WO2016060067A1 - 特定装置、特定方法および特定プログラム - Google Patents
特定装置、特定方法および特定プログラム Download PDFInfo
- Publication number
- WO2016060067A1 WO2016060067A1 PCT/JP2015/078670 JP2015078670W WO2016060067A1 WO 2016060067 A1 WO2016060067 A1 WO 2016060067A1 JP 2015078670 W JP2015078670 W JP 2015078670W WO 2016060067 A1 WO2016060067 A1 WO 2016060067A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- data
- malware
- communication destination
- tag
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9024—Graphs; Linked lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
Definitions
- the present invention relates to a specific device, a specific method, and a specific program.
- malware download sites In recent years, many malware such as bots and downloaders have been known to acquire and execute program codes from sites where malicious programs are installed (hereinafter referred to as malware download sites) to enhance functions. .
- functions for causing further damage such as attacks on external servers and information exploitation are added. For this reason, in order to minimize damage after infection, communication to the malware download site must be interrupted to prevent functional expansion.
- Non-Patent Document 1 download sites have been identified based on whether or not the downloaded file is malware.
- the process of determining whether or not the malware is malware is performed based on the inspection result of the anti-virus software and the behavior such as the registry operation that occurs when the file is executed.
- the above-described conventional technology has a problem that it may not be possible to appropriately identify a malicious site or malicious download data.
- the prior art has not been able to accurately identify malware and downloaded data. For this reason, it is not possible to analyze the dependency relationship between the communication destination that occurred during dynamic analysis of malware and the objects (program code and files) on the OS, and the cause of communication occurrence and the source of file data are identified. It wasn't done.
- malwares acquire and execute program codes from malware download sites to enhance their functions.
- a blacklist for preventing malware from communicating with the malware download site was obtained by dynamic analysis in order to prevent this functional expansion.
- a legitimate site was mistakenly specified as a download site.
- the specific apparatus of the present invention monitors malware to be analyzed, downloads the malware, download data downloaded from a communication destination, and the malware or the download data.
- a monitoring unit that acquires the data transfer relationship with the communication destination as log data, and the log data acquired by the monitoring unit, the malware, the download data and the communication destination as nodes,
- a creation unit that creates a dependency graph that is a directed graph with the node dependency as an edge, and detects each malignant node by comparing each node of the dependency graph created by the creation unit with known malignant information, The edge is traced from the end point to the start point with the malicious node as the base point, and the traced node is newly Characterized in that it comprises a specifying unit that specifies a malignant nodes.
- the identification method of the present invention is an identification method executed by a specific device, which monitors malware to be analyzed, downloads the malware, download data downloaded from a communication destination, and the malware or the download data.
- the specific program of the present invention monitors the malware to be analyzed, and the data transfer relationship between the malware, the download data downloaded from the communication destination, and the malware or the communication destination of the download data.
- a creation step for creating a relationship graph and each node of the dependency relationship graph created by the creation step is checked against known malignant information to detect a malignant node, and the edge from the end point is determined from the malignant node as a base point And follow the direction to the new node Characterized in that to execute a specifying step of specifying as over de in the computer.
- FIG. 1 is a schematic configuration diagram illustrating an overall configuration of a specific apparatus according to the first embodiment.
- FIG. 2 is a diagram illustrating a configuration example of a tag.
- FIG. 3 is a diagram illustrating an example of a dependency relationship graph.
- FIG. 4 is a diagram illustrating a malignancy determination process for determining a malignant node using known malignant information.
- FIG. 5 is a diagram for explaining a specifying process for specifying a malignant communication destination by tracing a dependency relationship starting from a malignant node.
- FIG. 6 is a flowchart illustrating a flow of log acquisition processing by the specific apparatus according to the first embodiment.
- FIG. 7 is a flowchart showing the flow of a process for identifying a malicious communication destination by the identifying apparatus according to the first embodiment.
- FIG. 8 is a diagram illustrating a computer that executes a specific program.
- FIG. 1 is a schematic configuration diagram illustrating an overall configuration of a specific apparatus according to the first embodiment.
- the identification device 10 includes a malware 11, a guest OS 12, a virtual machine 13, a log DB 14, a creation unit 15, and a identification unit 16.
- the identification device 10 is connected to a plurality of malignant information DBs 20 and acquires known malignant information from the malignant information DB 20.
- the malware execution environment unit 10a of the specific device 10 includes a malware 11, a guest OS 12, and a virtual computer 13.
- the guest OS 12 is an environment for dynamically analyzing the malware 11.
- the malware 11 is executed on the guest OS 12 and executes instructions such as API (Application Programming Interface) call and system call issuance.
- API Application Programming Interface
- the malware execution environment unit 10a operates the malware 11 on the guest OS 12, and tracks the instructions executed by the malware 11 and the data flow at the time of execution using the taint analysis technology.
- the taint analysis technique is a technique for tracking the propagation of data in the analysis system by setting a tag for data and propagating the tag according to a propagation rule.
- a tag is attribute information given to data, and the origin and type of data are set.
- the propagation rule is a condition for propagating a tag, and generally, data copy or calculation is set as a propagation condition. For example, when analyzing the usage of received data, a tag that can uniquely identify the acquisition source is set for the received data, and the tag is propagated according to data copy or calculation.
- the taint analysis technique is generally realized by using a virtual computer technique, and the tag is held in a dedicated recording area different from the data so as to be associated with the data.
- the malware execution environment unit 10a first installs the malware 11 to be analyzed on the guest OS 12, and the monitoring target tag (the monitoring target flag is enabled) in the disk area corresponding to the malware 11 file. Tag). Thereafter, the malware execution environment unit 10a executes the malware 11 to be analyzed.
- the instruction monitoring unit 13a monitors instructions executed by the malware 11, and the data flow analysis unit 13b starts the data flow in the malware execution environment unit 10a based on the data reception API and the malware program code data.
- the virtual computer 13 includes an instruction monitoring unit 13a and a data flow analysis unit 13b.
- the instruction monitoring unit 13a monitors the malware 11 to be analyzed, and logs a data transfer relationship between the malware 11, the download data downloaded from the communication destination, and the malware 11 or the communication destination of the download data. Get as data.
- the instruction monitoring unit 13a performs monitoring by attaching a tag to a file of the malware 11, and when the malware 11 calls a data reception API that is an API to be monitored, the instruction monitoring unit 13a relates to the API.
- a tag that can uniquely identify the transmission source of the data is assigned to the data after the monitoring target flag is enabled, and log data is acquired by tracking the propagation of the data to which the tag is attached. .
- the instruction monitoring unit 13a acquires the value of the instruction pointer register during analysis of the malware 11, and whether the monitoring target tag is attached to the memory area pointed to by the instruction pointer register.
- the data flow analysis unit 13b is inquired whether or not. If the monitoring target tag is set in the data as a result of the inquiry, the command monitoring unit 13a determines that the command is a monitoring target. If the call instruction to be monitored is executed and the target to be called by the call instruction is not the monitoring target API, it is determined that all instructions nested deeper than the instruction are the operation contents of the program code that executed the call instruction to be monitored. To be monitored.
- the instruction monitoring unit 13a identifies each instruction to be monitored in consideration of the call stack. This registration is canceled when returning to the next address of the call instruction.
- the instruction monitoring unit 13a performs processing according to the category of the monitoring target API.
- the data reception API is assumed to be an API for setting a tag
- the data transmission API is assumed to be an API for confirming the tag.
- the memory write API used for the file write API and the code injection is an API for checking the tag and setting the tag.
- a tag capable of uniquely specifying an acquisition source is set.
- FIG. 2 is a diagram illustrating a configuration example of a tag.
- a 64 bit long tag is represented.
- the tag includes a monitoring target flag, a write ID, and a data ID.
- the monitoring target flag is a flag value indicating that execution is to be monitored.
- the write ID is a value for managing whether or not the data to which the tag is attached is data written in a file or memory, and a unique value is given at the time of file writing and code injection.
- the last data ID is a value that can uniquely identify the data acquisition source.
- the acquisition source is communication destination information (IP address, FQDN (Fully Qualified Domain Name), URL (Uniform Resource Locator), etc.) that is information related to the transmission source of received data.
- the granularity of the communication destination information is determined in advance before analysis according to the information desired to be extracted by the specifying unit 16.
- the write ID and the data ID take 0 in the state where they are not set. That is, a tag whose monitoring target flag is 1 (valid) and other than that is 0 is a monitoring target tag set for malware to be analyzed. Further, the monitoring target flag is set to 1 for data received by the data reception API, and a tag having a write ID of 0 and a data ID of other than 0 is set.
- the communication destination information associated with the tag can be specified by monitoring and recording the network-related API executed by the malware at the time of malware analysis execution, and the length of this tag depends on the monitoring target flag, write ID,
- the data ID can be arbitrarily changed as long as the data ID can be held.
- the data flow analysis unit 13b receives an inquiry from the instruction monitoring unit 13a as to whether or not the monitoring target tag is attached to the memory area indicated by the instruction pointer register, whether or not the monitoring target tag is attached to the memory area in which the inquiry is made.
- the command monitoring unit 13a is notified of the determined result as an inquiry result.
- the log DB 14 holds logs collected by the malware execution environment unit 10a.
- the creation unit 15 uses the log data acquired by the instruction monitoring unit 13a to create a dependency graph that is a directed graph with the malware 11, download data, and communication destination as nodes, and the dependency of each node as an edge.
- the dependency graph has a node having a granularity capable of mapping existing malicious information.
- the edge connecting the nodes holds a data dependency as a relation that can explain the malignancy of the start node based on the malignancy of the end node. Specifically, it uses the edge to hold the dependency relationship related to data execution, the dependency relationship related to data storage, and the dependency relationship related to communication destination determination.
- Dependency related to data execution holds program code acquisition source information and indicates whether data is executed. This dependency relationship corresponds to a case where received data from a communication destination is directly executed on a memory, a case where data read from a file is executed, and a case where data injected by another program is executed. This dependency is expressed by an edge having a program code at the end node.
- the acquisition source information of the file data is retained. By maintaining this dependency relationship, it is possible to determine the acquisition source of the in-file data based on the file malignancy determination result.
- the data received from the communication destination is stored in a file, the file is copied, or the program code cuts itself out as a file corresponds to this dependency.
- This dependency relationship is expressed by an edge having a file at the end node.
- this dependency holds the origin of the communication destination information.
- This dependency relationship enables the malignancy determination of the origin of the communication destination information based on the malignant information of the communication destination.
- the determination of the communication destination by the communication destination, the file, and the program code corresponds to this dependency relationship, and the edge having the communication destination at the end node expresses this dependency relationship.
- FIG. 3 is a diagram illustrating an example of a dependency relationship graph.
- the file downloaded from the communication destination A is executed, communication between the communication destination B and the communication destination C occurs, and the dependency relationship when a new file is downloaded from the communication destination C is shown.
- the dependency graph has a communication destination, a program code, and a file as nodes.
- a public blacklist can be mapped to a communication destination, a heuristic detection result such as calling a specific API for a program code, and an inspection result by anti-virus software can be mapped to a file.
- FIG. 3 shows a series of dependencies until the file A downloaded from the communication destination A is executed and a new file B is acquired from the communication destination C.
- the malware execution environment unit 10a has the following operation in creating the dependency relationship graph illustrated in FIG.
- the malware 11 to be analyzed specified the communication destination A for communication, and the file A was downloaded from the communication destination A.
- the file A is executed as a program code, and the program code performs communication by designating the communication destination B and the communication destination C, respectively.
- a new file B is downloaded from the communication destination C.
- a process of creating a dependency relationship graph will be described below.
- the malware execution environment unit 10a executes the analysis target malware 11 after setting the monitoring target tag. While the malware 11 to be analyzed is being executed, the instruction monitoring unit 13a monitors the presence or absence of execution of data with API calls related to communication, file writing, and memory writing, and monitoring target tags. When the program code calls the data transmission API during analysis, the instruction monitoring unit 13a checks the set tag for the data specifying the communication destination information passed as an argument to the data transmission API, and the communication destination information And log it together.
- the creation unit 15 It is determined that the program code specified the communication destination. Thereby, the dependency between the malware and the communication destination A ((1) in FIG. 4), the dependency between the program code and the communication destination B ((4) in FIG. 4), and the dependency between the program code and the communication destination C (FIG. 4). (5)) becomes clear, and the creation unit 15 connects the analysis target program code and the communication destination A with an edge, and connects the program code and the communication destination B with an edge.
- the instruction monitoring unit 13a sets a tag having a data ID for the received data, and records it in the log together with the communication destination information of the acquisition source To do.
- the instruction monitoring unit 13a sets the write ID and propagates the tag to the file data.
- the dependency indicating that the received data from the communication destination A has been written to the file A ((2) in FIG. 4) and the dependency indicating that the data received from the communication destination C has been written to the file B. ((6) in FIG. 4) can be traced.
- the write ID has already been set, the write ID is overwritten.
- the instruction monitoring unit 13a stores, in the log DB 14, the tag set in the data written to the file together with the file name and the tag newly set for the data written in the file.
- the creation unit 15 connects the communication destination A and the file A with an edge, and connects the communication destination C and the file B with an edge.
- whether or not the received data or the data written in the file has been executed is determined by whether or not a tag having a data ID or a write ID is set in the memory area pointed to by the instruction pointer register. For example, when a file downloaded from the communication destination A is executed, a write ID is set for the executed data. If the write ID is the same as the tag set in the data written to the file, it can be determined that the file has been executed. On the other hand, if it is the same as the tag set at the time of code injection, it can be determined that the injected data has been executed.
- the instruction monitoring unit 13a records a tag associated with the executed data in a log so that the creation unit 15 can represent the communication destination and the program code and the dependency relationship between the file and the program code on the graph.
- the creation unit 15 uses the log stored in the log DB 14 to connect the file A and the program code with an edge.
- the specifying unit 16 compares each node of the dependency relationship graph created by the creating unit 15 with known malignant information to detect a malignant node, and traces the edge from the end point to the start point using the malignant node as a base point. Then, the traced node is identified as a new malicious node. In addition, when the node identified as a malignant node is a communication destination node, the identification unit 16 identifies the communication destination node as a malignant site and immediately before reaching the communication destination node. If the node is download data such as a file or a program code, the communication destination node is detected as a malware download site.
- the specifying unit 16 maps existing malignant information to the dependency relationship graph created by the creating unit 15. For example, if the host name of the communication destination is “example.co.jp” and the host name is registered in existing malicious information such as a public blacklist, the corresponding node on the dependency graph Gives information indicating malignancy.
- the identifying unit 16 traces the dependency relationship starting from the node determined to be malignant by the mapping process, and determines that the communication destination reachable from the node is malignant. Also, the reachable file is identified as a malicious file. Thereafter, the specifying unit 16 outputs a list of malicious communication destinations including a malware download site and file information determined to be malicious in the process.
- a dependency relationship that can refer to the malignancy of the start node is held because of the malignancy of the end node.
- the specifying unit 16 collates each node of the dependency relationship graph with known malignant information, and detects a malware node and a communication destination C node as malignant nodes. Then, as illustrated in FIG. 5, the specifying unit 16 traces the edge from the end point toward the start point using the malignant node as a base point, and sets the communication destination A, the file A, and the program code as malignant as the traced node. Identifies as a node. For this reason, it is possible to determine the malignancy by tracing back the dependency relationship between the two nodes connected by the edge in order.
- the direction of dependency plays an important role in preventing false detection.
- the malware 11 has an analysis disturbing function in order to avoid execution in the analysis environment. One of them is confirmation of connection to the Internet using a legitimate site, and the malware 11 discriminates whether or not the analysis environment is isolated from the Internet by checking the connectivity to the legitimate site.
- connection confirmation site is also expressed as one node on the dependency graph, and the data dependency is the edge from the origin of the communication destination information to the communication destination. Expressed. For this reason, for example, even if it is determined that the communication destination C is malignant based on known malicious information as shown in FIG. 4, the dependency between the program code and the communication destination B cannot be traced back. The result is malignant. Therefore, the communication destination B is not determined to be malignant. In this way, the present method of using the data dependency relationship as a dependency graph is not erroneously detected even when communication with a regular site for the purpose of connection confirmation occurs.
- the analysis target is assumed to be malware.
- the analysis target may be a suspicious program code.
- it is possible to determine the malignancy of the suspicious program code using the specific device 10.
- it can be applied to a technique for identifying malware by operating a suspected program suspected of being malware, tracing from a node that matches existing malicious information, and reaching the suspected program.
- malignant information to be applied may be limited using known benign information.
- known benign information includes, for example, a hash value of a file installed as a standard on the OS if it is a file, a DNS (Domain Name System) server if it is a communication destination, etc. List of famous sites.
- FIG. 6 is a flowchart illustrating a flow of log acquisition processing by the specific apparatus according to the first embodiment.
- FIG. 7 is a flowchart showing the flow of a process for identifying a malicious communication destination by the identifying apparatus according to the first embodiment.
- the malware execution environment unit 10a of the specific device 10 first installs the malware 11 to be analyzed on the guest OS 12 (step S101), and monitors a tag to be monitored in the disk area corresponding to the malware 11 file. Is set (step S102). Thereafter, the malware execution environment unit 10a executes the malware 11 (step S103).
- the instruction monitoring unit 13a acquires the value of the instruction pointer register during the analysis of the malware 11 (step S104), and whether the monitoring target tag is attached to the memory area indicated by the instruction pointer register in the data flow analysis unit 13b. Inquire. Then, the data flow analysis unit 13b acquires the address area tag pointed to by the instruction pointer register (step S105), and notifies the instruction monitoring unit 13a of the inquiry result. If the monitoring target tag is not attached to the data as a result of the inquiry (No at Step S106), the instruction monitoring unit 13a determines whether the currently monitored thread is the monitoring target (Step S107). .
- Step S107 when the instruction monitoring unit 13a determines that the currently monitored thread is not a monitoring target (No at Step S107), the instruction monitoring unit 13a returns to Step S104. If the instruction monitoring unit 13a determines that the currently monitored thread is the monitoring target (Yes at Step S107), the instruction monitoring unit 13a proceeds to the process of Step S108.
- step S108 the instruction monitoring unit 13a determines that the instruction is a monitoring target, and determines whether the monitoring target call instruction is executed (step S108). As a result, when it is determined that the call instruction is not executed (No at Step S108), the instruction monitoring unit 13a determines whether or not the Ret instruction returns to the instruction pointer address immediately after monitoring target registration (Step S109).
- Step S109 when it is determined that the instruction monitoring unit 13a does not return to the instruction pointer address immediately after the monitoring target registration by the Ret instruction (No at Step S109), the instruction monitoring unit 13a returns to Step S104.
- the instruction monitoring unit 13a determines to return to the instruction pointer address immediately after monitoring target registration with the Ret command (Yes in step S109)
- the instruction monitoring unit 13a cancels the monitoring target (step S110), and returns to step S104.
- Step S111 the instruction monitoring unit 13a determines whether the monitoring target API is called. As a result, when the monitoring target API is not called (No at Step S111), the instruction monitoring unit 13a registers the thread as a monitoring target (Step S112) and returns to Step S104.
- the instruction monitoring unit 13a determines whether it is a tag setting API (Step S113). As a result, if the instruction monitoring unit 13a determines that the tag setting API is set (Yes at Step S113), the instruction monitoring unit 13a sets a tag that can uniquely identify the acquisition source (Step S114), and sets the communication destination information of the acquisition source. In addition, the tag is recorded in the log DB 14 (step S115). For example, in the case of the data reception API, the instruction monitoring unit 13a sets a tag for the data received by the data reception API, and adds the tag to the log DB 14 together with the communication destination information from which the received data is acquired. To record.
- the command monitoring unit 13a determines whether it is a tag confirmation API (Step S116). As a result, when it is determined that the tag monitoring API is the tag confirmation API (Yes at Step S116), the instruction monitoring unit 13a confirms the tag (Step S117) and records a log such as a tag in the log DB 14 (Step S118). For example, if the command monitoring unit 13a is a data transmission API, the command monitoring unit 13a checks the set tag for the data passed to the argument as the communication destination information, and immediately before the communication destination information and the cause of execution of the API The tag is recorded in the log DB 14 together with the monitoring target tag. The immediately preceding monitoring target tag that caused the execution is identified by tracing the call stack and checking the program code with the latest monitoring target tag.
- Step S116 If the instruction monitoring unit 13a determines that it is not the tag confirmation API (No at Step S116), the tag is set after the tag confirmation (Step S119), and the tag is recorded in the log DB 14 together with the write destination name (Step S119). Step S120).
- the command monitoring unit 13a is a memory writing API used for file writing API and code injection
- the tag is set after tag confirmation, and the monitoring target immediately before the execution destination of the API is set. Together with the tag, the confirmed tag and the set tag are recorded in the log DB 14.
- the write destination name is a file name in the case of a file write API, and a process name of a write destination in the case of a memory write API used for code injection.
- step S121 the instruction monitoring unit 13a determines whether or not a certain time has elapsed (step S121), and if it is determined that the certain time has not elapsed. (No at step S121), the process returns to step S104. If the instruction monitoring unit 13a determines that the predetermined time has passed (Yes in step S121), the instruction monitoring unit 13a ends the process.
- the creation unit 15 extracts nodes and edges of the dependency relationship graph from the log stored in the log DB 14.
- the dependency relationships held in the dependency relationship graph are dependency relationships related to data execution, dependency relationships related to data storage, and dependency relationships related to communication destination determination.
- the edge that holds the dependency related to data execution has a program code at the end node and a program code or file at the start node and a communication destination. This edge is created as follows based on the log recorded in the log DB 14.
- the edge that is the program code in both the end point node and the start point node is created when the monitoring target tag immediately before the execution cause is a tag written by the memory write API. At this time, the program code with the monitoring target tag immediately before causing the execution of the memory write API becomes the start node.
- the edge where the end node is a program code and the start node is a file is created when the monitoring target tag immediately before execution is a tag written by the file write API. At this time, the file in which the tag is set becomes the start point node.
- the edge whose end node is the program code and whose start point node is the communication destination is generated when the monitoring target tag immediately before the execution cause is the tag set in the received data from the communication destination. At this time, the communication destination becomes the start node.
- the edge that holds the dependency related to data storage has a file at the end node, a program code or file at the start node, and a communication destination. This edge is created as follows based on the log recorded in the log DB 14.
- An edge that is a file in both the start node and the end node is created when a tag set in a file is observed in the write data to a different file by the file write API.
- the tag set at the time of writing to the file X is set to the data to be written to the file Y is applicable.
- the file X becomes a start point node and the file Y becomes an end point node.
- An edge whose end node is a file and whose start node is a program code is created when it is observed that the program code has written data having the same tag as the program code.
- the edge whose end-point node is a file and whose start-point node is a communication destination confirms the tag of data written to the file in the file write API, and the tag before setting the confirmed write ID is the communication destination. Generated when the tag is set in the received data from.
- the destination node has a communication destination
- the start node has a program code or file
- a communication destination This edge is created as follows based on the log recorded in the log DB 14.
- the edge that is the communication destination of both the start node and the end node is created when the tag set in the data passed as the communication destination information to the data transmission API is the same as the tag set in the reception data in the data reception API Is done.
- the starting point node is a sender of the received data.
- An edge whose end node is a communication destination and whose start point node is a program code indicates that a tag is not set in the data passed as the communication destination information to the data transmission API, or the set tag is the data transmission It is created when it is the same as the immediately preceding monitoring target tag that caused the API execution.
- the start node is a program code having a monitoring target tag immediately before causing the execution of the data transmission API.
- An edge whose end node is a communication destination and whose start point node is a file is a tag that is set in the data passed as communication destination information to the data transmission API, and a tag that is newly set in the write data by the file write API. Created if they are the same. At this time, the start point node becomes a write destination file of the file write API. The start point node and end point node of the edge created by the above method become nodes on the dependency relationship graph.
- the creating unit 15 of the specifying apparatus 10 constructs a dependency relationship graph using the log stored in the log DB 14 (Step S201). Then, the specifying unit 16 determines whether or not a node exists in the dependency relationship graph (step S202). As a result, when the node does not exist (No at Step S202), the specifying unit 16 ends this process.
- the specifying unit 16 maps the existing malignant information to the dependency graph created by the creating unit 15 (Step S203). Then, the specifying unit 16 determines whether there is a node to which the malignant information is mapped (step S204). As a result, when the node to which the malignant information is mapped does not exist (No at Step S204), the specifying unit 16 ends the process. Further, when there is a node to which the malignant information is mapped (Yes in Step S204), the specifying unit 16 changes the edge of the dependency relationship graph in the reverse direction (Step S205), and sets the malignant node as a base point.
- the edge is traced from the end point to the start point, all nodes reachable from the node to which the malignant information is mapped are determined to be malignant (step S206), and the process is terminated.
- the communication destination corresponding to the communication destination node determined to be a malicious node is detected as a malicious site, and the node immediately before reaching the communication destination node is download data such as a file or a program code. In this case, the communication destination node is detected as a malware download site. Note that it is not always necessary to follow the edge after changing the edge of the dependency relationship graph in the reverse direction, and the edge may be traced in the reverse direction from the end point to the start point without making the edge reverse.
- the identification device 10 monitors the malware 11 to be analyzed, and the malware 11, the download data downloaded from the communication destination, and the malware 11 or the communication destination of the download data. Get the data transfer relationship between them as log data. Then, the specific device 10 uses the acquired log data to create a dependency graph that is a directed graph with the malware, download data, and communication destination as nodes, and the dependency of each node as an edge. Then, the identifying device 10 collates each node of the created dependency relationship graph with known malignant information to detect a malignant node, and follows the edge from the end point to the start point using the malignant node as a base point. The traced node is identified as a new malicious node.
- the identification device 10 is useful for identifying a malicious communication destination including a malware download site, and is effective when execution data cannot be determined as malignant or when the download site is configured in multiple stages.
- the identified node is a communication destination, that node can be detected as a malware download site.
- the communication to the legitimate site performed by the malware 11 cannot be traced from known malicious information (the edge does not connect from the end point to the start point), the legitimate site is not mistakenly detected as a malware download site. Also play.
- each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated.
- the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured.
- all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.
- the creating unit 15 and the specifying unit 16 may be integrated.
- program In addition, it is possible to create a program in which processing executed by the specific device 10 according to the above embodiment is described in a language that can be executed by a computer. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the program. Further, such a program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed to execute the same processing as in the above embodiment. Below, an example of the computer which performs the specific program which implement
- FIG. 8 is a diagram illustrating a computer that executes a specific program.
- the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
- the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
- BIOS Basic Input Output System
- the hard disk drive interface 1030 is connected to the hard disk drive 1090.
- the disk drive interface 1040 is connected to the disk drive 1041.
- a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041.
- a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050.
- a display 1130 is connected to the video adapter 1060.
- the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094.
- Each table described in the above embodiment is stored in the hard disk drive 1090 or the memory 1010, for example.
- the specific program is stored in the hard disk drive 1090 as a program module in which a command to be executed by the computer 1000 is described, for example.
- a program module describing each process executed by the specific device 10 described in the above embodiment is stored in the hard disk drive 1090.
- data used for information processing by the specific program is stored in the hard disk drive 1090 as program data, for example.
- the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.
- program module 1093 and the program data 1094 related to the specific program are not limited to being stored in the hard disk drive 1090, but are stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1041 or the like. May be.
- the program module 1093 and the program data 1094 related to the specific program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and are transmitted via the network interface 1070. It may be read by the CPU 1020.
- a network such as a LAN (Local Area Network) or a WAN (Wide Area Network
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- Data Mining & Analysis (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
以下の実施の形態では、第一の実施の形態に係る特定装置の構成および処理の流れを順に説明し、最後に第一の実施の形態による効果を説明する。
まず、図1を用いて、第一の実施の形態に係る特定装置10について説明する。図1は、第一の実施の形態に係る特定装置の全体構成を示す概略構成図である。図1に示すように、特定装置10は、マルウェア11、ゲストOS12、仮想計算機13、ログDB14、作成部15および特定部16を有する。また、特定装置10は、複数の悪性情報DB20と接続されており、悪性情報DB20から既知の悪性情報を取得する。
次に、図6および図7を用いて、特定装置10の処理について説明する。図6は、第一の実施の形態に係る特定装置によるログの取得処理の流れを示すフローチャートである。図7は、第一の実施の形態に係る特定装置による悪性通信先の特定処理の流れを示すフローチャートである。
このように、第一の実施形態に係る特定装置10は、解析対象のマルウェア11を監視し、該マルウェア11と、通信先からダウンロードされたダウンロードデータと、マルウェア11またはダウンロードデータの通信先との間で行われるデータの受け渡し関係をログデータとして取得する。そして、特定装置10は、取得されたログデータを用いて、マルウェア、ダウンロードデータおよび通信先をノードとし、各ノードの依存関係をエッジとする有向グラフである依存関係グラフを作成する。そして、特定装置10は、作成された依存関係グラフの各ノードを既知の悪性情報と照合して悪性なノードを検出し、該悪性なノードを基点としてエッジを終点から始点方向へと辿っていき、辿ったノードを新たな悪性なノードとして特定する。このため、悪性なサイトや悪性なダウンロードデータを適切に特定することが可能である。つまり、特定装置10は、マルウェアダウンロードサイトを含む悪性通信先の特定に有用であり、実行データを悪性判定できない場合や、ダウンロードサイトが多段で構成されている場合に効果的である。
また、図示した各装置の各構成要素は機能概念的なものであり、必ずしも物理的に図示の如く構成されていることを要しない。すなわち、各装置の分散・統合の具体的形態は図示のものに限られず、その全部または一部を、各種の負荷や使用状況などに応じて、任意の単位で機能的または物理的に分散・統合して構成することができる。さらに、各装置にて行なわれる各処理機能は、その全部または任意の一部が、CPUおよび当該CPUにて解析実行されるプログラムにて実現され、あるいは、ワイヤードロジックによるハードウェアとして実現され得る。例えば、作成部15と特定部16を統合してもよい。
また、上記実施形態に係る特定装置10が実行する処理をコンピュータが実行可能な言語で記述したプログラムを作成することもできる。この場合、コンピュータがプログラムを実行することにより、上記実施形態と同様の効果を得ることができる。さらに、かかるプログラムをコンピュータで読み取り可能な記録媒体に記録して、この記録媒体に記録されたプログラムをコンピュータに読み込ませて実行することにより上記実施形態と同様の処理を実現してもよい。以下に、特定装置10と同様の機能を実現する特定プログラムを実行するコンピュータの一例を説明する。
10a マルウェア実行環境部
11 マルウェア
12 ゲストOS
13 仮想計算機
13a 命令監視部
13b データフロー解析部
14 ログDB
15 作成部
16 特定部
20 悪性情報DB
Claims (6)
- 解析対象のマルウェアを監視し、該マルウェアと、通信先からダウンロードされたダウンロードデータと、前記マルウェアまたは前記ダウンロードデータの通信先との間で行われるデータの受け渡し関係をログデータとして取得する監視部と、
前記監視部によって取得されたログデータを用いて、前記マルウェア、前記ダウンロードデータおよび前記通信先をノードとし、各ノードの依存関係をエッジとする有向グラフである依存関係グラフを作成する作成部と、
前記作成部によって作成された依存関係グラフの各ノードを既知の悪性情報と照合して悪性なノードを検出し、該悪性なノードを基点としてエッジを終点から始点方向へと辿っていき、辿ったノードを新たな悪性なノードとして特定する特定部と
を備えることを特徴とする特定装置。 - 前記監視部は、前記マルウェアのファイルに対してタグを付与して監視を行い、該マルウェアが監視対象のAPIを呼び出した場合には、該APIに関するデータに対して、当該データの送信元を一意に特定可能なタグを付与し、該タグが付与されたデータの伝搬を追跡することで、前記ログデータを取得することを特徴とする請求項1に記載の特定装置。
- 前記特定部は、前記悪性なノードであると特定したノードが通信先のノードである場合には、該通信先のノードを悪性なサイトとして特定することを特徴とする請求項1または2に記載の特定装置。
- 前記特定部は、前記悪性なノードであると特定したノードが通信先のノードである場合には、該通信先のノードを悪性なサイトとして特定し、さらに該通信先のノードに至る直前のノードが前記ダウンロードデータのノードである場合には、前記悪性なサイトとして特定したノードをマルウェアダウンロードサイトとして検出することを特徴とする請求項3に記載の特定装置。
- 特定装置で実行される特定方法であって、
解析対象のマルウェアを監視し、該マルウェアと、通信先からダウンロードされたダウンロードデータと、前記マルウェアまたは前記ダウンロードデータの通信先との間で行われるデータの受け渡し関係をログデータとして取得する監視工程と、
前記監視工程によって取得されたログデータを用いて、前記マルウェア、前記ダウンロードデータおよび前記通信先をノードとし、各ノードの依存関係をエッジとする有向グラフである依存関係グラフを作成する作成工程と、
前記作成工程によって作成された依存関係グラフの各ノードを既知の悪性情報と照合して悪性なノードを検出し、該悪性なノードを基点としてエッジを終点から始点方向へと辿っていき、辿ったノードを新たな悪性なノードとして特定する特定工程と
を含んだことを特徴とする特定方法。 - 解析対象のマルウェアを監視し、該マルウェアと、通信先からダウンロードされたダウンロードデータと、前記マルウェアまたは前記ダウンロードデータの通信先との間で行われるデータの受け渡し関係をログデータとして取得する監視ステップと、
前記監視ステップによって取得されたログデータを用いて、前記マルウェア、前記ダウンロードデータおよび前記通信先をノードとし、各ノードの依存関係をエッジとする有向グラフである依存関係グラフを作成する作成ステップと、
前記作成ステップによって作成された依存関係グラフの各ノードを既知の悪性情報と照合して悪性なノードを検出し、該悪性なノードを基点としてエッジを終点から始点方向へと辿っていき、辿ったノードを新たな悪性なノードとして特定する特定ステップと
をコンピュータに実行させるための特定プログラム。
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2016554061A JP6088714B2 (ja) | 2014-10-14 | 2015-10-08 | 特定装置、特定方法および特定プログラム |
CN201580055319.7A CN106796635B (zh) | 2014-10-14 | 2015-10-08 | 确定装置、确定方法 |
US15/514,748 US10397261B2 (en) | 2014-10-14 | 2015-10-08 | Identifying device, identifying method and identifying program |
EP15851421.6A EP3200115B1 (en) | 2014-10-14 | 2015-10-08 | Specification device, specification method, and specification program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2014210221 | 2014-10-14 | ||
JP2014-210221 | 2014-10-14 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016060067A1 true WO2016060067A1 (ja) | 2016-04-21 |
Family
ID=55746613
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2015/078670 WO2016060067A1 (ja) | 2014-10-14 | 2015-10-08 | 特定装置、特定方法および特定プログラム |
Country Status (5)
Country | Link |
---|---|
US (1) | US10397261B2 (ja) |
EP (1) | EP3200115B1 (ja) |
JP (1) | JP6088714B2 (ja) |
CN (1) | CN106796635B (ja) |
WO (1) | WO2016060067A1 (ja) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020075808A1 (ja) * | 2018-10-11 | 2020-04-16 | 日本電信電話株式会社 | 情報処理装置、ログ分析方法及びプログラム |
KR102239985B1 (ko) * | 2020-10-14 | 2021-04-14 | (주)시큐레이어 | 시스템에 위협이 될 수 있는 위협 이벤트를 최적화 ui 상에서 디스플레이함으로써 사용자가 상기 위협 이벤트를 용이하게 분석할 수 있도록 하는 위협 이벤트 리플레이 방법 및 장치 |
WO2021070352A1 (ja) * | 2019-10-10 | 2021-04-15 | 日本電信電話株式会社 | グラフ関連付けシステムおよびグラフ関連付け方法 |
CN113282909A (zh) * | 2021-05-11 | 2021-08-20 | 南京大学 | 一种设备指纹信息采集项识别方法 |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016121255A1 (ja) * | 2015-01-28 | 2016-08-04 | 日本電信電話株式会社 | マルウェア解析システム、マルウェア解析方法およびマルウェア解析プログラム |
US10192051B2 (en) * | 2015-06-17 | 2019-01-29 | Accenture Global Services Limited | Data acceleration |
US10848501B2 (en) | 2016-12-30 | 2020-11-24 | Microsoft Technology Licensing, Llc | Real time pivoting on data to model governance properties |
US10579821B2 (en) | 2016-12-30 | 2020-03-03 | Microsoft Technology Licensing, Llc | Intelligence and analysis driven security and compliance recommendations |
US20180191781A1 (en) * | 2016-12-30 | 2018-07-05 | Microsoft Technology Licensing, Llc | Data insights platform for a security and compliance environment |
CN109712010B (zh) * | 2017-10-24 | 2023-07-18 | 华为云计算技术有限公司 | 发现社团的方法和装置、计算设备、可读存储介质 |
US10628586B1 (en) * | 2017-11-30 | 2020-04-21 | Palo Alto Networks, Inc. | Detecting malware via scanning for dynamically generated function pointers in memory |
JP6984551B2 (ja) * | 2018-06-27 | 2021-12-22 | 日本電信電話株式会社 | 異常検知装置、および、異常検知方法 |
EP3588348A1 (en) * | 2018-06-29 | 2020-01-01 | AO Kaspersky Lab | Systems and methods for detecting malicious activity in a computer system |
US11601442B2 (en) * | 2018-08-17 | 2023-03-07 | The Research Foundation For The State University Of New York | System and method associated with expedient detection and reconstruction of cyber events in a compact scenario representation using provenance tags and customizable policy |
US11552962B2 (en) | 2018-08-31 | 2023-01-10 | Sophos Limited | Computer assisted identification of intermediate level threats |
JP7040467B2 (ja) * | 2019-01-11 | 2022-03-23 | 日本電信電話株式会社 | 更新装置および更新方法 |
US11238154B2 (en) * | 2019-07-05 | 2022-02-01 | Mcafee, Llc | Multi-lateral process trees for malware remediation |
US12014156B2 (en) * | 2020-09-04 | 2024-06-18 | Mitsubishi Electric Corporation | Program creation support program to provide log data on device values and dependency relationships between devices |
JP2022050219A (ja) * | 2020-09-17 | 2022-03-30 | 富士フイルムビジネスイノベーション株式会社 | 情報処理装置及び情報処理プログラム |
CN114172689B (zh) * | 2021-11-11 | 2023-11-28 | 卓尔智联(武汉)研究院有限公司 | 一种信息处理方法及设备 |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8065731B1 (en) * | 2008-07-01 | 2011-11-22 | Narus, Inc. | System and method for malware containment in communication networks |
Family Cites Families (39)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7409717B1 (en) * | 2002-05-23 | 2008-08-05 | Symantec Corporation | Metamorphic computer virus detection |
JP2006053788A (ja) | 2004-08-12 | 2006-02-23 | Ntt Docomo Inc | ソフトウェア動作監視装置及びソフトウェア動作監視方法 |
US20070067844A1 (en) * | 2005-09-16 | 2007-03-22 | Sana Security | Method and apparatus for removing harmful software |
US8566928B2 (en) * | 2005-10-27 | 2013-10-22 | Georgia Tech Research Corporation | Method and system for detecting and responding to attacking networks |
US7530105B2 (en) * | 2006-03-21 | 2009-05-05 | 21St Century Technologies, Inc. | Tactical and strategic attack detection and prediction |
US8838570B1 (en) * | 2006-11-06 | 2014-09-16 | Trend Micro Incorporated | Detection of bot-infected computers using a web browser |
US7854002B2 (en) * | 2007-04-30 | 2010-12-14 | Microsoft Corporation | Pattern matching for spyware detection |
US8316448B2 (en) * | 2007-10-26 | 2012-11-20 | Microsoft Corporation | Automatic filter generation and generalization |
JP5050781B2 (ja) * | 2007-10-30 | 2012-10-17 | 富士通株式会社 | マルウエア検出装置、監視装置、マルウエア検出プログラム、およびマルウエア検出方法 |
US20090328215A1 (en) * | 2008-06-30 | 2009-12-31 | Microsoft Corporation | Semantic networks for intrusion detection |
US8176556B1 (en) * | 2008-10-31 | 2012-05-08 | Symantec Corporation | Methods and systems for tracing web-based attacks |
US8850571B2 (en) * | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
AU2010223925A1 (en) * | 2009-03-13 | 2011-11-03 | Rutgers, The State University Of New Jersey | Systems and methods for the detection of malware |
US8443447B1 (en) * | 2009-08-06 | 2013-05-14 | Trend Micro Incorporated | Apparatus and method for detecting malware-infected electronic mail |
US20110035802A1 (en) * | 2009-08-07 | 2011-02-10 | Microsoft Corporation | Representing virtual object priority based on relationships |
US20110113491A1 (en) * | 2009-11-12 | 2011-05-12 | Deutsche Telekom Ag | Collaborative system for protecting against the propagation of malwares in a network |
US8341745B1 (en) * | 2010-02-22 | 2012-12-25 | Symantec Corporation | Inferring file and website reputations by belief propagation leveraging machine reputation |
US8566944B2 (en) * | 2010-04-27 | 2013-10-22 | Microsoft Corporation | Malware investigation by analyzing computer memory |
US8510829B2 (en) * | 2010-06-24 | 2013-08-13 | Mcafee, Inc. | Systems and methods to detect malicious media files |
US8826444B1 (en) * | 2010-07-09 | 2014-09-02 | Symantec Corporation | Systems and methods for using client reputation data to classify web domains |
US8516585B2 (en) * | 2010-10-01 | 2013-08-20 | Alcatel Lucent | System and method for detection of domain-flux botnets and the like |
US9519781B2 (en) | 2011-11-03 | 2016-12-13 | Cyphort Inc. | Systems and methods for virtualization and emulation assisted malware detection |
US10262148B2 (en) * | 2012-01-09 | 2019-04-16 | Visa International Service Association | Secure dynamic page content and layouts apparatuses, methods and systems |
US9158893B2 (en) * | 2012-02-17 | 2015-10-13 | Shape Security, Inc. | System for finding code in a data flow |
AU2013272211B2 (en) * | 2012-03-22 | 2016-11-24 | Los Alamos National Security, Llc | Path scanning for the detection of anomalous subgraphs, anomaly/change detection and network situational awareness |
US9411890B2 (en) * | 2012-04-04 | 2016-08-09 | Google Inc. | Graph-based search queries using web content metadata |
US9021589B2 (en) * | 2012-06-05 | 2015-04-28 | Los Alamos National Security, Llc | Integrating multiple data sources for malware classification |
US9069963B2 (en) * | 2012-07-05 | 2015-06-30 | Raytheon Bbn Technologies Corp. | Statistical inspection systems and methods for components and component relationships |
US8931092B2 (en) * | 2012-08-23 | 2015-01-06 | Raytheon Bbn Technologies Corp. | System and method for computer inspection of information objects for shared malware components |
WO2014087597A1 (ja) | 2012-12-07 | 2014-06-12 | キヤノン電子株式会社 | ウイルス侵入経路特定装置、ウイルス侵入経路特定方法およびプログラム |
CN103995814B (zh) | 2013-02-20 | 2017-04-05 | 腾讯科技(深圳)有限公司 | 一种病毒最终母体的查找方法和*** |
US9710646B1 (en) * | 2013-02-26 | 2017-07-18 | Palo Alto Networks, Inc. | Malware detection using clustering with malware source information |
US9749336B1 (en) * | 2013-02-26 | 2017-08-29 | Palo Alto Networks, Inc. | Malware domain detection using passive DNS |
US9202052B1 (en) * | 2013-06-21 | 2015-12-01 | Emc Corporation | Dynamic graph anomaly detection framework and scalable system architecture |
US9225730B1 (en) * | 2014-03-19 | 2015-12-29 | Amazon Technologies, Inc. | Graph based detection of anomalous activity |
US10887331B2 (en) * | 2014-03-20 | 2021-01-05 | Nec Coporation | Information processing apparatus and influence-process extraction method |
US9363280B1 (en) * | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
JP2016068282A (ja) | 2014-09-26 | 2016-05-09 | 日本電産コパル株式会社 | プリンタ装置 |
US20160219066A1 (en) * | 2015-01-26 | 2016-07-28 | Cisco Technology, Inc. | Event correlation in a network merging local graph models from distributed nodes |
-
2015
- 2015-10-08 US US15/514,748 patent/US10397261B2/en active Active
- 2015-10-08 JP JP2016554061A patent/JP6088714B2/ja active Active
- 2015-10-08 WO PCT/JP2015/078670 patent/WO2016060067A1/ja active Application Filing
- 2015-10-08 EP EP15851421.6A patent/EP3200115B1/en active Active
- 2015-10-08 CN CN201580055319.7A patent/CN106796635B/zh active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8065731B1 (en) * | 2008-07-01 | 2011-11-22 | Narus, Inc. | System and method for malware containment in communication networks |
Non-Patent Citations (3)
Title |
---|
TOMONORI IKUSE ET AL.: "Identifying C&C Server by Analyzing Relation between Control Flow and Communications", IEICE TECHNICAL REPORT, vol. 113, no. 502, 20 March 2014 (2014-03-20), pages 137 - 142, XP055250109 * |
TOMONORI IKUSE ET AL.: "Malware Download Site Detection Based on Dependencies between Remote Servers and Malware Behavior", CSS2014 COMPUTER SECURITY SYMPOSIUM 2014 RONBUNSHU GODO KAISAI MALWARE TAISAKU KENKYUNIN, vol. 2014, no. 2, 24 December 2014 (2014-12-24), pages 1134 - 1141, XP008185246 * |
YUHEI KAWAKOYA: "Tracing Malicious Code with Taint Propagation", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN (JOURNAL, vol. 54, no. 8, 15 August 2013 (2013-08-15), pages 2079 - 2089, XP055370788 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020075808A1 (ja) * | 2018-10-11 | 2020-04-16 | 日本電信電話株式会社 | 情報処理装置、ログ分析方法及びプログラム |
JPWO2020075808A1 (ja) * | 2018-10-11 | 2021-09-02 | 日本電信電話株式会社 | 情報処理装置、ログ分析方法及びプログラム |
JP7176569B2 (ja) | 2018-10-11 | 2022-11-22 | 日本電信電話株式会社 | 情報処理装置、ログ分析方法及びプログラム |
WO2021070352A1 (ja) * | 2019-10-10 | 2021-04-15 | 日本電信電話株式会社 | グラフ関連付けシステムおよびグラフ関連付け方法 |
JPWO2021070352A1 (ja) * | 2019-10-10 | 2021-04-15 | ||
JP7251649B2 (ja) | 2019-10-10 | 2023-04-04 | 日本電信電話株式会社 | グラフ関連付けシステムおよびグラフ関連付け方法 |
KR102239985B1 (ko) * | 2020-10-14 | 2021-04-14 | (주)시큐레이어 | 시스템에 위협이 될 수 있는 위협 이벤트를 최적화 ui 상에서 디스플레이함으로써 사용자가 상기 위협 이벤트를 용이하게 분석할 수 있도록 하는 위협 이벤트 리플레이 방법 및 장치 |
CN113282909A (zh) * | 2021-05-11 | 2021-08-20 | 南京大学 | 一种设备指纹信息采集项识别方法 |
CN113282909B (zh) * | 2021-05-11 | 2024-04-09 | 南京大学 | 一种设备指纹信息采集项识别方法 |
Also Published As
Publication number | Publication date |
---|---|
CN106796635B (zh) | 2019-10-22 |
EP3200115B1 (en) | 2019-01-09 |
JPWO2016060067A1 (ja) | 2017-04-27 |
US20170223040A1 (en) | 2017-08-03 |
US10397261B2 (en) | 2019-08-27 |
CN106796635A (zh) | 2017-05-31 |
JP6088714B2 (ja) | 2017-03-01 |
EP3200115A1 (en) | 2017-08-02 |
EP3200115A4 (en) | 2017-10-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6088714B2 (ja) | 特定装置、特定方法および特定プログラム | |
JP6122562B2 (ja) | 特定装置、特定方法および特定プログラム | |
JP5972401B2 (ja) | 攻撃分析システム及び連携装置及び攻撃分析連携方法及びプログラム | |
US10055585B2 (en) | Hardware and software execution profiling | |
US8042186B1 (en) | System and method for detection of complex malware | |
US8782791B2 (en) | Computer virus detection systems and methods | |
US8474039B2 (en) | System and method for proactive detection and repair of malware memory infection via a remote memory reputation system | |
US8191147B1 (en) | Method for malware removal based on network signatures and file system artifacts | |
KR102271545B1 (ko) | 도메인 생성 알고리즘(dga) 멀웨어 탐지를 위한 시스템 및 방법들 | |
JP2019082989A (ja) | 標的型攻撃をクラウド型検出、探索および除去するシステムおよび方法 | |
US11893114B2 (en) | Memory layout based monitoring | |
EP2515250A1 (en) | System and method for detection of complex malware | |
US10382455B2 (en) | Identifying apparatus, identifying method, and identifying program | |
WO2018131199A1 (ja) | 結合装置、結合方法および結合プログラム | |
JP6000465B2 (ja) | プロセス検査装置、プロセス検査プログラムおよびプロセス検査方法 | |
CN105791250B (zh) | 应用程序检测方法及装置 | |
JP5876399B2 (ja) | 不正プログラム実行システム、不正プログラム実行方法及び不正プログラム実行プログラム | |
US10893090B2 (en) | Monitoring a process on an IoT device | |
US20130019313A1 (en) | Granular virus detection | |
JP6258189B2 (ja) | 特定装置、特定方法および特定プログラム | |
JP2009271686A (ja) | ネットワークシステム、マルウェア検出装置、マルウェア検出方法、プログラム及び記録媒体 | |
Lee et al. | Identifying inter-component communication vulnerabilities in eventbased systems | |
CN114697057B (zh) | 获取编排剧本信息的方法、装置及存储介质 | |
Lee | Detecting Inter-Component Vulnerabilities in Event-based Systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15851421 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2016554061 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15514748 Country of ref document: US |
|
REEP | Request for entry into the european phase |
Ref document number: 2015851421 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2015851421 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |