Algebraic Structures Induced by the Insertion and Detection of Malware

Abstract

Since its introduction, researching malware has had two main goals. On the one hand, malware writers have been focused on developing software that can cause more damage to a targeted host for as long as possible. On the other hand, malware analysts have as one of their main purposes the development of tools such as malware detection systems (MDS) or network intrusion detection systems (NIDS) to prevent and detect possible threats to the informatic systems. Obfuscation techniques, such as the encryption of the virus’s code lines, have been developed to avoid their detection. In contrast, shallow machine learning and deep learning algorithms have recently been introduced to detect them. This paper is devoted to some theoretical implications derived from these investigations. We prove that hidden algebraic structures as equipped posets and their categories of representations are behind the research of some infections. Properties of these categories are given to provide a better understanding of different infection techniques.

1. Introduction

Nowadays, the daily life of human being is significantly affected by computers and informatic systems, making cybersecurity one of the main concerns to be addressed by government agencies and companies to protect users from diverse threats arising from Internet use. Such threats are mainly provoked by malware, i.e., a malicious software designed to perform some unauthorized, often harmful or undesirable acts. Computer viruses, trojan horses, worms, and ransomware are examples of malware [1,2,3,4].

According to Cohen [5], who is considered the pioneer researcher in computer viruses, a virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself. Cohen wrote the first program of this type which is currently known as the Stoned boot virus. Another example of a computer virus is Stuxnet [6] considered the first cyber-warfare weapon ever.

Perhaps the simplest kind of malware is a Trojan horse which tries to appeal to and interest the user with some useful functionality to entice the user to run the program. In particular, they have been used to steal passwords. Rootkits, AIDS TROJAN DISK, Qbot (malware specialized in stealing user data) and TrickBot (malware focused on stealing financial data) are examples of Trojan horses.

Worms are also examples of malware. They are network viruses, primarily replicating on networks. Usually, these programs execute themselves automatically on a remote machine with minimal user intervention. Particularly, worms do not require a host program. SQL Slammer, Melissa (which is a macrovirus), Morris, as well as Netbus, Subseven, Deep Throat, Back Orifice and Concept, are some of the most known worms [1].

Ransomware is a kind of malware which encrypts data on a computer to prevent users from accessing their computer files or systems. Cybercriminals hold the data until a ransom is paid. It is worth pointing out that the FBI has observed that one of the most frequent attacks carried out over the last few years by cybercriminals is realized via some ransomware. Wannacry, LockBit, Cryptolocker, Sodinokibi/REvil, and Phobos are examples of this type of attack. According to Ploszek et al. [7], crypto Ransomware is the most dangerous among the different Ransomware attacks. These attacks allow the encryption of images, videos and any valuable user files.

At the beginning of the antivirus industry, malware detection was based on heuristic features that identified particular malware by creating a reliable fingerprint. During the detection, an antiviral engine checked the presence of the malware fingerprint in a file against known malware fingerprints stored in the antivirus database. String Scanning, Wildcards and Mismatches are examples of the first virus detection programs. Wildcards were used to detect the metamorphic virus w32/Regswap. These techniques allowed finding the sequence 83EB 0274 1683 EBOE 74OA 81EB 0301 0000 which identifies the w32/Beast virus [1].

Fingerprints associated with infected files were sensitive to small changes in files. Furthermore, malware writers invented metamorphic and polymorphic viruses, which give rise to hundreds of thousands of new virus versions, making the previous detection approaches ineffective. In this line, malware detection systems have been developed based on traditional machine learning (support vector machines, decision trees, naive Bayes classifier, etc.) and deep learning algorithms based on recurrent neural networks (RNNs) [8,9].

It is worth pointing out that several authors need to be more convinced of the RNN’s effectiveness for intrusion detection due to their vulnerability against adversarial attacks. These authors have preferred the use of images and to train convolutional neural networks to learn feature malware [10,11,12]. Another advancement in dealing with the use of machine learning in NIDS was proposed by Iglesias and Criado [13], who used time series, visibility graphs and multiplex networks to analyze the behavior of attackers’ computers. They pointed out that tools such as Snort used to analyze network traffic and protocol have disadvantages (e.g., no zero-day attacks detection [14]) to network intrusion detection.

Kaspersky [15] developed detection malware tools based on machine learning techniques. In such a case, hash functions, and unsupervised learning confluent to extract file features that can be computed quickly and directly retrieved from the structure of the executable, like a file format description. Authors refer to [16,17] for good surveys regarding recent trends of the deep learning use for malware detection, in particular, for descriptions of cloud-based malware detection, mobile-device-based malware detection, and IoT-based malware detection.

1.1. Motivations

Currently, there needs to be more malware investigations dealing with its relation to the theory of representation of algebras. A comprehensive algebraic study of malware insertion detection will give rise to a better understanding of different cyber-attacks; works in this direction have been proposed by Webster [18]. This paper proves that attacks of type Linux/Slapper or Scalper and some other metamorphic attacks in confluence with detection techniques as those presented by Kaspersky based on machine learning methods give rise to categories of representations of partially ordered sets. In particular, obfuscation techniques associated with metamorphic attacks define categorical equivalences between these categories.

1.2. Contributions

The main results of this paper are Theorems 2–4, and Corollary 1. Theorems 2 and 3 prove that some malware insertion-detection algorithms associated with some hierarchical attacks define particular families of partially ordered sets (posets).

Corollary 1 proves that posets introduced in Theorem 3 define hierarchical attacks without hidden malware.

Theorem 4 proves that malware insertion-detection algorithms give rise to categorical equivalences between categories of representations of posets.

This paper is structured as follows; Main definitions and notation are given in Section 2, we present an overview of definitions and notation regarding malware (Section 2.1) and posets (Section 2.2). We present the main results in Section 3. Section 4 gives an example of the results obtained in Section 3. Concluding remarks are given in Section 5.

2. Preliminaries

This section is devoted to revising basic definitions and notation regarding malware insertion and detection, as well as, partially ordered sets and their $\mathbb{F}$-linear representations [1,2,3,4,19,20,21,22].

2.1. Malware

As explained in the introduction, malware is malicious software designed to perform some unauthorized, often harmful or undesirable acts [1]. The development of malware research has encouraged the introduction of sophisticated infection-detection malware techniques. Recently discovered computer viruses and worms such as Stuxnet [6] and its variations are examples of the research progress on the subject.

2.1.1. Computer Viruses

The typical structure of a computer virus consists of the following three subroutines [1]:

• Infect-executable. This routine finds available executable files to infect them by copying its code.
• Do-damage or Payload. This is responsible for delivering the malicious part of the virus.
• Trigger-Pulled. Determines whether all the conditions required to deliver the payload are satisfied.

In the earlier stages of the antivirus industry, malware detection on computers had as a main goal to create a reliable fingerprint of a malicious file via its heuristic features. For instance,

• Code fragments.
• Hashes of code fragments or the whole file.
• File properties.
• Combinations of these features.

The obtained fingerprint is compared with those stored in an antivirus database. However, malware writers introduced new versions of code virus for which the fingerprint approach is inefficient. Currently, computer viruses include decryptors to hide their functionality, encryption keys can be generated in different ways, such as constant, random but fixed, sliding, and shifting, often the encryption is carried out by applying an xor operation (e.g., W95/Memorial virus). However, other encryption techniques dealing with symmetry key cryptography (e.g., the IDEA family of viruses) and public-key cryptography have been used to encrypt viruses. Polymorphic and metamorphic computer viruses are examples of the use of decryptors.

Polymorphic viruses can mutate their decryptors to a high number of different instances that can take millions of different forms. The 1260 virus is an example of a polymorphic virus, it includes two sliding keys to decrypt its body and some junk instructions, which are nothing but garbage in the code [1].

Metamorphic viruses create new virus generations that look different. They have one single-code body that carries data as code.

Formally speaking a metamorphic virus can be defined as follows [4]:

Let ${\Psi }_P(d,p)$ be a function computed by a computer program P. Then a pair v and $v^{\prime }$ of recursive functions are said to be a metamorphic virus if it satisfies the following identities:

$${\Psi }_{v\left(\delta \right)}(d,p)=\left\{\begin{array}{cc}D(d,p),\hfill & \mathrm{if}T(d,p),\hfill \\ {\Psi }_{\delta }(d,p\left(v^{\prime }\left(S\left(p\right)\right)\right)),\hfill & \mathrm{if}I(d,p),\hfill \\ {\Psi }_{\delta }(d,p)\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

and

$${\Psi }_{v^{\prime }\left(\delta \right)}(d,p)=\left\{\begin{array}{cc}{D}^{\prime }(d,p),\hfill & \mathrm{if}T(d,p),\hfill \\ {\Psi }_{\delta }(d,p\left(v^{\prime }\left(S^{\prime }\left(p\right)\right)\right)),\hfill & \mathrm{if}{I}^{\prime }(d,p),\hfill \\ {\Psi }_{\delta }(d,p)\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

where $(d,p)$ is a running environment consisting of data d and programs p stored on computers. $D(d,p)$, $D^{\prime }(d,p)$, and $S\left(p\right)$ are recursive functions. Whereas, $T(d,p)$ is called the injury condition and $I(d,p)$, $I^{\prime }(d,p)$ are called infection conditions.

The difference between polymorphic and metamorphic viruses is that each form of a polymorphic virus has the same kernel and forms associated with metamorphic viruses have their own kernel.

As an example, the following are two generations of the metamorphic virus W95/Regswap:

1.

5A                pop   edx                        58                   pop, eax

2.

BF04000000      mov   edi, 0004h               BB04000000      mov   ebx, 0004h             

3.

8BF5            mov  esi, ebp                    8BD5              mov  edx, ebp

4.

B80C000000     mov   eax, 000Ch            BF0C000000     mov   edi, 000Ch

5.

81C288000000  mov   add, edx, 0088h      81C088000000   mov   add, eax, 0088h

6.

8B1A            mov  ebx, [edx]                8B30                 mov  esi, [eax]

7.

899C8618110000   mov   [$\delta$]                      89B4BA18110000   mov  [${\delta }^{\prime }$]

8.

$\delta =$esi+eax*4+00001118, ebx      ${\delta }^{\prime }=$edx+edi*4+00001118, esi.

Figure 1 shows examples of different generations produced by metamorphic viruses.

Konstantinou [4] implemented a Hidden Markov Method to detect metamorphic attacks. He implemented (via a virus construction kit) code obfuscation techniques, like instruction reordering and garbage insertion, to produce the metamorphic versions of a virus. We remind the readers that, instruction substitution, instruction permutation, garbage code, variable substitution, and altering control flow are examples of obfuscation techniques. They have been used by viruses and worms as Evol (2000), Zmist, Zperm, Regswap, and Methaphor [1,2,3,4].

Some computer worms like Linux/Scalper develop so-called hierarchical attacks to control remote networks. In such a case, each infected node receives crucial information, such as the IP address of the adversary host and the addresses of the infected nodes. This type of information is provided to the remaining nodes until all target network nodes are infected.

Classical approaches to detect malware based on its fingerprint became ineffective due to its vulnerability to zero-day attacks. Recently, Kaspersky [15] implemented machine learning methods to detect packed routines. Their method consists of analyzing file features resistant to small changes. According to this approach, the machine learns suitable hash values $h\left(x\right)$ associated with scanned files, and a similarity function is defined to determine whether or not two of these files are similar.

Similar files constitute a so-called hash bucket. These hash buckets classify the scanned files into two regions, named simple regions or hard regions. Files in simple regions of a hash bucket are either pure benign or pure malware, and no further feature analysis is required. Similarity pairs in these regions are of the form $(h\left(x_1\right),0)$ or $(0,h\left(x_2\right))$. In hard regions of a hash bucket, the files can be benign and malware, and deep feature analysis is developed for more precise detection. Similarity pairs in hard regions are of the form $(h\left(x_1\right),h\left(x_2\right))$.

Suppose the infection builds a hierarchical network, as in the case of a scalper attack. Each node contains benign and malware files in simple and hard regions. If vectors consisting of bits are used to denote such files, then a fixed node $N_i$ has a structure $\mathfrak{c}\left(N_i\right)$ of the form.

$$\begin{array}{cc}\hfill \mathfrak{c}\left(N_i\right)& ={\mathfrak{S}}_i\cup {\mathfrak{H}}_i,1\le i\le s_i,f_{rs},g_{ln},h_{l^{\prime }n}\in \{0,1\}.\hfill \\ \hfill {\mathfrak{S}}_i& =\{f_{1i},f_{2i},\dots ,f_{mi}\}.\hfill \\ \hfill {\mathfrak{H}}_i& =\{(g_{l_1\left((t_i+j)\right)},h_{l_1^{\prime }\left((t_i+j)\right)}),(g_{l_1+1\left((t_i+j)\right)},h_{l_1^{\prime }+1\left((t_i+j)\right)}),\dots ,(g_{l_1+r_i\left((t_i+j)\right)},h_{l_1^{\prime }+r_i\left((t_i+j)\right)})\},\hfill \\ \hfill {\mathfrak{H}}_{i,1}& =\{g_{l_1\left((t_i+j)\right)},g_{l_1+1((t_i+j)},\dots ,g_{l_1+r_i\left((t_i+j)\right)}\},\hfill \\ \hfill {\mathfrak{H}}_{i,2}& =\left\{h_{l_1^{\prime }\left((t_i+j)\right)}\right),h_{l_1^{\prime }+1\left((t_i+j)\right)}),\dots ,h_{l_1^{\prime }+r_i\left((t_i+j)\right)}\left)\right\}.\hfill \end{array}$$

(1)

where ${\mathfrak{S}}_i$ (${\mathfrak{H}}_i$) denote the set of simple (hard) files contained in $N_i$. It is assumed that all the files have the same size.

Figure 2 shows the entries of the matrix $\mathfrak{c}\left(N_i\right)=\left(\begin{array}{cc}{\mathfrak{S}}_i& 0\\ 0& {\mathfrak{H}}_{i,1}\\ 0& \mathbf{i}{\mathfrak{H}}_{i,2}\end{array}\right)$ of the node $N_i$, where ${\mathfrak{S}}_i$, ${\mathfrak{H}}_{i,1}$ and ${\mathfrak{H}}_{i,2}$ are matrix blocks of suitable size associated with files ${\mathfrak{S}}_i$ and ${\mathfrak{H}}_i$ (see identities (1)). In this case, we add as many zeroes as possible to satisfy restrictions related to the inclusion of garbage instructions and size of the files. We also assume the notation $g+\mathbf{i}{h}^{\prime }$ for each pair of the form $(g,h^{\prime })$.

Obfuscation techniques as xor and row and column permutations can be applied to the elements of the node $\mathfrak{c}\left(N_i\right)$ to obtain new versions of the detected viruses.

A node $N_i$ in a hierarchical attack is said to be strong (weak) if its files belong to a simple (hard) region. Files in a strong node are either of pure benign type or pure malware type. We let ⊙ (⊖) denote a strong ($weak$) node in a hierarchical attack.

Henceforth, we will assume that nodes associated with a hierarchical attack have the structure given by the matrix shown in Figure 2.

2.1.2. Using Information Theory to Detect and Insert Malware

As we have seen in previous sections, polymorphisms make infeasible static detection of viruses. We remind the reader that there are two kinds of polymorphisms (those obtained by data encryption and those obtained by data compressing). Machine learning methods have been developed to detect different file features such as N-grams, statistical features, and entropy. Particularly, entropy features are based on the entropy computation of the file or some of its areas. Bearing in mind that benign files tend to have low entropy values, whereas obfuscated or packed files tend to have high entropy values [23].

Lyda and Hamrock [24] introduced the idea of using entropy (over the entire file) to classify packed malware. It is worth noting that nowadays, distinguishing between packed and non-packed executable files is a strong line of investigation for malware analysts. For instance, Mantovani et al. [23] implemented a machine-learning classifier based on the union of features to identify different forms of packing. Lee et al. [25] used machine learning to recover original files from backup system files (infected with ransomware) via entropy techniques. Perdisci et al. [26] proposed studying specific packer features in the portable executable file format. Whereas, Ugarte-Pedrero et al. [27] suggested that entropy is the main feature of detecting packed files. They used the Zeus botnet, one of the first bot families to adopt low entropy packing schemes.

Raphel et al. [28] used entropy to recognize polymorphic samples which use xor-based encoders. Their approach is based on five steps (extraction of files or appropriated file fragments, computation and concatenation of such fragments, computation of the entropy for concatenated fragments and construction of a suitable similarity distance matrix).

We also recall that Lim et al. [29] proposed to analyze the different files as vectors or streams of bytes to analyze some statistical features.

Entropy has also been used as a helpful feature to insert malicious files. In such a case, the analyst splits a target file into shares or chunks to insert a low entropy pattern of bytes between each share; then, the malicious file is reconstructed in memory to bypass the action of high entropy file detectors. Menéndez et al. [30,31] used the entropy-based tools EnTS and EEE to detect and conceal malicious files into executables. They also used VirusTotal to reproduce the behavior of some anti-virus engines. Detect It Easy (DIE), PEiD, PackerID, NFD, ExeScan, and Manalyze are popular tools to analyze malware. In particular, DIE and PEiD have a component for entropy analysis [23,32].

Nowadays, an interesting problem in cryptography is proving the leakage resilience of cryptographic implementations. Side-channel attacks (SCA) may be one of these implementations’ most significant threats [33]. In this kind of attack, a secret key implemented in a device (e.g., a smart card) is retrieved by analyzing the side channel signals obtained from its physical implementation. Low entropy masking schemes (LEMS) have been introduced to guarantee high security against SCA attacks with less randomness than traditional masking schemes. Analysis of these types of schemes has been implemented by Li et al. [34], who studied leakage characteristics of multiplicative LEMS. Whereas Zhang et al. [35] trained deep learning assisted with a new metric to improve SCA attacks. Security of LEMS has also been studied by Grosso et al. [36], Ye et al. [37], and Zhang et al. [38].

Network security and channel capacity have been studied by Hua et al. [39], Adesso et al. [40], And Yilmaz et al. [41], who introduced a method to estimate the maximum amount of information leakage by some signals generated by the execution of some instructions in a processor.

2.2. Partially Ordered Sets and Their Representations

A partially ordered set or poset is a pair $(\mathcal{P},\le )$, where $\mathcal{P}$ is a possibly empty set endowed with a relation ≤, which is

• Reflexive, i.e., $x\le x$, for any $x\in \mathcal{P}$,
• Antisymmetric, i.e., $x\le y$ and $y\le x$ implies $x=y$, for any $x,y\in \mathcal{P}$.
• Transitive, i.e., $x\le y$ and $y\le z$ implies $x\le z$, for any $x,y,z\in \mathcal{P}$.

Henceforth, if there is no confusion, we will write $\mathcal{P}$ instead of the pair $(\mathcal{P},\le )$ to denote a poset.

Often, finite posets are described by their Hasse diagram, which is a system of sets with the form $\{\mathcal{P};{\mathfrak{C}}_r,\mathfrak{L}\}$, where r is a fixed positive real number (small enough) and for each point $p\in \mathcal{P}$, it is defined a unique point $(x_0,y_0)\in {\mathbb{R}}^2$ and a unique circle $c\in C_r$ with center $(x_0,y_0)$ and radius r.

The set $\mathcal{L}$ consists of non-horizontal lines connecting circles of $C_r$, according to the following rule:

• A line l connects two circles c and $c^{\prime }$ with centers $(x_0,y_0)$ and $(x_0^{\prime },y_0^{\prime })$ associated with points p and $p^{\prime }$ in $\mathcal{P}$ if and only if p and $p^{\prime }$ is a covering (i.e., if there is $z\in \mathcal{P}$ such that $x\le z\le y$ then $x=z$ or $y=z$).

As an example, Figure 3 shows a Hasse diagram of a finite partially ordered set $\mathcal{P}=\{a,b,c,d,e,f\}$ such that $a<d$, $b<d$, $b<e$, $c<e$, and $c<f$.

A poset $\mathcal{P}$ is said to be a chain if for pair of points $x,y\in \mathcal{P}$, it holds that $x\le y$ or $y\le x$ (i.e., any pair of points in a chain are comparable). A poset $\mathcal{P}$ is an antichain if its points are incomparable.

The width $w\left(\mathcal{P}\right)$ of a poset $\mathcal{P}$ is the size of its largest antichain (e.g., the width of a chain is 1).

If R is a commutative ring and $\mathcal{P}$ is a finite poset then a $\mathcal{P}$-subspace U is a system of modules with the form

$$U=(U_0;U_x\mid x\in \mathcal{P})$$

(2)

where $U_0$ is an R-module, $U_x$ is a submodule of $U_0$ for any $x\in \mathcal{P}$, and

$$U_x\subseteq U_y\mathrm{provided}\mathrm{that}x\le y\mathrm{in}\mathcal{P}.$$

(3)

If R is a field then a $\mathcal{P}$-subspace is said to be an R-linear representation (or representation) of the poset $\mathcal{P}$ [19,20,21,22].

If $U=(U_0;U_x\mid x\in \mathcal{P})$ and $V=(V_0;V_x\mid x\in \mathcal{P})$ are representations of a poset $\mathcal{P}$ then their sum $U\oplus V$ is a representation given by the following identity.

$$U\oplus V=(U_0\oplus V_0;U_x\oplus V_x\mid x\in \mathcal{P}).$$

(4)

The representation 0 has 0 as ground vector space. Furthermore, a representation U is said to be indecomposable if whenever $U=U_1\oplus U_2$ then either $U_1=0$ or $U_2=0$. Otherwise, U is said to be decomposable.

A morphism between two representations $U=(U_0;U_x\mid x\in \mathcal{P})$ and $V=(V_0;V_x\mid x\in \mathcal{P})$ is an R-linear map $\phi :U_0\to V_0$ such that $\phi \left(U_x\right)\subseteq V_x$. $\phi$ is an isomorphism if $\phi \left(U_x\right)=V_x$, for any $x\in \mathcal{P}$.

The composition of morphisms between representations is given by the usual composition of R-linear morphisms. The identity morphism associated with a representation U is denoted $1_U$ such that if $\phi :U\to V$ is a morphism then $\phi 1_U=\phi =1_V\phi$.

We let $\mathrm{rep}\mathcal{P}$ denote the category of representations of a poset $\mathcal{P}$, which is a Krull-Schmidt category.

$\underline{\dim }U$ denotes the dimension of a representation U of a poset $\mathcal{P}$. It is an integral vector of the form

$$\underline{\dim }U=(d_0;d_x\mid x\in \mathcal{P})$$

(5)

where $d_0$ is the dimension ${\dim }_R{U}_0$ of the vector space $U_0$ as vector space. Whereas, $d_x={\dim }_R{U}_x/{\displaystyle \sum _{z\in x_{▴}}}{U}_z$, for any $x\in \mathcal{P}$.

$$\begin{array}{cc}\hfill x_{△}& =\{z\in \mathcal{P}\mid z\le x\}, x_{▴}=x_{△}\setminus \left\{x\right\}.\hfill \\ \hfill x^{▿}& =\{z\in \mathcal{P}\mid x\le z\}, x^{▾}=x^{▿}\setminus \left\{x\right\}.\hfill \end{array}$$

(6)

One of the problems regarding the theory of representation of posets consists of giving a complete description of the indecomposable representations of the categories $\mathrm{rep}\mathcal{P}$ defined by finite posets $\mathcal{P}$.

Up-to-date, the algorithms of differentiation have been the main tool to classify posets, the algorithm of differentiation with respect to a maximal point introduced by Nazarova and Roiter and the algorithm of differentiation with respect to a suitable pair of points are the most remarkable algorithms to reach such a classification. They are functors with the main goal of reducing the dimension of the posets involved in the classification process.

The following is the definition of the algorithm of differentiation with respect to a suitable pair of points also known as $D-I$ or $DI$ [19]: Let a and b be two points in a finite poset ${\mathcal{P}}_{(a,b)}$ then the pair $(a,b)$ is said to be suitable for $DI$, if ${\mathcal{P}}_{(a,b)}$ can be written as a sum of the form

$${\mathcal{P}}_{(a,b)}=a^{▿}+b_{△}+C$$

(7)

where $C=c_1<c_2<\dots <c_n$ is an n-point chain ($n\ge 0$).

The derived poset ${\mathcal{P}}_{(a,b)}^{\prime }$ is a subset of the modular lattice generated by ${\mathcal{P}}_{(a,b)}$ such that

$${\mathcal{P}}_{(a,b)}^{\prime }=({\mathcal{P}}_{(a,b)}+C^{+}+C^{-}+b_{△})\setminus \left\{C\right\}$$

(8)

where $C^{+}$ and $C^{-}$ are n-point chains such that $C^{+}=c_1^{+}<c_2^{+}<\dots <c_n^{+}$, and $C^{-}=c_1^{-}<c_2^{-}<\dots <c_n^{-}$. $c_i^{-}<c_i^{+}$ for all $1\le i\le n$, $a<c_1^{+}$. Points in $\mathcal{P}\setminus \left\{C\right\}$ inherit the relations given by ${\mathcal{P}}_{(a,b)}$. In particular, relations between these points and points $c_i^{+}$ and $c_i^{-}$ are given by the relations between them and points $c_i$.

Figure 4 shows Hasse diagrams of a poset ${\mathcal{P}}_{(a,b)}$ with a suitable pair of points and its corresponding derived poset.

Differentiation $DI$ or $D_{(a,b)}:\mathrm{rep}{\mathcal{P}}_{(a,b)}\to \mathrm{rep}{\mathcal{P}}_{(a,b)}^{\prime }$ is defined by the following identities for a representation $U=(U_0;U_x\mid x\in {\mathcal{P}}_{(a,b)})$:

$$\begin{array}{cc}\hfill D_{(a,b)}\left(U\right)& =U^{\prime }=(U_0^{\prime };U_x^{\prime }\mid x\in {\mathcal{P}}_{(a,b)}^{\prime }),\hfill \\ \hfill U_0^{\prime }& =U_0,\hfill \\ \hfill U_{c_i^{+}}^{\prime }& =U_{c_i}+U_a,\hfill \\ \hfill U_{c_i^{-}}^{\prime }& =U_{c_i}\cap U_b,\hfill \\ \hfill U_x^{\prime }& =U_x,\mathrm{for}\mathrm{the}\mathrm{remaining}\mathrm{points}x\in {\mathcal{P}}_{(a,b)}^{\prime },\hfill \\ \hfill {\phi }^{\prime }& =\phi \in {\mathrm{Hom}}_R(U,V),\mathrm{for}\mathrm{any}\mathrm{morphism}\text{-}\mathrm{linear}\mathrm{transformation}\phi :U\to V\in \mathrm{rep}\mathcal{P}.\hfill \end{array}$$

(9)

The following theorem is the main result regarding $DI$. For each i, $1\le i\le n$, $p(a,c_i)=(U_0;U_x\mid x\in {\mathcal{P}}_{(a,b)})$ is an indecomposable representation for which, $U_0=R$ is a field. $U_x=R$ is a field, for any $x\in {\{a,c_i\}}^{▿}$. It is zero for the remaining points in the poset.

Theorem 1

(Theorem 5.6, [19]). The two-point differentiation with completion functor $F_{(a,b)}=C_{(a,b)}{D}_{(a,b)}$ induces a categorical equivalence between quotient categories

$$\mathrm{rep}\mathcal{P}/\langle p(a,c_1),p(a,c_2),\dots ,p(a,c_n)\rangle \stackrel{\sim }{\to }\mathrm{rep}{\overline{\mathcal{P}}}_{(a,b)}^{\prime }/\langle p\left(a\right)\rangle .$$

(10)

where $\langle p(a,c_1),p(a,c_2),\dots ,p(a,c_n)\rangle$ ($p\left(a\right)$) is the ideal consisting of morphisms which pass through direct sums of objects $p(a,c_i)$ ($p\left(a\right)$).

The Matrix Problem

The indecomposable representations of a poset $\mathcal{P}$ can be obtained as solutions of a matrix problem. To do that, we note that each representation of $\mathcal{P}$ gives rise to a matrix $M=M_{\mathcal{P}}$ (a matrix representation) whose columns are partitioned into strips $M_x$ labeled by the points of the poset. Columns contained in the strip associated $M_x$ consists of coordinates with respect to a fixed basis $\mathcal{B}$ of $U_0$ of generators of the subspace $U_x$. In this case, if $C_x$ is the set of columns in the strip $M_x$ then $span{C}_x=U_x$.

If M and $M^{\prime }$ are matrix representations of a poset $\mathcal{P}=\{x_i\mid 1\le i\le n\}$ with $M=\begin{array}{|ccc|}\hline M_{x_1}& \dots & M_{x_t}\\ \hline\end{array},$ $M^{\prime }=\begin{array}{|ccc|}\hline M_{x_1}^{\prime }& \dots & M_{x_t}^{\prime }\\ \hline\end{array}$ then the direct sum $M\oplus M^{\prime }$ of M and $M^{\prime }$ is given by the formula

$$M\oplus M^{\prime }=\begin{array}{|ccccccc|}\hline M_{x_1}& ⋮& 0& \dots & M_{x_t}& ⋮& 0\\ 0& ⋮& M_{x_1}^{\prime }& \dots & 0& ⋮& M_{x_t}^{\prime }\\ \hline\end{array}$$

Two representations M and $M^{\prime }$ are said to be equivalent if one can be obtained from the other using the following admissible transformations:

• Elementary transformations of rows of the whole matrix.
• Elementary column transformations of the columns within each vertical strip.
• Addition of columns of a strip $M_{x_i}$.

Equivalent matrices give rise to isomorphic representations of the associated poset.

3. Main Results

We remind readers that an equipped poset $\mathfrak{P}$ is a poset whose points define a partition of the form $\mathfrak{P}={\mathfrak{P}}^{\ominus }+{\mathfrak{P}}^{\odot }$. If $x\in {\mathfrak{P}}^{\odot }$ ($x\in {\mathfrak{P}}^{\ominus }$) then x is said to be a strong point (weak point). Relations R in equipped posets are partitioned into two sets $R={\mathfrak{R}}^{\ominus }+{\mathfrak{R}}^{\odot }$, if a pair $(x,y)\in {\mathfrak{R}}^{\odot }$ ($(x,y)\in {\mathfrak{R}}^{\ominus }$) then we write $x⊴y$ ($x⪯y$). In such a case if $x\le y$, i.e., $(x,y)\in R$ and $y⊴z$, i.e., $(y,z)\in {\mathfrak{R}}^{\circ }$ then $x⊴z$. Also, if $x⊴y\le z$ then $x⊴z$ [20,22].

We assume that the hierarchical attack (see Figure 2) model satisfies the following additional condition:

1.

All the files associated with the malware infecting a network belong to an isolated strong node denoted M.

2.

Each infected node x is encoded by finite sets of $\{0,1\}$-vector columns, ${\mathfrak{S}}_x\cup {\mathfrak{H}}_x$. Columns in ${\mathfrak{S}}_x$ encode either benign files or malware. Columns in ${\mathfrak{H}}_x$ encode hidden malware in hard regions.

3.

The files in the malware node M are distributed among a fixed set of weak nodes $N_0,N_1,N_2,\dots N_n$, where $N_0$ denotes the initial stage of the infection (hidden malware associated with hard regions are contained in ${\mathfrak{H}}_0$). $\mathfrak{c}\left(N_j\right)={\mathfrak{S}}_j\cup {\mathfrak{H}}_j\subset {\mathfrak{S}}_{j+1}\cup {\mathfrak{H}}_{j+1}$, for any $0\le j\le n-1$.

4.

If a node P in the attacked network is infected by a node $N_j$ for some $0\le j\le n$ then it holds that ${\mathfrak{S}}_0\cup {\mathfrak{H}}_0\subset {\mathfrak{S}}_p$, where P is encoded by ${\mathfrak{S}}_p\cup {\mathfrak{H}}_p$. Particularly, if P is also infected by a weak node $N_j$, it holds that either ${\mathfrak{S}}_j\cup {\mathfrak{H}}_j\subset {\mathfrak{S}}_p\cup {\mathfrak{H}}_p$ or ${\mathfrak{S}}_j\cup {\mathfrak{H}}_j\subset {\mathfrak{S}}_p$.

The following result proves that a hierarchical attack structured by matrices $\mathfrak{c}\left(N_i\right)$ (Figure 2) defines an equipped poset.

Theorem 2.

A hierarchical attack defined by a strong node M as defined above and weak nodes $N_0,N_1,\dots ,N_n$ with the structure given by a matrix $\mathfrak{c}\left(N_i\right)$ (see Figure 2) and conditions (1)–(4) defines an equipped poset.

Proof. 

We note that nodes in the infected network are the points in the equipped poset $\mathfrak{P}$. Strong nodes correspond to strong points, and weak nodes correspond to weak points in $\mathfrak{P}$. The stages of the infection start in $N_0$, continue to $N_1$ and so on. Since, for any pair of weak nodes $N_i$ and $N_j$, $i<j$ it holds that ${\mathfrak{S}}_i\cup {\mathfrak{H}}_i\subset {\mathfrak{S}}_j\cup {\mathfrak{H}}_j$ with $H_j\ne ⌀$ then $N_i$ and $N_j$ are weakly related. Moreover, $N_0,N_1,N_2,\dots ,N_n$ constitute a weak chain, in the sense that its points and relations between them are weak, we write $C=N_0⪯N_1⪯N_2\prec \dots \prec N_n$. Condition (3) proves that relations between weak points $N_j$ and another point in $\mathfrak{P}$ are either weak or strong. Whereas, relations between $N_0$ and points $x\in \mathfrak{P}\setminus C+M$ are strong. Finally, we note that by definition the strong point M is incomparable with the other points of the poset $\mathfrak{P}$. Therefore, $\mathfrak{P}$ can be written as a sum with the form $\mathfrak{P}=N_0^{▿}+C+M$. Where $N_0^{▿}=\{x\in \mathfrak{P}\mid N_0⊴x\}$. Figure 5 shows an example of an equipped poset induced by a hierarchical attack. Double (single) lines denote strong (weak) relations. In this case, N represents an arbitrary set of infected nodes related to the weak chain $N_0⪯N_1⪯\dots ⪯N_n$. □

If $N_x$ is a node infected by a hierarchical attack with files of type $f_{ij}$, $(g_{kl},h_{mn})$ for suitable indexes $i,j,k,l,m,n$, then $spa{n}_{{\mathbb{Z}}_2}\{f_{ij},g_{kl)},h_{mn}\}$ is said to be the hull of $N_x$, we let $\widetilde{U_{N_x}}$ denote the hull of the node $N_x$. Note that, $span\{{\mathfrak{S}}_x\cup {\mathfrak{H}}_x\}=U_x\subseteq \widetilde{U_{N_x}}$. $\widetilde{U_{N_x}}=U_{N_x}$ if and only if $N_x$ is strong.

$U_x^{-}$ denotes the strong subspace $span\left\{{\mathfrak{S}}_x\right\}$ of the subspace $U_x$. In such a case, $\widetilde{U_x^{-}}=spa{n}_{{\mathbb{Z}}_2+\mathbf{i}{\mathbb{Z}}_2}\left\{{\mathfrak{S}}_x\right\}$.

According to the definition of a hierarchical attack and its properties (1)–(4). We note that hidden malware associated with hard regions can be pinpointed by xoring files in $U_{N_0}$ with files in weak nodes $U_{N_j}$. In such a case, it is built the span sum $\widetilde{U_{N_0}}+U_{N_j}$, $0\le j\le n$.

The detection procedure determines the matrix $\mathfrak{D}$ shown in Figure 6, labeled above by the infected nodes ($N_i$, M and N) of a network. The bottom part (under the bold line) is labeled by corresponding symbols $N_i^{-},N_i^{+}$. Such symbols denote subspaces spanned by columns whose entries are elements over ${\mathbb{Z}}_2+\mathbf{i}{\mathbb{Z}}_2$. We let $U_x$ denote the subspace associated with a point x.

$U_{N_{i-1}^{-}}\subset U_{N_i^{-}}$, $1\le i\le n$ (these columns are denoted with the symbol ∗), these subspaces encode pure malware (and weak relations) associated with nodes $N_i$. $U_{N_j^{+}}\subset U_{N_{j+1}^{+}}$, $1\le j\le j-1$. Columns associated with symbols $H_i$ encode hidden malware pinpointed by the detection process. Such malware can be inserted into the node $N_0$ by adding some garbage entries denoted $\mathfrak{I}$ in the matrix $\mathfrak{D}$. Relations between subspaces associated with points $x\in \mathfrak{P}\setminus C=\{N_0⪯N_1⪯\dots N_n\}$ keep without changes their relations with the other points of $\mathfrak{P}$.

Relations between the infected files allow us to give the next result.

Theorem 3.

The insertion-detection matrix $\mathfrak{D}$ constitute an equipped poset ${\mathfrak{P}}^d=C^{+}+C^{-}+M+N$. Where, $C^{+}=N_0^{+}⊴N_1^{+}⪯\dots ⪯N_n^{+}$ and $C^{+}=N_0^{-}⪯N_1^{-}⪯\dots ⪯N_n^{-}$ are chains, M and N and their relations are defined as for the poset $\mathfrak{P}$.

Proof. 

By definition, point $N_0^{+}$ is a strong point. Furthermore, since files associated with the nodes $N_i^{-}$ constitute malware satisfying the condition $U_{N_{i-1}^{-}}\subset U_{N_i^{-}}$, $1\le i\le n$, then points $N_j^{-}$, $0\le j\le n$ constitute a weak chain. In particular, $N_j^{-}⪯M$, for any j. The same argument for subspaces $N_j^{+}$ allow us to infer that $N_0^{+}⊴N_1^{+}$. Since $N_i^{+}⪯N_{i+1}^{+}$, $1\le i\le n-1$, it holds that $N_0^{+}⊴N_i^{+}$. Moreover, $N_j^{-}⪯N_j^{+}⪯N_{j+1}^{+}$, for any $0\le j\le n-1$, $N_n^{-}⪯N_n^{+}$. Since relations between points $N_j^{-}$, $N_j^{+}$ and points in subset $N\cup \left\{M\right\}$ are inherited by the relations that these points have with points $N_0,\dots ,N_n$. The following Figure 7 shows the poset ${\mathfrak{P}}^d$ defined by the insertion-detection matrix $\mathfrak{D}$. □

Corollary 1.

The hierarchical attack defined by an equipped poset of type ${\mathfrak{P}}^d$ has no hidden malware.

Proof. 

The malware used in this type of attack is encoded by subspaces $U_{N_j^{-}}$ and $H_j$ which are induced by simple regions. □

In a more general setting, we can define a functor ${\mathcal{D}}_{(N_0,M)}$ induced by a hierarchical attack defined by an equipped poset of type $\mathfrak{P}$ and its associated detection algorithm defined by a corresponding equipped poset ${\mathfrak{P}}^d$. The following Figure 8 shows the poset $\mathfrak{P}$ and its detector ${\mathfrak{P}}^d$.

If we replace the field ${\mathbb{Z}}_2$ for the real numbers field and ${\mathbb{Z}}_2+\mathbf{i}{\mathbb{Z}}_2$ for the complex numbers field. Then $(\mathbb{R},\mathbb{C})$-column transformations between rows and columns of the matrices induced by the linear structure of posets $\mathfrak{P}$ and ${\mathfrak{P}}^d$ give rise to categories of representations of the equipped posets $\mathfrak{P}$ and ${\mathfrak{P}}^d$. In such a case, a representation U of an equipped poset $\mathfrak{P}$ is a system of $\mathbb{C}$-subspaces of the form $U=(U_0,U_x\mid x\in \mathcal{P})$, with $U_x\subseteq U_y$ ($\widetilde{U_x}\subset U_y^{-}$) provided that $x⪯y$ ($x⊴y$).

A morphism $\phi :U\to V$ between two representations U and V of an equipped poset $\mathcal{P}$ is a $\mathbb{C}$-linear transformation such that $\tilde{\phi }\left(U_x\right)\subset V_x$. Note that, $\tilde{\phi }(u+\mathbf{i}v)=\phi \left(u\right)+\mathbf{i}\phi \left(v\right)$, for any pair of appropriated vectors. $\phi$ is an isomorphism if and only if $\tilde{\phi }\left(U_x\right)=V_x$ for any $x\in \mathfrak{P}$.

Each representation U over the pair of fields $(\mathbb{R},\mathbb{C})$ of an equipped poset can be represented by a matrix $\mathfrak{M}$ with entries over $\mathbb{C}$ separated into vertical strips $({\mathfrak{M}}_x;x\in \mathfrak{P})$ labeled by the points of $\mathfrak{P}$. Columns in ${\mathfrak{M}}_x$ are generators of $U_x$.

The matrix problem associated with an equipped poset $\mathfrak{P}$ is defined as follows:

Two matrix representations of an equipped poset are said to be equivalent, if one can be obtained from the other via the following admissible transformations:

• Elementary transformations over $\mathbb{C}$ of rows of whole matrix.
• Elementary column transformations over $\mathbb{C}$ within each vertical strip.
• Additions of columns of a strip $M_x$ to the columns of $M_y$ if $x⪯y$.
• Independent additions of the real and imaginary part of the columns of a strip $M_x$ to the real and imaginary parts of a strip $M_y$ if $x⊴y$.

Note that, if $\mathfrak{P}=c_1\prec c_2\prec \dots c_{n-1}\prec c_n$ is a weak chain then ⌀, $\mathfrak{P}\left(c_i\right)$, $1\le i\le n$, $T\left(c_i\right)$, and $T(c_i,c_j)$, $1\le i<j\le n$ are its only indecomposable representations, where

• $P\left(c_i\right)=(\mathbb{C};{\left(P\left(c_i\right)\right)}_x\mid x\in \mathfrak{P})$, ${\left(P\left(c_i\right)\right)}_x=\mathbb{C}$, $x=c_j$, $i\le j$, ${\left(P\left(c_i\right)\right)}_x=0$, if $j<i$.
• $P(⌀)=(\mathbb{C};{\left(P\left(c_i\right)\right)}_x=0\mid x\in \mathfrak{P})$.
• $T\left(c_i\right)=(\mathbb{C};{\left(T\left(c_i\right)\right)}_x\mid x\in \mathfrak{P})$, ${\left(T\left(c_i\right)\right)}_x=span\left\{{(1,\mathbf{i})}^t\right\}$, $x=c_j$, $i\le j$, ${\left(T\left(c_i\right)\right)}_x=0$, if $j<i$.
• $T(c_i,c_j)=(\mathbb{C};{\left(T(c_i,c_j)\right)}_x\mid x\in \mathfrak{P})$, ${\left(T(c_i,c_j)\right)}_x=span\left\{{(1,\mathbf{i})}^t\right\}$, $x=c_s$, $i\le s<j$, ${\left(T(c_i,c_j)\right)}_x=\tilde{\mathbb{C}}=span\{{(1,0)}^t,{(0,1)}^t\}$, if $j\le s\le n$. ${\left(T(c_i,c_j)\right)}_x=0$, if $s<i$.

Theorem 4.

The insertion-detection matrix $\mathfrak{D}$ defined over the pair of fields $(\mathbb{R},\mathbb{C})$ associated with the equipped posets $\mathfrak{P}$ and ${\mathfrak{P}}^d$ induces the functor ${\mathfrak{D}}_{(N_0,M)}:\mathrm{rep}\mathfrak{P}\to \mathrm{rep}{\mathfrak{P}}^d$ such that for $U=(U_0;U_x\mid x\in \mathfrak{P})\in \mathrm{rep}\mathfrak{P}$ it holds that

$$\begin{array}{cc}\hfill {\mathfrak{D}}_{(N_0,M)}\left(U\right)& =(U_0^d;U_x^d\mid x\in \mathfrak{P}),\hfill \\ \hfill U_0^d& =U_0,\hfill \\ \hfill U_{N_i^{+}}^d& =\widetilde{U_{N_0}}+U_{N_i},0\le i\le n,\hfill \\ \hfill U_{N_i^{-}}^d& =U_{N_i}\cap U_M,0\le i\le n,\hfill \\ \hfill U_x^d& =U_x,\mathit{for}\mathit{the}\mathit{remaining}\mathit{points}x\in \mathfrak{P},\hfill \\ \hfill {\phi }^d:U^d\to V^d& =\phi :U\to V,\mathit{for}\mathit{any}\mathit{linear}\mathit{map}\text{-}\mathit{morphism}\phi :U_0\to V_0.\hfill \end{array}$$

(11)

Moreover, $D_{(N_0,M)}$ is a categorical equivalence between the quotient categories $\mathfrak{C}=\mathrm{rep}\mathfrak{P}/\mathcal{J}$ and ${\mathfrak{C}}^d=\mathrm{rep}{\mathfrak{P}}^d/{\mathcal{J}}^d$. Where, for fixed $U,V\in \mathrm{rep}\mathfrak{P}$, $\mathcal{J}$ is the ideal of $\mathrm{rep}\mathfrak{P}$ consisting of morphisms $\phi :U\to V$ that pass through direct sums of the indecomposable objects $P\left(N_0\right)$, $T\left(N_0\right)$, and $T(N_0,N_i))$, i.e., $\mathcal{J}=\langle P\left(N_0\right),T\left(N_0\right),T(N_0,N_i))\mid 1\le i\le n\rangle$. The ideal ${\mathcal{J}}^d$ is defined in the same fashion, i.e., ${\mathcal{J}}^d=\langle N_0^{+}\rangle$.

Proof. 

Firstly, we note that ${\mathfrak{D}}_{(N_0,M)}^d$ is an additive functor provided that for all morphisms $\phi :U\to V$ and $\psi :V\to W$, it holds that, ${\mathfrak{D}}_{(N_0,M)}^d\left(\psi \phi \right)\left(U_x\right)\subseteq W_x$, for any $x\in \mathfrak{P}$, $D_{(N_0,M)}^d\left(1_U\right)=1_{U^d}$, and for any $U,V\in \mathrm{rep}\mathfrak{P}$, $Hom(U,V)$ is a $\mathbb{C}$-vector space by definition.

Note that, for fixed $U,V\in \mathrm{rep}\mathfrak{P}$, it holds that, $J(U,V)\subset Hom(U,V)\subseteq Hom(U^d,V^d)$ and $\mathcal{J}(U,V)\subset {\mathcal{J}}^d(U,V)$. Moreover, if $[X,Y]$ denotes the morphism-subspace of $Hom(U,V)$ whose elements satisfy the condition

$$\phi \in [X,Y]\mathrm{if}\mathrm{and}\mathrm{only}\mathrm{if}X\supseteq \ker \phi \mathrm{and}\mathrm{img}\phi \subset Y.$$

(12)

Then it is easy to see that for fixed $U,V\in \mathrm{rep}\mathfrak{P}$, and a morphism $\phi :U\to V$ it holds that

$$\begin{array}{cc}\hfill Hom(U^d,V^d)& =Hom(U,V)+\mathcal{J}(U^d,V^d),\hfill \\ \hfill Hom(U,V)\cap \mathcal{J}(U^d,V^d)& =\mathcal{J}(U,V).\hfill \end{array}$$

(13)

Thus, any linear morphism $\delta :\mathfrak{C}(U,V)\to {\mathfrak{C}}^d(U^d,V^d)$ is an isomorphism.

The density of the functor ${\mathfrak{D}}_{(N_0,M)}$ follows from the same ideas used to carry out a hierarchical attack to the network defined by the equipped poset $\mathfrak{P}$. In such a case, we consider that $U_{N_0^{+}}^d=U_{N_0^{+}}^d\cap U_M\oplus X_0$, where $X_0$ is complementary subspace, $X_0=span\{z_1,z_2,\dots ,z_s\}$. For these vectors we define corresponding vectors $w_1,w_2,\dots ,w_s$.

We note that for each i, $1\le i\le n$. Any subspace $U_{N_i^{+}}^d$ of the poset ${\mathfrak{P}}^d\cup \{N_0^{+}⊴M\}$ can be written in the form

$$U_{N_i^{+}}^d=U_{N_{i-1}^{+}}^d\oplus U_{N_i^{-}}^d\oplus H_i\oplus Y_i$$

(14)

where $Y_i$ denotes an appropriated complementary subspace. Note that, $H_i\subset U_{N_0^{+}}\cap U_M$ (corresponds to hidden malware) and $U_{N_i^{-}}\subset U_M$ (corresponds to pure malware).

Let $\{h_{i1},h_{i2},\dots ,h_{i{n}_i}\}$ be a fixed basis then it is possible to define vectors of the form $e_{i1}+\mathbf{i}{h}_{i1},\dots ,e_{i{n}_i}+\mathbf{i}{h}_{i{n}_i}$, for some suitable vectors $e_{i1},\dots ,e_{i{n}_i}$.

Let ${\mathfrak{I}}_0=span\{w_1,\dots ,w_s,e_{i1},\dots ,e_{i{n}_i}\mid 1\le i\le n\}$ and $\{y_{i1},\dots ,y_{i{m}_i}\}$ a basis of the subspace $Y_i$ then the representation $L\in \mathrm{rep}\mathfrak{P}$ such that

$$\begin{array}{cc}\hfill L_0& =U_0^d\oplus {\mathfrak{I}}_0,\hfill \\ \hfill L_{N_0}& =U_{N_0^{+}}^d\cap U_M\oplus span\{z_1+\mathbf{i}{w}_1,z_2+\mathbf{i}{w}_2,\dots ,z_s+\mathbf{i}{w}_s\}\oplus \underset{j=1}{\sum ^{n_i}}\underset{i=1}{\sum ^n}{e}_{ij}+\mathbf{i}{h}_{ij},\hfill \\ \hfill L_{N_i}& =U_{N_{i-1}}\oplus U_{N_i^{-}}^d\oplus H_i\oplus \underset{j=1}{\sum ^{n_i}}\underset{i=1}{\sum ^n}{e}_{ij}+y_{ij},\hfill \\ \hfill L_x& =U_x^d\mathrm{for}\mathrm{the}\mathrm{remaining}\mathrm{points}x\in \mathfrak{P}.\hfill \end{array}$$

(15)

is such that $L^d=U^d\oplus {\left(P\left(N_0^{+}\right)\right)}^{{\dim }_{\mathbb{C}}{\mathfrak{I}}_0}$. We are done. □

4. Experimental Data

This section applies Theorems 3 and 4 and Corollary 1 to insert and detect images. Firstly, we show a 256 × 256 original image I extracted from specialized datasets such as FERET and Kagle. We then create subspaces associated with a poset $\mathcal{P}=N_0\prec N_1\prec N_2\prec N_3\prec N_4\prec N_5\cup \left\{M\right\}$ as follows:

• The subspace $U_{N_0}$ associated with the weak point $N_0$ is given by a linear combination of images with the form

  $$U_{N_0}=\underset{i=0}{\sum ^9}D{W}_{(0,i)}+A_{10}+0.01M_{10}$$

  (16)

  where $D{W}_{(0,i)}={\alpha }_i{A}_i+{\beta }_i{M}_i$, $0.01\le {\alpha }_i,{\beta }_i\le 0.02$.
• For $1\le j\le 5$, each subspace $U_{N_j}$ (associated with a weak point $N_j$) is given by linear combinations of images with the form

  $$U_{N_j}={\gamma }_j{N}_{j-1}+{\delta }_j{M}_{10+j}+A_{10+j},0.01\le {\gamma }_j,{\delta }_j\le 0.02.$$

  (17)
  The embedded images $M_j$, $0\le j\le 15$ span the subspace $U_M$ (associated with the strong point M). They are considered malware for images $A_j$, the construction of the subspace $U_{N_j}$ is considered the infection stage.
• For the detection process, we note that the subspaces $U_{N_j^{-}}$ are given by the images $M_{10+j}$ (i.e., $U_{N_j^{-}}=span\left\{M_{10+j}\right\}$), $1\le j\le 5$. These constructions constitute the first step for the detection process.
• The second step of the detection process consists on building subspaces $U_{N_j^{+}}$ given by linear combinations of images with the form

  $$U_{N_j^{+}}=\underset{i=0}{\sum ^{10+j}}{\alpha }_j{A}_j+\underset{i=0}{\sum ^{10+j}}{\delta }_j{M}_j.$$

  (18)
  If $t\in \{0,\dots ,5\}$ and for $0\le j\ne t\le 5$, it holds that $0.01\le {\delta }_j\le 0.02$, ${\delta }_t=1$ then $U_{N_j^{+}}$ reveals $M_t$ as a kind of malware infecting the image, $A_j$.

Figure 9, Figure 10, Figure 11, Figure 12, Figure 13 and Figure 14 show examples of images $A_j$ (original images), associated with subspaces $U_{N_j}$, $U_{N_j^{-}}$ (first step), and $U_{N_j^{+}}$ (denoted $H_j$ in the second step) for $0\le j\le 5$. We compare the associated histograms. We note that the histograms associated with the second step suggest embedded malware.

5. Concluding Remarks and Future Work

Hierarchical attacks designed for peer-to-peer remote control via metamorphic worms induce different algebraic structures. On the one hand, the infection process defines so-called equipped posets. These posets constitute a mathematical model of a hierarchical attack where the nodes are either weak or strong, accordingly of whether the node represents an infection with either hidden malware or pure malware. Pure malware is relatively easy to detect, whereas hidden malware requires deep scanning analysis. Modeling such an analysis gives rise to categories of representations of equipped posets over the pair of fields $(\mathbb{R},\mathbb{C})$, and malware insertion-detection defines a categorical equivalence between quotient categories.

Future Work

Since this work focuses on the algebraic properties of hierarchical attacks, it remains an open problem to determine the properties associated with more general types of infections and NIDS based on deep learning algorithms.

Another task to develop in the future is to apply the proposed theoretical framework to the real field of the intrusion and detection of malware.