JP2015225512A - Malware feature extraction device, malware feature extraction system, malware feature method, and countermeasure instruction device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible to effectively extract the genuine behavior of malware from a log obtained by dynamically analyzing the malware.SOLUTION: A malware feature extraction device obtains a malware analysis log which is a log obtained by executing malware or executing a program associated with the malware, obtains a normal file analysis log which is a log obtained by executing a normal file which is a file not malware or executing a program associated with the normal file, compares the malware analysis log with the normal file analysis log, and extracts a log included in the malware analysis log but not included in the normal file analysis log by performing black log related to the malware.

Description

  The present invention relates to a malware feature extraction device, a malware feature extraction system, a malware feature method, and a countermeasure instruction device.

  In recent years, new cyber attacks such as targeted attacks have increased, and malware used for such attacks has become increasingly sophisticated and sophisticated. Conventionally, in order to analyze the behavior of malware, static analysis by reverse engineering and dynamic analysis in which behavior is actually observed by executing malware have been performed. Static analysis was a very expensive task, as it was necessary to read the code that disassembled the malware one by one. On the other hand, dynamic analysis can reduce the amount of work like static analysis by analyzing logs obtained by actually executing malware. Patent Document 1 discloses a technique for operating malware and observing its behavior, and a technique for detecting a malware infection by holding a normal file in advance as a standard state and changing it after the malware operation.

JP 2004-38273 A

  However, in recent years, the behavior of non-malware has increased due to the complexity of the OS and installed applications in the analysis environment, and the amount of logs has also been increasing, and there has been a problem that the original behavior of malware is buried in it.

  An object of the present invention is to provide a malware feature extraction device, a malware feature extraction system, a malware feature method, and a countermeasure instruction device that can effectively extract the original behavior of malware from a log obtained by dynamic analysis of malware. It is to provide.

  The main invention of the present invention for solving the above problems is a malware feature extraction system, which executes a malware reception unit that receives malware input, a regular file that is a file that is not the malware, or is related to the regular file A normal file analysis log storage unit that stores a normal file analysis log that is a log obtained by executing the attached program, an execution environment that executes the malware or executes a program related to the malware, and The malware acquisition log that is obtained from the execution environment is compared with the malware analysis log and the regular file analysis log, and the malware analysis log that is not included in the regular file analysis log is the malware. Black log to extract about bra And further comprising a Kurogu extracting unit.

  Other problems and solutions to be disclosed by the present application will be made clear by the embodiments of the invention and the drawings.

  It is possible to effectively extract the original behavior of the malware from the log obtained by dynamically analyzing the malware.

It is a figure showing an example of 1 composition of a malware feature extraction system. It is a figure which shows an example of a structure of a sample injection device. The upper row shows an example of the sample reception DB. The middle row is a diagram showing an example of a regular file management DB, (a) is a diagram showing an example of file type feature information stored in the regular file management DB, and (b) is stored in the regular file management DB. It is a figure which shows an example of a regular file store. The lower row shows an example of the analysis request DB. It is a figure which shows an example of a structure of a dynamic analyzer. It is a figure which shows an example of log management DB, (a) is a figure which shows an example of the analysis environment stored in log management DB, (b) is a figure which shows an example of the analysis log stored in log management DB It is. The upper part is a diagram showing an example of analysis log information obtained by dynamically analyzing a sample stored in the log management DB. The lower part is a diagram showing an example of analysis log information obtained by dynamically analyzing a regular file stored in the log management DB. It is a figure which shows an example of a structure of the malware feature extraction apparatus. It is a figure which shows an example of DB for a comparison, (a) is a figure which shows an example of the action identification rule stored in DB for comparison, (b) is a figure of the data identification rule stored in DB for comparison. It is a figure which shows an example, (c) is a figure which shows an example of the error tolerance rule at the time of the comparison stored in DB for a comparison. The upper row shows an example of the black log DB. The lower row shows an example of the white log DB. It is a figure which shows an example of a structure of a countermeasure instruction | indication apparatus. The upper row shows an example of the countermeasure policy DB. The middle row shows an example of the countermeasure rule DB. The lower part shows an example of the countermeasure device management DB. It is a figure which shows the flow of a process in a sample insertion program and a regular file generation program. It is a figure which shows the flow of a process in a log collection program and a log comparison program. It is a figure which shows the flow of a process in a countermeasure rule production | generation program and a countermeasure instruction | indication program. It is a figure which shows an example of operation | movement of the malware feature extraction system of this embodiment, a countermeasure instruction | indication apparatus, and a countermeasure system.

  A malware feature extraction system according to the best mode for carrying out the present invention (hereinafter referred to as “embodiment”) will be described in detail with reference to the drawings as appropriate. Hereinafter, for convenience, each application program will be described as an execution subject. That is, when it is described that an application program performs a certain process, the application program is stored in a computer (a sample input device 11, dynamic analysis devices 12 and 13, malware feature extraction device 14, countermeasure instruction device 21, countermeasure device described later). 31 and the detection device 32, etc.)) is executed as a function realized by execution.

  Malware is a collective term for threats for malicious activities created with malicious intent. A malicious program that can be executed by malware alone is called a worm, and a malicious program that performs unauthorized activities using other executable programs is called a virus. Note that malware has various names such as spyware and adware in addition to worms and viruses.

The malware feature extraction system 10 according to the present embodiment is intended to extract a feature of a specimen from a log obtained as a result of analyzing the specimen of the malware. FIG. 1 is a diagram illustrating a configuration example of a malware feature extraction system 10. The malware feature extraction system 10 is communicably connected to a countermeasure instruction device 21 that instructs countermeasures from malware features, and the countermeasure instruction device 21 is communicably connected to a malware countermeasure system 30 that receives countermeasure instructions and implements countermeasures. Is done.

  In FIG. 1, the malware feature extraction system 10 includes a specimen input device 11, dynamic analysis devices 12 and 13, and a malware feature extraction device 14. The malware countermeasure system 30 includes a countermeasure device 31 and a detection device 32. Although only two dynamic analyzers 12 and 13 are shown in FIG. 1, there may be three or more dynamic analyzers. Further, the dynamic analysis devices 12 and 13 have the same configuration, and may be replaced in the following embodiments.

  The sample loading device 11 is connected to the dynamic analysis devices 12 and 13, respectively, and loads a sample that is malware into the dynamic analysis device 12 to be executed, and dynamically analyzes a file that is not malware (hereinafter referred to as a regular file). This is a device that is loaded into the device 13 and executed. The sample input device 11 has a sample input program 111 and a regular file generation program 112. The sample insertion program 111 transmits a sample (malware) to be analyzed to the dynamic analysis device 12. The normal file generation program 112 generates a normal file of the same type as the input specimen and transmits it to the dynamic analyzer 13. The sample insertion device 11 holds sample acceptance information regarding the sample and the sample acquisition status, regular file management information for generating and storing a regular file, and analysis request information regarding the analysis request status of the analysis.

  The dynamic analysis device 12 is a device that provides a program execution environment. The dynamic analysis device 12 is connected to the sample input device 11 and the malware feature extraction device 14, respectively, executes the sample input from the sample input device 11, takes a log, and stores this log in the malware feature extraction device 14. send. In the following description, “execute a sample” includes not only executing a sample that is a program but also causing a program associated with the type of the file to execute a sample that is a file. The dynamic analyzer 12 has a sample execution program 121 and a log acquisition program 122. The sample execution program 121 receives a sample from the sample input device 11 and executes the sample. The log acquisition program 122 observes the behavior of the specimen and acquires the observation result as an analysis log.

  The dynamic analysis device 13 is a device that provides a program execution environment. The dynamic analysis device 13 is connected to each of the sample input device 11 and the malware feature extraction device 14, executes a regular file input from the sample input device 11, takes a log, and logs this malware feature extraction device 14. It is a device to send to. In the following description, “execute a regular file” includes not only executing a regular file that is a program but also causing a program associated with the file type to execute a regular file that is a file. The dynamic analyzer 13 has a sample execution program 131 and a log acquisition program 132. The sample execution program 131 receives a regular file from the sample loading apparatus 11 and executes the regular file. The log acquisition program 132 observes the behavior of the regular file and acquires the observation result as an analysis log.

The malware feature extraction device 14 is connected to the dynamic analysis devices 12 and 13 and the countermeasure instruction device 21, respectively, and is a device that specifies a log related to malware and provides it to the countermeasure instruction device 21. The malware feature extraction device 14 has a log collection program 141 and a log comparison program 142. The log collection program 141 collects analysis logs acquired by the dynamic analysis apparatuses 12 and 13 respectively. The log comparison program 142 compares the analysis log of the dynamic analysis device 12 and the analysis log of the dynamic analysis device 13 and stores a common log as a log not related to malware (hereinafter referred to as a white log). The points recorded only in the analysis log of the dynamic analysis device 12 are stored as malware logs (hereinafter referred to as black logs). Further, the malware feature extraction device 14 is connected to the countermeasure instruction device 21 and passes the black log to the countermeasure instruction device 21. The malware feature extraction device 14 holds comparison information defining a comparison condition for comparing two or more analysis logs, a black log, a white log, and the like.

  The countermeasure instruction device 21 is connected to the malware feature extraction device 14, the countermeasure device 31, and the detection device 32 of the malware feature extraction system 10, generates a countermeasure rule for the threat, and instructs the countermeasure device 31 and the detection device 32. Device. The countermeasure instruction device 21 has a countermeasure rule generation program 211 and a countermeasure instruction program 212. The countermeasure rule generation program 211 acquires a black log held by the malware feature extraction apparatus 14 and generates a countermeasure rule based on the countermeasure policy information and countermeasure apparatus management information set in advance. The countermeasure instruction program 212 transmits a countermeasure instruction for applying the countermeasure rule to the countermeasure device 31 and the detection device 32.

  The countermeasure device 31 is a device that performs security measures such as WebProxy, FW (firewall), and IDP (illegal intrusion prevention system). The countermeasure device 31 performs communication restriction (blocking, bandwidth limitation, route change, authentication addition), etc., in response to the countermeasure instruction from the countermeasure instruction device 21. A known technique can be used for security measures by the countermeasure device 31.

  The detection device 32 is a device that performs security measures such as IDS (illegal intrusion detection device), IDP (illegal intrusion prevention system), and virus detection device. In response to the countermeasure instruction from the countermeasure instruction device 21, the detection device 32 detects an abnormality and transmits an alert. A known technique can be used for security measures by the detection device 32.

  In FIG. 1, a solid line connecting the blocks (11 to 32) indicates a transmission path of a communication packet related to sample input, log acquisition, malware characteristic acquisition, or countermeasure instruction.

  Next, the configuration of the sample input device 11 will be described with reference to FIG. FIG. 2 is a diagram illustrating an example of the configuration of the sample input device.

  The sample insertion device 11 can be realized on a computer including a calculation unit 1101, a memory 1102, an input unit 1103, a display unit 1104, a communication unit 1105, and a storage unit 1106.

  The calculation unit 1101 controls the units (1102 to 1106) of the sample loading apparatus 11 and transmits information between the units (1102 to 1106). The arithmetic unit 1101 is, for example, a CPU (Central Processing Unit) that executes arithmetic processing. Then, the CPU develops an application program described below in the memory 1102, which is the main storage device, and executes the application program, thereby realizing the processing described below. The memory 1102 is implemented by a RAM (Random Access Memory). The application program is stored in the storage unit 1106.

  Each application program may be stored in the storage unit 1106 in advance, or, when necessary, another device through an external interface (not shown), the communication unit 1105, and a medium that can be used by the sample input device 11. May be introduced into the storage unit 1106. The medium refers to, for example, a storage medium that can be attached to and detached from an external interface, or a communication medium (that is, a wired, wireless, optical network, or a carrier wave or digital signal that propagates through the network).

  The input unit 1103 is a keyboard, a mouse, or the like, and accepts information input by an operator who operates the sample loading device 11.

  The display unit 1104 is a CRT (Cathode Ray Tube), an LCD (Liquid Crystal Display), or the like, and displays a screen for prompting input, a screen for confirming a calculation result, and the like.

  The communication unit 1105 transmits / receives information to / from each unit (12, 13, 14) in the malware feature extraction system 10 (see FIG. 1).

  The storage unit 1106 stores a sample insertion program 111, a regular file generation program 112, a sample reception DB 113, a regular file management DB 114, and an analysis request DB 115. Note that the sample insertion program 111 and the regular file generation program 112 are expanded in the memory 1102 as application programs and executed by the calculation unit 1101.

  The sample insertion program 111 receives malware as a sample from a user (not shown) or another malware providing device, and stores it as sample reception information in the sample reception DB 113. Further, the regular file provided from the regular file generation program 112 described later and the specimen are transmitted as analysis request information to the dynamic analyzers 12 and 13, respectively, and the request result is stored in the analysis request DB 115.

  The regular file generation program 112 generates a regular file of the same type as the sample file stored in the sample reception DB 113. The regular file of the same type refers to a file that is the same file type as the specimen (PowerPoint file, PDF file, EXE file, etc.) and is not malware. The regular file generation program 112 generates a regular file based on data read from the regular file management DB 114 described later.

  The sample reception DB 113 stores sample reception information regarding the sample. An example of the sample reception information will be described with reference to FIG. The sample reception information stored in the sample reception DB 113 includes a sample ID 1131, a sample file 1132, a hash value 1133, an acquisition source 1134, an acquirer 1135, an acquisition date and time 1136, and an acquisition unit 1137.

  The sample ID 1131 is information for uniquely identifying the sample to be input to the dynamic analyzer 12. The sample file 1132 is information (for example, a file name) indicating a file that is the substance of the sample. The hash value 1133 is a hash value of the file indicated by the sample file 1132. The acquisition source 1134 indicates a place where the sample file 1132 is acquired. For example, when the acquisition is made via the Web, the URL of the Web site, and the file attached to the e-mail is the e-mail transmission source. The acquirer 1135 indicates a person who has acquired the file indicated by the sample file 1132. For example, when the acquirer 1135 is acquired via the Web, the acquirer 1135 is an accessor to the Web site, and the file attached to the e-mail is the e-mail recipient. The acquisition date 1136 is the date when the file indicated by the sample file 1132 is acquired. The obtaining unit 1137 indicates a unit that obtains the file indicated by the sample file 1132. For example, the obtaining unit 1137 is “Web” when the file is obtained via the Web, and “Mail” when the file is attached to the mail.

  The regular file management DB 114 stores (a) file type feature information in which rules for determining the file type of a specimen for generating a regular file are defined, and information on the regular file for each file type ( b) A regular file store is stored. An example of file type feature information and a regular file store will be described with reference to FIG.

  (A) The file identification ID 11411 in the file type feature information is information for identifying the file type. The pattern feature 11412 is information defining a rule for identifying the file type from the content of the sample file. The extension feature 11413 is information defining a rule for identifying the file type from the extension of the sample file. The description 11414 is information describing a description of the file type.

  (B) The regular file ID 11421 in the regular file store is information for identifying the type of the regular file. The file 11422 is information (for example, a file name) indicating a file that is a substance of a regular file. The regular file generation program 112 converts a file (for example, a file including header information and empty body data) in the format indicated by the regular file ID 11421 (for example, MSPPT format, PDF format, and the like) from a minimum content. Assume that it is generated in advance and registered in the regular file store.

  The analysis request DB 115 stores analysis request information. The analysis request information is information related to a request (analysis request) transmitted to the dynamic analysis devices 12 and 13. An example of the analysis request information will be described with reference to FIG. The analysis request information includes an analysis ID 1151, a sample ID 1152, a sample input destination analysis environment ID 1153, a regular file input destination analysis environment ID 1154, and an analysis date 1155.

  The analysis ID 1151 is information for uniquely identifying an analysis request in the analysis of the same sample. The sample ID 1152 is an identifier corresponding to the sample ID 1131 of the sample reception DB 113. The sample input destination analysis environment ID 1153 is an identifier of the dynamic analyzers 12 and 13 that analyze the sample. The regular file input destination analysis environment ID 1154 is an identifier of the dynamic analysis devices 12 and 13 that analyze the regular file. The analysis date and time 1155 is the time when analysis of the specimen is started.

  Next, the configuration of the dynamic analysis devices 12 and 13 will be described with reference to FIG. FIG. 4 shows an example of the configuration of the dynamic analysis apparatus.

  The dynamic analysis devices 12 and 13 are realized on a computer including arithmetic units 1201 and 1301, memories 1202 and 1302, input units 1203 and 1303, display units 1204 and 1304, communication units 1205 and 1305, and storage units 1206 and 1306. can do.

  Each part (1201 to 1206, 1301 to 1306) is configured in the same manner as each part (1101 to 1106) of the sample injection device 11, and only a difference will be described below.

  The communication units 1205 and 1305 exchange information with each unit (11, 14) in the malware feature extraction system 10 (see FIG. 1).

  The storage units 1206 and 1306 store sample execution programs 121 and 131, log acquisition programs 122 and 132, and log management DBs 123 and 133. The sample execution programs 121 and 131 and the log acquisition programs 122 and 132 are developed as application programs in the memories 1202 and 1302 and executed by the arithmetic units 1201 and 1301.

The sample execution programs 121 and 131 receive a sample and a regular file as analysis request information from the sample input device 11 and execute them in the analysis environment on the respective dynamic analysis devices 12 and 13. Even if the sample or the regular file is a file that is not an executable file such as a document file, the file is opened by being opened by the associated application.

  The log acquisition programs 122 and 132 monitor the behavior regarding the sample or the regular file executed by the sample execution programs 121 and 131, and store them in the log management DBs 123 and 133 as analysis logs. Note that the monitoring process and the log collection process by the log acquisition programs 122 and 132 are omitted here because a known method is used.

  The dynamic analysis devices 12 and 13 preferably have the same hardware configuration and software configuration, but may have different configurations.

  The log management DBs 123 and 133 include (a) analysis environment information in which specifications and setting contents of the dynamic analysis devices 12 and 13 set in advance are stored, and (b) samples and samples in the dynamic analysis devices 12 and 13. An analysis log as observation information obtained by executing a regular file is stored. An example of analysis environment information and analysis log information will be described with reference to FIG.

  (A) Analysis environment IDs 12311 and 13311 in the analysis environment information are information for uniquely identifying the analysis environments of the analysis apparatuses 12 and 13. The OSs 12312 and 13312 are information on the type of OS (Operating System) in the analysis environment in which the sample execution programs 121 and 131 of the dynamic analyzers 12 and 13 execute samples or regular files, and are “Windows7 (registered trademark)” and “Android”. (Registered trademark) "and other product names are specified including version information. As a notation method, a standardized name standard such as CPE (Common Platform Enumeration) may be used. The architectures 12313 and 13313 are OS architecture information, and “32 bits”, “64 bits”, “ARM”, and the like are designated. In the applications 12314 and 13314, one or more identifiers of applications installed in the OS are designated. The CPUs 12315 and 13315 are information related to the CPU mounted on the hardware in which the OS is installed. The memories 12316 and 13316 are information related to the memory mounted on the hardware. The networks 12317 and 13317 are information related to network settings set in the OS, and one or more IP addresses, subnet masks, default gateways, DNS server address designations, and the like are designated. The engines 12318 and 13318 are information indicating the types and versions of the sample execution programs 121 and 131. The BIOS 12319 and 13319 are information indicating the type and version of a BIOS (BASIC Input / Output System) installed in the hardware.

  (B) Analysis IDs 12321 and 13321 in the analysis log are information for uniquely identifying the analysis log in each of the dynamic analysis devices 12 and 13.

  One or a plurality of file operations 12322 and 13322 can be stored, the sample execution programs 121 and 131 of the dynamic analyzers 12 and 13 execute a sample or a regular file, and the log acquisition programs 122 and 132 are files based on a sample or a regular file. Information obtained by observing behavior related to operations. The file operations 12322 and 13322 store the date and time when the file operation was observed, the action for the file (for example, file creation, deletion, etc.), and the data (for example, the file name, address, etc.) related to the action.

One or a plurality of registry operations 12323 and 13323 can be stored, and the log acquisition programs 122 and 132 acquire by observing the behavior related to the operation on the system setting file (registration is assumed in the present embodiment) using a sample or a regular file. Information. The registry operations 12323 and 13323 store the date and time when an operation on the registry was observed, actions on the registry (eg, registry creation, deletion, etc.), and data related to the actions (eg, registry key name, value, etc.).

  One or a plurality of process operations 12324 and 13324 can be stored, and the log acquisition programs 122 and 132 are information acquired by observing the behavior related to the process performed by the sample or the regular file. The process operations 12324 and 13324 store the date and time when the behavior related to the process (including the thread) is observed, the action related to the process (for example, process creation, stop, etc.), and the data related to the action (for example, process name, parent process, etc.).

  One or a plurality of network communications 12325 and 13325 can be stored, and information acquired by the log acquisition programs 122 and 132 by observing behavior related to network communication using a specimen or a regular file. The network communications 12325 and 13325 are the date and time when network communications were observed, actions related to network communications (for example, DNS query, HTTP request, NTP request, packet transmission, reception, etc.), and data related to the action (for example, host name, URL, communication) (Destination IP address, communication destination port number, protocol, etc.) are stored.

  One or a plurality of system operations 12326 and 13326 can be stored, and the log acquisition programs 122 and 132 are acquired by observing a behavior related to a system operation that calls an OS function (excluding files and processes) by the sample or the regular file. Information. The system operations 12326 and 13326 store the date and time when the system operation was observed, actions related to the system operation (for example, MUTEX generation and MUTEX reference), and data related to the action (for example, MUTEX name).

  One or a plurality of service operations 12327 and 13327 can be stored, and information acquired by the log acquisition programs 122 and 132 by observing the behavior related to the service by the sample or the regular file. A service is a program that operates as a background process, and is also called a daemon. The service operations 12327 and 13327 store the date and time when the behavior related to the service was observed, the action related to the service (for example, service registration, service activation, etc.), and the data related to the action (for example, service name, argument, etc.).

  One or more API operations 12328 and 13328 can be stored, and the log acquisition programs 122 and 132 are information acquired by observing the behavior related to a predetermined API called by the sample or the regular file, and the date and time when the behavior related to the API is observed. , API-related actions (for example, API calls, etc.) and data related to the actions (for example, call API names, arguments, etc.) are stored.

  Next, a specific example of the analysis log stored in the log management DBs 123 and 133 will be described with reference to FIG.

The analysis log includes sample analysis log (malware analysis log) information and regular file analysis log information. The sample analysis log information is an analysis log acquired by the sample execution program 121 executing the sample in the dynamic analyzer 12 and the log acquisition program 122 monitoring the behavior of the sample. The sample analysis log information is stored in the log management DB 123. On the other hand, the regular file analysis log is an analysis log obtained by the specimen execution program 131 executing the regular file in the dynamic analyzer 13 and the log acquisition program 132 monitoring and monitoring the behavior of the regular file. The regular file analysis log is stored in the log management DB 133.

  The analysis ID 12331 included in the sample analysis log information is information for uniquely identifying the analysis log in the dynamic analysis device 12, and corresponds to the analysis ID 12311 of the log management DB 123 provided in the dynamic analysis device 12. Each behavior of the specimen included in the analysis log is referred to as an event (12332-12341). An event is composed of information on time, item (type of event), action, and data. Each information is stored according to the definition of various operations (1232 to 12328) described above. For example, the event 12332 means that the file “malware.pdf” was executed at time 0:00.

  The analysis ID 13331 included in the regular file analysis log information is information for uniquely identifying the analysis log in the dynamic analysis device 13 and corresponds to the analysis ID 13311 of the log management DB 133 provided in the dynamic analysis device 13. Each behavior of the regular file included in the analysis log is referred to as an event (13332 to 13336), and the event includes time, item (event type), action, and data information. Each information is stored in accordance with the definition of various operations (13322 to 13328) described above. For example, the event 13332 means that the file “sample.pdf” was executed at time 0:00.

  Next, the configuration of the malware feature extraction apparatus 14 will be described with reference to FIG. FIG. 7 is a diagram illustrating an example of a malware feature extraction apparatus.

  The malware feature extraction device 14 can be realized on a computer including a calculation unit 1401, a memory 1402, an input unit 1403, a display unit 1404, a communication unit 1405, and a storage unit 1406. Each unit (1401 to 1406) is configured in the same manner as each unit (1101 to 1106) of the sample input device 11, and only the difference will be described below.

  The communication unit 1405 transmits and receives information to and from the units (11 to 13) in the malware feature system 10 (see FIG. 1) and the countermeasure instruction device 21.

  The storage unit 1406 stores a log collection program 141, a log comparison program 142, a comparison DB 143, a black log DB 144, and a white log DB 145. Note that the log collection program 141 and the log comparison program 142 are developed as application programs in the memory 1402 and executed by the arithmetic unit 1401.

  The log collection program 141 collects the analysis log from the dynamic analysis device 12 as a sample analysis log, and collects the analysis log from the dynamic analysis device 13 as a regular file analysis log.

  The log comparison program 142 compares the sample analysis log collected by the log collection program 141 with the regular file analysis log using the comparison rule information stored in the comparison DB 143 (see FIG. 8). The log comparison program 142 generates a black log and a white log based on the comparison result, and stores them in the black log DB 144 and the white log DB 145, respectively (see FIG. 7).

  The comparison DB 143 stores information for determining log identity. In the comparison DB 143, an ambiguous comparison is made between action equating rule information that realizes comparison in consideration of expression fluctuation relating to a preset action, data identification rule information that realizes comparison in consideration of expression fluctuation relating to data. Error tolerance rule information to be realized is stored. An example of action identification rule information, data identification rule information, and error tolerance rule information will be described with reference to FIG.

  (A) The acquisition of the OS language in the action identification rule (14411 to 14413) is the means for the malware to acquire whether or not the language environment of its execution OS is Japanese, and the version of the installed IME is A means for confirming that it is “Japanese IME” by reference (14411), a means for confirming that the keyboard layout is “106 Japanese keys” (14412), and confirming the version of the OS, “Japan The means (14413) for confirming that “the word version of Windows” is different as a means, but is the same action in the sense of examining the language environment. Therefore, a rule that matches the comparison results of these different actions. It is. Note that the language environment is not limited to Japanese. The file write (14414, 14415) means that the malware writes the file. The means (14414) for calling the write function and the means (14415) for calling the fput function are different from each other. Since the actions are the same, this is a rule that matches the comparison results of these actions. Waiting for a certain time (14416, 14417) is a means for waiting for malware to remain active for a certain period of time. The means for calling the sleep function (14416) and the means for calling the getTickCount function (14417) are different as the means. Since it is the same action in the sense of waiting for a time, it is a rule that matches the comparison results of these actions.

  (B) When the IP addresses “127.0.0.1” and “127.10.10.10” are compared as data, the loopback address 14421 in the data identification rule is different in value, but both Since both mean a loopback address, the comparison result between these data matches. The time 14422 is a rule in which “3600 sec” and “1 hour” are compared as data, but the values are different, but both mean one hour, so that the comparison results of these data coincide with each other. The fully qualified domain name 14423 has different values when the fully qualified domain names “www1.abc.com” and “www2.abc.com” both have the same IP address as the data, but both fully qualified domain names and Since all the IP addresses associated with the fully qualified domain name mean the same node, the comparison result between these data is a rule.

  (C) The numerical value 14431 in the error tolerance rule is a rule in which the comparison result matches if it is within the allowable error range set when the numerical values are compared. The character string 14432 is a rule that sets the comparison result as a match if the match is made under the conditions of forward match, backward match, and partial match by the comparison method set when the character strings are compared. The event time 14433 determines that the events recorded in the two logs are a combination to be compared if they are within the set allowable time when the events between the sample analysis log and the regular file analysis log are compared. It is a rule to do.

  The black log DB 144 stores a black log, and the white log DB 145 stores a white log. A configuration example of the black log DB 145 and the white log DB 145 will be described with reference to FIG.

  The black log DB 144 has an analysis ID 1451 corresponding to the analysis ID 1151 (see FIG. 3) of the analysis request DB 115 and an event (1452) that is in the sample analysis log information (12332 to 12341) but not in the regular file analysis log (13332 to 13336). 1 to 4457) are stored as one or a plurality of black logs.

The white log DB 145 is a combination of an analysis ID 1461 corresponding to the analysis ID 1151 of the analysis request DB 115, and events (1462-1455) that exist in both the sample analysis log (12332-12341) and the regular file analysis log (13332-13336). One or more white logs are stored.

  Next, the configuration of the countermeasure instruction device 21 will be described with reference to FIG. FIG. 10 shows an example of the configuration of the countermeasure instruction apparatus.

  The countermeasure instruction device 21 can be realized on a computer including a calculation unit 2101, a memory 2102, an input unit 2103, a display unit 2104, a communication unit 2105, and a storage unit 2106. Each unit (2101 to 2106) is configured in the same manner as each unit (1101 to 1106) of the sample input device 11, and only the difference will be described below.

  The communication unit 2105 transmits and receives information to and from the malware feature extraction device 14 (see FIG. 1) of the malware feature system 10, the countermeasure device 31 in the malware countermeasure system 30, and the detection device 32.

  The storage unit 2106 stores a countermeasure rule generation program 211, a countermeasure instruction program 212, a countermeasure policy DB 213, a countermeasure rule DB 214, and a countermeasure device management DB 215. The countermeasure rule generation program 211 and the countermeasure instruction program 212 are developed as application programs in the memory 2102 and executed by the arithmetic unit 2101.

  The countermeasure rule generation program 211 acquires a black log from the black log DB 145 (see FIG. 9) of the malware feature extraction apparatus 14, and refers to the acquired black log and countermeasure policy information stored in a countermeasure policy DB 213 described later. Then, a countermeasure rule for instructing execution of countermeasures against malware is created, and the countermeasure rules are stored in the countermeasure rule DB 214.

  The countermeasure instruction program 212 transmits the countermeasure rules stored in the countermeasure rule DB 214 to the countermeasure device 31, the detection device 32, or both.

  Next, with respect to the countermeasure policy DB 213, the countermeasure rule DB 214, and the countermeasure apparatus management DB 215, an example of countermeasure policy information, countermeasure rule information, and countermeasure apparatus management information will be described with reference to FIG.

  The countermeasure policy DB 213 stores countermeasure policy information that is information for creating a countermeasure rule. The countermeasure policy information includes a policy ID 2131, an item 2132, an action 2133, a countermeasure location 2134, and a countermeasure 2135.

  The policy ID 2131 is information for uniquely identifying the countermeasure policy. The item 2132 corresponds to the event item stored in the black log DB 144 (see FIG. 9), and is used to determine whether to apply a countermeasure policy to the event. The action 2133 corresponds to the event action stored in the black log DB 144, and is used to determine whether or not to apply a countermeasure policy to the event. The countermeasure location 2134 corresponds to a countermeasure location 2152 of a countermeasure device management DB 215 described later, and is used to determine whether or not to apply a countermeasure policy according to the countermeasure location. The measure 2135 indicates a measure to be implemented when all the conditions of the item 2132, the action 2133, and the measure place 2134 are satisfied.

  The countermeasure rule DB 214 stores countermeasure rules. The countermeasure rule includes a countermeasure ID 2141, a countermeasure device ID 2142, and countermeasure contents 2143.

The countermeasure ID 2141 is information for uniquely identifying a countermeasure rule that instructs the countermeasure apparatus 31 (see FIG. 1), the detection apparatus 32, or an apparatus not shown. The countermeasure device ID 2142 is information that is determined based on the information in the countermeasure device management DB 215 as to which countermeasure measure is to be taken for the event stored in the black log DB 144 (see FIG. 9). The countermeasure content 2143 is information determined by referring to the countermeasure policy DB 213 and the countermeasure apparatus management DB 215 as to what countermeasure is to be executed for the event stored in the black log DB 144.

  The countermeasure device management DB 215 stores countermeasure device management information. The countermeasure device management information includes a countermeasure device ID 2151 and a countermeasure location 2152.

  The countermeasure device ID 2151 is information for identifying a device (the countermeasure device 31, the detection device 32, or two terminals not shown) that can implement the countermeasure. The countermeasure location 2152 is information indicating a location where each countermeasure device can implement a countermeasure.

  Although the illustration of the configuration of the countermeasure device 31 and the detection device 32 is omitted, each includes an arithmetic unit that controls transmission and reception of various arithmetic processes and key information by an application program, an input unit for information input, an arithmetic result, It includes a display unit that displays instructions on the screen, a communication unit that controls communication with other devices, and a storage unit that stores application programs, information necessary for calculation, calculation results, and the like.

  The countermeasure program 311 of the countermeasure device 31 in the countermeasure system 30 receives the countermeasure rule of the countermeasure instruction apparatus 21 and implements countermeasures against threats according to the contents of the countermeasure rule.

  The detection program 321 of the detection device 32 in the countermeasure system 30 receives the countermeasure rule of the countermeasure instruction apparatus 21 and performs threat detection according to the content of the countermeasure rule.

  Here, the flow of processing in the sample input program 111 of the sample input device 11 in the malware feature extraction system 20 and the regular file generation program 112 will be described with reference to FIG.

As shown in FIG. 12, when the sample insertion program 111 (see FIG. 2) is started, malware as a sample is received from a user (not shown) or another malware providing device and stored as sample reception information in the sample reception DB 113. (Step S1101). For example, sample reception information including the contents shown in FIG. 3 (that is, the sample file 1132 is “malware.pdf”) is stored. The sample loading program 111 matches the received sample with the pattern feature 11411 of (a) file type feature information (see FIG. 3) stored in the regular file DB 114 to determine the file type (step S1102). For example, malware. If the beginning of the pdf file is a character string “% PDF”, it is determined that the file type ID 11411 corresponding to the pattern feature 11412 matches the character string “PDF”. Next, the sample insertion program 111 determines whether the file type has been narrowed down (step S1103). For example, if the file type ID is narrowed down to “PDF” in step S1102, but the head of the file does not fit any pattern feature 11412 described in (a) file type feature information, the file type is narrowed down. It was never. If the file type cannot be narrowed down (step S1103: No), the process proceeds to the process of determining the file type from the extension feature. Specifically, the sample insertion program 111 determines the file type ID 11411 corresponding to the extension part of the file name of the sample and the extension feature 11413 of the file type feature information (step S1104). For example, if the file name of the sample is “malware.pdf”, the extension is “pdf”, so that the file type ID is determined as “PDF”. The file type ID of the sample to be analyzed is determined by these processes (step S1105). In the example described above, the file type ID is determined as “PDF”.

  Next, the regular file generation program 112 obtains the file 11422 corresponding to the regular file ID having the same value as the determined file type ID from the regular file management DB 114 (b) regular file store (see FIG. 3), and obtains it. The regular file indicated by the file 11422 is acquired (step S1106). For example, when the file type ID of the sample to be analyzed is “PDF”, (b) “sample.pdf” indicated by the file 11422 of the record in which the regular file ID 11421 of the regular file store is “PDF” is read. If the extension of the sample file to be analyzed is different from the extension of the regular file, the extension of the regular file is changed according to the extension of the sample file to be analyzed. As the regular file, the regular file generation program 112 may generate a regular file composed of a minimum content on the spot. When the sample and the regular file are prepared, the sample loading program 111 transmits the sample to the dynamic analysis device 12, transmits the regular file to the dynamic analysis device 13, and requests analysis (step S1107). Three or more dynamic analyzers may be prepared, and the specimen may be transmitted to one or more dynamic analyzers, and the regular file may be transmitted to one or more dynamic analyzers. Further, it is desirable that the timing of transmitting the specimen and the regular file to the dynamic analyzers 12 and 13 (or the timing when the dynamic analyzers 12 and 13 execute the specimen and the regular file) is the same, but in some embodiments, 1 Only one dynamic analyzer 12 may be prepared, and the sample and the regular file may be analyzed (log collection) in one dynamic analyzer 12 in two steps. Finally, the sample insertion program 111 stores the result transmitted to the dynamic analyzers 12 and 13 in the analysis request DB 115 (step S1108). Here, analysis request information (analysis request information whose analysis ID 1151 is “REQ0001”) including the contents shown in FIG. 3 is stored.

  Next, the flow of processing by the log collection program 141 and the log comparison program 142 of the malware feature extraction device 14 in the malware feature extraction system 10 will be described with reference to FIG.

  As shown in FIG. 13, when the log collection program 141 (see FIG. 7) is started, an analysis log related to the analysis result of the specimen is collected from the dynamic analysis device 12, and the regular file analysis result is collected from the dynamic analysis device 13. Each analysis log is collected (step S1401). For example, in the example of FIG. 6, the sample analysis log shown in the upper part (sample analysis log whose analysis ID 12331 is “REQ0001”) and the regular file analysis log shown in the lower part (normal file analysis log whose analysis ID 13331 is “REQ0001”) are collected. Has been. When there are three or more dynamic analysis devices, an analysis log may be obtained from each.

  Next, the log comparison program 142 compares both events occurring at the same time recorded in the sample analysis log and the regular file analysis log in accordance with each rule defined in the comparison DB 143 (see FIG. 8). This is performed (step S1402). For example, in the example of FIG. 6, the first event “time = 00: 00, item = process operation, action = execution, data = malware.pdf” of the detection analysis log whose analysis ID 12331 is “REQ0001”, and the event , That is, the first event “time = 00: 00, item = process operation, action = execution, data = malware.pdf” of the regular file analysis log whose analysis ID 13331 is “REQ0001”. Will be compared. Here, in the comparison of the time of the sample analysis log and the time of the regular file analysis log, according to the value “+ -3 sec” of the event time 14433 defined in (c) error tolerance rule of the comparison DB 143 shown in FIG. , 3 seconds before and after “00:00” are regarded as the same time.

The log comparison program 142 determines whether the sample analysis log and the regular file analysis log match (step S1403). In the above example, the data “malware.pdf”
"And" sample.pdf "do not match even if they are compared according to any of the various rules defined in the comparison DB 143, the result of comparison between the two events is a mismatch. If they match (step S1403: Yes), the log comparison program 142 adds the event of the sample analysis log to the white log DB 146 (see FIG. 9) (step S1404). If they do not match (step S1403: No), the log comparison program 142 adds the event of the sample analysis log to the black log DB 145 (step S1405). In the above example, since the first event in the sample analysis log is inconsistent, the event in the sample analysis log (“time = 00: 00, item = process operation, action = execution, data = malware.pdf”) is black. Added to the log DB 145. It is determined whether all events in the sample analysis log have been compared (step S1406). If there is an event that has not been compared yet (step S1406: No), the process returns to step S1402.

  For example, in the example of FIG. 6, when the event 12332 in the sample analysis log is processed, an event that has not been compared with the sample analysis log remains, so the process returns to step S1402 and the second event in the detection analysis log. 12333 “Time = 00: 15, Item = Process Operation, Action = Execution, Data = Acrobat Reader” and Event 13333 “Time = 00: 15, Item = Process Operation, Action = Execution of Regular File Analysis Log” , Data = Acrobat Reader ”. In this case, since all items match, a match determination is made in step S1403, and in step S1404, it is added to the white log information 1462 of the white log DB 146 shown in FIG. By repeating the above processing, the black log information of the black log DB 145 includes “item = network communication, action = HTTP request, data = www.abc.com”, “item = file operation, action = creation, data = ABC.bat ”,“ item = file operation, action = operation, data = malware.pdf ”, and the like are added.

  As described above, according to the malware feature extraction system 10 of the present embodiment, it is obtained by executing a regular file among logs (events included in the sample analysis log information) obtained by executing malware. What is not included in the generated log (event included in the regular file analysis log information) can be extracted as a black log. Since regular files are non-malware files and the logs (events) obtained by executing them are not characteristic of malware, only logs (events) not included in the regular file analysis log information are extracted. By doing so, logs characteristic of malware can be extracted with high accuracy. In addition, for example, the behavior of reading the configuration file at the time of starting the application or obtaining the latest updater is performed even if it is a regular file. However, according to the malware feature extraction system 10 of the present embodiment, it is possible to accurately extract the behavioral characteristics of malware originally desired from a huge amount of analysis logs. Therefore, it is possible to reduce analysis costs, speed up measures using the analysis results, and realize damage prevention and damage minimization.

Further, according to the malware feature extraction system 10 of the present embodiment, the behavior analysis devices 12 and 13 can execute the malware and the regular file at the same time. For example, when a certain type of software update is set to be performed once a day at 12:00, whether or not a log related to the software updater is obtained depending on whether or not the update is executed at 12:00 For example, when the regular file is executed at 11:45 to 11:55 and the malware is executed at 11:55 to 12:05, the log related to the software updater is only the sample analysis log information. Although it is included, this is a log obtained when a regular file is executed at 12:00. Therefore, like the malware feature extraction system 10 of the present embodiment, by executing the malware and the regular file at the same time, the logs related to the behavior according to the time are also excluded when the regular file is executed. Thus, only logs characteristic of malware behavior can be extracted with high accuracy.

  Further, according to the malware feature extraction system 10 of the present embodiment, the identity between the event of the sample analysis log information and the event of the regular file analysis log information is determined according to the rules stored in the comparison DB 143. Yes. For example, as shown in FIG. 8, “acquisition of installed IME version” and “acquisition of keyboard layout” are different actions, but substantially the same kind of action is performed. By comparing these, actions that can be identified with different actions can be determined to be the same, and can be excluded from the black log. For example, as shown in FIG. 8, when “172.10.0.10” is used as a loopback address, “127.0.0.1” and “172.10.10. ”Can be evaluated as the same address, and by comparing events based on data identification rule information, it is determined that data that can be regarded as the same data even if different data is the same, This can be excluded from the black log. Also, for example, as shown in FIG. 8, by setting to allow an error of ± 30% for a certain numerical value, processing for setting the numerical value performed by the malware and the numerical value performed by the sincerity file are set. With respect to the processing, it is possible to compare the events while allowing an error, determine that the events are the same within the range of the error, and exclude the event from the black log.

When there are a plurality of sample analysis logs, the sample analysis logs may be compared with each other in the same manner as the processing flow described above, and only a portion that matches all the analysis logs may be extracted and used as the analysis log. Similarly, when there are a plurality of regular file analysis logs, the regular file analysis logs may be compared with each other in the same manner as the processing flow described above, and only a portion that matches all the analysis logs may be extracted and used as a regular file analysis log. This removes noise from the newly extracted sample analysis log and regular file analysis log, and increases the accuracy of the white log and black log.
Further, for example, by storing as a white log on condition that analysis environment ID = “SWSM0001” and file type ID = “PDF”, the same condition (analysis environment ID = “SWSM0001” and file type ID = “ When analyzing a sample by “PDF”), a white file of the condition is read and compared with the sample analysis log, thereby generating a regular file each time the sample is analyzed (step S1106), or analyzing a regular file ( The process of performing a part of the regular file in step S1107) may be omitted.

  Next, the flow of processing in the countermeasure rule generation program 211 and the countermeasure instruction program 212 of the countermeasure instruction device 21 will be described with reference to FIG.

  As shown in FIG. 14, the countermeasure rule generation program 211 (see FIG. 10) acquires a black log from the black log DB 144 (see FIG. 9) of the malware feature extraction apparatus 14 (step S2101). Here, as an example, an event 1454 “item = network communication, action = HTTP request, data = www.abc.com / ABC.bat” is selected from the events whose analysis ID 1451 of the black log DB 144 shown in FIG. 9 is “REQ0001”. Is obtained.

The countermeasure rule generation program 211 collates the items and actions of the acquired event 1454 of the black log with the countermeasure policy information items 2132 and actions 2133 stored in the countermeasure policy DB 213, and takes countermeasures for the corresponding countermeasure policy information. A place 2134 and a countermeasure 2135 are obtained (step S2102). Here, as a result obtained by searching the countermeasure policy DB 213 for countermeasure policy information corresponding to “item = network communication, action = HTTP request”, “policy ID = PL0002, item = network communication, action = HTTP request, countermeasure = Get an alert.

  The countermeasure rule generation program 211 generates countermeasure rule information based on the obtained countermeasure policy information and the event of the black log information, and stores it in the countermeasure rule DB 214 (step S2103). For example, the countermeasure rule generation program 211 assigns a new countermeasure rule ID 2141. The countermeasure rule generation program 211 acquires the countermeasure apparatus ID 2151 of the countermeasure apparatus management information having the countermeasure place 2152 that matches the countermeasure place 2134 of the countermeasure policy information from the countermeasure apparatus management DB 215 and sets it as the countermeasure apparatus ID 2142. The countermeasure rule generation program 211 creates countermeasure contents 2143 according to the event data of the black log and the countermeasure 2135 of the countermeasure policy information. Here, event 1454 “item = network communication, action = HTTP request, data = www.abc.com / ABC.bat” and countermeasure policy information “policy ID = PL0002, item = network communication, action = HTTP request, countermeasure” From the location = detection device, measure = alert ”and the measure device management information“ measure device ID = AP002, measure location = detection device ”,“ measure ID = ACT002, measure device = AP002, measure content = www.abc.com / Countermeasure rule information “alert at the time of HTTP request to ABC.bat” can be obtained and stored in the countermeasure rule DB 214.

  Next, the countermeasure instruction program 212 acquires countermeasure rule information for the countermeasure device 31 from the countermeasure rule DB 214 and instructs the countermeasure device 31 based on the countermeasure rule information (step S2104). That is, the countermeasure instruction program 212 acquires countermeasure device management information whose countermeasure place 2152 is “countermeasure device” from the countermeasure device management DB 215, and sets countermeasure rule information corresponding to the countermeasure device ID 2151 of the acquired countermeasure device management information. The countermeasure content 2143 of the countermeasure rule information is instructed to the countermeasure apparatus 31 acquired from the DB 214 and indicated by the countermeasure apparatus ID 2151 of the countermeasure apparatus management information. Here, countermeasure rule information of countermeasure ID 2141 = ACT001, which is countermeasure rule information of countermeasure apparatus ID 2142 = AP001, is extracted from countermeasure rule DB 214, and countermeasure contents 2143 “www” are taken for countermeasure apparatus 31 indicated by countermeasure apparatus ID 2142 = AP001. .Bbc.com DNS query is blocked ”.

  Further, the countermeasure instruction program 212 acquires countermeasure rule information for the detection device 32 from the countermeasure rule DB 214, and instructs the detection device 32 to detect based on the countermeasure rule information (step S2105). That is, the countermeasure instruction program 212 acquires countermeasure device management information whose countermeasure place 2152 is “detection device” from the countermeasure device management DB 215, and sets countermeasure rule information corresponding to the countermeasure device ID 2151 of the acquired countermeasure device management information. The countermeasure content 2143 of the countermeasure rule information is instructed to the detection apparatus 32 acquired from the DB 214 and indicated by the countermeasure apparatus ID 2151 of the countermeasure apparatus management information. Here, countermeasure rule information of countermeasure ID 2141 = ACT002, which is countermeasure rule information of countermeasure device ID 2142 = AP002, is extracted from the countermeasure rule DB 214, and the countermeasure content 2143 “www” is detected for the detection device 32 indicated by the countermeasure device ID = AP002. “Alert when HTTP request is made to .abc.com / ABC.bat”.

Further, for a terminal not shown, the countermeasure instruction program 212 acquires countermeasure rule information for the terminal from the countermeasure rule DB 214 and instructs the terminal based on the countermeasure rule (step S2106). That is, the countermeasure instruction program 212 acquires countermeasure device management information whose countermeasure place 2152 is “terminal” from the countermeasure device management DB 215, and sets countermeasure rule information corresponding to the countermeasure device ID 2151 of the acquired countermeasure device management information. To the terminal indicated by the countermeasure device ID 2151 of the countermeasure device management information, the countermeasure content 2143 of the countermeasure rule information is instructed. Here, countermeasure rule information corresponding to countermeasure device ID = AP003 or AP004 is extracted from the countermeasure rule DB, and countermeasure device ID = AP003 or A
The terminal indicated by P004 is instructed to “delete ABC.bat”, “prohibit execution of ABC.bat”, and “alert when ABC.bat is executed”.

  Next, operations of the malware feature extraction system 10, the countermeasure instruction device 21, and the malware countermeasure system 30 according to the present embodiment will be described with reference to FIG. FIG. 15 is a diagram illustrating an example of operations of the malware feature extraction system 10, the countermeasure instruction device 21, and the malware countermeasure system 30 according to the present embodiment.

  FIG. 15 illustrates a countermeasure example when malware is found. In FIG. 15, the sample input device 11, the dynamic analysis device 12, the dynamic analysis device 13, the malware feature extraction device 14, the countermeasure instruction device 21, the countermeasure device 31, and the detection device 32 are the same as those shown in FIG. Since it is the same, description is abbreviate | omitted.

  First, the administrator 51 operates the sample input device 11 or requests the sample input device 11 to analyze the sample that is malware from the sample providing device 52 (step S001).

  The specimen loading device 11 generates a regular file that is not malware of the same file type (execution file, PDF file, etc.) from the requested specimen (acquires a regular file prepared in advance from the regular file store in this embodiment). (Step S002). The sample insertion device 11 transmits the sample to the dynamic analysis device 12 and requests execution of the sample (step S003). Further, at the same time as step S003, the specimen loading apparatus 11 transmits a regular file to the dynamic analysis apparatus 13 and requests execution of the regular file (step S004).

  The dynamic analyzer 12 executes the sample when the sample is input (step S005), observes its behavior, and acquires the sample analysis log (step S006). In addition, when a regular file is input, the dynamic analysis device 13 executes the regular file (step S007), observes its behavior, and acquires a regular file analysis log (step S008).

  The malware feature extraction device 14 collects the sample analysis log from the dynamic analysis device 12 and the regular file analysis log from the dynamic analysis device 13 (step S009). The malware feature extraction device 14 compares the events of the sample analysis log and the regular file analysis log according to a predefined comparison rule (step S010), and matches the matching parts only to the white log and the sample analysis log. The appearing portion is extracted as a black log (step S011). The black log is information indicating the characteristics of the malware.

  The countermeasure instruction device 21 acquires a black log from the malware feature extraction device 14 (step S012), generates a countermeasure rule based on the predefined countermeasure policy information (step S013), the countermeasure device 31, and the detection device The countermeasure rule suitable for each of the terminal 32 and the terminal 53 is developed (step S014). As a result, it becomes possible to take countermeasures against the malware based on the characteristic unique to the malware provided in step S001, and even if the terminal 53 used by the user 52 is infected with the malware (step S015), Immediately delete the malware (step S016), or when the malware tries to communicate with the Internet 54 (step S017), the detection device 32 detects the communication and issues an alert to the administrator 51 (step S017). S018), the countermeasure device 31 can detect the communication and block the communication (step S019).

As described above, according to the system of this embodiment of the present embodiment, it is possible to take countermeasures against malware based on the black log that accurately expresses the features related to malware as described above. Therefore, it is possible to prevent a problem that blocks even non-malware files.

  Although the present embodiment has been described above, the above embodiment is intended to facilitate understanding of the present invention and is not intended to limit the present invention. The present invention can be changed and improved without departing from the gist thereof, and the present invention includes equivalents thereof.

  For example, in the present embodiment, the specimen input device 11, the dynamic analysis devices 12 and 13, and the malware feature extraction device 14 are assumed to be separate computers, but the malware feature extraction system 10 is a single computer or This is realized as a virtual computer composed of a plurality of hardware units, and at least one of the specimen input device 11, the dynamic analysis devices 12 and 13, and the malware feature extraction device 14 is installed on the malware feature extraction system 10. You may make it implement | achieve as a virtual computer performed by. For example, the malware feature extraction system 10 can emulate the calculation unit 1201, the memory 1202, the communication unit 1205, the storage unit 1206, and the like included in the dynamic analysis device 12.

DESCRIPTION OF SYMBOLS 10 Malware feature extraction system 11 Specimen input device 12, 13 Dynamic analysis device 14 Malware feature extraction device 21 Countermeasure instruction device 30 Malware countermeasure system 31 Countermeasure device 32 Detection device 50 Internet 51 Administrator 52 User 53 Terminal 54 Internet 111 Sample input program 112 Regular file generation program 113 Sample reception DB
114 Regular file management DB
115 Analysis request DB
121, 131 Sample execution program 122, 132 Log acquisition program 123, 133 Log management DB
141 Log collection program 142 Log comparison program 143 Comparison DB
144 White Log DB
145 Black Log DB
211 Countermeasure rule generation program 212 Countermeasure instruction program 213 Countermeasure policy DB
214 Countermeasure DB
215 Countermeasure device management DB
311 Countermeasure program 321 Detection program 1101, 1201, 1301, 1401, 2101 Operation unit 1102, 1202, 1302, 1402, 2102 Memory 1103, 1203, 1303, 1403, 2103 Input unit 1104, 1204, 1404, 1404, 2104 Display unit 1105 1205, 1305, 1405, 2105 Communication unit 1106, 1206, 1306, 1406, 2106 Storage unit

Claims (11)

A malware reception unit for receiving malware input;
A regular file analysis log storage unit that stores a regular file analysis log that is a log obtained by executing a regular file that is a file that is not the malware or by executing a program related to the regular file;
An execution environment for executing the malware or executing a program related to the malware;
A log acquisition unit for acquiring a malware analysis log obtained from the execution environment;
A black log extraction unit that compares the malware analysis log and the regular file analysis log, and extracts the malware analysis log that is not included in the regular file analysis log as a black log related to the malware;
A malware feature extraction system comprising: The malware feature extraction system according to claim 1,
In addition to the first execution environment, which is the execution environment, a second execution environment for executing the regular file or executing a program related to the regular file is provided.
The first and second execution environments operate simultaneously;
The log acquisition unit acquires the malware analysis log and the regular file analysis log from the first and second execution environments;
Malware feature extraction system characterized by (Corresponding to the old claim 4)
The malware feature extraction system according to claim 1,
In addition to the first execution environment, which is the execution environment, a second execution environment for executing the regular file or executing a program related to the regular file is provided.
Executing the regular file multiple times in the second execution environment or executing a program associated with the regular file;
The log acquisition unit acquires a log for a plurality of times from the second execution environment, extracts a log common to the acquired logs for a plurality of times, and stores the log in the normal file analysis log storage unit as the normal file analysis log To do,
Malware feature extraction system characterized by The malware feature extraction system according to claim 1,
A rule storage unit for storing a rule for determining the identity of the log;
The log extraction unit determines the identity of the malware analysis log and the regular file analysis log according to the rules;
Malware feature extraction system characterized by The malware feature extraction system according to claim 1,
It is connected to be able to communicate with a device that takes measures against the malware,
A countermeasure rule generating unit that generates a countermeasure rule for the malware based on the black log;
A countermeasure instruction unit that gives instructions to a device that performs countermeasures against the malware according to the countermeasure rules;
Malware feature extraction system characterized by Computer
Accepting malware input;
Storing a regular file analysis log that is a log obtained by executing a regular file that is a file that is not the malware, or by executing a program associated with the regular file;
Executing the malware or executing a program associated with the malware;
Obtaining a malware analysis log obtained by execution of the malware or execution of a program associated with the malware;
Comparing the malware analysis log and the regular file analysis log, and extracting the malware analysis log that is not included in the regular file analysis log as a black log related to the malware; and
A malware feature extraction method characterized by executing. The malware feature extraction method according to claim 6,
The computer
Executing the malware or executing a program associated with the malware simultaneously with executing the regular file or executing a program associated with the regular file;
Obtaining the malware analysis log and obtaining a log obtained by executing the regular file or executing a program associated with the regular file as the regular file analysis log; and
A malware feature extraction method characterized by further executing: The malware feature extraction method according to claim 6,
The computer
Executing the regular file or executing the program associated with the regular file multiple times;
Obtaining a plurality of logs obtained by executing the regular file or executing a program associated with the regular file;
Extracting a log common to the acquired multiple logs and storing it as the regular file analysis log; and
A malware feature extraction method characterized by further executing: The malware feature extraction method according to claim 6,
The computer further executes a step of storing rules for determining log identity;
The computer, in the step of comparing the malware analysis log and the regular file analysis log, to determine the identity of the malware analysis log and the regular file analysis log according to the rules;
Malware feature extraction method characterized by The malware feature extraction method according to claim 6,
The computer
It is connected to be able to communicate with a device that takes measures against the malware,
Generating a countermeasure rule against the malware based on the black log;
Instructing a device to take countermeasures against the malware according to the countermeasure rules;
A malware feature extraction method characterized by further executing: A countermeasure rule generation unit that generates a countermeasure rule for the malware based on the black log extracted by the malware feature extraction system according to claim 1;
A countermeasure instruction unit that gives instructions to a device that performs countermeasures against the malware according to the countermeasure rules;
A countermeasure instruction device comprising:

Images