US-12619740-B2 - Simulation of malware with changing signatures
Abstract
A computer-implemented method of simulating a propagation of a malware through a set of computer systems, the method comprising: identifying a simulated computer system infected with a simulated malware; determining a first signature of the simulated malware; determining that a mutation condition for the simulated malware has been met; and in response to determining that the mutation period has been met, changing the first signature of the simulated malware to a second signature.
Inventors
- Alfie BEARD
- Tom BOWMAN
Assignees
- BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
Dates
- Publication Date: 20260505
- Application Date: 20230213
- Priority Date: 20220310
Claims (17)
- 1. A computer-implemented method of simulating a propagation of a malware through a set of computer systems, the method comprising: identifying a simulated computer system infected with a simulated malware; determining a first signature of the simulated malware; determining that a mutation condition for the simulated malware has been met; and in response to determining that the mutation condition has been met, changing the first signature of the simulated malware to a second signature; wherein: the determining that the mutation condition has been met comprises determining that a mutation period for the simulated malware has elapsed; and the mutation period is a period of time that begins at a first time point indicating when the simulated computer system was first infected with the simulated malware.
- 2. The method of claim 1, wherein determining that the mutation period for the simulated malware has elapsed comprises: determining the first time point indicating when the simulated computer system was first infected with the simulated malware; and determining that the current time point is the same as or later than a sum of the first time point and the mutation period.
- 3. The method of claim 1, wherein the mutation period is fixed.
- 4. The method of claim 1, wherein the mutation period is variable.
- 5. The method of claim 1, further comprising obtaining the mutation condition for the simulated malware using the first signature.
- 6. The method of claim 5, wherein obtaining the mutation condition for the simulated malware comprises looking up the first signature in a list.
- 7. The method of claim 6, further comprising adding the second signature to the list.
- 8. The method of claim 1, wherein at least one of the first signature and the second signature comprises one or more digits, a string, or a hash.
- 9. The method of claim 1, further comprising randomly generating the second signature.
- 10. A computer-implemented malware protection method to protect at least a subset of a set of computer systems from a malware, the method comprising: accessing a model of the set of computer systems; simulating a propagation of the malware through the set of computer systems using the model, wherein the simulating comprises identifying a simulated computer system infected with a simulated malware; determining a first signature of the simulated malware; determining that a mutation condition for the simulated malware has been met; and in response to determining that the mutation condition has been met, changing the first signature of the simulated malware to a second signature; wherein: the determining that the mutation condition has been met comprises determining that a mutation period for the simulated malware has elapsed; and the mutation period is a period of time that begins at a first time point indicating when the simulated computer system was first infected with the simulated malware; and identifying one or more malware protection measures to be deployed to one or more of the set of computer systems based on the simulating.
- 11. The method of claim 10, comprising: deploying the one or more malware protection measures to the one or more computer systems.
- 12. A system simulating a propagation of a malware through a set of computer systems, the system comprising: one or more processors and a memory storing instructions that, when executed by the one or more processors so that the system for simulating the propagation of malware in a network is at least configured to: identify a simulated computer system infected with a simulated malware; determine a first signature of the simulated malware; determine that a mutation condition for the simulated malware has been met; and in response to the determination that the mutation condition has been met, change the first signature of the simulated malware to a second signature; wherein: the determination that the mutation condition has been met comprises a determination that a mutation period for the simulated malware has elapsed; and the mutation period is a period of time that begins at a first time point indicating when the simulated computer system was first infected with the simulated malware.
- 13. The system of claim 12, wherein, to determine that the mutation period for the simulated malware has elapsed, the system is at least further configured to: determine the first time point indicating when the simulated computer system was first infected with the simulated malware; and determine that the current time point is the same as or later than a sum of the first time point and the mutation period.
- 14. The system of claim 12, wherein the mutation period is fixed.
- 15. The system of claim 12, wherein the mutation period is variable.
- 16. The system of claim 12, wherein the system is further configured to randomly generate the second signature.
- 17. A non-transitory computer-readable storage medium storing a computer program comprising instructions that, when executed by a processor, cause the processor to perform the method of claim 1.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is the U.S. national phase of International Application No. PCT/EP2023/053486 filed Feb. 13, 2023 which designated the U.S. and claims priority to GB 2203355.9 filed Mar. 10, 2022, the entire contents of each of which are hereby incorporated by reference.
TECHNICAL FIELD
Embodiments described herein relate generally to simulations of malware propagation through computer networks.
BACKGROUND
Conventional malware protection mechanisms are reactive to the detection of malware in a network or the widespread distribution of anti-malware measures. Such approaches are known as “diagnosis and treatment”. Mitigation measures such as anti-malware or malware-specific protective measures may not be known for some time after an infection has been studied for its effects. Accordingly, it is beneficial to provide improvements in the simulation of the propagation of such infections through computer networks, thereby allowing for faster and more appropriate selection of malware protection mechanisms.
SUMMARY OF INVENTION
The present application relates to the field of a simulation of a network and, in particular, a network subject to a threat or attack such as malware or the like. The simulation is arranged to simulate the propagation of the threat through the network as each entity in the network (i.e. each device or machine) goes through a process of being susceptible to infection, then infected, then detected (i.e. infection is detected), then ultimately removed (e.g. the infection is either remediated, mitigated or the entity is disconnected/removed from the network). The present application particularly relates to the simulation of malware which is capable of changing its identifiable features in order to evade detection. Such malware may be, for example, polymorphic malware or metamorphic malware.
Polymorphic techniques involve frequently changing identifiable characteristics like file names, hashes, types, encryption keys or any other detectable characteristic to make the malware unrecognisable to many detection techniques. The simulations of the present application apply a process of mutation to malware signatures during the simulation of propagation of the malware through a network. These simulations can be used to determine and deploy responsive measures in real-world systems with greater accuracy due to the simulation of the mutations.
In accordance with a first aspect of the invention, there is provided a computer-implemented method of simulating a propagation of a malware through a set of computer systems, the method comprising: identifying a simulated computer system infected with a simulated malware; determining a first signature of the simulated malware; determining that a mutation condition for the simulated malware has been met; and in response to determining that the mutation period has been met, changing the first signature of the simulated malware to a second signature.
Determining that the mutation condition has been met may include determining that a mutation period for the simulated malware has elapsed. Determining that the mutation period for the simulated malware has elapsed may include: determining a first time point indicating when the simulated computer system was first infected with the simulated malware; and determining that the current time point is the same as or later than a sum of the first time point and the mutation period. The mutation period may be fixed. The mutation period may be variable.
The method may further include obtaining the mutation condition for the simulated malware using the first signature. Obtaining the mutation condition for the simulated malware may include looking up the first signature in a list. The method may further include adding the second signature to the list.
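
The mutation check and signature list described above, shown as an added Python example that is not code from the patent: it runs the elapsed-period test on a simulated host, adds a randomly generated second signature (claim 9) to the list, and shows the effect on a signature-matching detector. The host name, the signature strings, the detector timing and the rule for repeated mutations are assumptions of the example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Infection:
    signature: str       # current signature of the simulated malware on this host
    first_infected: int  # time point at which the host was first infected
    mutations: int = 0   # mutations so far (bookkeeping assumed by this example)

def step_mutations(hosts, periods, now, rng=secrets.token_hex):
    """Run the mutation check for every infected simulated host at time `now`.

    periods maps signature -> mutation period (the looked-up list).
    Returns [(host, old_signature, new_signature), ...].
    """
    changed = []
    for name, inf in hosts.items():
        period = periods.get(inf.signature)
        if period is None:          # no mutation condition listed: never mutates
            continue
        # Due when now >= first infection time + period. Assumption: later
        # mutations fall due at each further multiple of the period.
        if now >= inf.first_infected + (inf.mutations + 1) * period:
            old, inf.signature = inf.signature, rng(8)
            inf.mutations += 1
            periods[inf.signature] = period   # add the second signature to the list
            changed.append((name, old, inf.signature))
    return changed

def run(period, detector_learns_at=5, ticks=8):
    """Constructed scenario: one host infected at t=0; a signature-matching
    detector learns the original signature at `detector_learns_at`.
    Returns the tick at which the host is detected, or None."""
    hosts = {"host-a": Infection("sig-0", first_infected=0)}
    periods = {"sig-0": period} if period else {}
    known = set()
    for now in range(ticks):
        step_mutations(hosts, periods, now)
        if now == detector_learns_at:
            known.add("sig-0")
        if hosts["host-a"].signature in known:
            return now
    return None
```

With no mutation period the simulated host is detected at tick 5; with a period of 3 the signature has already changed by then and the same detector never matches it, which is the difference the simulation is meant to surface when choosing protection measures.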
At least one of the first signature and the second signature may include one or more digits, a string, or a hash. The method may further include randomly generating the second signature.
In accordance with a second aspect of the invention, there is provided a computer-implemented malware protection method to protect at least a subset of a set of computer systems from a malware, the method comprising: accessing a model of the set of computer systems; simulating a propagation of the malware through the set of computer systems using the model, wherein the simulating comprises any one of the methods set out above; and identifying one or more malware protection measures to be deployed to one or more of the set of computer systems based on the simulating. The method may include deploying the one or more malware protection measures to the one or more computer systems.
In accordance with a third aspect of the invention, there is provided a system including one or more processors and a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to perform any one of the methods set out above.
In accordan