Ludmila K. Babenko

Classification of polymorphic and metamorphic malware samples based on their behavior

This work proposes a new method of malware classification based on behavior features. We developed a proximity measure for programs, which takes into account WinAPI calls, their arguments, and files handled by these programs. Cluster analysis is used for grouping. The method was tested with actual malware samples.

Algebraic analysis of GOST encryption algorithm

This paper is devoted to the investigation of GOST algorithm with regard to its resistance against algebraic cryptanalysis. GOST algorithm is a state standard of Russian Federation. Its characteristic feature is the use of variable S-blocks and simple mathematical operations. It is considered that any initial values of S-blocks provide enough strength to resist any attacks. The general idea of algebraic analysis is based on the representation of initial encryption algorithm as a system of multivariate quadratic equations, which define relations between a secret key and a cipher text. Extended linearization method is evaluated as a method for solving the nonlinear system of equations. The most challenging problem of the analysis is caused by addition modulo 2n in GOST. In order to make the analysis simpler we have considered a simplified scheme for GOST, in which the operation of addition modulo 2n is replaced by the addition modulo 2 (denoted as GOST+). We have proposed an analysis algorithm of GOST according to experimental data. The research has shown that 32-round GOST is described by a system of 5376 quadratic equations, which characterize dependencies between inputs and outputs of S-blocks. The total number of variables is 2048 and the system contains 9472 monomials. Generation of the system for a single-round GOST demands circa 14 hours (with AMD Athlon X2DualCore processor 3800+, 1Gb RAM).

Research about strength of GOST 28147-89 encryption algorithm

The present study considers the improvement of existing cryptanalytical methods in relation to Russian standard of GOST 28147-89 symmetric encryption. This paper researches encryption transformations in GOST 28147-89 algorithm constructed on the principles of Feistel network simplifying attacks by methods of differential and algebraic cryptanalysis. Finally, for fixed encryption keys plain texts were obtained reducing 32 encryption rounds to 16.

Two simplified versions of Kuznyechik cipher (GOST R 34.12-2015)

Kuznyechik cipher is a new symmetric block cipher declared as a state standard in Russian Federation. The cipher is based on SP (Substitution Permutation) network principle, the block size is 128 bits, the key size is 256 bits, and encryption takes nine rounds. Round subkeys are generated from the original secret master key with Feistel scheme. Many modern standard including DES and AES have simplified versions. These versions can be used in education in order to demonstrate encryption and decryption operations to students. In addition to that, simplified versions are used for simulation of various attack scenarios and cryptanalysis methods. In this paper we propose two simplified versions of Kuznyechik algorithm. The first one is extremely simple and can be used in education. All transformations can even be performed manually in reasonable time. The second version is more complicated. This one is designed for simulation of different types of attacks and we offer it for the demonstration of Kuznyechiks basic principles.

Development of method for malware classification based on statistical methods and an extended set of system calls data

In this paper, we propose a method for malware classification, by applying a statistical methods to an extended data set of system function calls, it becomes possible to improve the classification quality of malware samples. Applying the method of classification with unsupervised learning, it is possible to achieve a quality of classification comparable with classification methods based on supervised learning, including neural networks. Thus, the proposed method allows to perform detection of previously unknown families and more efficiently to detect unknown samples of small families.

Malware detection by meta-information of used system functions

The method of detecting malicious software proposed in this paper makes it possible to detect malicious samples as a separate class, without reference to the specific features of a particular family. To solve this problem, we use a set of quantitative characteristics, developed on the basis of qualitative data on the test sample, obtained as a result of static and behavioral analysis of samples. At the same time, a key role in the formation of the feature space is played by meta-information about the system functions used, obtained as a result of behavioral analysis. According to the results of experimental studies, it was revealed that the error in the clustering of malware samples is up to 42% less than in competing classification methods.

Differential ananlysis of 3 round Kuznyechik

In January 2016, a new block encryption standard came into force in the Russian Federation - GOST R 34.12-2015. It includes two algorithms of encryption. The first cipher was previously known under the name GOST28147-89 (or simply GOST). The second algorithm was called Kuznyechik. Kuznyechik is a new symmetric encryption algorithm, based on the SP-network. Up to now there are no publications about the differential properties of the algorithm Kuznyechik. We are the first to examine the properties of main operations and suggest a scheme of 3 rounds differential analysis of cipher Kuznyechik. We examined the differential properties of the non-linear transformation S and the linear transformation L and found out that its possible a situation when, 1 non-zero byte difference, being a result of the transformation L, is expanded into 16 non-zero bytes, then it passes through the S-boxes, and then collapses again into 1 nonzero byte. The developed scheme allows to affect the active S-boxes a minimum number of times. As a result, for the suggested scheme the possibility of finding the correct pairs of texts is equal to 2-108. We also developed the algorithm of finding a secret key, the complexity of which is equal to 6*2−120. In this way, the total complexity of the analysis, including searching for the correct pairs of texts and bits of the secret encryption key is equal to 2108 + 6*2120 encryptions. Also the article contains theoretical calculations of the time required to implement an attack using the most powerful supercomputers in the world [2].

Modeling of Algebraic Analysis of GOST+ Cipher in SageMath

In this paper we present results of algebraic analysis of GOST⌖ algorithm in SageMath environment. Using the GOST⌖ as the example we explore basic stages of algebraic analysis of any symmetric block cipher based on Feistel network. We construct sets of boolean equations for five encryption rounds and determine the number of known text pairs for which the key can be found with the probability of 1. The algebraic analysis of five rounds of GOST⌖ allowed to find a 160-bit encryption key with the probability of 1 for five known text pairs within 797.21 s; the search for the solution took 24.66 s.

Cryptanalysis of factoring-based fully homomorphic encryption

This paper deals with fully homomorphic cryptosystems exploiting the problem of big integers factoring. We give a short review of them and highlight two main types of such fully homomorphic cryptosystems (FHCs): polynomial-based and matrix-based. The main focus of the discussion is placed on one recently proposed polynomial-based FHC. Its construction is recalled, but mainly we concentrate on security issues. And here our contribution is twofold. First, we review a known-plaintext attack (KPA) proposed in literature on this FHC. We give the general idea of KPA, the probability of its success and the number of pairs (plaintext, ciphertext) necessary to break the FHC. Second, we discuss how the reviewed KPA may be extended in order to decrease the necessary number of pairs. On a high level the proposed extension of KPA may be applied not only to this concrete FHC, but to all reviewed here FHCs. Our KPA essentially uses non-uniformity of probabilistic distribution over plaintexts to obtain a high probability of success. And instead of missing pairs it requires an additional sequence of ciphertexts produced on the same key.

Instrumental System for Analysis of Information Systems Using Smart Cards Protection

Modern smart card is a multi-purpose tool that is used in many areas of science and technology [5]. Microprocessor cards are used for access control, e-commerce, identification and authentication, used as personal data protected storages, as the core of e-passports and documents. In circulation there are tens of millions of devices simultaneously, and it is all the more credible by both the producers and by users [7]. All this leads to increase of attention from both developers (to protect information) and intruders. In this context, the problem of the development of new software and hardware solutions for smart cards and security analysis using their information systems (IS), including research methods, modeling, statistical estimation, as well as specialized software tools is important.