JP2017129893A - Malware detection method and system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To appropriately perform sandbox analysis by preparing a virtual machine matching a user environment in the case of executing measures against a vicious program by using a sandbox.SOLUTION: When analyzing mail with attached files transmitted to a client terminal of a user from the outside, an analysis/control unit selects, from information on attached files attached to the mail and the destination of the mail, a sandbox environment for sending a mail with attached files similar to a client terminal environment of the mail destination, and sends the mail with attached files to the selected sandbox environment, and the sandbox environment executes the attached files. Thus, it is possible to perform analysis in the sandbox environment close to a user environment.SELECTED DRAWING: Figure 1

Description

  The present invention relates to malware detection technology for malicious programs such as malware attached to e-mails.

  It is common for organizations such as companies to send and receive information using the Internet in order to work in cooperation with other organizations. On the other hand, there are malicious users on the Internet, and if emails with malicious programs such as malware sent from those users are received and executed without being aware of the maliciousness, information leakage outside the organization And may cause system down in the organization. As a countermeasure against such malicious programs, a technique for detecting and removing file patterns is used. Such techniques are effective for known malicious programs, but are not suitable for detecting and removing unknown or new types of malicious programs. Therefore, users in the organization are required not to execute the file even if they receive an email attached with a file that seems to be a malicious program. However, in the targeted attacks used in recent years, It is difficult to distinguish the attached file even if the user is careful because it pretends to be a file.

  As a method of solving the above problem, there is a method of preparing a computer that is not damaged even if a malicious program is executed, and allowing the user to perform file operations on the computer. Typical examples of such a method are a method for searching for a virtual machine whose operation tendency is similar to the virtual machine to be analyzed shown in Patent Document 1, and a method for isolating from an external network called a sandbox as in Patent Document 2. A method for executing a file to be analyzed in a virtual machine environment.

Japanese Unexamined Patent Publication No. 2015-11362 JP 2014-238870

  In Patent Document 1, a measure for searching for a virtual machine whose operation tendency is similar to the virtual machine to be analyzed is implemented, but the search for the virtual machine according to the user environment has not been completed and the accuracy is insufficient. . Patent Document 2 implements a measure to prevent suspicious behavior that harms the host system using a sandbox, but there is no mechanism to alert the user when a malicious program executes behavior that is malicious in behavior. . Also, when implementing countermeasures against malicious programs using sandboxes, it is difficult to prepare a one-on-one sandbox for all users due to limited resources.

  In the present invention, in order to solve the above-described problem, when analyzing an email with an attached file transmitted from the outside to the user's client terminal, the analysis / control unit uses the attached file attached to the email and information on the destination of the email. To select a sandbox environment for sending an email with an attachment similar to the client terminal environment of the email destination. Send an email with an attachment to the selected sandbox environment and execute the attachment. When it is confirmed that a malicious behavior is performed as an execution result of the attached file, an alert mail is transmitted from the mail transmitting unit / alert unit to the user's client terminal. If it cannot be confirmed that the attached file has a malicious behavior, an email with an attached file is sent from the email sending / alert unit to the user's client terminal.

  In the present invention, when an email with a malicious attachment is sent from the outside, an appropriate sandbox environment is applied within a limited resource to notify the user of the result of detecting a security risk. I can do it.

It is a figure explaining the structure of the malware detection system using the optimal sandbox by one Embodiment of this invention. It is a figure which shows an example of the mail management table processed within the malware detection system using the optimal sandbox by one Embodiment of this invention. It is a figure which shows an example of the client terminal management table processed within the malware detection system using the optimal sandbox by one Embodiment of this invention. It is a figure which shows an example of the sandbox management table processed within the malware detection system using the optimal sandbox by one Embodiment of this invention. It is a figure explaining the received mail comparison processing flow of the malware detection method using the optimal sandbox by one Embodiment of this invention. It is a figure explaining the received mail confirmation processing flow of the malware detection method using the optimal sandbox by one Embodiment of this invention. It is a figure which shows an example of the rule which selects the optimal sandbox environment by the analysis / control part processed within the malware detection system using the optimal sandbox by one Embodiment of this invention.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 is a configuration of a malware detection system using an optimum sandbox according to an embodiment of the present invention.

  The malware detection system includes a mail server / judgment device 100 and a sandbox management device 108, and these devices and a plurality of client terminals 111 are connected by a network 112. A plurality of devices may be included in the system, and the network may be wired or wireless.

  The mail server / determination apparatus 100 includes a mail server unit 101 and a determination apparatus unit 102. The mail server unit 101 is a general mail server, and includes a mail receiving unit 101a that receives a mail, a mail management DB 101b that manages the received mail, and the like. (Omitted). The determination apparatus unit 102 includes an analysis / control unit 103, a mail transmission / alert unit 104 that performs mail transmission and alerting, an analysis mail management table 105, a client terminal management table 106, and a sandbox management table 107. The mail receiving unit 101a, the analysis / control unit 103, and the mail transmission / alert unit 104 are configured by running a program on the processor, and include a mail management DB 101b, an analysis mail management table 105, a client terminal management table 106, and a sandbox management table. Reference numeral 107 denotes a DB (Data Base) stored in the storage device.

  The mail receiving unit 102 has a mail receiving function of a mail server that transmits and receives mail. The analysis / control unit 103 quickly analyzes the attached file attached to the mail by dynamic analysis, and based on the analysis result, whether the received mail can be sent to the client terminal, and sends the attached file when the sending is not possible Select the sandbox environment that best suits your needs. If necessary, the same OS (Operation System) and application as the environment of the client terminal that is the destination of the received mail are installed in the sandbox environment 109. The mail transmission / alert unit 104 transmits the received mail to the sandbox environment, and also receives the received mail and alert that have been analyzed and confirmed to be safe by the client terminal (the mail receiving unit 101a and the mail management DB corresponding to the mail terminal). Send an email. The analysis mail management table 105 stores information on the mail to be analyzed, analysis status of the received mail, and analysis result information. The client terminal management table 106 stores information regarding the client terminal 111. The sandbox management table 107 stores information related to the sandbox environment.

  The client terminal 111 is an information terminal used by a user, and has a mail function capable of sending and receiving mail, a function of executing a mail attached file using an application, a function of remotely logging on and accessing the sandbox environment 109, and the like. This applies to general information devices such as PCs, tablets, and smartphones. It is assumed that there are a plurality of client terminals 111 and that the number of client terminals 111 is larger than that of the sandbox environment 109.

  The sandbox management device 108 includes a sandbox environment 109 to which platform resources are virtually allocated, and a sandbox spare software environment 110 that is a server that holds a plurality of OSs and applications.

  The sandbox environment 109 has a plurality of environments with different combinations of OS and applications, and executes the attached file of the received mail sent from the analysis / control unit 103.

  2A to 2C are diagrams illustrating examples of data processed in the system of the malware detection method using the optimum sandbox according to an embodiment of the present invention.

  The mail management table 105 shown in FIG. 2A includes a mail ID 201 that is an identifier, a mail destination 202, mail information 203 including all contents of a transmission source, a destination, a subject, an attached file, and a body, an attached file name, and an attached file. It consists of attached file information 204 including the entire contents of the format and attached file size, a status 205 indicating the analysis status of the attached received mail, and an analysis result 206 indicating the result of analyzing the attached received mail. For example, with the ID “m001”, the destination “bb@aaa.com” and attached file information are acquired from the mail information, and the status “analyzing” is registered because the analysis status of the mail is being analyzed. Also, with ID “002”, the recipient “cc@aaa.com” and the attached file information are obtained from the mail information, and it is confirmed that the behavior of the mail analysis is malicious, and an alert mail is sent to the client terminal. Is registered as status “alert” and analysis result “NG”. In addition, with the ID “003”, the destination “dd@aaa.com” and the attached file information are acquired from the mail information, and it is confirmed that the behavior of the mail analysis is not malicious and is received by the client terminal. Since the e-mail was sent as it is, the status “Sheet” and the analysis result “OK” are registered.

  The client terminal management table 106 shown in FIG. 2B includes an identifier ID 207, a mail address 208 of the client terminal 111, an OS 209 installed in the client terminal 111, and an application 210 installed in the client terminal 111. The All information of the client terminal 111 is stored in the client terminal management table 106 in advance. For example, with the ID “001”, the client terminal has the mail address “bb@aaa.com”, “OS Ver1.1” as the OS, “application AA”, “application BA”, and “application BA” as the applications. Is installed.

  The sandbox management table 107 shown in FIG. 2C includes an identifier ID 211, a sandbox environment IP 212, an OS 213 installed in the sandbox environment 109, and an application 214 installed in the sandbox environment 109. . The sandbox management table 107 stores all the information of the sandbox environment 109 in advance. For example, with the ID “001”, the sandbox environment has the sandbox environment IP “192.168.10.1”, the OS is “OS Ver1.2”, the applications are “application BA” and “application CA”. Is installed.

  FIG. 4 is a file-application correspondence table which is an example of a rule for selecting an optimum sandbox in the analysis / control unit processed in the system of the malware detection method using the optimum sandbox according to an embodiment of the present invention. FIG.

  In the rule for selecting the optimum sandbox environment in the analysis / control unit shown in FIG. 4, the attachment file format 401 indicating the extension of the attachment file information 204 and the application 402 that can open the extension of the attachment file format 401 are provided. Have. With reference to the attached file format 401 of the received mail, an application 402 that can open the attached file format is associated. The analysis / control unit 103 refers to the application 214 in the sandbox environment 109 and selects the sandbox environment 109 having the associated application 402 and having the OS 209 installed in the client terminal 111 that is the destination of the received mail. For example, when the received mail destination is “bb@aaa.com” and the attached file format is “.xlsx”, the application “application AA” is associated. There may be one or a plurality of applications associated with each other. In some cases, the executable file “.exe” cannot be associated.

  FIG. 3A is a diagram for explaining a received mail processing flow that is one of typical processes of the system of the malware detection method using the optimum sandbox according to the embodiment of the present invention.

  The flow starts when the device 101 receives a mail with an attached file from outside the mail server / determination device 101.

  In step 301, the mail receiving unit 102 of the mail server / determination apparatus 101 first receives a mail with an attached file from an external mail server. Then, the mail received by the mail receiving unit 102 is sent to the analysis / control unit 103.

  In step 302, the analysis / control unit 103 performs a primary analysis, which is a simple analysis of the mail information 203 of the received mail. If there is no suspicion of malware in the primary analysis, in step 303, the received mail is sent to the mailbox of the client terminal. If there is a suspicion of malware, the process proceeds to step 304.

  In step 304, the analysis / control unit 103 stores the mail information 203 and the attached file information 204 of the received mail in the mail management table, and registers the status 205 as “under analysis”. Then, the analysis / control unit 103 acquires the destination 201 of the received mail from the mail management table 105, and searches the client management table 106 for the mail address 208 that matches the acquired destination address. Client terminal information such as the OS 209 and application 210 of the client terminal 111 having the searched mail address 208 is acquired.

  When the mail is addressed to a plurality of mail addresses in the company, the analysis / control unit acquires information of the client terminal corresponding to each mail address. Then, the analysis / control unit compares the client terminal information and determines how to prepare the sandbox. For example, when two mail addresses are included and the client terminal information relating to them is the same or close, only one of them is an analysis target in the sandbox environment. It is clear that one of them is vulnerable to malware, and if the terminal is okay, the other can be declared okay (for example, the old and new OS of the same series or the version difference of the same application. Anti-malware is advancing), and determine the strength of malware resistance and analyze only in the weak client terminal information in the sandbox environment. When two pieces of client terminal information are greatly different, a sandbox environment corresponding to each piece of tail client terminal information is prepared and analyzed.

  In step 305, the analysis / control unit 103 acquires information on the application 402 used to process the attached file format 401 from the attached file information 204 of the received mail and the file-application correspondence table. Then, the information of the application 210 of the client terminal 111 acquired in step 303 is compared, and the application used when processing the received mail attached file at the client terminal 111 is specified.

  Then, the sandbox management table 107 is referenced to obtain sandbox information. The client terminal information and the client terminal information are compared, and it is determined whether or not they match (including a case where the difference is less than or equal to a predetermined value). Concerning whether or not they match, the OS 213 and the application used by the client terminal to process the attached file are compared, and if they do not match, they do not match. When there is no application to use, such as “exe.”, Only the OS is emphasized. The versions are also compared, and even if the OS and application are the same, the versions are different. If the difference is large, it is determined that they do not match.

  For example, since the client terminal management table 105 has the client terminal whose received mail destination is “bb@aaa.com” and the OS “OS Ver1.1”, the application “application A” and the OS “OS Ver1.1” The sandbox environment of ID “001” having

  In addition, about the version, it can also be considered to be the same with the condition that it is the same by updating to the latest version. In that case, when sending the received mail after the analysis, the client terminal OS or application may be updated to the latest version. Note that the sandbox is updated to the latest version by updating the OS and applications as needed.

  A threshold can be set as appropriate for the matching condition. It is possible to evaluate the difference between the applications other than processing the attached file relatively small, and not to evaluate at all other than the OS and the application processing the attached file.

  If there is a sandbox environment that matches the client terminal information, the process proceeds to step 307, and the received mail is sent from the mail transmission / alert unit 104 to the sandbox environment 109 selected in step 305 or step 306.

  If the client terminal information does not match any sandbox environment, the OS 209 and application 210 information acquired in step 304 is called from the sandbox spare software environment 110, and the OS 213 and / or application 214 that do not match is called. Install as sandbox environment 109. The installed sandbox environment 109 is selected (step 306).

  For example, when an incoming mail with an attached file in the attached file format “.docx” is received at the address “cc@aaa.com”, the OS “OS Ver1.1” on the client terminal and the application “ ”And“ Application C ”. The application “application D” is associated with the application that can open the attached file. The sandbox management table has a sandbox environment with a sandbox environment IP “192.168.10.1” having “OS Ver1.1”, but does not have an application “application D”. Therefore, the application “application D” is reinstalled in the sandbox environment from the sandbox spare software environment.

  The received mail is sent to the installed sandbox environment 109.

  Through the above processing, the mail server / determination apparatus 101 receives the received mail with the attached file. By executing steps 301 to 307, a sandbox close to the client environment corresponding to the mail destination can be selected from a plurality of sandbox environments 109, and an optimum environment can be prepared and selected for analyzing the attached file of the received mail. become. As a sandbox environment, it is not necessary to prepare all terminals, OSs and applications that are completely the same, and resources can be saved. As a result, the user can use an optimum environment for analysis in the sandbox environment 109 which is a limited resource among many client terminals 111 possessed by the user.

  FIG. 3B is a diagram illustrating a received mail confirmation processing flow of the malware detection method using the optimum sandbox according to an embodiment of the present invention.

  The flow starts when a mail with an attached file is transmitted from the mail server / determination apparatus 101 to the sandbox management apparatus 108.

  In step 309, the attached file of the received mail is executed in the sandbox environment 109, and its behavior is analyzed.

  After executing the attached file, if it can be confirmed that the behavior of the sandbox environment 109 is malicious, the attached file is determined to be malware. Then, an alert mail is sent from the mail transmitting / alert unit 104 to notify the client terminal 111 having the received mail destination 201 that the malicious behavior of the received mail has been confirmed. The information system management department is also notified of malware detection by email. After sending the alert mail to the client terminal 111, the analysis / control unit 103 registers the status “alert” and the analysis result “NG” in the mail management table 105 (step 309).

  In step 310, when it is not confirmed that the malicious behavior is performed in the environment of the sandbox environment 109 after execution of the attached file, it is determined that it is not malware. The received mail is sent from the mail transmitting / alert unit 104 to the client terminal 111 having the destination 201 of the received mail. After sending the received mail to the client terminal 111, the analysis / control unit 103 registers the status “through” and the analysis result “OK” in the mail management table 105.

  Through the above processing, the mail server / determination apparatus 101 sends the received mail with an attached file to the sandbox environment 109 that is optimal for analysis. Execution of step 308 makes it possible to check for the presence or absence of malicious behavior in the received mail. As a result, it is possible to prevent malware threats to the client terminal owned by the user.

  DESCRIPTION OF SYMBOLS 100: Mail server and determination apparatus, 101: Mail server part, 101a: Mail receiving part, 101b: Mail management DB, 102: Determination apparatus part, 103: Analysis / control part, 104: Mail transmission and alert part, 105: Mail management table, 106: client terminal management table, 107: sandbox management table, 108: sandbox management device, 109: sandbox environment, 110: sandbox backup software environment, 111: client terminal, 112: network.

Claims (6)

In the method of detecting malware from files attached to emails,
A step of receiving a mail addressed to the client terminal and having an attached file;
A process in which the analysis unit sends the attached file of the email to the sandbox analysis device;
A sandbox analysis device analyzes the attached file using a sandbox, and sends a result to the analysis unit;
Including
The analysis unit selects a sandbox to be used for analysis based on the attached file, client terminal information storing the client terminal profile, and sandbox information storing the sandbox profile. A malware detection method characterized by being sent to a box analysis device. In claim 1,
The client terminal information and sandbox information have OS and application information as a profile of the client terminal and the sandbox,
The analysis unit
Based on the destination address of the mail, obtain the profile of the client terminal related to the destination address from the client terminal,
The malware detection method, wherein the sandbox is selected based on the profile of the client terminal and the sandbox information. In claim 2,
The analysis unit
Identify the type of application used to process the attached file,
Based on the application type, the client terminal information, and the sandbox information, an application related to the attached file is identified from the profile of the client terminal and the profile of the sandbox,
A malware detection method, comprising: selecting a sandbox to be used for analyzing the attached file based on the client terminal, the identified application of the sandbox, and the OS. In any one of Claims 1 thru | or 3,
The analysis unit determines whether to use an existing sandbox or to newly set a sandbox as a selection of a sandbox used for the analysis,
The malware detection method, wherein the sandbox analysis device prepares a sandbox based on the determination. In claim 2,
When the destination of the received mail includes a plurality of destination addresses, the analysis unit acquires each client terminal information corresponding to the plurality of destination addresses, compares the plurality of client terminal information, and compares each of the client terminal information. A malware detection device that determines whether or not to analyze client terminal information in a sandbox. In a system that detects malware from files attached to emails,
A mail receiving unit for receiving a mail addressed to a client terminal and having an attached file;
An analysis unit that sends the attached file of the email to a sandbox analysis device;
A sandbox analysis device that analyzes the attached file using a sandbox and transmits the result to the analysis unit;
Including
The analysis unit selects a sandbox to be used for analysis based on the attached file, client terminal information storing the client terminal profile, and sandbox information storing the sandbox profile. A malware detection system characterized by being sent to a box analysis device.

Images