voting. Thus, the described measures will be
able to ensure the correct implementation of the tasks for the detection of malware.</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>6. Experimental research</title>
      <p>The presented methods for organizing distributed malware detection provide fault-tolerant
operation. In this work, detection is considered in a limited form and needs more detail. The sandbox
is currently under active development and records changes in its state by forming hash values of all
registers. In further work, it is planned to transfer the right to decide whether a set of commands is
anomalous to an intermediate server, which will collect the hash values from all computing elements
in its subsystem. At this stage of the system's operation, the voting system does not consider the
rating of computational elements; the decision is made on the basis of whether most of the answers
received are true or false. This aspect requires detailed research to define an algorithm for updating
the rating after a task is completed and for adjusting it after a wrong answer, abnormal behavior,
etc.</p>
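      <p>The two voting schemes described above, shown as an added example that is not the authors' code: a rating-free majority over register-state hashes, and a two-stage vote in which three or more trusted elements decide first. SHA-256, the register names, the element ids and the handling of a failed trusted vote (the task goes back for recalculation) are assumptions; the sample data is constructed.</p>
      <preformat>
```python
import hashlib
from collections import Counter


def state_hash(registers):
    """Hash one sandbox state: every register name and value, in a fixed order.
    SHA-256 is an assumption; the paper does not name the hash function."""
    canonical = ";".join(f"{name}={registers[name]:016x}" for name in sorted(registers))
    return hashlib.sha256(canonical.encode()).hexdigest()


def strict_majority(values):
    """Return the value reported by more than half of `values`, or None."""
    if not values:
        return None
    value, count = Counter(values).most_common(1)[0]
    return value if count * 2 > len(values) else None


def simple_majority_vote(results):
    """Rating-free vote: every element's answer has the same weight."""
    winner = strict_majority(list(results.values()))
    return {"accepted": winner is not None, "value": winner}


def two_stage_vote(results, trusted_ids, min_trusted=3):
    """Stage 1: trusted elements vote among themselves.
    Stage 2: the remaining results are compared with the trusted consensus.
    accepted=False means the task is sent back for recalculation."""
    trusted = [results[e] for e in sorted(trusted_ids) if e in results]
    rejected = {"accepted": False, "value": None, "dissenters": []}
    if min_trusted > len(trusted):
        return dict(rejected, reason="too few trusted results")
    consensus = strict_majority(trusted)
    if consensus is None:
        return dict(rejected, reason="trusted elements disagree")
    # Elements that disagree are candidates for a rating decrease (hypothetical policy).
    dissenters = sorted(e for e, h in results.items() if h != consensus)
    return {"accepted": True, "value": consensus,
            "dissenters": dissenters, "reason": "trusted consensus"}


# Constructed sample: the register snapshot after one block of instructions,
# and a forged snapshot as a dishonest element would report it.
GOOD = {"rax": 0x1, "rbx": 0x7FFE0000, "rcx": 0x10, "rip": 0x401000}
FORGED = dict(GOOD, rax=0xDEADBEEF)


def demo_results():
    """Three trusted elements, one honest newcomer, five colluding newcomers."""
    good, forged = state_hash(GOOD), state_hash(FORGED)
    results = {f"trusted-{i}": good for i in range(3)}
    results["new-0"] = good
    results.update({f"new-{i}": forged for i in range(1, 6)})
    return results


if __name__ == "__main__":
    results = demo_results()
    trusted = {"trusted-0", "trusted-1", "trusted-2"}
    flat = simple_majority_vote(results)
    staged = two_stage_vote(results, trusted)
    print("rating-free vote accepts forged state:", flat["value"] == state_hash(FORGED))
    print("two-stage vote accepts good state:   ", staged["value"] == state_hash(GOOD))
    print("elements flagged for rating review:  ", staged["dissenters"])
```
      </preformat>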
    </sec>
    <sec id="sec-7">
      <title>7. Conclusions</title>
      <p>This paper presents a model of a system for malware detection based on the use of distributed
computing technology to analyse the state of the sandbox. To identify malware, it is proposed to use
the concept of the state of the sandbox and to monitor that state while executable files run inside
it. The concept of sandbox states is considered, and ways of using it in malware detection are
presented. The proposed model eliminates the issue of the computational complexity of using
sandboxes by using distributed computing based on heterogeneous computer systems. The main
tasks of ensuring the stability and security of calculations, considering the dynamic topology of
the system, are presented; it is proposed to use voting methods and a rating system. It is proposed to
consider identifying users based on behavioural characteristics and their basic information
in order to involve them more quickly in the execution of calculations while providing an
appropriate level of protection for computing inside the system.</p>
    </sec>
    <sec id="sec-8">
      <title>8. References</title>
      <p>[19] J. N. Odii, J. A. C. Hampo, F. O. Nwokoma, and T. U. Onwuama, Comparative Analysis of
Malware Detection Techniques using Signature, Behavior and Heuristic, International Journal
of Computer Science and Information Security (IJCSIS) 17, no. 7 (2019) 33-50.
[20] A. Khalimov, S. Benahmed, R. Hussain, S.M.A Kazmi, A. Oracevic, F. Hussain, F. Ahmad,
CA Kerrache, Container-based sandboxes for malware analysis: A compromise worth
considering, Proceedings of the 12th IEEE/ACM International Conference on Utility and
Cloud Computing (2019) 219-227. doi: 10.1145/3344341.3368810
[21] C. Hagleitner, D. Diamantopoulos, B. Ringlein, C. Evangelinos, C. Johns, R. N. Chang, B.</p>
      <p>D'Amora, J. A. Kahle, J. Sexton, M. Johnston, E. Pyzer-Knapp, C. Ward, Heterogeneous
Computing Systems for Complex Scientific Discovery Workflows, 2021 Design, Automation
&amp; Test in Europe Conference &amp; Exhibition (2021) 13-18. doi:
10.23919/date51398.2021.9474061.
[22] Folding@Home Network Breaks the ExaFLOP Barrier In Fight Against Coronavirus, 2020.</p>
      <p>URL:
https://www.tomshardware.com/news/folding-at-home-breaks-exaflop-barrier-fightcoronavirus-covid-19
[23] N. A. Ignatev, E. R. Navruzov, Estimates of the Complexity of Detecting Types of DDOS</p>
      <p>Attacks. International Journal of Computing, 21 4 (2022) 443-449. doi: 10.47839/ijc.21.4.2779
[24] R. S., Kanavalli, A. Gupta, A. Pattanaik, S. Agarwal, Real-time DDoS Detection and
Mitigation in Software Defined Networks using Machine Learning Techniques, International
Journal of Computing, 21, 3 (2022), 353-359. doi: 10.47839/ijc.21.3.2691
[25] K. Censor-Hillel, R. Gelles, B. Haeupler, Making asynchronous distributed computations
robust to noise, Distributed Computing 32 (2019) 405-421. doi: 10.1007/s00446-018-0343-5.
[26] M. Dinitz, J.T. Fineman, S. Gilbert, C. Newport, Smoothed analysis of dynamic networks,</p>
      <p>Distributed Computing, 31 (2017) 273-287. doi: 10.1007/s00446-017-0300-8
[27] C. Lenzen, J. Rybicki, Near-optimal self-stabilising counting and firing squads. Distributed</p>
      <p>Computing 32.4 (2019) 339-360. doi: 10.1007/s00446-018-0342-6
[28] N. Ramu, P. Vijayakumar, DL Jegatha, R. Sivakumar, A novel trust model for secure group
communication in distributed computing, Journal of Organizational and End User Computing
(JOEUC) 32, no. 3 (2020). 1-14. doi: 10.4018/JOEUC.2020070101
[29] W. She, Q. Liu, Z. Tian, J.-S. Chen, B. Wang and W. Liu,, Blockchain trust model for
malicious node detection in wireless sensor networks, IEEE Access 7 (2019) 38947-38956.
doi: 10.1109/ACCESS.2019.2902811
[30] S. Guo, X. Hu, S. Guo, X. Qiu, F. Qi, Blockchain meets edge computing: A distributed and
trusted authentication system, IEEE Transactions on Industrial Informatics 16, no. 3 (2019)
1972-1983. doi: 10.1109/TII.2019.2938001
[31] PS. Almeida, C. Baquero, Scalable eventually consistent counters over unreliable networks,</p>
      <p>Distributed Computing 32, no. 1 (2017) 69-89. doi: https://doi.org/10.1007/s00446-017-0322-2
[32] S. Slimani, T. Hamrouni, F.B. Charrada, Service-oriented replication strategies for improving
quality-of-service in cloud computing: a survey, Cluster Computing 24 (2021) 361-392. doi:
10.1007/s10586-020-03108-z</p>
    </sec>
  </body>
  <back>
  </back>
</article>