WO2016027292A1 - Analysis apparatus, analysis method and computer-readable recording medium - Google Patents
Analysis apparatus, analysis method and computer-readable recording medium
- Publication number
- WO2016027292A1 (PCT/JP2014/004320)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- behavior
- knowledge information
- analysis apparatus
- relationship
- information
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2455—Query execution
- G06F16/24553—Query execution of query operations
- G06F16/24558—Binary matching operations
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- the present invention relates to an analyzer, an analysis method, and a computer-readable recording medium.
- IDS: Intrusion Detection System
- SIEM: Security Information and Event Management
- Patent Document 1 describes a system for protecting a computer from malware.
- the system described in Patent Literature 1 collects local machine events and aggregates a knowledge base from anti-malware services and other event detection systems to protect computers from malware in advance.
- Patent Document 2 describes a method for monitoring the behavior of suspected malware, in which a plurality of activities executed on a computer system within a predetermined time frame are monitored during installation of a suspect file.
- Patent Document 3 describes a malware detection system and the like.
- the system described in Patent Document 3 receives an assembly language sequence from a binary file, identifies an instruction sequence from the assembly language sequence, and classifies the instruction sequence according to the knowledge base of the expert system.
- Patent Document 4 describes an analysis system that estimates an illegal software input path to an execution device that executes software.
- each patent document only presents information on detected events when a security problem in an information system to be monitored is detected. That is, it is difficult for the techniques described in each patent document to provide information on an attacker's intention and purpose when a security problem in an information system to be monitored is detected.
- the present invention has been made to solve the above-mentioned problems, and its main object is to provide an analysis apparatus, an analysis method, and a computer-readable recording medium that can obtain information on the attacker's intention and purpose.
- the analysis apparatus includes a purpose estimation unit that estimates a behavior purpose based on predetermined behavior in a computer and knowledge information including a relationship between the behavior and a purpose of executing the behavior.
- each component of each device represents a functional unit block.
- Each component of each device can be realized by any combination of an information processing device 50 and software as shown in FIG. 3, for example.
- the information processing apparatus 50 includes, for example, a CPU (Central Processing Unit) 51, a ROM (Read Only Memory) 52, a RAM (Random Access Memory) 53, a program 54 loaded in the RAM 53, a storage device 55 for storing the program 54, a drive device 57 that reads from and writes to a storage medium 56, a communication interface 58 that connects to a network 59, an input/output interface 60 that inputs and outputs data, and a bus 61 that connects each component.
- each device can be realized as a dedicated device.
- Each device can be realized by a combination of a plurality of devices.
- FIG. 1 is a diagram illustrating a configuration of an analysis apparatus and an analysis system including the analysis apparatus according to the first embodiment of the present invention.
- FIG. 2 is a diagram illustrating another configuration of the analysis apparatus and the analysis system including the analysis apparatus according to the first embodiment of the present invention.
- FIG. 4 is a diagram illustrating an example of a behavior pattern used by the analysis apparatus according to the first embodiment of the present invention.
- FIG. 5 is a diagram illustrating an example of a relationship between a behavior pattern and a purpose used by the analysis apparatus according to the first embodiment of the present invention.
- FIG. 6 is a diagram illustrating an example of knowledge information used by the analysis apparatus according to the first embodiment of the present invention.
- FIG. 7 is an example of the purpose for the behavior estimated by the analysis apparatus according to the first embodiment of the present invention.
- FIG. 8 is a flowchart showing the operation of the analyzer according to the first embodiment of the present invention.
- FIGS. 9 and 10 are diagrams showing a configuration of a modified example of the analyzer according to the first embodiment of the present invention.
- FIGS. 11 and 12 are diagrams showing the configuration of another modified example of the analyzer according to the first embodiment of the present invention.
- the analysis apparatus 100 includes a purpose estimation unit 110.
- the purpose estimation unit 110 estimates the purpose of the predetermined behavior based on the predetermined behavior in the computer and the knowledge information including the relationship between the predetermined behavior and the purpose of executing the predetermined behavior.
- the analysis apparatus 100 can be configured to include a knowledge information storage unit 120 that stores the knowledge information including the relationship between the behavior and the purpose of executing the behavior, as shown in FIG.
- the purpose estimation unit 110 estimates the purpose of the behavior using the knowledge information stored in the knowledge information storage unit 120.
- the analysis apparatus 100 is not limited to such a configuration, and may have an arbitrary configuration in which knowledge information can be used by the purpose estimation unit 110.
- the knowledge information is information used when the analysis apparatus 100 estimates the purpose for the behavior.
- the knowledge information includes at least a certain behavior, a purpose for the behavior, and a relationship between the behavior and the purpose.
- the behavior is, for example, some operation in a computer connected to a network, and more specifically, a characteristic operation performed by malicious software such as malware.
- the behavior that is mainly targeted by the analysis apparatus 100 is, for example, the behavior of malware detected by the detection device 150 that detects the operation of malware or the like.
- the detection device 150 is, for example, the IDS or SIEM tool described above, and detects the operation of malware or the like using a known method. For example, the detection device 150 detects the operation of malware or the like by determining whether or not the operation recorded in the malware operation log 151 has a pattern corresponding to the behavior pattern in which the behavior of the malware is recorded.
- the malware operation log 151 includes a record of computer operations such as network communication performed when malware is operated, API (Application Programming Interface) calls, and access to files and memory.
- the detection device 150 can also detect the operation of malware or the like by reading the communication content in the network 152 and determining whether or not the read operation has a pattern corresponding to the behavior pattern.
- FIG. 4A is an example of the malware operation log 151.
- FIG. 4B is an example of a behavior pattern used in the detection device 150.
- the behavior pattern is one or more behaviors of malware to be detected by the detection device 150.
- the detection device 150 indicates that the operation of the malware or the like has been detected and indicates the corresponding behavior.
- the “Action” of the operation L01 described in the malware operation log shown in FIG. 4A is “Wait”, which matches the “Action” of the behavior pattern P01.
- the “Duration” value “4948” is larger than the “DurationMin” value 300 of the behavior pattern P01 and smaller than the “DurationMax” value “86400”. Therefore, this operation L01 corresponds to the behavior pattern P01 shown in FIG.
- the detection device 150 outputs information indicating that the operation of the malware has been detected in an arbitrary format together with the behavior pattern P01 shown in FIG.
- the purpose is a matter that an attacker who uses, for example, malware tries to realize by executing the above-described behavior in a computer.
- the purpose is not limited to items related to the components and operations of the information system and the like.
- the analysis apparatus 100 can handle a matter that does not describe the components or operations of the information system at all, such as a “personal information sales business”. That is, the purpose in the present embodiment can include social achievements such as making money.
- the attacker is a person who intends to cause some harm to the network or the information system, for example.
- the relationship between the behavior and the purpose of executing the behavior is a relationship that links the behavior described above and the purpose of the attacker performing the behavior using malware.
- the above-described purpose is realized by one or more functions.
- the above-described behavior can be considered as a part of a certain function. Therefore, the relationship between a behavior and the purpose of executing that behavior is not limited to the case where they are directly linked. That is, a relationship between a behavior and a purpose of executing the behavior may be expressed using a relationship between the behavior and a function realized by the behavior and a relationship between the function and the purpose of executing the function.
- the knowledge information includes a function, a relationship between the behavior and the function, and a relationship between the function and the purpose.
- the above-described purpose and function may be embodied in a more detailed function or purpose.
- the purpose and function may be hierarchical.
- the relationship between the behavior and the purpose of executing the behavior may be further expressed using the relationship between the purposes and the relationship between the functions.
- Knowledge information includes these relationships.
- FIG. 5 is a diagram illustrating an example of a relationship between a behavior and a purpose for executing the behavior.
- the relationship between the behavior and the purpose of executing the behavior is expressed using the relationship between the behavior and the function realized by the behavior and the relationship between the function and the purpose of executing the function.
- the behavior of “waiting for time” detected by the detection device 150 or the like is related to the function of “making it difficult to find a bot”.
- the function of “making it difficult to find a bot” is related to the purpose of “DDoS (Distributed Denial of Service) attack bandwidth sales business”. Based on the relationship shown in FIG. 5A, therefore, it can be considered that the behavior of “waiting for time” is performed for the purpose of, for example, “DDoS attack band sales business”.
- these behaviors, functions, purposes and relationships are expressed by assigning identifiers to each as shown in FIGS. 5B to 5E, for example.
- FIG. 6 shows an example of knowledge information.
- the knowledge information as shown in FIG. 6 is created based on the knowledge and experience of an analyst who can conceive the true purpose and intention of the attacker from the fact detected by the detection device 150 or the like described above, for example.
- the knowledge information as shown in FIG. 6 is created by an arbitrary method.
- the analysis apparatus 100 includes the knowledge information storage unit 120, the relationship illustrated in FIG. 5 and the knowledge information illustrated in FIG. 6 are stored in the knowledge information storage unit 120, for example. Further, the analysis apparatus 100 can display the relationship shown in FIG. 5 and the knowledge information shown in FIG. 6 on a display device (not shown).
- the purpose estimation unit 110 estimates a purpose for executing a behavior based on a predetermined behavior in the computer and a relationship between the behavior and a purpose for executing the behavior.
- the purpose estimation unit 110 estimates the purpose of executing the behavior based on, for example, the relationship between the behavior and purpose shown in FIG. 5 and the knowledge information shown in FIG. In other words, the purpose estimation unit 110 identifies the purpose related to the behavior based on these relationships and knowledge information, and then estimates the identified purpose as the purpose for executing the behavior. For example, based on the relationship between the behavior and purpose shown in FIG. 5, the purpose estimation unit 110 can identify that the behavior “waiting for time” is related to the purpose “DDoS attack band sales business”. Therefore, the purpose estimation unit 110 estimates that the behavior “waiting for time” is aimed at the “DDoS attack band sales business”.
- further, based on the knowledge information shown in FIG., the purpose estimation unit 110 estimates that the behavior labeled “MACT-2014-0005” is intended for at least one of the purposes shown in FIG. 7. That is, the purpose estimation unit 110 estimates that the purpose is at least one of “card / personal information sales business”, “click fraud business”, “ransom business”, and “DDoS attack band sales business”. Further, the analysis apparatus 100 can output the relationship between the behavior and the purpose estimated by the purpose estimation unit 110, as shown in FIG. 7, in an arbitrary format. For example, the analysis apparatus 100 can display the relationship between the behavior and the purpose on a display device or the like (not shown) or output it to an arbitrary file.
- the purpose estimation unit 110 of the analysis apparatus 100 first obtains a list of behaviors that are purpose estimation targets (step S101).
- the analysis apparatus 100 acquires one of the behaviors included in the list from the behavior list acquired in step S101 (step S102).
- the analysis apparatus 100 can acquire one of the behaviors from the list on an arbitrary basis.
- the purpose estimation unit 110 acquires a list of relationships from the behavior acquired in step S102 (step S103).
- the analysis apparatus 100 includes the knowledge information storage unit 120
- the relationship list is read from the knowledge information storage unit 120.
- the purpose estimating unit 110 selects, from the relationship list, a relationship that includes the behavior selected in step S102 (step S104).
- the purpose estimation unit 110 uses the relationship selected in step S104 to acquire the purpose that this relationship associates with the behavior acquired in step S102 (step S105). If the relationship selected in step S104 does not directly relate the behavior to the purpose of executing it, the purpose estimation unit 110 estimates the purpose by sequentially following, starting from that relationship, the other relationships included in the relationship list.
- the purpose estimating unit 110 confirms whether or not the processing of step S104 and step S105 has been executed for all the relationships included in the relationship list acquired in step S103 (step S106). If the process has not been executed for all the relationships, the purpose estimating unit 110 returns to step S104, selects a relationship that has not been processed among the relationships included in the relationship list described above, and continues the process. When the process is executed for all relationships, the purpose estimating unit 110 proceeds to the process of the next step S107.
- the purpose estimating unit 110 confirms whether or not processing has been executed for all behaviors included in the behavior list (step S107). If the process has not been executed for all the behaviors (step S107: No), the purpose estimating unit 110 returns to step S102, selects a behavior that has not been processed from the behavior list, and continues the processing.
- if the processing has been executed for all behaviors (step S107: Yes), the analysis apparatus estimates that the purpose obtained by the purpose estimation unit 110 in step S105 is the purpose for executing the behavior, and ends.
- the analysis apparatus 100 can output the estimated purpose in an arbitrary format.
- the purpose estimation unit 110 estimates the purpose of the behavior based on the predetermined behavior in the computer and the relationship between the behavior and the purpose of executing the behavior. Therefore, the analysis apparatus 100 according to the present embodiment can obtain information related to the attacker's intention and purpose.
- the behavior that is the purpose estimation target is not limited to the behavior detected by the detection device 150.
- the analysis apparatus 100 according to the present embodiment can set any behavior whose purpose should be estimated as a purpose estimation target.
- when the analysis apparatus 100 according to the present embodiment estimates the purpose for the behavior detected by the detection apparatus 150, the analysis apparatus 100 and the detection apparatus 150 can operate in various ways.
- the detection device 150 may be configured to detect the operation of the malware every time a packet is received from the network 152 by connecting to the network 152 that is the monitoring target on which the malware is being executed.
- the analysis device 100 can estimate the purpose for the behavior of the malware detected by the detection device 150. In this way, the analyst can analyze the malware while observing the behavior of the malware in real time.
- the specific configuration of the analysis apparatus 100 can be in various forms.
- the analysis device 100 and the detection device 150 can be configured as one analysis system.
- FIG. 9 shows an example in which the analysis apparatus 100 and the detection apparatus 150 are configured as an integrated analysis system 10.
- the analysis apparatus 100 and one or more detection apparatuses 150-1... N can be configured to be connected via a network as shown in FIG.
- the purpose estimation unit 110 and the knowledge information storage unit 120 can be connected via a network.
- the knowledge information stored in the knowledge information storage unit 120 can be provided to the plurality of purpose estimation units 110.
- the analysis apparatus 100 can be configured to be provided as a so-called cloud service, as shown in FIG.
- the user of the analysis apparatus 100 connects to the analysis apparatus 100 via the network using the terminal device 160, for example.
- the knowledge information stored in the knowledge information storage unit 120 of the analyzer 100 is shared by a plurality of analysts.
- FIG. 13 is a diagram illustrating an example of a method of calculating the behavior suitability used by the analysis apparatus according to the second embodiment of the present invention.
- FIG. 14 is a diagram illustrating another example of the method for calculating the behavior suitability used by the analysis apparatus 100 according to the second embodiment of the present invention.
- FIG. 15 is a diagram illustrating an example of an estimation method in the case where the analysis apparatus 100 according to the second embodiment of the present invention estimates the purpose using the behavior suitability.
- FIG. 16 is a diagram illustrating an example in which additional information is specified for knowledge information used by the analysis apparatus 100 according to the second embodiment of the present invention.
- FIG. 17 is a diagram illustrating another example in which additional information is specified for knowledge information used by the analysis apparatus 100 according to the second embodiment of the present invention.
- FIG. 18 is a diagram illustrating an example of information indicating a correspondence between the behavior used by the analysis apparatus 100 according to the second embodiment of the present invention and the malware causing the behavior.
- FIG. 19 is a diagram illustrating an example of information related to an analyst related to knowledge information including a relationship between a behavior and a purpose used by the analysis apparatus 100 according to the second embodiment of the present invention.
- the analyzer 100 in the present embodiment can have the same configuration as the analyzer 100 in the first embodiment of the present invention.
- the analysis apparatus 100 according to the present embodiment is different from the analysis apparatus 100 according to the first embodiment of the present invention in that the purpose of the behavior is estimated using additional information related to the behavior or the relationship between the behavior and the purpose.
- when the analysis device 100 according to the present embodiment is used to obtain the purpose of the behavior of malware detected by the detection device, there may be a plurality of detected behaviors, or a plurality of purposes may be estimated as a result. The likelihood that a purpose inferred from a behavior matches the actual purpose the attacker intends to realize by that behavior may differ from purpose to purpose.
- the analysis apparatus 100 therefore estimates the purpose of the behavior using additional information regarding the behavior or regarding the relationship between the behavior and the purpose. In this way, the analyzer 100 in this embodiment can improve the accuracy of purpose estimation.
- the additional information is the degree of fitness of behavior
- the analysis apparatus 100 uses, as additional information, the degree of suitability of the behavior that is the purpose estimation target with respect to the operation of malware.
- the behavior of the malware detected by the detection device 150 is not limited to the case where it completely matches a behavior pattern held by the detection device 150; it may also partially match. Therefore, the analysis apparatus 100 according to the present embodiment estimates the purpose for the behavior by using, as the behavior suitability, the degree of matching between the behavior that is the purpose estimation target and the behavior of the malware specified in advance.
- the fitness is calculated by the detection device 150.
- the degree of suitability of behavior is not limited to being calculated by the detection device 150.
- the behavior suitability can be calculated, for example, in the form that an analyst gives to each behavior based on his / her experience.
- the suitability of the behavior can be calculated by an arbitrary method as long as it can be used by the analysis apparatus 100.
- FIG. 13 shows an example of a method for calculating the fitness of behavior.
- the operation L01 is recorded as the operation of the malware in the malware operation log.
- the detection device 150 uses patterns from P01 to P06 as behavior patterns.
- the behavior pattern P01 and “Action” match.
- the “Duration” value of the operation L01 is included between the “DurationMin” value and the “DurationMax” value of the behavior pattern P01. That is, the operation L01 corresponds to the behavior pattern P01.
- “Action” in the operation L01 matches “Action” in the behavior pattern P02 or P03.
- the operation L01 matches a part of the behavior pattern P02 or P03.
- the detection device 150 sets the fitness of the behavior pattern P01 to the operation L01 to 1.0.
- the detection device 150 sets, for example, the fitness of the behavior pattern P02 or P03 for the operation L01 to 0.5.
- FIG. 14 shows another example relating to a calculation method of behavior suitability.
- the operation L09 is recorded as the operation of the malware in the malware operation log.
- the detection apparatus 150 uses the pattern of P31 and P32 as a behavior pattern.
- the action L09 matches “Action” with both the behavior patterns P31 and P32.
- the value of “DstPort” in the operation L09 matches the value of “DstPort” in the behavior pattern P31.
- the value of “DstPort” in the operation L09 is partially equal to the value of “DstPort” in the behavior pattern P32. That is, the operation L09 corresponds to the behavior pattern P31.
- the operation L09 coincides with a part of the behavior pattern P32.
- the detection device 150 sets the fitness of the behavior pattern P31 for the operation L09 to 1.0.
- the detection device 150 sets the fitness of the behavior pattern P32 for the operation L09 to 0.5, for example.
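The behavior-pattern matching of FIG. 4 and the fitness calculation of FIGS. 13 and 14, as an added Python example that is not code from the patent. The log records, the pattern identifiers and the port values are constructed; the rule that a full match scores 1.0 while an Action-only match scores 0.5 is an assumption modelled on the page's examples.

```python
"""Behavior-pattern matching with a fitness score for the detection device 150.

Added example, not the patent's own code. Assumptions (not from the page):
a malware operation log record is a dict of field name -> value; a behavior
pattern is an "Action" string plus per-field constraints, each either an
inclusive (min, max) range such as DurationMin..DurationMax or a set of
allowed values such as DstPort. Fitness is 1.0 when the Action and every
constraint match (full match), 0.5 when only the Action matches (partial
match), and 0.0 otherwise. Log values and port numbers are constructed.
"""
from typing import Any, Dict, FrozenSet, List, Tuple, Union

Constraint = Union[Tuple[float, float], FrozenSet[Any]]


class BehaviorPattern:
    """One behavior pattern (FIG. 4B style): an Action plus field constraints."""

    def __init__(self, pid: str, action: str, constraints: Dict[str, Constraint]):
        self.pid = pid
        self.action = action
        self.constraints = constraints


def _constraint_holds(value: Any, constraint: Constraint) -> bool:
    """True when a single field value satisfies a range or an allowed-value set."""
    if isinstance(constraint, tuple):
        low, high = constraint
        return isinstance(value, (int, float)) and low <= value <= high
    return value in constraint


def fitness(record: Dict[str, Any], pattern: BehaviorPattern) -> float:
    """Degree of matching between one log record and one behavior pattern."""
    if record.get("Action") != pattern.action:
        return 0.0                       # nothing in common: not a detection
    if all(_constraint_holds(record.get(field), constraint)
           for field, constraint in pattern.constraints.items()):
        return 1.0                       # full match, e.g. L01 against P01
    return 0.5                           # Action matches, the details do not


def detect(record: Dict[str, Any], patterns: List[BehaviorPattern]) -> Dict[str, float]:
    """Return {pattern id: fitness} for every pattern with non-zero fitness."""
    scores = {p.pid: fitness(record, p) for p in patterns}
    return {pid: score for pid, score in scores.items() if score > 0.0}


# Constructed behavior patterns. P01 uses the page's DurationMin 300 and
# DurationMax 86400; the other ranges and the DstPort sets are made up.
PATTERNS: List[BehaviorPattern] = [
    BehaviorPattern("P01", "Wait", {"Duration": (300, 86400)}),
    BehaviorPattern("P02", "Wait", {"Duration": (0, 299)}),
    BehaviorPattern("P03", "Wait", {"Duration": (86401, 10**9)}),
    BehaviorPattern("P31", "Connect", {"DstPort": frozenset({6667})}),
    BehaviorPattern("P32", "Connect", {"DstPort": frozenset({80, 443})}),
]

# Constructed malware operation log. L01 carries the page's Duration 4948.
SAMPLE_LOG: Dict[str, Dict[str, Any]] = {
    "L01": {"Action": "Wait", "Duration": 4948},
    "L09": {"Action": "Connect", "DstPort": 6667},
}


if __name__ == "__main__":
    for lid, record in SAMPLE_LOG.items():
        print(lid, detect(record, PATTERNS))
```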
- the behaviors P21 to P29, which are purpose estimation targets, are related to the purpose B21 or B22 via the functions F31 to F35.
- a degree of fitness is assigned to each of the behaviors P21 to P29.
- the analysis apparatus 100 calculates the suitability for the estimated purpose together with estimating the purpose from the behavior.
- the analyzer 100 calculates the fitness of each of the functions F31 to F35 based on the fitness of the behaviors P21 to P29.
- the analyzer 100 calculates the fitness of each of the objectives B21 or B22 based on the fitness of each of the functions F31 to F35 as an example.
- when an upper element (a function or a purpose) is estimated from a single lower element, the analysis apparatus 100 can calculate the fitness of the upper element as the same value as the fitness of that lower element. In the example shown in FIG. 14, the relationship between the behavior P21 and the function F31 corresponds to this case.
- an upper element may also be estimated from a plurality of lower elements, and each of those lower elements may be required in order to realize the upper element.
- the analysis apparatus 100 calculates, for example, a value obtained by weighting the fitness of each of the plurality of lower elements as the fitness of the upper element.
- the analysis apparatus 100 calculates, for example, the largest value as the fitness level of the upper element among the fitness levels of each of the plurality of lower elements. In the example illustrated in FIG. 14, the analysis apparatus 100 calculates the fitness of the function F35 as 0.8, which is the greatest fitness among the related behaviors P27 to P29.
- the analysis apparatus 100 calculates the fitness of the objectives B21 and B22 in the same procedure as described above.
- the fitness of the purpose B21 is calculated as 0.603
- the fitness of the purpose B22 is calculated as 0.3.
- based on the fitness, the user of the analysis apparatus 100 can determine that, of the purposes B21 and B22 estimated from the behaviors P21 to P29, the purpose B21 is the more likely one. That is, the user of the analysis apparatus 100 can take measures against the attack on the assumption that the attack on the network or information system from the outside is the “DDoS attack band sales business”.
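The purpose estimation procedure of steps S101 to S107 combined with the fitness propagation of FIG. 14, as an added Python example that is not the patent's own code. The relationships, the aggregation modes ("all" for weighted required elements, "any" for the largest value) and every fitness value are constructed, so the B21 and B22 values it produces do not reproduce the page's figures.

```python
"""Purpose estimation with fitness propagated from behaviors to purposes.

Added example, not the patent's own code. The relationships, the element
identifiers P21..P29, F31..F35, B21, B22 and every fitness value are
constructed. Assumptions (not from the page): knowledge information is kept
per upper element as (mode, {lower element: weight}). Mode "all" means every
lower element is required, so the upper fitness is the weighted sum of the
lower fitnesses (weights summing to 1.0); mode "any" means one lower element
suffices, so the upper fitness is the largest lower fitness. A required
lower element that was not observed contributes 0.0.
"""
from typing import Dict, Iterable, List, Set, Tuple

Relation = Tuple[str, Dict[str, float]]  # (mode, {lower id: weight})

KNOWLEDGE: Dict[str, Relation] = {
    "F31": ("all", {"P21": 1.0}),                          # single lower element
    "F32": ("all", {"P22": 0.5, "P23": 0.5}),              # both behaviors required
    "F33": ("all", {"P24": 1.0}),
    "F34": ("all", {"P25": 0.5, "P26": 0.5}),
    "F35": ("any", {"P27": 1.0, "P28": 1.0, "P29": 1.0}),  # any one suffices
    "B21": ("all", {"F31": 0.4, "F32": 0.3, "F35": 0.3}),
    "B22": ("any", {"F33": 1.0, "F34": 1.0}),
}
PURPOSES: Set[str] = {"B21", "B22"}

# Constructed behavior fitness values, as the detection device would supply them.
OBSERVED: Dict[str, float] = {
    "P21": 1.0, "P22": 0.5, "P23": 1.0, "P24": 0.3,
    "P25": 0.2, "P26": 0.2, "P27": 0.5, "P28": 0.8, "P29": 0.2,
}


def _lower_to_upper(knowledge: Dict[str, Relation]) -> Dict[str, Set[str]]:
    """Index each lower element to the upper elements it is related to."""
    index: Dict[str, Set[str]] = {}
    for upper, (_mode, lowers) in knowledge.items():
        for lower in lowers:
            index.setdefault(lower, set()).add(upper)
    return index


def reachable_purposes(behaviors: Iterable[str], knowledge: Dict[str, Relation],
                       purposes: Set[str]) -> Set[str]:
    """Steps S101-S107: follow relationships from each behavior up to purposes."""
    index = _lower_to_upper(knowledge)
    reached: Set[str] = set()
    seen: Set[str] = set()
    frontier: List[str] = list(behaviors)
    while frontier:
        element = frontier.pop()
        if element in seen:
            continue
        seen.add(element)
        if element in purposes:
            reached.add(element)                      # S105: a purpose was reached
        else:
            frontier.extend(index.get(element, ()))  # not direct: keep following


    return reached


def fitness_of(element: str, observed: Dict[str, float],
               knowledge: Dict[str, Relation], memo: Dict[str, float],
               visiting: Set[str]) -> float:
    """Fitness of a function or purpose, computed from its lower elements."""
    if element in memo:
        return memo[element]
    if element not in knowledge:                      # a behavior: observed fitness
        return observed.get(element, 0.0)
    if element in visiting:
        raise ValueError(f"cycle in knowledge information at {element}")
    visiting.add(element)
    mode, lowers = knowledge[element]
    scores = {low: fitness_of(low, observed, knowledge, memo, visiting)
              for low in lowers}
    if mode == "any":
        value = max(scores.values())
    elif mode == "all":
        value = sum(lowers[low] * score for low, score in scores.items())
    else:
        raise ValueError(f"unknown mode {mode!r} for {element}")
    visiting.discard(element)
    memo[element] = value
    return value


def estimate_purposes(observed: Dict[str, float],
                      knowledge: Dict[str, Relation] = KNOWLEDGE,
                      purposes: Set[str] = PURPOSES) -> Dict[str, float]:
    """Estimated purposes for the observed behaviors, each with its fitness."""
    memo: Dict[str, float] = {}
    return {p: round(fitness_of(p, observed, knowledge, memo, set()), 3)
            for p in reachable_purposes(observed, knowledge, purposes)}


def ranked(observed: Dict[str, float]) -> List[Tuple[str, float]]:
    """Purposes ordered from most to least likely, as the user would read them."""
    return sorted(estimate_purposes(observed).items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    print(ranked(OBSERVED))
```

Observing only a subset of behaviors lowers the fitness of every "all" element that depends on the missing ones, so a purpose reached through a single partial match ranks below one supported by several full matches.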
- the degree of fitness of behavior is expressed numerically.
- the conformity of the behavior is not limited to the above format, and may be any format that can be used by the analysis apparatus 100 according to the present embodiment.
- the degree of suitability of behavior is given in the form of ranking in any of a plurality of predetermined stages.
- Example in which the additional information is behavior history information
- In this example, the analysis apparatus 100 uses, as additional information, the history of the behaviors whose purpose it has estimated.
- When estimating the purpose of a behavior, the analysis apparatus 100 stores the behavior under estimation as history information in, for example, the knowledge information storage unit 120 illustrated in FIG. Based on the stored history, the analysis apparatus 100 then identifies information about behaviors that satisfy a predetermined condition on that history, and reports it either together with or separately from the purpose estimation result for the behavior.
- Several kinds of information about behaviors can be identified by the analysis apparatus 100 in this way.
- One example is information about a behavior that appears more than a predetermined number of times in the history.
- A behavior that appears more than a predetermined number of times is not necessarily a case of the malware always performing the same operation.
- Such a behavior may therefore not be an appropriate condition for the detection device 150 to use to detect malware operation. For this reason the analysis apparatus 100 identifies, for example, behaviors that appear more than a predetermined number of times in the history.
- The analysis apparatus 100 can report such behaviors in various ways. As one example, when it detects such a behavior it outputs the result in an arbitrary format together with the purpose estimated for that behavior. The user of the analysis apparatus 100 can then refer to the output behavior and correct the behavior condition, or configure the behavior patterns of the detection device 150 so that the behavior is excluded from the malware operations the detection device 150 detects.
- The analysis apparatus 100 can also supply the detection device 150 directly with information about behaviors that appear more than a predetermined number of times in the history.
- The detection device 150 can then exclude those behaviors from the malware behavior patterns it detects.
- Another example of information about behaviors identified by the analysis apparatus 100 is information about the number or frequency of the behaviors that appear in the history.
- The history held by the analysis apparatus 100 may show that the number of behaviors submitted for purpose estimation is decreasing.
- In that case the malware may be performing an unknown operation that is not included in the behavior patterns detected by the detection device 150 (that is, an operation that the detection device 150 cannot detect).
- The analysis apparatus 100 therefore identifies the decrease in the number of behaviors appearing in the history as information about the behaviors.
- The analysis apparatus 100 can report that decrease as behavior information in an arbitrary format.
- For example, the analysis apparatus 100 can represent it by adding a special behavior to the knowledge information stored in the knowledge information storage unit 120.
- This special behavior indicates, for example, that the situation regarding the malware operation is unknown.
- The special behavior can be associated with all functions, for example.
- The purpose estimation unit 110 can be configured so that, whenever it estimates the purpose of a behavior, it also estimates a purpose for the special behavior. The user of the analysis apparatus 100 can thereby learn that there may be an operation of unknown malware that the detection device 150 cannot detect.
- The history held by the analysis apparatus 100 may also show that the frequency of appearance of a specific behavior submitted for purpose estimation is decreasing.
- In that case the analysis apparatus 100 identifies the decrease in the frequency of that specific behavior as information about the behavior.
- The analysis apparatus 100 can represent this using a format such as that shown in FIG. That is, it adds a special behavior to the knowledge information stored in the knowledge information storage unit 120 in association with the behavior whose number of appearances in the history has decreased.
- Here the special behavior indicates, for example, that the status of the malware operation related to the associated behavior is unknown.
- The analysis apparatus 100 can also provide information about this special behavior to the detection device 150, associated with the behavior whose number of appearances has decreased.
- The detection device 150 can then be configured so that, whenever it detects a behavior whose number of appearances decreased in the history of the analysis apparatus 100, it also reports the special behavior.
- The user of the analysis apparatus 100 can thereby learn that the operation of the specific malware detected by the detection device 150 may have changed, and that the attacker may have started using other malware to achieve the same purpose. Furthermore, because the special behavior added by the analysis apparatus 100 is tied to the behavior whose appearance frequency decreased, a malware analyst can see clearly which malware behavior the analysis should focus on.
- The analysis apparatus 100 can display the knowledge information with the special behavior added, for example on a display device (not shown), which makes it easy for the user to grasp the information about the behavior.
- The analysis apparatus 100 can also add a special behavior to the knowledge information in association with a behavior that satisfies a predetermined condition other than the history conditions described above, and can add a special behavior with a meaning different from the one described above.
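The three history-based checks described above (a behavior recurring more than a threshold, a decline in the total number of estimated behaviors, and a decline of one specific behavior) can all be computed from per-window counts of the behaviors submitted for estimation. The following is an added example in Python, not code from the patent; the window layout, the thresholds, the behavior labels and the relationships are constructed, and the special behavior is represented by a constructed label `UNKNOWN`.

```python
# Added example, not from the patent: deriving the "behavior information" the
# description lists from a history of estimated behaviors. Window boundaries,
# thresholds, behavior labels and the UNKNOWN label are all constructed.
from collections import Counter
from typing import Dict, List, Set, Tuple

SPECIAL_BEHAVIOR = "UNKNOWN"   # "situation regarding malware operation unknown"


class BehaviorHistory:
    """History of behaviors submitted for purpose estimation, one Counter per window."""

    def __init__(self, frequent_threshold: int, drop_ratio: float) -> None:
        self.frequent_threshold = frequent_threshold   # "more than a predetermined number of times"
        self.drop_ratio = drop_ratio                   # count fell to this fraction or less
        self.windows: List[Counter] = []

    def record_window(self, behaviors: List[str]) -> None:
        self.windows.append(Counter(behaviors))

    def frequent_behaviors(self) -> Set[str]:
        """Behaviors seen more than the threshold across the whole history.
        These are candidates for exclusion from the detector's malware patterns."""
        total: Counter = Counter()
        for window in self.windows:
            total.update(window)
        return {b for b, n in total.items() if n > self.frequent_threshold}

    def total_declined(self) -> bool:
        """True when the number of estimated behaviors shrank in the latest window."""
        if len(self.windows) < 2:
            return False
        return sum(self.windows[-1].values()) < sum(self.windows[-2].values())

    def declining_behaviors(self) -> Set[str]:
        """Specific behaviors whose count fell to drop_ratio of the previous window
        or below, including behaviors that disappeared entirely."""
        if len(self.windows) < 2:
            return set()
        prev, cur = self.windows[-2], self.windows[-1]
        return {b for b, n in prev.items() if cur.get(b, 0) <= self.drop_ratio * n}


def special_behavior_links(relations: List[Tuple[str, str]],
                           history: BehaviorHistory) -> Dict[str, Set[str]]:
    """Where the special behavior should be attached in the knowledge information.

    relations: constructed (behavior, function) pairs. If the total number of
    behaviors declined, the special behavior is associated with every function;
    each specifically declining behavior additionally gets its own association.
    """
    functions = {fn for _, fn in relations}
    return {
        "functions": functions if history.total_declined() else set(),
        "behaviors": history.declining_behaviors(),
    }


def build_example() -> Tuple[List[Tuple[str, str]], BehaviorHistory]:
    """Constructed knowledge relations and a two-window history."""
    relations = [
        ("MACT-2014-0005", "infection spreading"),
        ("MACT-2014-0010", "infection spreading"),
        ("MACT-2014-0012", "line speed check"),
    ]
    history = BehaviorHistory(frequent_threshold=8, drop_ratio=0.5)
    history.record_window(["MACT-2014-0005"] * 5 + ["MACT-2014-0010"] * 4
                          + ["MACT-2014-0012"] * 2)
    history.record_window(["MACT-2014-0005"] * 6 + ["MACT-2014-0010"] * 1)
    return relations, history


if __name__ == "__main__":
    rels, hist = build_example()
    print("candidates to exclude from the detector:", hist.frequent_behaviors())
    print("attach", SPECIAL_BEHAVIOR, "to:", special_behavior_links(rels, hist))
```

In the constructed history "MACT-2014-0005" recurs enough to be reported as a candidate for exclusion, while "MACT-2014-0010" and "MACT-2014-0012" fall away in the second window and so receive their own special-behavior association; because the overall count also fell, the special behavior is additionally attached to every function.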
- Example in which the additional information is the relationship between behavior and malware
- In this example, the analysis apparatus 100 uses, as additional information, information about the relationship between the behavior whose purpose is to be estimated and the malware that causes that behavior.
- When a correspondence between a behavior and a known malware sample exists, the analysis apparatus 100 can identify the purpose of the behavior (rather than merely estimate it) by using that correspondence. In this example the analysis apparatus 100 therefore tries to identify the purpose of the behavior using information about the relationship between the behavior under estimation and the malware that causes it.
- The knowledge information storage unit 120 of the analysis apparatus 100 holds information indicating the correspondence between behaviors and the malware that causes them.
- FIG. 18A is an example of such information stored in the knowledge information storage unit 120.
- In FIG. 18A, a malware specimen identifier is associated with a relationship between a behavior and a function, or between a function and a purpose, related to that malware. Such information is created by an analyst, for example on the basis of known analysis results.
- The purpose estimation unit 110 refers to this information when estimating the purpose corresponding to a behavior. For example, when the relationships linking a behavior to an estimated purpose carry a correspondence with a known malware sample, the purpose estimation unit 110 identifies that purpose as the purpose the behavior is trying to realize.
- FIG. 18B shows an example in which the analysis apparatus 100 uses information about the relationship between the behavior under estimation and the malware that causes it.
- In FIG. 18B, the purpose estimation unit 110 estimates the purpose of the behavior "MACT-2014-0010".
- Four purposes are estimated for the behavior "MACT-2014-0010".
- Of these, the malware specimen identifier "W32.Morto.B" is associated with the relationships whose relationship identifiers are R30 and R32. The purpose estimation unit 110 therefore identifies that "MACT-2014-0010" is caused by the malware with specimen identifier "W32.Morto.B", and that the purpose of this behavior is "click fraud business".
- The malware specimen identifier can also be associated with a behavior or a function included in the knowledge information stored in the knowledge information storage unit 120.
- The analysis apparatus 100 can output the result of estimating the purpose using this relationship information in an arbitrary format.
- For example, the analysis apparatus 100 can change the display format of a purpose identified from this information, among the purposes estimated for the behavior, and output the result to an arbitrary output device.
- Example in which the additional information is information about the analyst
- In this example, the analysis apparatus 100 uses, as additional information, information about the analyst associated with knowledge information that includes a relationship between behavior and purpose.
- The relationships between behavior and purpose stored as knowledge information in the knowledge information storage unit 120 are created by analysts who have knowledge and experience of malware activity.
- The knowledge information created therefore depends on the knowledge and experience of its analyst. That is, the reliability (for example, the accuracy) of the knowledge information may vary with the analyst who created it.
- For this reason the analysis apparatus 100 uses information about the analyst associated with the knowledge information. In this way it can estimate the purpose of a behavior on the basis of information of high reliability.
- FIG. 19A shows the relationship between analysts and the rank assigned to each analyst.
- The rank value indicates the analyst's degree of knowledge and experience of malware activity, and hence the reliability of the information the analyst created. In the example of FIG. 19A, the analyst with identifier A22 has the highest reliability.
- FIG. 19B shows the correspondence between the relationships between behavior and purpose included in the knowledge information stored in the knowledge information storage unit 120 and the analyst who created each relationship.
- In FIG. 19B, the relationships with relationship identifiers R40, R41 and R42 were created by the analyst with identifier A11.
- The relationships with relationship identifiers R43 and R44 were created by the analyst with identifier A22.
- The purpose estimation unit 110 estimates the purpose of a behavior using the information shown in FIGS. 19A and 19B in addition to the relationships between behavior and purpose.
- For example, the purpose estimation unit 110 outputs, together with the purpose estimated for the behavior, the relationship used for the estimation and the information of the analyst who created that relationship.
- The user of the analysis apparatus 100 can then judge that a purpose estimated through a relationship created by the analyst with identifier A22 is highly likely.
- The analysis apparatus 100 can also use the information about the analyst who created the knowledge information in ways other than the one described above.
- For example, the purpose estimation unit 110 can estimate the purpose of a behavior using only knowledge information created by analysts whose rank is at or above a predetermined value.
- The purpose estimation unit 110 can also estimate the purpose using only knowledge information created by a specific analyst.
- The purpose estimation unit 110 can also take the analyst's rank value into account when calculating the fitness described above.
- As described above, the analysis apparatus 100 in this embodiment estimates the purpose of a behavior using additional information about the behavior or about the relationship between behavior and purpose. That is, it can use information that cannot be expressed by the behavior itself or by the relationship between behavior and purpose alone, and can therefore improve the accuracy of the estimated purpose.
- The analysis apparatus 100 in this embodiment can also use information other than that described above as additional information, and can use the kinds of additional information described above in combination with one another.
- The configurations of the modifications of the analysis apparatus 100 in the first embodiment can be used in combination with each of the examples of the analysis apparatus 100 in this embodiment.
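Both of the last two additional-information examples (a malware specimen attached to a relationship, and the analyst who created a relationship) are metadata carried by the relationships themselves, so one traversal of the behavior-function-purpose chains serves both. The following is an added example in Python, not code from the patent. The relationship identifiers, specimen name, analyst identifiers, ranks and labels are constructed and only loosely follow FIGS. 18 and 19; the "confidence" value (lowest analyst rank on a chain divided by the top rank) is one constructed way of folding the rank into a fitness value, not the patent's formula.

```python
# Added example, not from the patent: purpose estimation over relationships that
# carry a malware specimen name and the creating analyst. Identifiers, specimen,
# ranks and labels are constructed after FIGS. 18 and 19.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Relation:
    rid: str                        # relationship identifier, e.g. R30
    lower: str                      # behavior or function
    upper: str                      # function or purpose
    analyst: str                    # identifier of the analyst who created it
    specimen: Optional[str] = None  # malware sample known to cause this relationship


# Constructed analyst ranks (higher means more reliable).
ANALYST_RANK: Dict[str, int] = {"A11": 1, "A22": 3}

# Constructed knowledge information: behavior -> function -> purpose chains.
KNOWLEDGE: List[Relation] = [
    Relation("R30", "MACT-2014-0010", "infection spreading", "A22", "W32.Morto.B"),
    Relation("R31", "MACT-2014-0010", "line speed check", "A11"),
    Relation("R32", "infection spreading", "click fraud business", "A22", "W32.Morto.B"),
    Relation("R33", "infection spreading", "DDoS attack bandwidth sales business", "A11"),
    Relation("R34", "line speed check", "ransom business", "A11"),
]


def usable(rel: Relation, min_rank: int, analyst: Optional[str]) -> bool:
    """Relationship filter: minimum analyst rank, or one specific analyst only."""
    if analyst is not None and rel.analyst != analyst:
        return False
    return ANALYST_RANK.get(rel.analyst, 0) >= min_rank


def chains(behavior: str, min_rank: int = 0,
           analyst: Optional[str] = None) -> List[List[Relation]]:
    """Every behavior -> function -> purpose chain starting at `behavior`."""
    found = []
    for r1 in KNOWLEDGE:
        if r1.lower != behavior or not usable(r1, min_rank, analyst):
            continue
        for r2 in KNOWLEDGE:
            if r2.lower == r1.upper and usable(r2, min_rank, analyst):
                found.append([r1, r2])
    return found


def estimate(behavior: str, min_rank: int = 0,
             analyst: Optional[str] = None) -> Dict[str, dict]:
    """Purposes reachable from `behavior`. For each purpose:
    identified  - the specimen name when every relationship on the chain carries
                  the same specimen (the purpose is identified, not just estimated)
    relations   - relationship identifiers used, to be output with the result
    analysts    - creators of those relationships
    confidence  - lowest analyst rank on the chain divided by the top rank
    If several chains reach one purpose the most confident one is kept.
    """
    top = max(ANALYST_RANK.values())
    result: Dict[str, dict] = {}
    for chain in chains(behavior, min_rank, analyst):
        specimens = {r.specimen for r in chain}
        identified = specimens.pop() if len(specimens) == 1 and None not in specimens else None
        entry = {
            "identified": identified,
            "relations": [r.rid for r in chain],
            "analysts": {r.analyst for r in chain},
            "confidence": min(ANALYST_RANK[r.analyst] for r in chain) / top,
        }
        purpose = chain[-1].upper
        if purpose not in result or entry["confidence"] > result[purpose]["confidence"]:
            result[purpose] = entry
    return result


if __name__ == "__main__":
    for purpose, info in estimate("MACT-2014-0010").items():
        print(purpose, info)
```

Calling `estimate("MACT-2014-0010")` returns three purposes; only "click fraud business" is identified through "W32.Morto.B" because both R30 and R32 carry that specimen. Restricting to rank 3 and above (`min_rank=3`) leaves only that chain, and restricting to analyst A11 leaves only the chain R31, R34.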
- FIG. 20 is a diagram illustrating a configuration of an analysis apparatus 300 and an analysis system including the analysis apparatus according to the third embodiment of the present invention.
- FIG. 21 is a flowchart illustrating a procedure when the knowledge information input unit 130 receives knowledge information in the analysis apparatus 300 according to the third embodiment of the present invention.
- FIG. 22 is an example of an input screen when the knowledge information input unit 130 accepts knowledge information.
- the analysis apparatus 300 includes a purpose estimation unit 110, a knowledge information storage unit 120, and a knowledge information input unit 130.
- the purpose estimation unit 110 and the knowledge information storage unit 120 have the same functions as those of the analysis apparatus 100 according to the first embodiment of the present invention.
- the knowledge information input unit 130 receives knowledge information including the relationship between behavior and purpose.
- the analysis apparatus 300 according to this embodiment is different from the analysis apparatus 100 according to the first embodiment of the present invention in that the knowledge information input unit 130 is provided.
- the analysis apparatus 300 in the present embodiment can be configured in the same manner as the analysis apparatus 100 in the first embodiment of the present invention except for this.
- the knowledge information input unit 130 accepts knowledge information including at least a relationship between behavior and purpose.
- the knowledge information newly received by the knowledge information input unit 130 is added to the knowledge information storage unit 120, for example.
- the new knowledge information stored by the knowledge information storage unit 120 is used when the purpose estimation unit 110 estimates the purpose for the behavior.
- Because the analysis apparatus 300 includes the knowledge information input unit 130, it can estimate the purpose of a behavior using knowledge information newly added through that unit. Therefore, when new malware is detected or an analyst has analyzed malware, the analysis apparatus 300 in this embodiment can easily reflect the resulting knowledge information in the purpose estimation.
- the knowledge information received by the knowledge information input unit 130 is not limited to the relationship between behavior and purpose.
- the knowledge information input unit 130 can also accept the purpose of executing the behavior. Further, the knowledge information input unit 130 can accept a function realized by behavior, a relationship between the behavior and the function, or a relationship between the function and the purpose.
- the knowledge information received by the knowledge information input unit 130 may not be stored in the knowledge information storage unit 120.
- the knowledge information received by the knowledge information input unit 130 only needs to be usable when the purpose estimation unit 110 estimates the purpose.
- In the following, the knowledge information input unit 130 is assumed to receive a purpose of executing a behavior, a function realized by a behavior, a relationship between a behavior and a function, or a relationship between a function and a purpose.
- The knowledge information input unit 130 first reads from the knowledge information storage unit 120 the information on behaviors, functions, purposes and relationships that constitutes the knowledge information (step S301).
- Next, the knowledge information input unit 130 receives the knowledge information to be added from an input unit (not shown) or the like (step S302).
- The knowledge information input unit 130 then checks the type of the knowledge information to be added (step S303).
- If the received knowledge information is a purpose, the knowledge information input unit 130 accepts the purpose and adds it to the knowledge information storage unit 120 (step S304). If it is a function, the knowledge information input unit 130 accepts the function and adds it to the knowledge information storage unit 120 (step S305).
- After step S304 or S305, the knowledge information input unit 130 proceeds to step S315. If the received knowledge information is a relationship, it proceeds to step S306.
- In step S306 the knowledge information input unit 130 checks the type of the relationship to be added.
- Specifically, it checks whether the relationship to be added to the knowledge information storage unit 120 is a relationship between a behavior and a function.
- If so (Yes in step S306), the knowledge information input unit 130 selects the behavior to which the relationship is to be added from the information acquired in step S301 (step S307).
- The knowledge information input unit 130 then selects the function to which the relationship is to be added from the information acquired in step S301 (step S308).
- The knowledge information input unit 130 checks whether the relationship between the behavior and the function selected in steps S307 and S308 already exists as knowledge information in the knowledge information storage unit 120 (step S309).
- If it does not exist, the knowledge information input unit 130 creates the relationship between the behavior and the function and adds it to the knowledge information storage unit 120 (step S310).
- If it already exists, the knowledge information input unit 130 performs no particular processing.
- When steps S309 and S310 are complete, the knowledge information input unit 130 proceeds to step S315.
- If the relationship is not one between a behavior and a function (No in step S306), the knowledge information input unit 130 determines that a relationship between a function and a purpose is to be added. It then selects the function to which the relationship is to be added from the information acquired in step S301 (step S311), and subsequently selects the purpose from the information acquired in step S301 (step S312).
- The knowledge information input unit 130 checks whether the relationship between the function and the purpose selected in steps S311 and S312 already exists as knowledge information in the knowledge information storage unit 120 (step S313).
- If it does not exist, the knowledge information input unit 130 creates the relationship between the function and the purpose and adds it to the knowledge information storage unit 120 (step S314).
- If it already exists, the knowledge information input unit 130 performs no particular processing.
- When steps S313 and S314 are complete, the knowledge information input unit 130 proceeds to step S315.
- In step S315 the knowledge information input unit 130 checks whether there is further knowledge information to add. If there is, it returns to step S302 and continues the processing; if there is none, it ends the process.
- the knowledge information input unit 130 can accept knowledge information by displaying an input screen on a display device (not shown) or the like.
- FIG. 22 shows an example of the input screen.
- the knowledge information input unit 130 displays, for example, an input screen as shown in FIG. 22A or 22B on a display device or the like.
- the knowledge information input unit 130 displays an input screen as shown in FIG. 22C on a display device or the like.
- The user of the analysis apparatus 300 can give the relationship to be registered to the knowledge information input unit 130 by dragging with the mouse on the input screen from a behavior to a function, or from a function to a purpose.
- An arrow in FIG. 22C is an example in the case where a relationship to be registered is given to the knowledge information input unit 130 by performing a drag operation with the mouse.
- the analysis apparatus 300 can receive new knowledge information by including the knowledge information input unit 130. Therefore, the analysis apparatus 300 in this embodiment can estimate the purpose for the behavior using the newly received knowledge information. Therefore, the analysis apparatus 300 in the present embodiment can increase the accuracy of estimating the purpose.
- The configurations of the analysis apparatuses in the first and second embodiments of the present invention and their modifications can be used in combination with the analysis apparatus 300 of this embodiment.
- FIG. 23 is a diagram illustrating a configuration of an analysis apparatus 400 and an analysis system including the analysis apparatus according to the fourth embodiment of the present invention.
- FIG. 24 is a diagram illustrating an example of behavior or function predicted by the analysis apparatus 400 according to the fourth embodiment of the present invention.
- the analysis apparatus 400 includes a purpose estimation unit 110, a knowledge information storage unit 120, and an activity prediction unit 140.
- the purpose estimation unit 110 and the knowledge information storage unit 120 have the same functions as those of the analysis apparatus 100 according to the first embodiment of the present invention.
- the activity prediction unit 140 predicts a behavior or a function that realizes the purpose estimated by the purpose estimation unit 110 based on the knowledge information stored in the knowledge information storage unit 120.
- the analysis apparatus 400 in the present embodiment is different from the analysis apparatus 100 in the first embodiment of the present invention in that the activity prediction unit 140 is provided.
- the analysis apparatus 400 in the present embodiment can be configured in the same manner as the analysis apparatus 100 in the first embodiment of the present invention except for this.
- In more detail, the activity prediction unit 140 predicts behaviors or functions that realize the purpose by tracing the relationships contained in the knowledge information in the direction opposite to that used during estimation, that is, from the estimated purpose back to functions and then to behaviors.
- FIG. 24 shows an example of the activity prediction unit 140 predicting behaviors or functions.
- In the example of FIG. 24, the purpose estimation unit 110 first estimates, from the behavior "MACT-2014-0010" via the function "infection spreading", the purpose "DDoS attack bandwidth sales business". The activity prediction unit 140 then predicts the behaviors and functions that realize that purpose, as shown in the lower part of FIG. 24. For example, it predicts that the behaviors "MACT-2014-0005" and "MACT-2014-0011" also exist in order to realize the function "infection spreading".
- The activity prediction unit 140 further predicts that the functions "line speed check" and "attack" exist in order to realize the purpose "DDoS attack bandwidth sales business", and that the behaviors "MACT-2014-0012" and "MACT-2014-0002" exist in order to realize the function "line speed check". When the knowledge information contains no behavior that realizes a predicted function, the activity prediction unit 140 indicates this in an arbitrary format; in FIG. 24, a cloud icon indicates that the knowledge information has no behavior realizing the "attack" function.
- The behaviors and functions predicted by the activity prediction unit 140 are output in an arbitrary format.
- An attacker may try to realize the same purpose using other malware. That is, when behavior of malware that had been detected until then is no longer detected, the attacker may have created and started executing different malware with different behavior.
- In that case the analysis apparatus 400 can predict the behavior of that different malware from the knowledge information by means of the activity prediction unit 140. The user of the analysis apparatus 400 can therefore learn the other predicted behaviors together with the estimated purpose, and can take countermeasures against the predicted behaviors and functions, for example.
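The input procedure of FIG. 21 (deciding the relationship type, selecting its two end points from the stored elements, and checking for an existing relationship before adding one) and the backward traversal of the activity prediction unit 140 both operate on the same two relationship sets, so a single added example serves the third and fourth embodiments. The following is Python written for this page, not code from the patent; the element labels follow FIG. 24 loosely, and the `UNKNOWN` marker standing in for the cloud icon, the store layout and the use of `KeyError` for end points that are not yet registered are constructed choices.

```python
# Added example, not from the patent: a knowledge store with the add-with-
# existence-check procedure of FIG. 21 and the backward traversal of the
# activity prediction unit. Labels are constructed after FIG. 24; the UNKNOWN
# marker is a constructed stand-in for the cloud icon.
from typing import Dict, List, Set, Tuple

UNKNOWN = "?"   # no behavior in the knowledge information realizes this function


class KnowledgeStore:
    def __init__(self) -> None:
        self.behaviors: Set[str] = set()
        self.functions: Set[str] = set()
        self.purposes: Set[str] = set()
        self.behavior_function: Set[Tuple[str, str]] = set()   # (behavior, function)
        self.function_purpose: Set[Tuple[str, str]] = set()    # (function, purpose)

    # Steps S304 / S305: accept a purpose or a function and add it to the store.
    def add_purpose(self, purpose: str) -> None:
        self.purposes.add(purpose)

    def add_function(self, function: str) -> None:
        self.functions.add(function)

    def add_behavior(self, behavior: str) -> None:
        self.behaviors.add(behavior)

    def add_relation(self, lower: str, upper: str) -> bool:
        """Steps S306 to S314: decide the relationship type from the element sets
        (S306), require both end points to be registered already (S307/S308 or
        S311/S312 select from existing elements), and add the relationship only
        when it is not present (S309/S310, S313/S314). Returns True if added."""
        if lower in self.behaviors and upper in self.functions:
            table = self.behavior_function
        elif lower in self.functions and upper in self.purposes:
            table = self.function_purpose
        else:
            raise KeyError(f"unknown elements or unsupported relationship: {lower!r} -> {upper!r}")
        if (lower, upper) in table:
            return False
        table.add((lower, upper))
        return True

    def estimate(self, behavior: str) -> Set[str]:
        """Purpose estimation: purposes reachable behavior -> function -> purpose."""
        functions = {f for b, f in self.behavior_function if b == behavior}
        return {p for f, p in self.function_purpose if f in functions}

    def predict(self, purpose: str) -> Dict[str, List[str]]:
        """Activity prediction: walk the relationships backwards from a purpose to
        the functions realizing it and the behaviors realizing each function."""
        prediction: Dict[str, List[str]] = {}
        for f, p in self.function_purpose:
            if p != purpose:
                continue
            behaviors = sorted(b for b, g in self.behavior_function if g == f)
            prediction[f] = behaviors or [UNKNOWN]
        return prediction


def build_example() -> KnowledgeStore:
    """Constructed knowledge information after FIG. 24."""
    ks = KnowledgeStore()
    for b in ("MACT-2014-0002", "MACT-2014-0005", "MACT-2014-0010",
              "MACT-2014-0011", "MACT-2014-0012"):
        ks.add_behavior(b)
    for f in ("infection spreading", "line speed check", "attack"):
        ks.add_function(f)
    ks.add_purpose("DDoS attack bandwidth sales business")
    for b in ("MACT-2014-0005", "MACT-2014-0010", "MACT-2014-0011"):
        ks.add_relation(b, "infection spreading")
    for b in ("MACT-2014-0002", "MACT-2014-0012"):
        ks.add_relation(b, "line speed check")
    for f in ("infection spreading", "line speed check", "attack"):
        ks.add_relation(f, "DDoS attack bandwidth sales business")
    return ks


if __name__ == "__main__":
    store = build_example()
    for purpose in store.estimate("MACT-2014-0010"):
        print(purpose, "->", store.predict(purpose))
```

Starting from "MACT-2014-0010" the store estimates "DDoS attack bandwidth sales business", and `predict` on that purpose returns the two other behaviors under "infection spreading", the two under "line speed check", and `[UNKNOWN]` for "attack", which is the cloud icon of FIG. 24 in data form. Re-adding an existing relationship returns `False` without changing the store, which is the "no particular processing" branch of steps S309 and S313.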
- the analysis apparatus 400 includes the activity prediction unit 140. And the analysis apparatus 400 in this embodiment predicts the behavior and function which implement
- Reference numerals: analysis system
- 50 information processing device
- 51 CPU
- 52 ROM
- 53 RAM
- 54 program
- 55 storage device
- 56 storage medium
- 57 drive device
- 58 communication interface
- 59 network
- 60 input/output interface
- 61 bus
- 100, 300, 400 analysis apparatus
- 110 purpose estimation unit
- 120 knowledge information storage unit
- 130 knowledge information input unit
- 140 activity prediction unit
- 150 detection device
- 151 malware operation log
- 152 network
- 160 terminal device
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Description
First, the first embodiment of the present invention will be described. FIG. 1 is a diagram showing the configuration of an analysis apparatus and an analysis system including the analysis apparatus according to the first embodiment of the present invention. FIG. 2 is a diagram showing another configuration of the analysis apparatus and the analysis system including it in the first embodiment. FIG. 4 is a diagram showing an example of behavior patterns and the like used by the analysis apparatus in the first embodiment. FIG. 5 is a diagram showing an example of the relationship between behavior patterns and purposes used by the analysis apparatus in the first embodiment. FIG. 6 is a diagram showing an example of the knowledge information used by the analysis apparatus in the first embodiment. FIG. 7 is an example of purposes estimated for a behavior by the analysis apparatus in the first embodiment. FIG. 8 is a flowchart showing the operation of the analysis apparatus in the first embodiment. FIGS. 9 and 10 are diagrams showing the configuration of a modification of the analysis apparatus in the first embodiment. FIGS. 11 and 12 are diagrams showing the configuration of another modification of the analysis apparatus in the first embodiment.
That is, the purpose estimation unit 110 identifies the purpose associated with a behavior on the basis of these relationships or the knowledge information, and estimates the identified purpose as the purpose for which the behavior is executed. For example, based on the relationship between behaviors and purposes shown in FIG. 5, the purpose estimation unit 110 can identify that the behavior "waiting for time" is associated with the purpose "DDoS attack bandwidth sales business", and therefore estimates that the behavior "waiting for time" has the purpose "DDoS attack bandwidth sales business". Based on the knowledge information shown in FIG. 6, the purpose estimation unit 110 estimates that the behavior labelled "MACT-2014-0005" has at least one of the purposes shown in FIG. 7, that is, at least one of "card and personal information sales business", "click fraud business", "ransom business" and "DDoS attack bandwidth sales business". The analysis apparatus 100 can output the relationship between behavior and purpose estimated by the purpose estimation unit 110, as shown in FIG. 7, in an arbitrary format; for example, it can display the relationship on a display device (not shown) or write it to an arbitrary file.
Various modifications of the analysis apparatus 100 in this embodiment are conceivable. For example, in this embodiment the behavior whose purpose is to be estimated is not limited to behavior detected by the detection device 150; the analysis apparatus 100 can take any behavior whose purpose should be estimated as the target of estimation.
Next, the second embodiment of the present invention will be described. FIG. 13 is a diagram showing an example of the method by which the analysis apparatus in the second embodiment calculates the fitness of a behavior. FIG. 14 is a diagram showing another example of the method by which the analysis apparatus 100 in the second embodiment calculates the fitness of a behavior. FIG. 15 is a diagram showing an example of the estimation method when the analysis apparatus 100 in the second embodiment estimates the purpose using the fitness of a behavior. FIG. 16 is a diagram showing an example in which additional information is specified for the knowledge information used by the analysis apparatus 100 in the second embodiment. FIG. 17 is a diagram showing another such example. FIG. 18 is a diagram showing an example of information indicating the correspondence between a behavior and the malware that causes it, as used by the analysis apparatus 100 in the second embodiment. FIG. 19 is a diagram showing an example of information about analysts related to knowledge information including the relationship between behavior and purpose, as used by the analysis apparatus 100 in the second embodiment.
Examples of the additional information used by the analysis apparatus 100 in this embodiment are described below.
As one example, the analysis apparatus 100 uses, as additional information, the fitness of the behavior whose purpose is to be estimated with respect to malware operation.
Another example of the additional information used by the analysis apparatus 100 in this embodiment is described next. In this example, the analysis apparatus 100 uses, as additional information, history information of the behaviors whose purpose has been estimated.
Yet another example of the additional information used by the analysis apparatus 100 in this embodiment is described next. In this example, the analysis apparatus 100 uses, as additional information, information about the relationship between the behavior whose purpose is to be estimated and the malware that causes that behavior.
Yet another example of the additional information used by the analysis apparatus 100 in this embodiment is described next. In this example, the analysis apparatus 100 uses, as additional information, information about the analyst related to knowledge information including the relationship between behavior and purpose.
Next, the third embodiment of the present invention will be described. FIG. 20 is a diagram showing the configuration of an analysis apparatus 300 and an analysis system including it according to the third embodiment. FIG. 21 is a flowchart showing the procedure by which the knowledge information input unit 130 of the analysis apparatus 300 in the third embodiment accepts knowledge information. FIG. 22 is an example of the input screen used when the knowledge information input unit 130 accepts knowledge information.
Next, the fourth embodiment of the present invention will be described. FIG. 23 is a diagram showing the configuration of an analysis apparatus 400 and an analysis system including it according to the fourth embodiment. FIG. 24 is a diagram showing an example of behaviors or functions predicted by the analysis apparatus 400 in the fourth embodiment.
Claims (13)
- An analysis apparatus comprising purpose estimation means for estimating the purpose of a given behavior in a computer on the basis of the behavior and knowledge information including a relationship between the behavior and a purpose for which the behavior is executed.
- The analysis apparatus according to claim 1, wherein the knowledge information further includes at least one of a function realized by the behavior, a relationship between the behavior and the function, and a relationship between the function and the purpose.
- The analysis apparatus according to claim 1 or 2, comprising knowledge information storage means for storing the knowledge information.
- The analysis apparatus according to any one of claims 1 to 3, wherein the purpose of the behavior is estimated on the basis of the fitness between the behavior and a behavior specified in advance as an operation of malware.
- The analysis apparatus according to any one of claims 1 to 4, wherein the purpose estimation means identifies a behavior satisfying a predetermined condition on the basis of information about the history of the behaviors used to estimate the purpose.
- The analysis apparatus according to claim 5, wherein the purpose estimation means adds a behavior representing a predetermined situation to the knowledge information when the history satisfies a predetermined condition.
- The analysis apparatus according to any one of claims 1 to 6, wherein the purpose estimation means estimates the purpose of the behavior on the basis of information indicating a relationship between information included in the knowledge information and malware.
- The analysis apparatus according to any one of claims 1 to 7, wherein the purpose estimation means estimates the purpose of the behavior on the basis of information about an analyst related to the knowledge information.
- The analysis apparatus according to any one of claims 1 to 8, comprising a knowledge information input unit that accepts the knowledge information.
- The analysis apparatus according to any one of claims 1 to 9, comprising activity prediction means for predicting the behavior that realizes the purpose, on the basis of the purpose estimated by the purpose estimation means and the knowledge information.
- An analysis system comprising the analysis apparatus according to any one of claims 1 to 10 and
a detection device that detects behavior of malware,
wherein the analysis apparatus estimates the purpose of the behavior on the basis of the behavior detected by the detection device and the knowledge information. - An analysis method for estimating the purpose of a given behavior in a computer on the basis of the behavior and a relationship between the behavior and a purpose for which the behavior is executed.
- A computer-readable recording medium recording a program that causes a computer to execute processing for estimating the purpose of a given behavior in a computer on the basis of the behavior and knowledge information including a relationship between the behavior and a purpose for which the behavior is executed.
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2016543499A JP6380537B2 (ja) | 2014-08-22 | 2014-08-22 | Analysis device, analysis method and computer-readable recording medium |
PCT/JP2014/004320 WO2016027292A1 (ja) | 2014-08-22 | 2014-08-22 | Analysis device, analysis method and computer-readable recording medium |
US15/505,498 US10360378B2 (en) | 2014-08-22 | 2014-08-22 | Analysis device, analysis method and computer-readable recording medium |
DE112014006880.2T DE112014006880T5 (de) | 2014-08-22 | 2014-08-22 | Analysevorrichtung, Analyseverfahren und computerlesbares Speichermedium |
US16/453,244 US11640463B2 (en) | 2014-08-22 | 2019-06-26 | Analysis device, analysis method and computer-readable recording medium |
US17/667,783 US11847216B2 (en) | 2014-08-22 | 2022-02-09 | Analysis device, analysis method and computer-readable recording medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2014/004320 WO2016027292A1 (ja) | 2014-08-22 | 2014-08-22 | Analysis apparatus, analysis method, and computer-readable recording medium |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/505,498 A-371-Of-International US10360378B2 (en) | 2014-08-22 | 2014-08-22 | Analysis device, analysis method and computer-readable recording medium |
US16/453,244 Continuation US11640463B2 (en) | 2014-08-22 | 2019-06-26 | Analysis device, analysis method and computer-readable recording medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016027292A1 true WO2016027292A1 (ja) | 2016-02-25 |
Family
ID=55350274
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/004320 WO2016027292A1 (ja) | 2014-08-22 | 2014-08-22 | Analysis apparatus, analysis method, and computer-readable recording medium |
Country Status (4)
Country | Link |
---|---|
US (3) | US10360378B2 (ja) |
JP (1) | JP6380537B2 (ja) |
DE (1) | DE112014006880T5 (ja) |
WO (1) | WO2016027292A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2020503635A (ja) * | 2016-12-29 | 2020-01-30 | Chronicle LLC | Collecting indicators of compromise for security threat detection |
WO2020161780A1 (ja) * | 2019-02-04 | 2020-08-13 | NEC Corporation | Action plan estimation apparatus, action plan estimation method, and computer-readable recording medium |
WO2021109695A1 (zh) * | 2019-12-06 | 2021-06-10 | Alipay (Hangzhou) Information Technology Co., Ltd. | Method and apparatus for monitoring adversarial attacks |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11762858B2 (en) * | 2020-03-19 | 2023-09-19 | The Mitre Corporation | Systems and methods for analyzing distributed system data streams using declarative specification, detection, and evaluation of happened-before relationships |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006285599A (ja) * | 2005-03-31 | 2006-10-19 | Toshiba Corp | Action support apparatus, action support method, and action support program |
JP2012501504A (ja) * | 2008-08-29 | 2012-01-19 | AVG Technologies CZ, s.r.o. | System and method for malware detection |
Family Cites Families (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3256967B2 (ja) * | 1990-07-25 | 2002-02-18 | Omron Corporation | Approximate reasoning apparatus |
US7318015B2 (en) * | 2001-06-13 | 2008-01-08 | Verizon Business Global Llc | Method, system and program product for generating scenarios utilizing graphical objects representing hierarchically arranged elements of a modeled environment |
US6907430B2 (en) * | 2001-10-04 | 2005-06-14 | Booz-Allen Hamilton, Inc. | Method and system for assessing attacks on computer networks using Bayesian networks |
US8516583B2 (en) | 2005-03-31 | 2013-08-20 | Microsoft Corporation | Aggregating the knowledge base of computer systems to proactively protect a computer from malware |
JP4663484B2 (ja) * | 2005-04-25 | 2011-04-06 | Hitachi, Ltd. | System security design/evaluation support tool, system security design support tool, system security design/evaluation support program, and system security design support program |
US20070006304A1 (en) * | 2005-06-30 | 2007-01-04 | Microsoft Corporation | Optimizing malware recovery |
US8413245B2 (en) | 2005-12-16 | 2013-04-02 | Cisco Technology, Inc. | Methods and apparatus providing computer and network security for polymorphic attacks |
US20070240222A1 (en) * | 2006-04-06 | 2007-10-11 | George Tuvell | System and Method for Managing Malware Protection on Mobile Devices |
JP2010267128A (ja) | 2009-05-15 | 2010-11-25 | Ntt Docomo Inc | Analysis system, analysis apparatus, detection method, analysis method, and program |
US8752180B2 (en) | 2009-05-26 | 2014-06-10 | Symantec Corporation | Behavioral engine for identifying patterns of confidential data use |
EP2385676B1 (en) * | 2010-05-07 | 2019-06-26 | Alcatel Lucent | Method for adapting security policies of an information system infrastructure |
TWI435236B (zh) * | 2010-12-15 | 2014-04-21 | Inst Information Industry | Malicious program detection apparatus, malicious program detection method, and computer program product thereof |
US8793790B2 (en) * | 2011-10-11 | 2014-07-29 | Honeywell International Inc. | System and method for insider threat detection |
US9223962B1 (en) * | 2012-07-03 | 2015-12-29 | Bromium, Inc. | Micro-virtual machine forensics and detection |
US20140053267A1 (en) | 2012-08-20 | 2014-02-20 | Trusteer Ltd. | Method for identifying malicious executables |
US9292695B1 (en) * | 2013-04-10 | 2016-03-22 | Gabriel Bassett | System and method for cyber security analysis and human behavior prediction |
US9350747B2 (en) * | 2013-10-31 | 2016-05-24 | Cyberpoint International Llc | Methods and systems for malware analysis |
US9245123B1 (en) * | 2014-05-07 | 2016-01-26 | Symantec Corporation | Systems and methods for identifying malicious files |
US9680855B2 (en) | 2014-06-30 | 2017-06-13 | Neo Prime, LLC | Probabilistic model for cyber risk forecasting |
ES2905268T3 (es) | 2014-07-30 | 2022-04-07 | Siemens Ag | Protection of an automation component against program manipulation by means of signature matching |
US9571517B2 (en) * | 2014-11-11 | 2017-02-14 | Goldman, Sachs & Co. | Synthetic cyber-risk model for vulnerability determination |
WO2016076334A1 (ja) * | 2014-11-14 | 2016-05-19 | Nippon Telegraph and Telephone Corporation | Malware-infected terminal detection apparatus, malware-infected terminal detection method, and malware-infected terminal detection program |
JP5933797B1 (ja) * | 2015-10-07 | 2016-06-15 | Soliton Systems K.K. | Log information generation apparatus and program, and log information extraction apparatus and program |
WO2020246011A1 (ja) * | 2019-06-06 | 2020-12-10 | NEC Corporation | Rule generation apparatus, rule generation method, and computer-readable recording medium |
- 2014
  - 2014-08-22 JP JP2016543499A patent/JP6380537B2/ja active Active
  - 2014-08-22 DE DE112014006880.2T patent/DE112014006880T5/de active Pending
  - 2014-08-22 WO PCT/JP2014/004320 patent/WO2016027292A1/ja active Application Filing
  - 2014-08-22 US US15/505,498 patent/US10360378B2/en active Active
- 2019
  - 2019-06-26 US US16/453,244 patent/US11640463B2/en active Active
- 2022
  - 2022-02-09 US US17/667,783 patent/US11847216B2/en active Active
Non-Patent Citations (1)
Title |
---|
KOKI YASUMOTO ET AL.: "Function Estimation of Malware Code by Measuring Similarity", IEICE TECHNICAL REPORT, vol. 107, no. 343, 14 November 2007 (2007-11-14), pages 31 - 36 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2020503635A (ja) * | 2016-12-29 | 2020-01-30 | Chronicle LLC | Collecting indicators of compromise for security threat detection |
WO2020161780A1 (ja) * | 2019-02-04 | 2020-08-13 | NEC Corporation | Action plan estimation apparatus, action plan estimation method, and computer-readable recording medium |
JPWO2020161780A1 (ja) * | 2019-02-04 | 2021-11-25 | NEC Corporation | Action plan estimation apparatus, action plan estimation method, and program |
JP7168010B2 (ja) | 2019-02-04 | 2022-11-09 | NEC Corporation | Action plan estimation apparatus, action plan estimation method, and program |
US11989290B2 (en) | 2019-02-04 | 2024-05-21 | Nec Corporation | Action plan estimation apparatus, action plan estimation method, and computer-readable recording medium |
WO2021109695A1 (zh) * | 2019-12-06 | 2021-06-10 | Alipay (Hangzhou) Information Technology Co., Ltd. | Method and apparatus for monitoring adversarial attacks |
Also Published As
Publication number | Publication date |
---|---|
JPWO2016027292A1 (ja) | 2017-04-27 |
JP6380537B2 (ja) | 2018-08-29 |
US10360378B2 (en) | 2019-07-23 |
US20200012788A1 (en) | 2020-01-09 |
US20170270297A1 (en) | 2017-09-21 |
US11847216B2 (en) | 2023-12-19 |
DE112014006880T5 (de) | 2017-05-04 |
US20220318382A1 (en) | 2022-10-06 |
US11640463B2 (en) | 2023-05-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11640463B2 (en) | | Analysis device, analysis method and computer-readable recording medium |
EP3120286B1 (en) | | Behavior profiling for malware detection |
US11310245B2 (en) | | Indicator of compromise calculation system |
US8805995B1 (en) | | Capturing data relating to a threat |
CN105247532A (zh) | | Unsupervised anomaly-based malware detection using hardware features |
CN109344611B (zh) | | Application access control method, terminal device, and medium |
EP3772004B1 (en) | | Malicious incident visualization |
JP6717206B2 (ja) | | Anti-malware apparatus, anti-malware system, anti-malware method, and anti-malware program |
JP2010267128A (ja) | | Analysis system, analysis apparatus, detection method, analysis method, and program |
US20170155683A1 (en) | | Remedial action for release of threat data |
Bai et al. | | DBank: Predictive Behavioral Analysis of Recent Android Banking Trojans |
Singh et al. | | A context-aware trigger mechanism for ransomware forensics |
JPWO2016002605A1 (ja) | | Detection apparatus, detection method, and detection program |
CN109120626A (zh) | | Security threat processing method, ***, security awareness server, and storage medium |
Doğru et al. | | AppPerm analyzer: malware detection system based on android permissions and permission groups |
Sihag et al. | | Opcode n-gram based malware classification in android |
US11303670B1 (en) | | Pre-filtering detection of an injected script on a webpage accessed by a computing device |
CN116938600B (zh) | | Threat event analysis method, electronic device, and storage medium |
Elgohary et al. | | Detecting Mimikatz in Lateral Movements Using Windows API Call Sequence Analysis |
JP6258189B2 (ja) | | Identification apparatus, identification method, and identification program |
KR101872406B1 (ko) | | Apparatus and method for quantitatively determining the risk level of malicious codes |
Ozturk et al. | | Dynamic behavioural analysis of privacy-breaching and data theft ransomware |
US20240054213A1 (en) | | Attack information generation apparatus, control method, and non-transitory computer readable medium |
Wang et al. | | Using dynamic taint approach for malware threat |
Möller et al. | | Threat Intelligence |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14900057 Country of ref document: EP Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2016543499 Country of ref document: JP Kind code of ref document: A |
| | WWE | Wipo information: entry into national phase | Ref document number: 15505498 Country of ref document: US |
| | WWE | Wipo information: entry into national phase | Ref document number: 112014006880 Country of ref document: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 14900057 Country of ref document: EP Kind code of ref document: A1 |