Functional model of reverse engineering malware
DOI: https://doi.org/10.20535/2411-1031.2021.9.2.249915
Keywords: malware, function model, IDEF0 graph, context diagram, decomposition diagram
Abstract
The process of reverse engineering malicious software is studied. Its focus on revealing the principles of hardware or software operation, above all their structure and algorithms, is shown. Attention is also paid to the transformation, during reverse engineering, of binary instructions into code mnemonics in order to establish the impact on both hardware and software. With this in mind, the relevant methods are analyzed, in particular the study of hardware Trojans based on reference vectors. The applicability of reverse engineering to training the proposed hardware Trojan detection model is established. The importance of classifying malware, identifying its features, and its effects on computer systems and networks is also discussed, and the problem of protection against ransomware is analyzed. As a result, it was found that a characteristic feature of the analyzed research is its multifaceted and, consequently, informal treatment of reverse engineering malicious software, which leads to a variety of interpretations of the functions within this activity. To avoid this limitation, the use of the IDEF0 graphic notation is proposed; an additional advantage of this choice is its formality. On this basis, a functional model of reverse engineering malicious software has been developed, built on the IDEF0 graph. This made it possible to formalize the activity by separating its upper- and lower-level functions (creating a controlled environment, studying the behavior of malicious software, researching communication protocols, analyzing malicious code, creating malware signatures), presenting each of them with its input and output data, constraints and resources, and establishing the relationships between them.
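As an added illustration (not part of the paper), the five lower-level functions named in the abstract can be written down as an IDEF0 A0 decomposition and checked against the basic IDEF0 syntax rules (every box needs at least one control and one output arrow; a diagram holds three to six boxes). The ICOM arrow labels below are assumptions chosen for the example, not the model the paper defines.

```python
"""Added example: an IDEF0 decomposition of reverse-engineering malware,
validated against basic IDEF0 syntax rules. Arrow labels are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Box:
    node: str                                       # IDEF0 node number, e.g. "A1"
    name: str                                       # function name (verb phrase)
    inputs: list = field(default_factory=list)      # I: data transformed by the box
    controls: list = field(default_factory=list)    # C: constraints on the box
    outputs: list = field(default_factory=list)     # O: data produced by the box
    mechanisms: list = field(default_factory=list)  # M: resources performing it


def check_idef0(boxes):
    """Return a list of rule violations; an empty list means the diagram is well-formed."""
    errors = []
    if not 3 <= len(boxes) <= 6:
        errors.append(f"diagram has {len(boxes)} boxes, IDEF0 allows 3..6")
    for b in boxes:
        if not b.controls:
            errors.append(f"{b.node} has no control arrow")
        if not b.outputs:
            errors.append(f"{b.node} has no output arrow")
    return errors


def internal_arrows(boxes):
    """Map each output arrow to the boxes that consume it as input or control.
    An empty consumer list means the arrow leaves the diagram (boundary output)."""
    consumers = {}
    for src in boxes:
        for arrow in src.outputs:
            consumers[arrow] = [d.node for d in boxes
                                if d is not src and (arrow in d.inputs or arrow in d.controls)]
    return consumers


# Lower-level functions listed in the abstract; the ICOM labels are assumed for this example.
A0 = [
    Box("A1", "Create controlled environment", ["sample"], ["analysis policy"], ["sandbox ready"], ["VM, analyst"]),
    Box("A2", "Study malware behaviour", ["sandbox ready"], ["analysis policy"], ["behaviour report"], ["monitoring tools"]),
    Box("A3", "Research communication protocols", ["behaviour report"], ["analysis policy"], ["protocol description"], ["network capture"]),
    Box("A4", "Analyse malicious code", ["sandbox ready", "protocol description"], ["PE/ELF format spec"], ["code analysis"], ["disassembler, analyst"]),
    Box("A5", "Create malware signatures", ["behaviour report", "code analysis"], ["signature format"], ["signatures"], ["analyst"]),
]

if __name__ == "__main__":
    print(check_idef0(A0))        # [] for a well-formed diagram
    print(internal_arrows(A0))    # which function consumes which intermediate result
```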
License
Copyright (c) 2021 Information Technology and Security
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors published in this collection agree to the following terms:
- The authors retain the right of authorship of their work and grant the collection the right of first publication. The work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with an obligatory reference to the authors of the original work and to its first publication in this collection.
- The authors have the right to conclude an agreement on the non-exclusive distribution of the work in the form in which it was published in this collection (for example, to place the work in an institutional digital repository or to publish it as part of a monograph), provided that reference is made to the first publication of the work in this collection.
- The policy of the journal allows and encourages authors to place the manuscript of the work on the Internet (for example, in repositories or on personal websites) before submitting it to the editors and during its editorial processing, as this contributes to productive scientific discussion and has a positive effect on the efficiency and dynamics of citation of the published work (see The Effect of Open Access).