Identification of malware activities with rules

Bartosz Jasiul, Joanna Śliwa, Kamil Gleba
Military Communication Institute, C4I Systems' Department, ul. Warszawska 22a, 05-130 Zegrze, Poland
Email: {b.jasiul, j.sliwa, k.gleba}@wil.waw.pl

Marcin Szpyrka
AGH University of Science and Technology, Department of Applied Computer Science, al. Mickiewicza 30, 30-059 Kraków, Poland
Email: mszpyrka@agh.edu.pl

Abstract—The article describes a method of identifying malware activities using an ontology and rules. The method supports detection of malware at the host level by observing its behavior. It sifts through hundreds of thousands of regular events and identifies the suspicious ones, which are then passed on to a second building block responsible for tracking the malware and matching stored models against the observed malicious actions. The method was implemented and verified in an infected computer environment. Unlike signature-based antivirus mechanisms, it detects malware whose code has been obfuscated.

I. INTRODUCTION

An overwhelming number of computer systems are connected to each other by a global network, the Internet, which allows them to produce results beyond those achievable by the individual systems alone. The outcomes of cooperative work and the accessibility of information are perceived and appreciated by probably all of its users. Unfortunately, the advantages of this technology are also available for hostile goals. The number of cyber threats has risen rapidly, from 23 680 646 in 2008 [1] to 1 595 587 670 in 2012 [2], and this is nowadays one of the most vexing problems in computer system security [3]. At the end of 2012 Kaspersky Lab, the Russian producer of antivirus software, reported [4] that it currently detects and blocks more than 200 000 new malicious programs every day, a significant increase from the first half of 2012, when 125 000 malicious programs were detected and blocked each day on average.
Although awareness of the necessary security appliances seems to be common and the tools used for that purpose are getting more and more advanced, the number of successful attacks targeted at computer systems is growing [5]. They are mostly related to denial of offered services, gaining access to or stealing private data, financial fraud, etc. Moreover, the evolution towards cloud computing and the increasing use of social networks, mobile and peer-to-peer networking technologies, which are an intrinsic part of our life today and bring many conveniences to our personal lives, business and government, make it possible to use them as tools for cyber criminals and as potential paths of malware propagation [6]. Computer systems are prone to cyber attacks even though a number of security controls are already deployed [7], [8]. Cyber criminals are focused on finding a way to bypass security controls and gain access to the protected network. For that reason organizations, companies, governments and institutions, as well as ordinary citizens all over the world, are interested in detecting all attempts at malicious actions targeted at their computer networks and single machines [9].

Malicious activity detection starts with the application of various techniques, the success rate of which depends on the reliability of the malware model. Usually they are based on code signatures. Security controls (e.g. antivirus tools) may be maladjusted because the signatures of new threats have not been identified yet. Hackers often reuse existing parts of code in order to implement new types of malware.

Work has been partially financed by the National Centre for Research and Development project no. PBS1/A3/14/2012 "Sensor data correlation module for detection of unauthorized actions and support of decision process" and by the European Regional Development Fund, the Innovative Economy Operational Programme, INSIGMA project no. 01.01.02-00-062/09.
This, in return, allows signatures of new dangerous software to be developed quickly. Therefore, the more signatures are deployed, the more malicious code samples are identified. On the other hand, one of the methods for misleading signature-based detection systems is code obfuscation, the aim of which is to generate, from already existing code, a new application that cannot yet be assessed as risky by security controls [10]. This technique is simple to use and potentially successful. One of the countermeasures in this case is to follow the behavior of malicious software in order to identify it and eliminate it from the protected system. According to the study conducted in 2012 by the Verizon RISK Team [11] in cooperation with many national and federal organizations, including e.g. the Australian Federal Police, the Irish Reporting and Information Security Service and the United States Secret Service, new techniques that speed up the process of malware detection to hours are necessary. The authors of the report [12] indicate that antivirus products should be supported by malware behavioral analysis tools in order to detect those attacks for which signatures have not been established. An existing example of an appliance that uses behavioral analysis for advanced persistent threat detection is Digital DNA by HBGary, which extends the capabilities of the McAfee Total Protection antivirus [13]. Detailed technical specifications of this solution have not been released to the public. The product brochure explains that multiple low-level behaviors are identified for every running program or binary. This leads to the conclusion that each application is observed from a behavioral perspective. McAfee is proud that last year the solution allowed it to detect more 0-day

Proceedings of the 2014 Federated Conference on Computer Science and Information Systems, pp. 101–110, DOI: 10.15439/2014F265, ACSIS, Vol. 2, 978-83-60810-58-3/$25.00 © 2014, IEEE
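The contrast drawn above, between a signature that a trivial transformation of the binary defeats and a behavioral rule that keeps matching because the program still has to do the same things on the host, can be made concrete. The following Python block is an added illustration and is not code from the paper or its authors' implementation: the "binary", the XOR "packer" standing in for a real crypter, the three rules and the host event trace are all constructed for this example, and the rule language (an ordered list of predicates, one per process) is an assumption about how such rules might be expressed, not a description of the ontology-based method the paper presents.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

# --- Signature side: what a hash or byte-pattern scanner sees ----------------

# Constructed stand-in for a malicious binary; a real sample would be a PE file.
ORIGINAL_SAMPLE = b"MZ\x90\x00 constructed payload: drop, persist, beacon"

def signature(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

# The scanner has a signature for the original sample only.
SIGNATURE_DB = {signature(ORIGINAL_SAMPLE)}

def xor_obfuscate(blob: bytes, key: int) -> bytes:
    """Constructed stand-in for a packer/crypter: one XOR pass rewrites every
    byte, so a hash or byte pattern taken on the original no longer applies."""
    return bytes(b ^ key for b in blob)

def signature_match(blob: bytes) -> bool:
    return signature(blob) in SIGNATURE_DB

# --- Behavioral side: rules evaluated over host events -----------------------

Event = Dict[str, str]
Predicate = Callable[[Event], bool]

def _lower(ev: Event, field: str) -> str:
    return ev.get(field, "").lower()

# Assumed rule form: an ordered list of predicates. A process matches a rule
# when its trace contains one event per predicate, in that order.
RULES: Dict[str, List[Predicate]] = {
    "drop_and_execute_from_temp": [
        lambda e: e["type"] == "file_write"
                  and "\\temp\\" in _lower(e, "path") and _lower(e, "path").endswith(".exe"),
        lambda e: e["type"] == "process_create" and "\\temp\\" in _lower(e, "image"),
    ],
    "autorun_persistence": [
        lambda e: e["type"] == "registry_set" and "\\currentversion\\run\\" in _lower(e, "key"),
    ],
    "beacon_after_persistence": [
        lambda e: e["type"] == "registry_set" and "\\currentversion\\run\\" in _lower(e, "key"),
        # connection to a bare IP address (no DNS name) after persistence was set
        lambda e: e["type"] == "network_connect" and _lower(e, "dest").replace(".", "").isdigit(),
    ],
}

def matches_in_order(trace: List[Event], predicates: List[Predicate]) -> bool:
    step = 0
    for ev in trace:
        if step < len(predicates) and predicates[step](ev):
            step += 1
    return step == len(predicates)

def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Group the event stream per process and return only processes that satisfy
    at least one rule; every other process is dropped as regular activity."""
    by_pid: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    hits: Dict[str, List[str]] = {}
    for pid, trace in by_pid.items():
        fired = [name for name, preds in RULES.items() if matches_in_order(trace, preds)]
        if fired:
            hits[pid] = fired
    return hits

# Constructed host trace: a browser (pid 1001), a software updater that also
# writes and starts an .exe (pid 1002), and the sample (pid 2001).
TRACE: List[Event] = [
    {"pid": "1001", "type": "network_connect", "dest": "www.example.org", "port": "443"},
    {"pid": "1001", "type": "file_write", "path": "C:\\Users\\u\\Downloads\\report.pdf"},
    {"pid": "1002", "type": "file_write", "path": "C:\\Program Files\\App\\app.exe"},
    {"pid": "1002", "type": "process_create", "image": "C:\\Program Files\\App\\app.exe"},
    {"pid": "2001", "type": "file_write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"pid": "2001", "type": "process_create", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"pid": "2001", "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"pid": "2001", "type": "network_connect", "dest": "198.51.100.7", "port": "8080"},
]

def analyse(blob: bytes, events: List[Event]) -> Dict[str, object]:
    """What each approach reports for one binary and the host trace it produced."""
    return {"signature_hit": signature_match(blob), "behaviour_hits": detect(events)}

if __name__ == "__main__":
    packed = xor_obfuscate(ORIGINAL_SAMPLE, 0x5A)
    for label, blob in (("original", ORIGINAL_SAMPLE), ("obfuscated", packed)):
        # The trace is the same for both: obfuscation changes the bytes, not the actions.
        print(label, analyse(blob, TRACE))
```

Running the block shows the asymmetry the text describes: the signature hits the original sample and misses the XOR-transformed copy, while `detect` flags pid 2001 in both cases and ignores the browser and the updater, whose traces resemble the malicious one in individual events but not in the combination and order the rules require. Ordering is what keeps the rules from being a bag of event types: moving the outbound connection in front of the Run-key write makes the `beacon_after_persistence` rule stop firing.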