Scientific article: 'Method of use of self-modification files for secure communication in the expert system'. Field: computer and information sciences. License: CC BY.

METHOD OF USE OF SELF-MODIFICATION FILES FOR SECURE COMMUNICATION IN THE EXPERT SYSTEM

Shterenberg Stanislav Igorevich,

postgraduate student, Bonch-Bruevich Saint Petersburg State University of Telecommunications, St. Petersburg, Russia, shterenberg.stanislaw@yandex.ru

Kaflanov Rustam Ilyasovich,

Military Space Academy, St. Petersburg, Russia, kaflanfromk@gmail.com

Druzhin Alexey Sergeyevich,

Military Space Academy, St. Petersburg, Russia, rujin.aleks@yandex.ru

Marchenko Stanislav Sergeyevich,

Military Space Academy, St. Petersburg, Russia, markstas55@gmail.com

Keywords: self-modification; steganography; expert systems; information technology; data transmission.

This article describes the principle of applying steganographic embedding techniques that can later be applied to an expert system. The expert system discussed in this article is understood as software that should perform a significant part of the functions of a security operator. Expert systems are intended for solving classification problems in a narrow subject area on the basis of a knowledge base that is formed by interviewing qualified specialists and represented as a system of If-Then classification rules. In information technology security, expert systems are used in intelligent information protection systems based on steganographic models and, as a rule, contain a hidden transformation of command operators in the code of each application; what is meant here is specifically the file system and application software. The advantage of an expert system (ES) is the possibility of describing the experience of information security specialists in the form of rules: in expert systems the experience of specialists is represented in a form accessible for analysis, as a system of If-Then rules or a decision tree, and the process of logical inference is similar to human reasoning. The description of a sequence of reasoning by If-Then rules is implemented in chains of forward and backward reasoning. In the first case, by analogy with data-driven machines, the principle of data readiness is taken as the basis: if all values of the premises in the If part of a rule are ready, the rule is activated and the conclusion contained in its Then part is formed. The advantage of this approach is the potential for parallelizing the search for ready rules across the entire knowledge base of the expert system; its disadvantage is the expenditure of computing power on processing all ready rules without regard to whether they are needed for solving the specific problem.
Given the need to ensure covert and timely data transmission in modern expert systems, it can be assumed that the application of file self-modification technology, namely hidden transformation of program code, is important for the development of technologies in the field of artificial intelligence.

www.h-es.ru

h&es research

71

First of all, the principle should be weighed against the relation between any self-modifying program and computer viruses, since it is precisely this type of malicious software that falls under the definition of self-replicating programs. Viruses often spread with the help of users who are unaware of it, by running or copying infected programs. Their spread is automated by hidden macros in documents or spreadsheets that contain viruses: when such a message is opened, its attachments are launched automatically, and a macro launched for execution creates the possibility of spreading the virus. Some e-mail programs allow the creation of agents that automatically send or process messages on behalf of the user. Viruses exploit these opportunities, and their distribution is no longer constrained by the slowness of people. On the Internet, millions of mobile agents (carriers and spreaders of viruses) are able to visit a large number of sites and infect new agents. Such viruses multiply at a rate limited only by network delays and data volume.

Thus, the ability of viruses to spread requires a revision of protection methods, and the results of simulating their distribution show that viruses must be neutralized at a rate exceeding the rate of their distribution. A sufficiently rapid response to new viruses must therefore exclude end users from the response chain.

Self-modification of files can provide effective protection against fast-spreading, self-replicating malware. The analogy between computer and biological viruses leads to the idea of building, on the basis of self-modifying code, steganographic techniques for the Internet environment that are able to automatically generate and disseminate information for detecting and removing viruses within minutes of their discovery. Consider the set of criteria that such an ES must satisfy [1].

A computer expert system should also contain components of innate and adaptive immune defense. By analogy with innate immunity, expert systems need generalized mechanisms for recognizing harmful changes, and, by analogy with adaptive immunity, specific mechanisms for recognizing and removing viruses. Let us formulate the set of requirements that its data base must meet to prevent the rapid spread of viruses.

1. Innate immunity. The expert system must be able to detect and recognize a large number of unknown viruses, such as file, boot-sector and macro viruses. It is also important that it adapt to known viruses that have caused a failure in its operation. Viruses with a low capacity to spread, such as overwriting viruses, are less important.

2. Adaptive immunity. Having a copy of the virus, namely its self-modifying code, the ES should be able to automatically generate a prescription for its detection and, if possible, for the removal of all instances of the virus.

3. Delivery and distribution of antiviral prescriptions. The ES should be able to deliver an antiviral prescription to the infected system and promote the dissemination of this information in local and global networks.

4. Performance. Creation and delivery of antiviral prescriptions must be faster than the spread of the virus (on a single machine in less than 10 min from the time the virus is detected; across a local network in no more than 30 min; across a global network in no more than a day). These requirements on the ES only become more stringent over time.

5. Modular build-up and analysis. With a fast-spreading virus, a large number of machines in a number of networks are exposed to attack. Therefore the ES needs high performance, ensuring the processing of at least 1,000 simultaneous requests for virus analysis.

6. Updates. The ES should update the anti-virus databases of tens of millions of computers on a daily basis.

7. Safety and reliability. The antiviral prescriptions formed by the ES must be reliable enough to be distributed online without human intervention. The false-positive rate and the precision of virus classification should match the level of experienced developers of antivirus software.

8. Security. Virus samples in the data base must be protected against interception and reading by third parties. It is important to ensure the safety of all prescriptions generated by the ES on the end user's machine.

9. Consumer control. Consumers should be able to control, manually or automatically, the sending of virus samples and other information from their computers, as well as the receipt of prescriptions for detecting and neutralizing viruses and their delivery to users.

Existing anti-virus software satisfies only a small part of these requirements. Creating and implementing a reliable system of protection against fast-spreading viruses requires compliance with all of them. It is important to consider self-modification of files and additional hidden code in the implementation, and above all to preserve the integrity and immutability of information during its transmission [1].

The use of steganographic tools for implementing self-modifying code is quite promising for several reasons. Firstly, information hidden in executable files has a high level of secrecy: in most cases the original and the modified file will have the same size and functionality. Secondly, steganalysis of the container, and an attack on it, is difficult because of the nature of embedding information into an executable file.

All previously proposed methods for embedding information in an executable file can be divided into two categories: embedding before compilation of the final file and embedding after it. Embedding before compilation means that the information is embedded at the level of the program's source code (for example, C or C++). Embedding after compilation involves modifying the machine code (more precisely, the operation codes) of the already compiled file. It should be noted that embedding before compilation is more robust, since data introduced after compilation is unstable: the same algorithm that introduces the data can be used to remove or replace it. Despite this, it is embedding after compilation that is used for digital watermarking aimed at tracing information leaks, because forming an individual source code and then compiling it takes far more time than simply modifying the binary [2, 3].

Next, previously proposed methods of embedding information into an executable file, both before and after compilation, are considered. Some of these methods apply in only one of the cases, but more often they are valid both for the first and for the second.

The search for embedding opportunities in various systems is closely related to the redundancy of the system and its environment. If in digital steganography the redundancy is, for example, the number of shades of gray that the human eye cannot distinguish, then for computer steganography (more precisely, for executable files) the redundancy lies in the syntax of the programming languages themselves in which the program is written. A striking example is a pair of equivalent operations such as addition and subtraction: the processor cannot distinguish A = A + 2 from A = A - (-2), since they give the same result and the way it was obtained is not important. Most methods of embedding into an executable file are based on this. Besides the redundancy of the code, the redundancy in the structure of the PE file format can also be used.

As mentioned earlier, replacing an addition with a subtraction, or vice versa, does not affect the course of the program (provided that the arguments have been recalculated for the new operation), which allows one bit of a hidden message to be hidden. The same holds for the pair of register rotate instructions of assembly language, rol and ror, to which we shall return.

If two code fragments can be transposed without destroying the program's algorithm, such transpositions can also be used for embedding information. It should be noted that with such rearrangements one must check that they do not break the original algorithm.

Such replacements are valid for virtually any programming language. Next, the possibility of modifying assembly language code is discussed in more detail, together with an example of embedding into an executable file.

Fig. 1. Example of correct and incorrect transposition of code elements:

    correct:    A = 0; B = 2;      ->  B = 2; A = 0;      (the statements are independent)
    incorrect:  A = 5; B = A - 2;  ->  B = A - 2; A = 5;  (B depends on A)

Modification of assembly code belongs to the methods of embedding after compilation, i.e. it modifies a ready executable.

As shown in Fig. 2, file modification takes place in three stages: first, the original image is processed by a disassembler to separate code from data; the resulting listing is then analyzed for instructions that can be replaced; after which the byte code of the source file is modified in accordance with the changes found. At the assembly language level the modifications can be made as follows: replacing an instruction with its reverse and subsequently recalculating its arguments; modifying an instruction by replacing the byte that encodes the addressing mode and register (the ModRM byte); and handling conditional branches.

In assembly language, the term "equivalent instructions" covers single instructions or sequences of instructions that perform the same operation and have the same length. If the number of equivalent instructions is N, then replacing one of them with its equivalent can carry log2 N bits of the hidden message [4].

Many instructions having two operands contain in their opcode a bit that indicates which of the operands is the source and which the destination (the direction bit). These instructions are: add, adc, cmp, mov, or, sub, sbb, xor. For example, the instructions add reg, r/m and add r/m, reg differ in the value of the direction bit and accordingly have different opcodes. The first sends the value of a register or memory location (depending on the contents of the ModRM byte) into the register reg; the second sends the value of the register reg into a register or memory location. Thus, when both operands are registers, any of these instructions can be encoded in either of the two ways.

Fig. 2. The file modification algorithm (stages: disassembler, analysis, embedding).

Table 1. Equivalent variants of encoding the instructions add edx, ecx and add eax, ebx

                    add r/m, reg                  add reg, r/m
    Instruction     opcode      ModRM byte        opcode      ModRM byte
    add edx, ecx    0000 0001   11 001 010        0000 0011   11 010 001
                    01h         CAh               03h         D1h
    add eax, ebx    0000 0001   11 011 000        0000 0011   11 000 011
                    01h         D8h               03h         C3h

(ModRM = mod, reg, r/m; mod = 11 means a register operand in r/m. In the add r/m, reg form the reg field holds the source register, in the add reg, r/m form it holds the destination register.)

Some instructions that operate on immediate values can be replaced by their reverse; in this case the immediate value of the replacing instruction must be recalculated. Examples of such reciprocal instructions are add and sub, and rol and ror [5].

For the instructions add and sub the immediate value is recalculated by the formula

    var2 = (NOT var1 + 1) mod 2^size    (1)

For the instructions rol and ror:

    var2 = (size - var1) mod size    (2)

where var1 and var2 are the immediate values of the original and of the reverse instruction, and size is the width in bits of the register on which the operation is performed (so (1) is the two's-complement negation of var1 within the operand width, and (2) is the complementary rotate count).

Table 2. Examples of equivalent instructions

    Equivalent instructions add-sub                      Equivalent instructions rol-ror
    add eax, 0000003Ah   (58,  00111010b)                rol eax, 15
    sub eax, 0FFFFFFC6h  (-58, ...11000110b)             ror eax, 17

In some cases equivalent instructions alter the flags register EFLAGS differently. Therefore one instruction should be replaced by another only if, up to the next instruction that changes the flags, the flag values do not affect the course of the program, i.e. there are no instructions depending on EFLAGS, such as conditional jumps [6].

If the operands of a comparison instruction are swapped, the instruction will set the opposite flags. But if, in addition to swapping the operands, the conditional branch instruction that operates on the relevant flags is also replaced by its mirror, the course of the program is not affected. Furthermore, it is possible to change not only a single conditional branch but also the order of several functionally independent blocks of code.

Fig. 3. Equivalent sequence of instructions with the order of independent functional blocks of code changed. Original order:

    cmp eax, ebx
    ja label1
    <code block 1>
    jmp label2
    label1:
    <code block 2>
    label2:
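The cmp operand swap with the mirrored conditional branch, and the reordering of the two blocks of a diamond as in Fig. 3, as an added example in Python (again not the paper's code and not the authors' tool). It works on assembly text rather than on bytes, so it needs no decoder, and it includes a small interpreter used to confirm that each rewritten listing executes the same block as the original. The diamond, the register values and the label names are constructed for the example:

```python
# Added example, not the paper's code: the cmp/jcc rewrites of Fig. 3 applied to
# assembly text. Swapping the operands of cmp mirrors the comparison, so the
# conditional jump that consumes its flags must be mirrored too (ja <-> jb,
# jae <-> jbe, jg <-> jl, jge <-> jle; je and jne are their own mirrors), and
# negating the jump lets the two blocks of an if/else diamond change places.
# A small interpreter checks that every rewrite executes the same block.
import re

MIRROR = {"ja": "jb", "jb": "ja", "jae": "jbe", "jbe": "jae", "jg": "jl", "jl": "jg",
          "jge": "jle", "jle": "jge", "je": "je", "jne": "jne"}
NEGATE = {"ja": "jbe", "jbe": "ja", "jb": "jae", "jae": "jb", "jg": "jle", "jle": "jg",
          "jl": "jge", "jge": "jl", "je": "jne", "jne": "je"}
JCC = re.compile(r"(j\w+) (\w+)")
CMP = re.compile(r"cmp (\w+), (\w+)")

def signed(v):                  # 32-bit two's complement view, used by the signed jumps
    return v - (1 << 32) if v & 0x80000000 else v

# what each jcc tests after 'cmp a, b': unsigned for the ja/jb family, signed for jg/jl
COND = {"ja": lambda a, b: a > b, "jae": lambda a, b: a >= b, "jb": lambda a, b: a < b,
        "jbe": lambda a, b: a <= b, "je": lambda a, b: a == b, "jne": lambda a, b: a != b,
        "jg": lambda a, b: signed(a) > signed(b), "jge": lambda a, b: signed(a) >= signed(b),
        "jl": lambda a, b: signed(a) < signed(b), "jle": lambda a, b: signed(a) <= signed(b)}

def mirror_compare(asm):
    """Swap the operands of each 'cmp x, y' that is followed by a jcc, mirroring that jcc."""
    out = list(asm)
    for i in range(len(asm) - 1):
        m, j = CMP.fullmatch(asm[i]), JCC.fullmatch(asm[i + 1])
        if m and j and j[1] in MIRROR:
            out[i], out[i + 1] = f"cmp {m[2]}, {m[1]}", f"{MIRROR[j[1]]} {j[2]}"
    return out

def swap_diamond(asm):
    """jcc L1 / block1 / jmp L2 / L1: / block2 / L2:  ->  negated jcc L1 / block2 / jmp L2 / L1: / block1 / L2:"""
    for i, line in enumerate(asm):
        j = JCC.fullmatch(line)
        if not j or j[1] not in NEGATE:
            continue
        try:
            l1 = asm.index(f"{j[2]}:", i)                                          # L1: opens block 2
            l2 = asm.index(re.fullmatch(r"jmp (\w+)", asm[l1 - 1])[1] + ":", l1)   # jmp L2 closes block 1
        except (ValueError, TypeError):                                            # not a diamond: keep looking
            continue
        block1, block2 = asm[i + 1:l1 - 1], asm[l1 + 1:l2]
        return asm[:i] + [f"{NEGATE[j[1]]} {j[2]}", *block2, asm[l1 - 1], f"{j[2]}:", *block1] + asm[l2:]
    return list(asm)

def run(asm, regs):
    """Execute cmp/jcc/jmp/mov imm/ret over 32-bit registers; return (executed movs, registers)."""
    regs, pc, done, last_cmp = dict(regs), 0, [], (0, 0)
    labels = {line[:-1]: k for k, line in enumerate(asm) if line.endswith(":")}
    while pc < len(asm):
        op, _, args = asm[pc].partition(" ")
        a = [x.strip() for x in args.split(",")] if args else []
        if op == "cmp":
            last_cmp = (regs[a[0]], regs[a[1]])                  # stands in for the flags
        elif op == "jmp" or (op in COND and COND[op](*last_cmp)):
            pc = labels[a[0]]
            continue
        elif op == "mov":
            regs[a[0]] = int(a[1]) & 0xFFFFFFFF
            done.append(asm[pc])
        elif op == "ret":
            break
        pc += 1
    return done, regs

def equivalent(asm_a, asm_b, samples):
    """True if both listings execute the same movs and end in the same state on every sample."""
    return all(run(asm_a, r) == run(asm_b, r) for r in samples)

def diamond(jcc):
    """Constructed if/else diamond in the shape of Fig. 3 (not from the paper)."""
    return ["cmp eax, ebx", f"{jcc} L1", "mov ecx, 1", "jmp L2", "L1:", "mov ecx, 2", "L2:", "ret"]

# constructed inputs, including values where the signed and unsigned orderings disagree
SAMPLES = [{"eax": a, "ebx": b, "ecx": 0}
           for a, b in [(1, 2), (2, 1), (5, 5), (0xFFFFFFFF, 1), (1, 0xFFFFFFFF), (0, 0x80000000)]]
```

The samples include 0FFFFFFFFh and 80000000h because that is where a wrong mirror shows up: swapping the cmp operands but keeping ja (a naive variant) executes a different block for eax = 0FFFFFFFFh, ebx = 1, while the mirrored jb and the negated jbe variants agree with the original on every sample. Each of the two rewrites carries one bit, read back as in Table 1 by checking which form is present; mirroring a signed jump (jg, jl) with an unsigned one (ja, jb) would pass on inputs where both orderings agree and fail on the rest, which is why the mirror table keeps the two families apart.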

Embedding information into executable files can be carried out for different purposes, and the use of an executable file as a container for hiding information is justified: not only the statistics but also the permissible volume of transmitted information depend greatly on the amount of code making up the program's algorithm and on the environment in which the program was built. Expert systems do not impose such strict secrecy requirements on the stegosystem as a classic stegosystem does, and embedding into binaries meets these "non-strict" requirements.

This article has explored the principles of applying techniques for embedding hidden information that can be applied to an expert system. The study compared the characteristics of viral malware with those of applications using self-modifying code. On this basis, it is proposed to embed self-modifying code into executable code by replacing instructions with synonyms: instructions that perform the same operation and have the same length. The idea behind the semantic replacement of operators is to divert an "attacker" who checks the integrity of individual sections of the executable output of the expert system. It is difficult to notice a hidden attachment embedded in the file, because the changes within the file affect neither the size nor the functionality of the executable code. The proposed method is simple to implement and does not require extra costs.

In conclusion, this article demonstrates the successful semantic replacement of operators by equivalent assembly code. The method can be used for concealed embedding and for further use in building expert systems.

Literature

1. Andrianov V.I., Romanov G.G., Shterenberg S.I. Expert systems in the field of information security. In: Actual Problems of Infotelecommunications in Science and Education, IV International scientific-technical and scientific-methodical conference: collection of scientific articles in 2 volumes. 2015. Pp. 193-197.

2. Shterenberg S.I., Andrianov V.I., Lipatnikov V.A., Kostarev S.V. RPA (rationable progressimo aggredi). Certificate of official registration of a computer program No. 2015611539, 2015.

3. Romanov G.G., Vitkova L.A., Andrianov V.I., Shterenberg S.I. Interface of the expert system Rex. Certificate of official registration of a computer program No. 2015661877, 2015.

4. Shin D., Kim Y., Byun K., Lee S. Data Hiding in Windows Executable Files. Center for Information Security Technologies. Korea University, Seoul, 2008. P. 51.

5. Shterenberg S.I., Vitkova L.A., Andrianov V.I. Methods of using the empty sections of executable code for self-developing steganographic embedding in a distributed system of unambiguous identification. Control Systems and Information Technology. 2015. Vol. 59. No. 1.1. Pp. 189-194.

6. Shterenberg S.I., Krasov A.V., Ushakov I.A. Analysis of using equivalent instructions at the hidden embedding of information into the executable files. Journal of Theoretical and Applied Information Technology. 2015. Vol. 80. No. 1. Pp. 28-34.

For citation:

Shterenberg S.I., Kaflanov R.I., Druzhin A.S., Marchenko S.S. Method of use of self-modification files for secure communication in the expert system. H&ES Research. 2016. Vol. 8. No. 1. Pp. 71-75.

Russian-language title: Method of applying self-modification of files for covert data transmission in an expert system (Методика применения самомодификации файлов для скрытой передачи данных в экспертной системе).

Information about the authors: Shterenberg S.I., postgraduate student, Bonch-Bruevich Saint Petersburg State University of Telecommunications; Kaflanov R.I., Druzhin A.S., Marchenko S.S., Mozhaisky Military Space Academy.

For citation (Russian edition): Shterenberg S.I., Kaflanov R.I., Druzhin A.S., Marchenko S.S. Method of applying self-modification of files for covert data transmission in an expert system. Naukoemkie tekhnologii v kosmicheskikh issledovaniyakh Zemli (H&ES Research). 2016. Vol. 8. No. 1. Pp. 71-75.