JP5613000B2 - Application characteristic analysis apparatus and program - Google Patents

Description

  The present invention relates to an application characteristic analysis apparatus that analyzes application characteristics from information of multiple types of logs. The present invention also relates to a program for causing a computer to function as the application characteristic analysis apparatus.

  In recent years, smartphones that realize high functionality close to PCs are becoming popular. As an OS (operating system) installed in a smartphone, for example, Android which is a general-purpose OS called an open platform is adopted. Many applications operating on such an OS are published on the Internet, and a smartphone user can select a necessary application and install it on the smartphone.

  However, with the spread of smartphones, behaviors that may cause users' unintentional disadvantages such as stealing personal information of users, guiding them to malignant sites, and stealing OS administrator privileges. Malicious applications have also appeared. It is important to detect such malicious applications.

  In Android, there is a method of analyzing application logs collected using Dalvik Debug Monitor Service (DDMS) or Logcat, which is a debugging tool for applications on a virtual machine called Dalvik, as a method for detecting malicious applications. In addition, kernel logs collected using strace that monitors system calls in the Linux (registered trademark) kernel, which is a lower layer than the Dalvik virtual machine, and network device drivers embedded in Linux (registered trademark) You can also use communication logs collected using tcpdump, which monitors packets for sending and receiving.

  In addition, there is a method for analyzing the execution code of the application. In addition, Android applications are composed of multiple files. Analyze the file names of the configuration files that make up the application (for example, anti-virus software) and the file names of files that are added or changed by application installation. There is also a technique (for example, a specific IDS (Intrusion Detection System)). Patent Document 1 discloses a technique for analyzing a log output from a network device.

JP 2007-243338 A

  By analyzing each of the above logs, files, and executable codes, it becomes possible to detect malicious applications without missing them. However, since the behavior on the Dalvik virtual machine also appears in the behavior in the Linux (registered trademark) layer, there is a problem that the behavior is recorded twice in the log. Furthermore, when a malicious application that performs a network attack operates, the behavior is recorded in the communication log, and the behavior is recorded in triplicate in the log.

  By including a file containing a specific executable code in the application, the malicious behavior described above may be realized. In that case, the executable code, the files that make up the application, and before and after the installation of the application Traces of attacks also appear on changing files. Analyzing duplicate malicious behaviors individually to analyze the characteristics of a single application will detect information related to the same behavior over and over, and the application characteristics will be overemphasized. become.

For example, regarding the behavior of an application that leaks personal information, when the above logs and files are analyzed, a plurality of pieces of information are detected as follows.
Analysis result of application log (DDMS log): Sending the phone number of the terminal to the outside is detected (risk level: 2).
Analysis result of application log (Strace log): Detection of reading the phone number of the terminal from the disk to the memory (risk level: 1).
Analysis result of communication log (Tcpdump log): Transmission of the phone number of the terminal to a specific IP address is detected (risk level: 2).
Execution code analysis result: The terminal phone number reading function is detected (risk level: 1), and the communication function with external hosts is detected (risk level: 0).
Analysis result of application configuration file name: Detects the function to send the phone number of the terminal to an external host (risk level: 2).
Analysis result of added file name: Detects the function to send the phone number of the terminal to an external host (risk level: 2).

  Distinguishing multiple pieces of detected information as described above and outputting them as analysis results makes it difficult to understand the analysis results, creating an illusion of the administrator, etc., when a number of dangerous behaviors are detected. It becomes difficult for an administrator or the like to grasp the behavior. Therefore, it is desirable to obtain an analysis result obtained by aggregating a plurality of pieces of information detected by analysis of logs and files.

  The present invention has been made in view of the above-described problems, and an object of the present invention is to provide an information application characteristic analysis apparatus and program capable of obtaining representative information related to the behavior of a malignant application.

The present invention has been made to solve the above-described problems, and includes a plurality of patterns configured by information related to the behavior of a malicious application, and typical characteristics of the behavior of the malicious application associated with the pattern. A storage unit for storing representative characteristic information indicating a numerical value indicating the risk level of the malignant application associated with the representative characteristic information, an application log recording the behavior of the application, a kernel log recording the behavior of the kernel, A comparison unit that compares the information recorded in each of the communication logs that record information of packets transmitted and received during communication with the plurality of patterns, and the application log, the kernel log, or the communication log. The associated with the pattern that matches the recorded information And table characteristic information and the extraction unit extracts a combination of the numerical values, when a plurality kinds of the combination extracted by the extracting unit, comparing the numerical values of the extracted plural kinds of the combinations, the highest risk And a selection unit that selects the combination including the numerical values to be displayed .

  In addition, the application characteristic analysis apparatus according to the present invention further includes a display unit that displays the combination selected by the selection unit.

  In the application characteristic analysis apparatus of the present invention, the comparison unit further compares information on files constituting the application with the plurality of patterns.

  In the application characteristic analysis apparatus of the present invention, the comparison unit further compares the information of the file added or changed between the first time point and the second time point with the plurality of patterns. To do.

  In the application characteristic analysis apparatus of the present invention, the comparison unit further compares information obtained by performing code analysis of the application with the plurality of patterns.

In the application characteristic analysis apparatus of the present invention, the extraction unit extracts the combination every time the comparison unit performs comparison in a predetermined unit, and the selection unit performs comparison in the predetermined unit. Each time it is performed, the numerical values of a plurality of types of the combinations extracted by the extraction unit are compared , the combination including the numerical value indicating the highest degree of risk is selected, and included in the combination selected by the selection unit In the case where the numerical value is a predetermined numerical value, the comparison unit stops the operation of performing the comparison.

Further, the present invention provides a plurality of patterns composed of information related to the behavior of the malignant application, representative characteristic information associated with the pattern and indicating typical characteristics of the behavior of the malignant application, and the representative characteristic information. , A storage unit that stores a numerical value indicating the risk level of the malicious application, an application log that records the behavior of the application, a kernel log that records the behavior of the kernel, and information of packets transmitted and received during communication A comparison unit that compares the information recorded in each of the communication logs recorded with the plurality of patterns, and the pattern that matches the information recorded in the application log, the kernel log, or the communication log. A combination of the representative characteristic information and the numerical value associated with each other Selection and extraction portion for output, when it is extracted several kinds of the combination by the extraction section, the value of the extracted plural kinds of the combination are compared, and the combination comprising said numerical value indicating the highest risk And a program for causing the computer to function as the selection unit.

According to the present invention, when a plurality of types of combinations are extracted by the second information extraction unit, the numerical values of the extracted combinations of the plurality of types are compared, and the combination including the numerical value indicating the highest risk is selected. Thus, representative information related to the behavior of the malicious application can be obtained.

It is a block diagram which shows the structure of the application characteristic analysis apparatus by one Embodiment of this invention. It is a reference figure which shows the structure of the execution file of the application in one Embodiment of this invention. It is a reference figure which shows the relationship of the analysis object, malignant pattern, and representative characteristic in one Embodiment of this invention. It is a reference figure which shows the content of the malignant pattern file in one Embodiment of this invention. It is a flowchart which shows the procedure of the analysis process in one Embodiment of this invention. It is a reference figure which shows a mode that an analysis result is obtained by the analysis process in one Embodiment of this invention. It is a flowchart which shows the procedure of the analysis process in one Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the present embodiment, a technique for aggregating various characteristics of applications detected from logs or the like into representative characteristics is proposed. In this method, various patterns that match the pattern of the malignant application are detected from a log or the like, but what is finally obtained as an analysis result is a representative characteristic indicating a concept in which detailed patterns are aggregated. For example, as a result of comparing a log composed of tens of thousands of lines of data with hundreds of types of malignant patterns, information such as “detection of leakage of personal information risk: 2” is output. Thus, by outputting only information indicating typical characteristics, the analysis result becomes easy to understand, and an administrator or the like can easily grasp the malicious behavior and its degree.

  When the detected information is given a risk level and output as an analysis result, if the detected individual risk levels are simply summed and output, the numerical value of the risk will be higher than necessary, resulting in extremely dangerous behavior. If this is detected, the manager will be illusioned. Therefore, in this embodiment, the risk levels associated with typical characteristics prepared in advance are output as they are, instead of summing the risk levels associated with various characteristics of the application detected from the log or the like. This avoids excessive emphasis on the behavior of malicious applications.

  FIG. 1 shows the configuration of an application characteristic analysis apparatus according to an embodiment of the present invention. 1 includes an application 10, a virtual machine 11, a kernel 12, a communication unit 13, an operation unit 14, a display unit 15, an application monitoring unit 16, a system call monitoring unit 17, a packet monitoring unit 18, and log generation. Unit 19, storage unit 20, code analysis unit 21, application configuration file analysis unit 22, addition / change file analysis unit 23, analysis unit 24, pattern comparison unit 25, representative characteristic extraction unit 26, selection unit 27, analysis result output unit 28.

  The application 10 operates on the virtual machine 11. Although only one application is illustrated in FIG. 1, a plurality of applications can operate. The virtual machine 11 corresponds to dalvik provided on the Android platform, and is implemented on Android, which is an OS. The kernel 12 is the core part of Android, and performs process management, memory management, device management related to devices such as the communication unit 13, and control of system calls.

  The communication unit 13 communicates with an external communication device via a network. The operation unit 14 includes an operation member operated by a user. The display unit 15 displays various information.

  The application monitoring unit 16 monitors information input / output between the application 10 and the virtual machine 11 and outputs information related to the execution condition and state of the application 10. The function of the application monitoring unit 16 can be realized by using, for example, DDMS or Logcat. The system call monitoring unit 17 monitors system calls in the kernel 12 and outputs information on system calls called by processes related to the processing of the application 10. The function of the system call monitoring unit 17 can be realized by using, for example, strace.

  The packet monitoring unit 18 monitors packets transmitted and received by the communication unit 13 and outputs information such as packet destinations. The function of the packet monitoring unit 18 can be realized by using, for example, tcpdump. The log generation unit 19 is an application log in which information output from the application monitoring unit 16 is recorded, a kernel log in which information output from the system call monitoring unit 17 is recorded, and a communication in which information output from the packet monitoring unit 18 is recorded. A log is generated and stored in the storage unit 20.

  As described above, each log is stored in the storage unit 20. In the application log, various types of information related to application behavior are recorded. The kernel log records the behavior of the kernel, especially the behavior of system calls. In the communication log, packet information transmitted and received during communication is recorded.

  In addition to the above log, the storage unit 20 stores various files such as an execution file of the application 10. The code analysis unit 21 performs code analysis of the execution file of the application 10 stored in the storage unit 20 to extract the function (instruction sequence) of the application 10 and stores the code analysis result in the storage unit 20.

  The application configuration file analysis unit 22 extracts the file name of each file constituting the application 10 stored in the storage unit 20 and stores it in the storage unit 20 as a configuration file name. FIG. 2 shows the configuration of the execution file of the application. As shown in FIG. 2, the execution file 200 includes an execution code 201 including an instruction sequence, a manifest file 202 including information such as an application package name and components used by the application, a library 203 referred to when the execution code 201 is executed, And files such as parameters 204. The application configuration file analysis unit 22 extracts the file names of these files. The function of the application configuration file analysis unit 22 can be realized by using, for example, anti-virus software.

  The addition / change file analysis unit 23 extracts a file name of a file added or changed between two different time points, and stores it in the storage unit 20 as an addition / change file name. In the present embodiment, the addition / change file analysis unit 23 specifically analyzes a file added or changed by installing an application. For this reason, the addition / change file analysis unit 23 analyzes the file in the storage unit 20 at a timing before and after the installation of the application. The function of the addition / change file analysis unit 23 can be realized by using a specific IDS, for example.

  The analysis unit 24 analyzes the behavior of the application 10 using an application log or the like stored in the storage unit 20. The analysis unit 24 includes a pattern comparison unit 25, a representative characteristic extraction unit 26, a selection unit 27, and an analysis result output unit 28.

  Before describing the function of each unit included in the analysis unit 24, the relationship among the analysis target, malignant pattern, and representative characteristics will be described. The analysis target, malignant pattern, and representative characteristic are associated as shown in FIG. The analysis target is an application log, a kernel log, a communication log, a configuration file name, an addition / change file name, and a code analysis result (application function). These analysis targets are associated with malignant patterns corresponding to each analysis target. For example, the application log and the kernel log are associated with a predetermined behavior pattern related to the malicious application and a communication destination of communication performed by the malicious application. The communication log is associated with a communication destination of communication performed by the malicious application and a communication amount when the malicious application performs communication. The configuration file name and the addition / change file name are associated with the file names related to the malicious application. The code analysis result is associated with the code included in the malicious application. In this embodiment, a malignant pattern is detected by pattern matching between each analysis target data and a malignant pattern associated with each analysis target.

  These malignant patterns are associated with representative characteristics corresponding to each malignant pattern. In this embodiment, three types of “spyware (information leakage)”, “attack”, and “others” are prepared as major classifications of representative characteristics. In addition, each large category is associated with a small item that is a more specific characteristic and a risk level. For example, “personal information” which is a small item indicating the type of information to be leaked and “other information” are associated with the large classification “spyware (information leakage)”. The major category “attack” is associated with “root privilege capture”, “terminal destruction”, and “network attack”, which are small items indicating the type of attack. A small item “a large amount of communication” is associated with the large category “other”. In addition, a risk level is associated with each small item.

  When a specific malignant pattern is detected by pattern matching between a certain analysis target and a malignant pattern, the above characteristic is traced and a representative characteristic as an analysis result is extracted. That is, no matter what malignant pattern is detected, the analysis result is finally collected into one of the above representative characteristics. In the present embodiment, when representative characteristics having the same major classification and different small items and different risk levels are extracted from a plurality of detected malignant patterns, the representative characteristics having the highest risk level are selected. For example, if all of the representative characteristics with a large classification of “spyware (information leakage)” are extracted, and the two representative characteristics with different risk levels are extracted, the risk level is “2”. A representative characteristic which is “personal information” is selected and output as an analysis result.

  The relationship between the analysis target, the malignant pattern, and the representative characteristic is stored in advance in the storage unit 20 as a malignant pattern file. FIG. 4 shows the contents of the malignant pattern file. The malignant pattern file includes five types of information 410 to 450 associated with the number 400. Information 410 indicates an analysis target. Application logs, kernel logs, communication logs, configuration file names, addition / change file names, and code analysis results (application functions) are analyzed. The information 410 may include a plurality of pieces of analysis target information.

  Information 420 indicates a malignant pattern. The malignant pattern is composed of information indicating a trace of the behavior of an actual malignant application. Specific examples of the malignant pattern will be described later. Information 430 (representative characteristic information) indicates a large classification of representative characteristics. “Spyware (information leakage)”, “attack”, and “others” are major categories of representative characteristics. Information 440 (representative characteristic information) indicates a small item in the large classification. For example, “personal information” and “other information” associated with “spyware (information leakage)” are small items. Information 450 indicates the degree of danger.

  In the present embodiment, it is necessary to create the malignant pattern file in advance and store it in the storage unit 20. The malicious pattern is acquired by operating a known malicious application and monitoring its behavior with various tools. The association between the malignant pattern and the major classification / small item of the representative characteristic and the risk level is determined by the intention of the creator who creates the malignant pattern file. For example, this association is determined by the intention of a developer who develops an application having the function of the analysis unit 24. Since this association only needs to be determined until the analysis target to be described later is analyzed, the association once determined by the developer or the like may be changed by the user.

  Hereinafter, functions of each unit included in the analysis unit 24 will be described. The pattern comparison unit 25 compares the data under analysis with the malignant pattern in the malignant pattern file stored in the storage unit 20. When the data under analysis matches the malignant pattern, the representative characteristic extraction unit 26 extracts a representative characteristic associated with the malignant pattern. The selection unit 27 selects one to be output as the analysis result from the representative characteristics extracted by the representative characteristic extraction unit 26. The analysis result output unit 28 outputs the representative characteristic selected by the selection unit 27 to the display unit 15 as an analysis result.

  Next, the malignant pattern in this embodiment will be described. As shown in FIG. 3, the malignant pattern includes a predetermined behavior pattern related to a malignant application, a communication destination of communication performed by the malignant application, a communication amount when the malignant application performs communication, a file name related to the malignant application, a malignant Contains information about the code included in the application.

  The predetermined behavior pattern related to the malicious application is composed of specific character strings appearing in the application log and the kernel log. For example, spyware behavior patterns that leak personal information include “phone number =” that is a character string related to a telephone number and “imsi =” that is a character string related to contractor information. Also, for example, the attack behavior pattern that seizes the root privilege includes “/ system / xbin / su”, which is a character string related to the execution privilege change command, and the attack behavior pattern due to terminal destruction includes the file system There is "mount -r, w re.mount" which is a character string related to the mount command. Note that a portion surrounded by “to” is a character string that becomes a malignant pattern. The same applies to the following.

  The malignant pattern indicating the communication destination of communication performed by the malignant application is configured by a specific character string appearing in the application log, the kernel log, and the communication log. For example, a malicious pattern that indicates a spyware communication destination that leaks personal information includes “FQDN = admob.com”, which is a character string related to the FQDN (Fully Qualified Domain Name) of a website that collects personal information, and personal information. There is "IP = xxx.xxx.xxx.xxx" (where x is actually any number from 0 to 9) that is a character string related to the IP address of the Web site to be collected. In addition, the malicious pattern indicating the communication destination of the network attack includes “port = yyy” (where yyy is actually any one of 135, 137, 138, 445, 1433, and 1434) that is a character string related to the destination port number.

  The malignant pattern indicating the communication amount when the malicious application performs communication includes a number of packets per unit time detected from the communication log or a numerical value indicating the communication data amount per unit time. There is a malicious application that realizes a function called tethering, which is used as a communication modem by changing an original function set in a portable terminal. When tethering is realized by this malicious application, a large amount of data communication is performed. In the present embodiment, when the communication amount detected from the communication log exceeds the communication amount as the malignant pattern, it is determined that the malignant pattern is matched.

  The malicious pattern indicating the file name related to the malicious application is composed of a character string indicating the file name of the common library including the malicious code. For example, there is “admob” as a malignant pattern indicating a file name related to spyware that leaks personal information. In addition, for example, there is “asroot” in the malignant pattern indicating the file name related to the malicious application performing the attack that seizes the root authority, and the malignant pattern indicating the file name related to the malicious application performing the attack due to the terminal destruction. There is “recovery flasher”.

  The malignant pattern indicating the code included in the malignant application is composed of a character string indicating a malicious instruction string. For example, “send_sim_info ()” is a malignant pattern indicating a spyware code that leaks personal information. Further, for example, there is “mount_system ()” as a malignant pattern indicating a code of a malignant application that performs an attack due to terminal destruction.

  Next, details of the analysis processing in the present embodiment will be described. Two examples will be described below. First, a first example will be described. FIG. 5 shows the procedure of the analysis process. The pattern comparison unit 25 is one of an application log, a kernel log, a communication log, a configuration file name, an addition / change file name, and a code analysis result (application function) stored in the storage unit 20. One is selected (step S100). Subsequently, the pattern comparison unit 25 selects data constituting the analysis target selected in step S100 and reads it from the storage unit 20 (step S105). At this time, for example, data for one recording unit in the log is selected.

  Subsequently, the pattern comparison unit 25 reads the malignant pattern file from the storage unit 20, and performs pattern matching that sequentially compares the data constituting the analysis target with the malignant pattern in the malignant pattern file (step S110). Although the malignant pattern file includes a plurality of malignant patterns, a malignant pattern corresponding to the analysis target is used for pattern matching. For example, when an application log is selected in step S100, only the malignant pattern whose information 410 in FIG. 4 is the application log is used for pattern matching. In step S110, pattern matching with all malignant patterns corresponding to the same analysis target is performed.

  In step S110, pattern matching for a predetermined behavior pattern related to a malicious application, a communication destination of communication performed by the malicious application, a file name related to the malicious application, and information on a code included in the malicious application is performed by comparison with character strings. In step S110, the pattern matching related to the traffic volume when a malicious application communicates is performed by determining whether the traffic volume detected from the communication log exceeds the traffic volume registered as the malignant pattern. Is called.

  Subsequently, the pattern comparison unit 25 stores the number (number 400 in FIG. 4) relating to the malignant pattern that matches the data constituting the analysis target in the storage unit 20 as a pattern matching result (step S115). Subsequently, the pattern comparison unit 25 determines whether or not the analysis of all data being analyzed is completed (step S120).

  If there is data that has not been analyzed, the process returns to step S105, and the next data is selected. In addition, when the analysis of all data being analyzed is completed, the pattern comparison unit 25 determines whether or not the analysis of all analysis objects is completed (step S125). If there is an analysis target that has not been analyzed, the process returns to step S100, and the next analysis target is selected.

  When the analysis of all the analysis targets is completed, the representative characteristic extraction unit 26 reads the pattern matching result and the malignant pattern file from the storage unit 20, and performs the major classification and small classification of the representative characteristic corresponding to the number recorded as the pattern matching result. Item information (information 430, 440 in FIG. 4) and risk (information 450 in FIG. 4) are extracted from the malignant pattern file (step S130). When a plurality of numbers are recorded as a pattern matching result, information on major classification and small items of representative characteristics and risk levels corresponding to each number are extracted from the pattern file.

  Subsequently, the selection unit 27 compares the numerical values of the risk levels of the respective information extracted in step S130, and selects the major classification and small item information and the risk level of the representative characteristic associated with the highest risk level. To obtain an analysis result (step S135). When only one number is recorded as the pattern matching result, the information extracted in step S130 is directly used as the analysis result. On the other hand, when a plurality of numbers are recorded as the pattern matching result, a plurality of combinations of information of major classification and small items of information and risk levels are extracted, and the combination having the highest risk level among these combinations Is selected and the analysis result is obtained. When there are a plurality of combinations having the highest risk level in the same major classification (however, the small items of those combinations are different), each of them is selected and becomes an analysis result. The analysis result is stored in the storage unit 20.

  Subsequently, the analysis result output unit 28 outputs the analysis result obtained in step S135 to the display unit 15 to display the analysis result (step S140). As a result, for example, a character string “Detection risk of personal information leakage risk: 2” is displayed on the screen of the display unit 15.

  FIG. 6 schematically shows how an analysis result is obtained by the above-described analysis processing. FIG. 6 is an example. The arrows in FIG. 6 indicate the relevance of the information detected by the analysis process.

  A predetermined behavior pattern related to a malicious application is detected from the application log and the kernel log. In this example, the major classification is “spyware (information leakage)”, the minor item is “personal information”, and the behavior pattern associated with the representative characteristic 600 having a risk level of “2” and the major classification are “ "Spyware (information leakage)", a small item is "other information", and a behavior pattern associated with the representative characteristic 610 having a risk level of "1" is detected. Further, the communication destination of communication performed by the malicious application is detected from the communication log. In this example, a communication destination associated with the representative characteristic 600 is detected.

  In addition, the file name related to the malicious application is detected from the application configuration file name and the addition / change file name. In this example, the file name associated with the representative characteristic 600 is detected. In addition, the code information included in the malicious application is detected from the code analysis result. In this example, a code associated with the representative characteristic 610 is detected.

  As shown in FIG. 6, two types of representative characteristics 600 and 610 are extracted as analysis result candidates. Since the risk levels of these representative characteristics 600 and 610 are “2” and “1”, the representative characteristic 600 having the highest risk level “2” is selected as the analysis result.

  Next, a second example of analysis processing will be described. FIG. 7 shows the procedure of the analysis process. In FIG. 7, the process of steps S200 to S215 is the same as the process of steps S100 to S115 of FIG. In steps S <b> 200 to S <b> 215, pattern matching between the data constituting the analysis target and the malignant pattern is performed, and the pattern matching result regarding the malignant pattern matching the data constituting the analysis target is stored in the storage unit 20.

  Subsequent to step S215, the pattern comparison unit determines whether the analysis target is an application log, a kernel log, or a communication log (step S220). If the analysis target is neither an application log, a kernel log, nor a communication log, the process proceeds to step S245. The processing in steps S245 to S265 is the same as the processing in steps S120 to S140 in FIG.

  When the analysis target is any one of the application log, the kernel log, and the communication log, the pattern comparison unit 25 determines whether or not the analysis for a predetermined analysis unit has been completed for the data constituting the analysis target ( Step S225). The predetermined analysis unit is each division unit when the data constituting one log is divided into a plurality of pieces. For example, when the data constituting one log is divided into 100 pieces, each of the divided 100 pieces of data is a predetermined analysis unit. The determination in step S225 is performed for the purpose of performing the processing in steps S230 to S240 every time analysis of data for a predetermined analysis unit is completed.

  If analysis of data for a predetermined analysis unit has not been completed, the process returns to step S205, and the next data is selected. When the analysis of data for a predetermined analysis unit is completed, the representative characteristic extraction unit 26 reads the pattern matching result and the malignant pattern file from the storage unit 20, and displays a large representative characteristic corresponding to the number recorded as the pattern matching result. Classification and small item information (information 430, 440 in FIG. 4) and risk (information 450 in FIG. 4) are extracted from the malignant pattern file (step S230). When a plurality of numbers are recorded as a pattern matching result, information on major classification and small items of representative characteristics and risk levels corresponding to each number are extracted from the pattern file.

  Subsequently, the selection unit 27 determines whether or not there is a predetermined maximum risk level among the risk levels of each piece of information extracted in step S230 (step S235). In the example shown in FIG. 3, the highest risk level is the risk level “2”. The risk level may be any number of levels. For example, when five levels of risk from the risk level “1” to the risk level “5” are prepared, the maximum risk level is the risk level “5”.

  If there is no risk of the predetermined maximum value, the process proceeds to step S245. If it is determined in step S245 that there is data that has not been analyzed, the process returns to step S205, and data for the next analysis unit is selected. Further, when there is a predetermined maximum risk level, the selection unit 27 selects the major classification and small item information and the risk level associated with the maximum risk level as an analysis result. (Step S240). The analysis result is stored in the storage unit 20. Subsequently, the process proceeds to step S265, and the analysis result is displayed on the screen of the display unit 15.

  In the present embodiment, the characteristics of detected malicious applications are collected into representative characteristics having the highest risk level. In the analysis process shown in FIG. 7, when the analysis target is any one of the application log, the kernel log, and the communication log, a representative characteristic is extracted every time pattern matching for data for a predetermined analysis unit is completed. . When a representative characteristic with the highest risk level is extracted from the pattern matching result of data for a certain analysis unit, the highest value is obtained from the pattern matching result for the subsequent analysis unit or the pattern matching result of another analysis target. Even if a representative characteristic having a risk level that is not is extracted, the analysis result is not affected.

  Therefore, in the analysis process shown in FIG. 7, a representative characteristic is extracted every time pattern matching for data for a predetermined analysis unit is completed, and only when a representative characteristic having the highest risk level is extracted, the representative characteristic is extracted. The characteristic is selected as the analysis result, and the analysis process is completed. Processing time is required for pattern matching between a log composed of tens of thousands of lines of data and hundreds of types of malignant patterns. However, according to the analysis processing shown in FIG. 7, the processing time can be shortened. The analysis processing shown in FIG. 7 may be missed for the characteristic analysis when a plurality of types of malignant applications operate simultaneously or the characteristic analysis of a malignant application having multiple characteristics. It is effective for characteristic analysis of malignant applications having characteristics.

  The order of selecting the analysis target may be arbitrary, but the analysis process may be performed by selecting the configuration file name, the addition / change file name, and the code analysis result in advance of the application log, kernel log, and communication log. Furthermore, when the representative characteristics are extracted when pattern matching for the configuration file name, added / changed file name, and code analysis result is completed, and the representative characteristics having the highest risk level are extracted, the representative characteristics are extracted. May be selected as an analysis result, and the analysis process may be terminated. As a result, it is not necessary to perform log pattern matching, and the processing time can be further reduced.

  As described above, according to the present embodiment, when a plurality of types of representative characteristics are extracted from the pattern matching result, any one of the extracted characteristics of the plurality of types of representative characteristics is compared based on the result of comparison. By selecting the representative characteristic, the representative characteristic that best represents the behavior of the malignant application can be obtained. By presenting the representative characteristics selected in this way to the administrator or the like, the administrator or the like can easily grasp the malicious behavior and its degree.

  In addition, when multiple representative characteristics with the same major classification and different risk levels are extracted, the representative characteristics with the highest risk level are selected as the analysis results, so that malignant applications that have a significant impact on the system can be selected. Analysis results regarding behavior can be obtained. Even when a plurality of representative characteristics are extracted, the risk of each representative characteristic is not summed, so that the behavior of the malicious application is not excessively emphasized.

  In addition, when the analysis target is one of the application log, kernel log, and communication log, representative characteristics are extracted every time pattern matching for data for a predetermined analysis unit is completed, and the representative having the highest risk level When a characteristic is extracted, the representative characteristic is selected as an analysis result, and the processing time can be shortened by terminating the analysis process.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, a program for realizing the operation and function of the application characteristic analysis apparatus according to the above-described embodiment is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read and executed by the computer. Also good.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

  DESCRIPTION OF SYMBOLS 10 ... Application, 11 ... Virtual machine, 12 ... Kernel, 13 ... Communication part, 14 operation part, 15 ... Display part, 16 ... Application monitoring part, 17 ... System Call monitoring unit, 18 ... packet monitoring unit, 19 ... log generation unit, 20 ... storage unit, 21 ... code analysis unit, 22 ... application configuration file analysis unit, 23 ... addition -Change file analysis unit, 24 ... analysis unit, 25 ... pattern comparison unit, 26 ... representative characteristic extraction unit, 27 ... selection unit, 28 ... analysis result output unit

Claims (7)

A plurality of patterns composed of information related to the behavior of the malignant application, representative characteristic information associated with the pattern and indicating typical characteristics of the behavior of the malignant application, and associated with the representative characteristic information, the malignant A storage unit for storing a numerical value indicating the risk level of the application;
The information recorded in the application log that records the behavior of the application, the kernel log that records the behavior of the kernel, and the communication log that records the information of packets transmitted and received during communication are compared with the multiple patterns. A comparison unit to
An extraction unit that extracts a combination of the representative characteristic information and the numerical value associated with the pattern that matches the information recorded in the application log, the kernel log, or the communication log;
When a plurality of types of the combinations are extracted by the extraction unit, the selection unit compares the numerical values of the extracted types of the combinations, and selects the combination including the numerical value indicating the highest risk ,
An application characteristic analysis device characterized by comprising:   The application characteristic analysis apparatus according to claim 1, further comprising a display unit that displays the combination selected by the selection unit.   The application characteristic analysis apparatus according to claim 1, wherein the comparison unit further compares information of files constituting the application with the plurality of patterns.   4. The information processing apparatus according to claim 1, wherein the comparison unit further compares the information of the file added or changed between the first time point and the second time point with the plurality of patterns. 5. The application characteristic analysis apparatus according to one item.   5. The application characteristic analysis apparatus according to claim 1, wherein the comparison unit further compares information obtained by performing code analysis of an application with the plurality of patterns. 6. The extraction unit extracts the combination every time the comparison unit performs a comparison in a predetermined unit.
The selection unit compares the numerical values of a plurality of types of combinations extracted by the extraction unit each time the comparison unit performs comparison in a predetermined unit, and includes the numerical value indicating the highest degree of risk. Select
If the numerical value included in the combination selected by the selecting section is a predetermined value, the comparison unit may be any of claims 1 to 5, characterized in that stops the operation of performing comparison The application characteristic analysis apparatus according to one item. A plurality of patterns composed of information related to the behavior of the malignant application, representative characteristic information associated with the pattern and indicating typical characteristics of the behavior of the malignant application, and associated with the representative characteristic information, the malignant A storage unit for storing a numerical value indicating the risk level of the application;
The information recorded in the application log that records the behavior of the application, the kernel log that records the behavior of the kernel, and the communication log that records the information of packets transmitted and received during communication are compared with the multiple patterns. A comparison unit to
An extraction unit that extracts a combination of the representative characteristic information and the numerical value associated with the pattern that matches the information recorded in the application log, the kernel log, or the communication log;
When a plurality of types of the combinations are extracted by the extraction unit, the selection unit compares the numerical values of the extracted types of the combinations, and selects the combination including the numerical value indicating the highest risk ,
As a program to make the computer function as.

Images