JP2010267128A - Analysis system, analysis device, detection method, analysis method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an analysis system which estimates an input path of unauthorized software to an execution device executing software. <P>SOLUTION: An execution device 100 records the operating history of an infection cause function (S113), obtains the behavioral information of an executing monitoring object program (S115), and, if the behavioral information does not conform to the behavioral model information when the monitoring object program is normally executed (YES at S116), outputs abnormal function information including information regarding the infection cause function and the operating history satisfying the conditions corresponding to the input path of the unauthorized software to an analysis device 200 (S119). The analysis device 200 collects the information regarding the operating history per infection cause function in each abnormal function information (S213), ranks the infection cause functions based on the collection result (S214), and outputs infection path risk information (S215). <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a technique for estimating an input path of unauthorized software.

  Malicious software programs such as viruses, worms, and spyware are collectively referred to as malware. A malware behavior analysis system that automatically analyzes the behavior of this malware is disclosed in Patent Document 1 below. The malware behavior analysis system of Patent Document 1 is configured by connecting an execution terminal that executes malware and a dummy server that analyzes log data related to malware behavior in a pseudo Internet environment, and the malware calls an API in the execution terminal. The API call log is collected and transmitted to the dummy server every time, and the dummy server collects an access log and a packet log related to server access from the malware execution terminal. The dummy server extracts the behavior of the malware based on the log from the execution terminal and the log and behavior definition file collected by itself. Further, as a specific method for detecting the execution of malicious code, for example, a method for verifying the validity of the issuance order of system calls that are instructions executed when a process requests processing to the kernel (for example, Non-Patent Document 1) and those that verify the status of a call stack when a system call is issued (for example, Non-Patent Document 2 and Patent Document 2) are known.

JP 2007-334536 A JP 2007-179131 A S. Forrest et al, "Intrusion Detection using Sequences of System Calls", Journal of Computer Security Vol. 6, pp.151-180, 1998 H. Feng, "Anomaly Detection Using Call Stack Information", The proc. Of IEEE Symposium on Security and Privacy, pp.62, 2003

  By the way, as countermeasures against malware, in addition to detecting that it has been infected with the malware, it is necessary to know what route the malware has been infected with. It is difficult to identify.

  An object of the present invention is to estimate an illegal software input path to an execution device that executes software.

  An analysis system according to the present invention includes one or a plurality of execution devices that execute monitoring target software that is software to be monitored, and an analysis device that analyzes an illegal software input path to the execution device, The execution device includes: an execution unit that executes the monitoring target software; a behavior model storage unit that stores behavior information representing a behavior when the monitoring target software is normally executed; For each of a plurality of functions that can acquire information provided from the recording unit, a recording unit that records an operation history of the function, and a behavior that acquires behavior information indicating a behavior when the execution unit executes the monitoring target software Information acquisition means and the behavior information acquired by the behavior information acquisition means are stored in the behavior model storage means. Determining means for determining whether or not the stored behavior model is compatible; and when the determining means determines that the behavior information does not match the behavior model, the recording means records each of the functions Analyzing the recorded operation history, identifying the function in which the operation history satisfying the condition corresponding to the illegal software input path is recorded, and the function specified by the operation history analysis unit; A notification means for notifying the analysis device of information relating to the operation history of the function, wherein the analysis device analyzes the information relating to the operation history notified from one or a plurality of the execution devices for each function. And ranking each of the functions based on the analysis result, and using the ranking result of an illegal software input path to the execution device. Input path analysis means for outputting the information indicating the degree of risk is provided.

According to the present invention, it is possible to estimate an illegal software input path to an execution device that executes software.
In the execution device, the operation history analysis means may include at least one of the number of operations, the operation period, the number of operations, and the combination of the operation periods included in the operation history of each function. It is good also as specifying the function for which the operation | movement log | history satisfy | fills the condition corresponding to the input path | route of an unauthorized software is recorded as the function which totals for every said function and the total result exceeds the threshold value.

  Further, in the execution device, the notifying unit notifies flag information indicating that the aggregation result of the function exceeds the threshold as information on the operation history of the function specified by the operation history analyzing unit. In the analyzing apparatus, the input path analyzing means totals the number of the flag information notified from one or a plurality of the execution apparatuses for each function, and ranks the functions in order of the totaling result. It is good as well.

  In the execution device, the operation history analyzing means may be configured such that at least one of a combination of the number of operations, the operation period, the number of operations, and the operation period included in the operation history of each function is a threshold value. Each time, the function is identified as a function in which an operation history satisfying a condition corresponding to an illegal software input path is recorded, and the notification unit is configured to identify the function specified by the operation history analysis unit. As the information related to the operation history, flag information indicating that the number of times of the function or the operation period exceeds the threshold value is notified to the analysis device. In the analysis device, the input path analysis means includes one or more The number of flag information including information related to the operation history notified from the execution device is totaled for each function, and the functions are in order of the total result. Ranking may be performed.

  Moreover, the analysis apparatus according to the present invention stores, as a behavior model, execution means for executing monitoring target software that is software to be monitored, and behavior information representing behavior when the monitoring target software is normally executed. For each of a plurality of functions capable of acquiring information provided from outside the own apparatus, a behavior model storage means, a recording means for recording an operation history of the function, and the execution means when the monitoring target software is executed A behavior information acquisition unit that acquires behavior information representing the behavior of the behavior, and a determination that determines whether or not the behavior information acquired by the behavior information acquisition unit matches the behavior model stored in the behavior model storage unit And the determination means determines that the behavior information does not match the behavior model, the recording means The operation history recorded with respect to the recording function is analyzed, and the operation history analysis means for specifying the function in which the operation history satisfying the conditions corresponding to the input path of the unauthorized software is recorded is specified by the operation history analysis means. The information on the operation history of the function is analyzed for each function, and ranking of each function is performed based on the analysis result, and the ranking result is obtained as an illegal software input path to the execution device. Input path analysis means for outputting the information indicating the degree of risk is provided.

  In addition, the detection method according to the present invention is a method for detecting unauthorized software performed by an execution device that executes monitoring target software that is software to be monitored, and acquires information provided from outside the execution device. For each of a plurality of possible functions, a recording step for recording the operation history of the function, a behavior information acquisition step for acquiring behavior information representing a behavior when the monitoring target software is executed, and the behavior information acquisition step A determination step for determining whether the acquired behavior information is compatible with a behavior model stored in advance as behavior information representing a behavior when the monitoring target software is normally executed; If it is determined that the information does not conform to the behavior model, each of the functions is performed by the recording step. The operation history recorded is analyzed, and the operation history analysis step for identifying the function in which the operation history satisfying the condition for satisfying an illegal software input path is recorded is specified by the operation history analysis step. And a notification step of notifying the analysis device analyzing the illegal software input path of the function and information related to the operation history of the function.

  Moreover, the analysis method according to the present invention is an analysis method performed by an analysis device that analyzes an input path of illegal software to one or more execution devices that execute monitoring target software that is software to be monitored, Among the plurality of functions of the execution device, from the one or more execution devices, a function in which an operation history satisfying a condition corresponding to an illegal software input path is recorded, and information on the operation history of the function And obtaining information on the operation history of each function obtained by the obtaining step, ranking each function based on the analysis result, and ranking the ranking. And an input path analysis step for outputting the result of the above as information indicating the degree of danger of the input path of the unauthorized software.

  In addition, the program according to the present invention provides a computer that executes monitoring target software, which is software to be monitored, with respect to each of a plurality of functions that can acquire information provided from outside the computer. A recording step for recording a history, a behavior information acquisition step for acquiring behavior information representing a behavior when the monitoring target software is executed, and the behavior information acquired by the behavior information acquisition step include the monitoring target software. A determination step for determining whether or not the behavior model stored in advance as behavior information representing the behavior in the case of normal execution is compatible, and the determination step determines that the behavior information does not match the behavior model In addition, the operation history recorded for each of the functions in the recording step is solved. An operation history analysis step for identifying the function in which an operation history satisfying a condition for satisfying an illegal software input path is recorded; the function specified by the operation history analysis step; A notification step for notifying information relating to the operation history to an analysis device that analyzes an input path of unauthorized software is executed.

  In addition, the program according to the present invention is a computer that analyzes an illegal software input path to one or more execution devices that execute monitoring target software that is software to be monitored, from the one or more execution devices. An acquisition step of acquiring, from among a plurality of functions of the execution device, a function in which an operation history satisfying a condition for satisfying an illegal software input path is recorded, and information related to the operation history of the function; Analyzing the information related to the operation history of each of the functions acquired in the acquisition step for each function, ranking the functions based on the analysis results, and determining the ranking results as unauthorized software And an input route analysis step that outputs the information indicating the degree of danger of the input route.

It is a block diagram of the software analysis system which concerns on embodiment. It is a block diagram which shows the structure of the execution apparatus 100 in embodiment. (A) is a figure showing an example of log information of an embodiment. (b) is a figure showing an example of a threshold table of an embodiment. (c) is a figure which shows the example of the behavior model information of embodiment. It is a functional block diagram of execution device 100 of an embodiment. It is a figure which shows the example of the abnormal function information 80 of embodiment. It is a lineblock diagram of analysis device 200 of an embodiment. It is a functional block diagram of analysis device 200 of an embodiment. It is a figure which shows the example of the infection route risk information of embodiment. It is an operation | movement flowchart of the execution apparatus 100 and analysis apparatus 200 of embodiment. It is a figure which shows the example of the log information which concerns on a modification.

Hereinafter, a software analysis system according to an embodiment of the present invention will be described with reference to the drawings. In the following description, the software program is a general term for computer programs and data.
<Embodiment>
<Configuration>
FIG. 1 is a diagram illustrating a configuration example of a software analysis system according to the present embodiment. The software analysis system 1 includes a plurality of execution devices 100a to 100c (hereinafter referred to as the execution device 100 when there is no need to distinguish each execution device) and the analysis device 200. The device 200 is connected via a network such as a LAN (Local Area Network), a WAN (World Area Network), and the Internet.

  In the present embodiment, a software program to be monitored (hereinafter referred to as a monitoring target program) is executed by the execution device 100. The execution device 100 is provided with a plurality of functions capable of acquiring information provided from outside the execution device 100, such as an e-mail transmission / reception function and a communication function according to the Bluetooth (registered trademark) standard. . A virus or the like is input from the outside to the execution apparatus 100 via these functions, and the execution apparatus 100 itself or the monitoring target software in the execution apparatus 100 is infected with the virus. Therefore, a function that can be an input path for such virus infection is hereinafter referred to as an infection-causing function. When it is determined that the behavior of the monitored software becomes abnormal due to virus infection, the determination result is notified from the execution device 100 to the analysis device 200. In response to the notification, the analysis device 200 estimates a virus infection route (that is, a route through which a virus is input to the execution device 100) based on the operation history of the infection cause function in the execution device 100. Hereinafter, details of the execution device 100 and the analysis device 200 will be described.

<Configuration of Execution Device 100>
FIG. 2 is a block diagram illustrating a configuration of the execution apparatus 100. The execution device 100 is realized by a mobile phone, a personal computer, a PDA (Personal Digital Assistants), or the like, and includes the following units.
The CPU 110 is connected to the CPU 110 by executing various programs including a monitoring target program stored in a ROM (Read Only Memory) 111 or a storage unit 113 described later using a RAM (Random Access Memory) 112 as a work area. Control each part. The execution device 100 uses, for example, a Windows (registered trademark) OS (Operating System), and each program performs an external interrupt or an internal interrupt via an API (Application Program Interface) of the OS, and according to the interrupt type. Perform each process. Note that the OS is not limited to the Windows OS, and any Unix (registered trademark) OS such as Linux may be used.

  The storage unit 113 is configured by a non-volatile storage medium such as a hard disk. The monitoring target program, a detection program for determining whether the behavior of the monitoring target program is abnormal, an e-mail program (not shown), or the like The application software program is stored. Further, the storage unit 113 stores various data such as log information of the infection cause function, a threshold table in which thresholds for the log information are described, and behavior model information. The behavior of the monitoring target program is the processing content of the CPU 110 when the CPU 110 performs processing according to the procedure described in the monitoring target program.

  The input unit 114 includes a keyboard, a mouse, and the like, receives an input operation from a user, and supplies an input signal corresponding to the input operation to the CPU 110. The display unit 115 is configured by a display such as a liquid crystal display, and displays various images such as a screen when the execution apparatus 100 is activated and a screen defined by each program. The network communication unit 116 performs data communication with the analysis device 200 connected via the network under the control of the CPU 110. The external memory connection unit 117 has a connector for connecting an external memory such as a USB (Universal Serial Bus) memory or an SD memory card, and exchanges data with the external memory connected to the connector. The Bluetooth (registered trademark) communication unit 118 establishes communication with a device conforming to the Bluetooth (registered trademark) standard, and transmits and receives data to and from the device.

Next, data stored in the storage unit 113 will be described.
FIG. 3A shows an example of log information. The log information 50 includes each function such as each function realized by the external memory connection unit 117, the Bluetooth (registered trademark) communication unit 118, and the input unit 114, and a mail transmission / reception function realized by executing an e-mail program. This is information representing the operation history of the cause function, and includes, for example, the number of operations or the operation period of each infection cause function.
For example, with regard to the “mail transmission / reception” function shown in FIG. 3A, the transmission date / time of a transmission mail and the reception date / time of a reception mail transmitted / received by executing an electronic mail program are stored as log information. In the present embodiment, there are two types of log information 50. Here, the transmission date and time of outgoing mail is log type 1, and the reception date and time of incoming mail is log type 2. By counting the number of “sent date / time” records, the number of times of email transmission by the “mail transmission / reception” function is specified. Note that the received date / time of all received emails may be stored as the received date / time of email, or only the received date / time of emails from addresses not registered in the email address book may be recorded. May be.

  In addition, regarding the function of “Bluetooth (registered trademark)”, the date and time when communication is performed according to the Bluetooth (registered trademark) standard and the state in which communication is continuously possible according to the standard of Bluetooth (registered trademark) (hereinafter referred to as “Bluetooth (registered trademark)”). The continuous ON time) is stored as log information. Viruses such as “cabir” that infect via Bluetooth (registered trademark) communication (hereinafter referred to as Bluetooth (registered trademark) communication) enable Bluetooth (registered trademark) communication continuously for a long time. In this case, the continuous ON time is useful information for specifying the infection route.

  With regard to the function of “external memory”, the attachment / detachment date / time when the external memory is attached / detached to / from the external memory connection unit 117 and the access date / time when the external memory is accessed are stored as log information. The external memory may be used by devices other than the execution device 100. When an external memory in which a virus-infected file is stored in another device is connected to the execution device 100, the external memory is used. Since the execution apparatus 100 may be infected with a virus, the more frequently the external memory is attached / detached, the higher the possibility of being infected with a virus. In addition, regarding the “keyboard input” function, the date and time when an operation for continuously inputting a predetermined number of characters of symbols and the date and time when the same key continuous operation for a predetermined number of times or more are performed are stored as log information. There is a possibility that a virus is input to the execution apparatus 100 by an input operation on the keyboard.

  FIG. 3B shows an example of the threshold value table. As shown in the figure, the threshold value table 60 stores threshold values for the result of totaling the log information 50 of FIG. 3A for a predetermined period for each log type 1 and 2. If the result of counting the log information 50 exceeds this threshold, it means that the infection cause function corresponding to the log information is frequently used. Therefore, there is a possibility that the infection cause function corresponds to the virus infection route. Is expensive. That is, it can be said that the total result of log information exceeding the threshold is an operation history that satisfies the conditions corresponding to the virus input path.

  FIG. 3C shows an example of behavior model information. The behavior model information 70 is behavior information that represents a behavior when the monitoring target program 30 is normally executed. Here, the behavior model information 70 is information that models a system call sequence that is called from the monitoring target program 30. In the present embodiment, the behavior model information 70 is described as being stored in the storage unit 113 in advance, but the behavior model information 70 may be acquired from the outside and stored in the storage unit 113. Specifically, the behavior model information 70 includes a program ID for identifying the monitoring target program 30, a type of system call, and a calling order of the system call. In the example shown in the figure, the calling order of the system calls when the monitoring target program 30 with the program ID “001” is operated normally is system calls A → B → A → C. In the present embodiment, for the sake of convenience of explanation, it is assumed that there is one monitoring target program 30. However, when there are a plurality of monitoring target programs 30, the behavior model information 70 is stored for each monitoring target program 30. It is remembered. Then, by determining whether or not the system call sequence of the behavior model stored as described above matches the system call sequence when the monitoring target program 30 is executed, the monitoring target program 30 It is determined whether or not the behavior is abnormal.

Next, the function of the execution apparatus 100 in this embodiment is demonstrated using FIG. In the execution apparatus 100, the CPU 110 reads out and executes the detection program stored in the storage unit 113, whereby the program execution unit 11, the log recording unit 12, the behavior information acquisition unit 13, and the abnormality determination unit illustrated in FIG. 14, each function of the log analysis unit 15 and the abnormality notification unit 16 is realized.
The program execution unit 11 includes an OS function, and sequentially reads and executes the monitoring target program 30 stored in the storage unit 113. Since the present embodiment is configured with a single processor, the program execution unit 11 also controls the execution of detection programs and other application programs in addition to the monitoring target program 30, but in the case of being configured with multiprocessors. The program execution unit 11 may be provided for each program.

The log recording unit 12 sequentially acquires the operation history of the log types 1 and 2 of the above-described infection cause function via the OS 40 and stores them as log information 50 in the storage unit 113.
The behavior information acquisition unit 13 performs hook processing for hooking a system call prepared by the OS 40 after the detection program is started, and sequentially acquires and acquires the types of system calls called from the monitoring target program 30 via the API. The type of the system call is supplied to the abnormality determination unit 14 as behavior information of the monitoring target program.

  Here, system call hook processing will be described. The detection program of the present embodiment is configured to include a device driver that is activated simultaneously with the activation of the OS and operates in the privileged mode. By this device driver, the system call entry instruction, for example, the address of the corresponding system call is specified from the table in which the address of the system call is arranged, and the instruction to transfer control to the corresponding system call is issued. The code to be hooked is rewritten with an instruction to jump to the hook processing routine described. By this rewriting, the hook processing routine is executed, and the system call called from the monitoring target program 30 is acquired. By executing the hook processing routine, the original instruction is stored before the instruction is rewritten, and the register group values are stored first after the transition to the hook processing routine. Then, at the end of the hook processing routine, the address of the monitoring target program 30 of the caller is set in a register preset for the return address, and the stored instruction and the value of the register group are written back. Control is transferred to processing of the original system call called from the target program 30.

  The abnormality determination unit 14 collates the behavior information supplied from the behavior information acquisition unit 13 with the behavior model information 70 stored in the storage unit 113, and system calls are made in the order of the system call sequence included in the behavior model information 70. If not called, it is determined that the monitoring target program is abnormal, and the determination result is supplied to the log analysis unit 15. In this embodiment, the determination as to whether or not this is an abnormality is made every time behavior information, that is, a system call is acquired.

  When the log analysis unit 15 receives a determination result indicating that there is an abnormality from the abnormality determination unit 14, the log analysis unit 15 identifies an infection-causing function that may cause an infection route to the virus. Specifically, the log analysis unit 15 divides log information for a predetermined period from the log information 50 stored in the storage unit 113 into log types 1 and 2 (hereinafter, log types 1 and 2 are not particularly distinguished). Are referred to as log types). In addition, the total content obtained by totalizing the log information 50 for each log type of each infection cause function in FIG. 3A is the log total type 1 and 2 of each infection cause function shown in FIG. The contents shown in each of the above. For example, in the case of an e-mail function, the total number of records of log type 1 “transmission date” is totaled to obtain log total type 1 “number of transmissions” and the total number of records of log type 2 “reception date” As a result, the log totaling type 2 “number of received cases” is obtained. Then, the log analysis unit 15 performs log aggregation types 1 and 2 in which the above-described aggregation results exceed the thresholds of the threshold table 60 stored in the storage unit 113 (hereinafter, log aggregation types 1 and 2 are not distinguished). Identifies the infection-causing function corresponding to the log aggregation type). That is, it can be said that the infection cause function identified at this time is an infection cause function in which an operation history that satisfies the conditions corresponding to the virus input path is recorded. Then, the log analysis unit 15 supplies to the abnormality notification unit 16 the log aggregation type of the identified infection cause function and the aggregation result for each log aggregation type. Since the user continues to use the execution apparatus 100 even after the abnormality is detected, the predetermined period is, for example, a certain period before the abnormality detection time when the abnormality is detected, or from the abnormality detection time point. It may be a fixed period later, a fixed period before and after the abnormality detection time, or any period as long as it is equal to or greater than the minimum recording unit of the log information 50.

  The abnormality notifying unit 16 receives the log information 50 aggregated from the abnormality determining unit 14, and, as shown in FIG. 5, the flag for each log aggregation type of each infection-causing function exceeding the threshold is 1 and exceeds the threshold. The flag for each log aggregation type that does not exist is set to 0, and abnormal function information 80 associated with the program ID of the monitoring target program 30 is generated. That is, this flag information is flag information indicating that the total result of log information exceeds a threshold value, and is information related to the operation history of the infection-causing function. Then, the abnormality notification unit 16 transmits the generated abnormal function information 80 to the analysis device 200 via the network communication unit 116. Thereby, the information regarding the operation history of the infection cause function is notified to the analysis apparatus 200.

<Configuration of Analysis Device 200>
FIG. 6 is a block diagram illustrating a configuration of the analysis apparatus 200. The analysis device 200 is realized by a personal computer, a server device, or the like, and includes the following units.
The CPU 210 controls each unit connected to the CPU 210 by executing a program stored in the ROM 211 or a storage unit 213 described later using the RAM 212 as a work area. The storage unit 213 is configured by a non-volatile storage medium such as a hard disk, and stores various data such as abnormal function information 80 transmitted from the execution device 100 and a control program. The input unit 214 includes a keyboard, a mouse, and the like, receives an input operation from a user, and supplies an input signal corresponding to the input operation to the CPU 210. The display unit 215 includes a display such as a liquid crystal display, and displays various images such as a screen when the analysis apparatus 200 is activated and a screen defined by a control program. The network communication unit 216 performs data communication with the execution device 100 connected via the network under the control of the CPU 210.

  Next, functions of the analysis apparatus 200 will be described with reference to FIG. In FIG. 7, the functions of the information extraction unit 21 and the risk analysis unit 22 are realized by the CPU 210 of the analysis apparatus 200 reading and executing the control program stored in the storage unit 213. The information extraction unit 21 extracts the flag of each monitoring target program included in the abnormal function information 80 received from the execution apparatus 100 via the network communication unit 216 for each infection cause function, and extracts the extracted monitoring target program. A flag for each infection-causing function is supplied to the risk analysis unit 22. The risk analysis unit 22 receives the flags for each infection cause function of each monitoring target program supplied from the information extraction unit 21, and totals the number of flags for each infection cause function of each monitoring target program. Then, ranking is performed in descending order of the count results for each infection-causing function, and the ranking results are displayed as infection route risk information indicating the risk of the virus input route to the execution apparatus 100 as shown in FIG. Displayed on the part 215. In the example of FIG. 8, it means that the function related to Bluetooth communication is most likely to correspond to a virus infection route, and the function related to keyboard input is least likely to correspond to a virus infection route. When there is an infection cause function having the same flag total value, ranking may be performed according to a predetermined priority order of the infection cause function, or the user may arbitrarily select the ranking. You may make it perform.

(Operation)
Next, the operation of the software analysis system 1 will be described. FIG. 9 is an operation flowchart of the execution apparatus 100. In the execution device 100, when the power is turned on by the user, the CPU 110 reads the boot sector of the storage unit 113 to start the OS (step S111), reads the detection program stored in the storage unit 113, and starts it. Then, the system call entry command is saved in the RAM 112 and rewritten to a command for jumping to the address of the hook processing routine (step S112). Next, the CPU 110 starts recording the log information 50 of each infection-causing function (step S113), and after the OS and the detection program are started, the user executes the monitoring target program 30 via the input unit 114. Then, the CPU 110 reads and executes the monitoring target program 30 stored in the storage unit 113 (step S114).

  The CPU 110 performs each process according to the monitoring target program 30 in accordance with an operation performed by the user via the input unit 114, and executes a hook processing routine each time a system call is called from the monitoring target program 30. Are stored in the RAM 112 to hook a system call, and behavior information indicating the type of the hooked system call is sequentially stored in the RAM 112 (step S115). At the end of the hook processing routine, the CPU 110 sets the address of the monitoring target program 30 in the return address register, writes back the stored instruction and register value, and performs the original system call processing.

  CPU110 reads the behavior information sequentially stored in RAM112 in step S116, and collates with the behavior model information 70 memorize | stored in the memory | storage part 113 (step S116). If the system call sequence of the acquired behavior information is not included in the order of the system call sequence indicated by the behavior model information 70 (step S116: NO), the CPU 110 determines that the monitoring target program 30 is abnormal, and the storage unit The log information 50 successively recorded in 113 is read, and the log information 50 of each infection-causing function for a predetermined period is totaled for each log type (step S117). In addition, when this predetermined period is a fixed period after the determination time point determined to be abnormal, or when it is a fixed period before and after the determination time point, the time information at the determination time point is stored in a predetermined area of the storage unit 113. In step S117, the process from step S117 is performed when a certain period of time has elapsed from the determination time. If the predetermined period is a certain period before the determination time, the following processing is performed following step S117.

  CPU110 reads the threshold value table 60 memorize | stored in the memory | storage part 113, and judges whether the threshold value is exceeded about the log information 50 totaled for every log classification of each infection cause function (step S118). If the CPU 110 determines that the log information 50 aggregated for each infection-causing function exceeds the threshold (step S118: YES), the log aggregation type flag of the infection-causing function exceeding the threshold is set to 1. The log aggregation type flag that does not exceed the threshold is set to 0, and abnormal function information 80 is generated and transmitted to the analysis apparatus 200 via the network communication unit 116 (step S119).

If CPU 110 determines in step S116 that the system call sequence of the acquired behavior information is included in the order of the system call sequence indicated by behavior model information 70 (step S116: YES), it is being executed. Until the monitoring target program 30 is completed, the processing from step S115 is repeated (step S120: NO). When the monitoring target program 30 ends (step S120: YES), the CPU 110 continues to record the log information 50 of each infection-causing function until the execution device 100 is turned off by the user (step S120). 121: NO) When the power is turned off (step S121: YES), the recording of the log information 50 is terminated and the detection program is terminated (step S122).
In step S118, if the log information 50 aggregated for each infection-causing function does not exceed the threshold value (step S118: NO), the CPU 110 performs the processing from step S120.

  Next, the operation of the analysis apparatus 200 will be described. When the CPU 210 receives the abnormal function information 80 of each monitoring target program 30 from the execution apparatus 100 via the network communication unit 216 (step S211), each infection included in the abnormal function information 80 for each monitoring target program 30. The flag data of the cause function is extracted (step S212). Then, the CPU 210 aggregates the extracted flag data of the infection cause function of each monitoring target program 30 for each infection cause function (step S213), and ranks the infection cause functions in descending order of the aggregation result of each monitoring target program 30. This is performed (step S214). The CPU 214 generates infection route risk information 90 expressed as a higher risk of infection route as the rank ranked in step S214 is higher and displays it on the display unit 215 (step S215).

  In the above embodiment, each monitoring target program is executed for each execution device 100 under different execution environments including the user, and it is determined whether or not the monitoring target program 30 is abnormal. In addition, the abnormal function information 80 indicating whether or not the function exceeds the threshold among the log information collected for the infection cause function recorded in each execution apparatus 100 can be notified to the analysis apparatus 200. Further, the analysis device 200 can estimate the risk of the virus infection route by counting the notifications from the execution devices 100. This makes it possible to collect a wide range of information related to the behavior of monitored programs caused by unknown virus infections. In addition, the infection route may vary depending on the type of virus, but even in that case, the risk of the infection-causing function that can be considered as a virus infection route can be shown in order, so the virus was identified. In this case, it is possible to confirm which function is dangerous as an infection route, and it is easy to take measures when further analyzing the characteristics of the virus or removing the virus.

<Modification>
Hereinafter, modifications of the present invention will be described.
(1) In the above-described embodiment, when the execution apparatus 100 determines that the monitoring target program 30 is abnormal, the result of totaling the log information 50 for each infection-causing function for a predetermined period exceeds the threshold. In this example, the infection cause function is specified and the abnormal function information 80 is notified to the analysis apparatus 200. However, the following configuration may be adopted. For example, the CPU 110 of the execution device 100 accumulates log information 50 for each infection-causing function for a predetermined period, and every time the cumulative value exceeds a threshold, the log of each infection-causing function is performed as in the embodiment. Abnormal function information 80 including flag data for each type is notified to the analysis apparatus 200. In the analysis apparatus 200, similar to the embodiment, the notified abnormal function information 80 is aggregated for each infection-causing function and ranked. You may do it.

(2) In the above-described embodiment, the flag data set for each log aggregation type of the infection cause function as the abnormal function information 80 is output to the analysis apparatus 200. However, the CPU 110 of the execution apparatus 100 As the abnormal function information 80, the aggregation result of the log information 50 determined to exceed the threshold value may be output, or whether the cumulative value accumulated in a unit of a certain period exceeds the threshold value as in the modified example (1) When determining whether or not, the number of each infection route function exceeding the threshold may be output as the abnormal function information 80.

(3) In the above-described embodiment, the execution device 100 is an example of specifying an infection-causing function in which the total result of totaling the log information 50 for a predetermined period exceeds the threshold. The CPU 110 of 100 sets two periods within a predetermined period, obtains a cumulative value of the log information 50 for each infection-causing function in each period, and causes the infection cause for which the increase rate of the cumulative value in each period is equal to or greater than a predetermined threshold. You may comprise so that a function may be specified.

(4) In the above-described embodiment, the execution device 100 has been described as specifying an infection-causing function that exceeds the threshold when it is determined that the behavior of the monitoring target program 30 is abnormal. You may comprise as follows. In the execution apparatus 100, when the CPU 110 determines that the behavior of the monitoring target program 30 is abnormal, the CPU 110 transmits the log information 50 of the infection cause function for a predetermined period to the analysis apparatus 200. Then, the threshold value table 60 may be stored in advance in the analysis device 200, and the infection cause function exceeding the threshold value may be specified using the log information 50 transmitted from the execution device 100.

(5) In the above-described embodiment, the analysis apparatus 200 ranks the infection cause functions based on the abnormal function information 80 received from the plurality of execution apparatuses 100. However, the abnormal function information of each execution apparatus 100 is used. From 80, it is possible to rank the infection-causing functions for each execution device 100. In this case, the analysis apparatus 200 may be configured to transmit the infection route risk information obtained by ranking the abnormal function information 80 to each execution apparatus 100.

(6) Although the threshold value table 60 in the execution device 100 has been described as being common in the above-described embodiment, a different threshold value table 60 may be set for each execution device 100. Further, based on the log information 50 of each execution device 100, an average value obtained for each log type of each infection cause function may be set as a threshold for each log type of each infection cause function. In addition, when the log information 50 for each log type of each infection-causing function is tabulated on a daily basis, it may be configured to arbitrarily set a threshold, such as setting different thresholds for holidays and weekdays. .

(7) In the above-described embodiment, the abnormal function information 80 has been described as including information on an infection cause function that does not exceed the threshold. However, the infection cause function that exceeds the threshold and the log type of the infection cause function Any one of the log information 50, the flag data of the infection cause function, and the information indicating the infection cause function may be sent as the abnormal function information 80, or these may be combined into the abnormal function information 80. It may be included.

(8) In the above-described embodiment, it has been described that when the execution apparatus 100 determines that the monitoring target program 30 is abnormal, the log information 50 of each infection-causing function for a predetermined period is aggregated. A cumulative value obtained by accumulating the log information 50 for each log type at a certain time or day unit may be stored as an operation history.

(9) In the above-described embodiment, the execution apparatus 100 is an example of storing the modeled system call sequence as the behavior model information 70. However, a subroutine in the monitoring target program is called. A sequence of return addresses in the call stack at that time may be modeled and stored. In this case, the execution device 100 acquires the call stack sequence as behavior information when the subroutine is called when the monitoring target program is executed, and stores it in association with the program ID of the monitoring target program 30 as in the embodiment. To be configured.

(10) In the above-described embodiment, the execution device 100 is an example of hooking a system call by rewriting the instruction at the entrance of the system call into an instruction to transfer control to the hook processing routine. May be performed as follows. For example, the execution device 100 may hook a system call by setting the address of a hook processing routine in the interrupt vector table in advance as a jump destination at the time of software interrupt, or the monitoring target program 30 and the original dll file A hook dll file for hooking a system call is provided, and a system call call request from the monitoring target program 30 is passed to the original dll file via the hook dll file and monitored by the hook dll file. A system call called by the target program 30 may be acquired. In the case of a Unix-based OS such as Linux, a system call called by the monitoring target program 30 may be hooked using a ptrace system call.

(11) In the above-described embodiment, the execution apparatus 100 transmits the abnormal function information 80 to the analysis apparatus 200. However, in addition to the abnormal function information 80, the operating environment such as the version of the monitoring target program 30 and the OS Various information necessary for analyzing the infection route, such as software running simultaneously with the monitoring target program 30, time, and location, may be transmitted as appropriate.

(12) In the above-described embodiment, the execution apparatus 100 has been described as recording the log information 50 for the external memory connection function, the Bluetooth (registered trademark) communication function, and the e-mail transmission / reception function. In the case of having a function other than these, for example, a WEB page browsing function, an infrared communication function, a personal computer connection function, a communication function using an IC chip, etc., as shown in FIG. The log information 50 ′ to ˜3 may be recorded in the storage unit 113. The log type 3 “unofficial page access date / time” in the WEB page browsing function is set by the user in advance as the URL of the unofficial page corresponding to a predetermined official page, and the date / time when the set unofficial page was accessed To record. In the embodiment, two types of log types have been described. However, the log types may be equal to or more than the types shown in the embodiment and the modified example, or may be one type.

(13) In the operation flow (FIG. 9) of the above-described embodiment, the execution apparatus 100 performs a step when there is no infection cause function exceeding the threshold among the results of counting the log information 50 within a predetermined period. Although it has been described that the process of S120 is shifted (step S118: NO), the execution apparatus 100 receives a predetermined input period from the user via the input unit 114 and receives the input The log information 50 within the period may be aggregated to perform the processing from step S118.

(14) In the above-described embodiment, the behavior model information 70 in the execution device 100 has been described as preliminarily storing system call sequence information when the monitoring program 30 is executed in a normal state. Information on the pattern system call sequence may be stored in advance as the behavior model information 70, or may be acquired from the outside. In this case, if the behavior information acquired during the execution of the monitoring program 30 is included in the order of the system call sequence indicated by the behavior model information 70, the execution device 100 determines that the monitoring program 30 is abnormal. If the behavior information is not included in the order of the system call sequence indicated by the behavior model information 70, the monitoring program 30 determines that it is normal.
The behavior model information 70 may be configured to store in advance a model of the system call sequence by analyzing the source code of the monitoring program 30.

(15) In the above-described embodiment, the behavior model information 70 when the monitoring program 30 is executed in a normal state and the behavior information acquired during the execution of the monitoring program 30 are collated. The behavior information may be collated in combination with the virus behavior pattern.
In this case, the execution apparatus 100 stores virus pattern information indicating a known virus behavior pattern in the storage unit 113. Then, in the execution device 100, the behavior information and the behavior model information 70 are collated in the same manner as in the embodiment, and when the monitoring program 30 determines that it is abnormal, the obtained behavior information and the virus pattern information are collated. When the virus pattern is matched, the matched virus pattern information is output to the analyzing apparatus 200 together with the abnormal function information 80, and when not matched, only the abnormal function information 80 is output to the analyzing apparatus 200. Also good.
(16) In the above-described embodiment, when an abnormality is detected in each execution device 100, the abnormal function information 80 is transmitted to the analysis device 200, and the abnormal function information is aggregated in the analysis device 200 to rank the infection cause functions. In each execution device 100, the flag for each infection cause function is aggregated for the abnormal function information 80 in the own device in the same manner as in the analysis device 200 to rank the infection cause functions. Alternatively, the ranking result may be transmitted to the analysis apparatus 200.

(17) Programs executed by the CPU 110 and the CPU 210 of the execution device 100 and the analysis device 200 in the above-described embodiments are a magnetic recording medium (magnetic tape, magnetic disk, etc.), an optical recording medium (optical disc, etc.), and a magneto-optical recording medium. It can be provided in a state where it is stored in a computer-readable recording medium such as a semiconductor memory. It is also possible to download the execution apparatus 100 and the analysis apparatus 200 via a network such as the Internet. Various devices other than the CPU can be applied as the control means for performing such control. For example, a dedicated processor may be used.

  DESCRIPTION OF SYMBOLS 1 ... Software analysis system, 11 ... Program execution part, 12 ... Log recording part, 13 ... Behavior information acquisition part, 14 ... Abnormality determination part, 15 ... Log analysis part, 16 ... anomaly notification unit, 21 ... information extraction unit, 22 ... risk analysis unit, 100 ... execution device, 110, 210 ... CPU, 113, 213 ... storage unit, 114, 214 ... Input unit, 115,215 ... Display unit, 116,216 ... Network communication unit, 117 ... External memory connection unit, 118 ... Bluetooth (registered trademark) communication unit, 200 ... Analysis device.

Claims (9)

One or a plurality of execution devices that execute monitoring target software that is software to be monitored, and an analysis device that analyzes an input path of unauthorized software to the execution device,
Each of the execution devices
Execution means for executing the monitored software;
Behavior model storage means for storing behavior information representing behavior when the monitored software is normally executed as a behavior model;
For each of a plurality of functions that can acquire information provided from the outside of its own device, recording means for recording the operation history of the function;
Behavior information acquisition means for acquiring behavior information representing a behavior when the execution means executes the monitored software;
Determination means for determining whether or not the behavior information acquired by the behavior information acquisition means is compatible with the behavior model stored in the behavior model storage means;
When the determination means determines that the behavior information does not conform to the behavior model, the operation history recorded for each of the functions by the recording means is analyzed, and a condition corresponding to an illegal software input path is determined. An operation history analyzing means for specifying the function in which an operation history to be satisfied is recorded;
The function specified by the operation history analysis means, and information related to the operation history of the function, the notification means for notifying the analysis device,
The analysis device includes:
Information on the operation history notified from one or a plurality of the execution devices is analyzed for each function, ranking of the respective functions is performed based on the analysis result, and the ranking result is assigned to the execution device. An analysis system comprising an input path analysis means for outputting information indicating a degree of risk of an illegal software input path. In the execution device,
The operation history analysis means totals at least one of the number of operations included in the operation history of each function, the operation period, the number of operations and the operation period for each function, 2. The analysis system according to claim 1, wherein the function whose aggregation result exceeds a threshold is specified as a function in which an operation history satisfying a condition corresponding to an illegal software input path is recorded. In the execution device,
The notification means notifies the flag information indicating that the aggregation result of the function exceeds the threshold as information regarding the operation history of the function specified by the operation history analysis means,
In the analysis device,
The input path analyzing means, which counts the number of the flag information notified from one or a plurality of the execution devices for each function, and ranks the functions in the order of the count results. 2. The analysis system according to 2. In the execution device,
The operation history analysis unit is configured to output the function each time at least one of the combinations of the number of operations, the operation period, the operation number, and the operation period included in the operation history of each function exceeds a threshold value. Is identified as a function that has a history of operations that satisfy the conditions applicable to the input path of unauthorized software,
The notification means notifies the analysis apparatus of flag information indicating that the number of times of the function or the operation period exceeds the threshold as information on the operation history of the function specified by the operation history analysis means. ,
In the analysis device,
The input path analysis means counts the number of flag information including information related to the operation history notified from one or a plurality of execution devices for each function, and ranks the functions in order of the count results. The analysis system according to claim 1. Execution means for executing the monitoring target software that is the monitoring target software;
Behavior model storage means for storing behavior information representing behavior when the monitored software is normally executed as a behavior model;
For each of a plurality of functions that can acquire information provided from the outside of its own device, recording means for recording the operation history of the function;
Behavior information acquisition means for acquiring behavior information representing a behavior when the execution means executes the monitored software;
Determination means for determining whether or not the behavior information acquired by the behavior information acquisition means is compatible with the behavior model stored in the behavior model storage means;
When the determination means determines that the behavior information does not conform to the behavior model, the operation history recorded for each of the functions by the recording means is analyzed, and a condition corresponding to an illegal software input path is determined. An operation history analyzing means for specifying the function in which an operation history to be satisfied is recorded;
Information related to the operation history of the function specified by the operation history analysis means is analyzed for each function, the functions are ranked based on the analysis results, and the ranking results are used as the execution device. An analysis apparatus comprising: input path analysis means for outputting information indicating a degree of risk of an illegal software input path with respect to. An unauthorized software detection method performed by an execution device that executes monitoring target software, which is software to be monitored,
For each of a plurality of functions capable of acquiring information provided from outside the execution device, a recording step for recording an operation history of the function;
A behavior information acquisition step of acquiring behavior information representing a behavior when the monitoring target software is executed;
A determination step for determining whether or not the behavior information acquired by the behavior information acquisition step is compatible with a behavior model stored in advance as behavior information representing a behavior when the monitoring target software is normally executed;
When it is determined by the determination step that the behavior information does not match the behavior model, the operation history recorded for each of the functions by the recording step is analyzed to correspond to an illegal software input path An operation history analysis step for identifying the function in which an operation history satisfying a condition is recorded;
A notification method comprising: a notification step of notifying the analysis device analyzing the illegal software input path of the function specified in the operation history analysis step and information related to the operation history of the function. An analysis method performed by an analysis device that analyzes an illegal software input path to one or more execution devices that execute monitoring target software that is software to be monitored,
Among the plurality of functions that the execution device has from the one or more execution devices, a function in which an operation history satisfying a condition for satisfying an illegal software input path is recorded, and an operation history of the function An acquisition step for acquiring information;
Information on the operation history of each of the functions acquired in the acquisition step is analyzed for each function, ranking of the functions is performed based on the analysis result, and the ranking result is determined by an unauthorized software. And an input path analysis step for outputting the information indicating the degree of danger of the input path. On the computer that runs the monitored software that is the software to be monitored,
For each of a plurality of functions capable of acquiring information provided from outside the computer, a recording step for recording an operation history of the function;
A behavior information acquisition step of acquiring behavior information representing a behavior when the monitoring target software is executed;
A determination step for determining whether or not the behavior information acquired by the behavior information acquisition step is compatible with a behavior model stored in advance as behavior information representing a behavior when the monitoring target software is normally executed;
When it is determined by the determination step that the behavior information does not match the behavior model, the operation history recorded for each of the functions by the recording step is analyzed to correspond to an illegal software input path An operation history analysis step for identifying the function in which an operation history satisfying a condition is recorded;
A program for executing the notification step of notifying the analysis device that analyzes the function specified by the operation history analysis step and information related to the operation history of the function with respect to an input path of unauthorized software. A computer that analyzes an illegal software input path to one or a plurality of execution devices that execute the monitoring target software that is the monitoring target software;
Among the plurality of functions that the execution device has from the one or more execution devices, a function in which an operation history satisfying a condition for satisfying an illegal software input path is recorded, and an operation history of the function An acquisition step for acquiring information;
Information on the operation history of each of the functions acquired in the acquisition step is analyzed for each function, ranking of the functions is performed based on the analysis result, and the ranking result is determined by an unauthorized software. A program for executing an input route analysis step that is output as information indicating the degree of danger of the input route.

Images