JP5892840B2 - Program analysis system - Google Patents

Description

The present invention relates to program analysis system for analyzing the behavior of a computer program.

  There are two known methods for analyzing the behavior of a computer program without using source code: static analysis and dynamic analysis. In static analysis, behavior is investigated by analyzing an instruction code described in a program file. In dynamic analysis, a program is executed on a computer, and the behavior is examined by observing the behavior of the program at the time of execution.

  Some programs have various defensive measures to prevent static analysis. In particular, recent malware (malware: malicious programs such as computer viruses and spyware) is often obfuscated or encrypted in order to prevent static analysis. For this reason, the investigation by static analysis requires a long time and a skilled engineer for decoding and decoding the file structure.

  On the other hand, dynamic analysis observes the behavior of the program at the time of execution and investigates the behavior, so it is less affected by obfuscation and encryption of the file and can be completed in a relatively short time. effective.

  Therefore, in recent years, research and development of a system that realizes efficient analysis by automating dynamic analysis processing, such as Patent Document 1 and Patent Document 2, has been progressing. In these systems, malware is executed in an execution environment, and behaviors observed within a certain time (for example, malware file access and network communication) are acquired and analyzed.

JP 2009-181335 A JP 2009-37545 A

  However, some programs perform active activities only when the environment in which they are executed performs specific processing. For example, some malware starts an activity only when a computer accesses a bank WEB (World Wide Web) site, steals a user account, and alters a user's input content. For this reason, it is difficult to sufficiently analyze the characteristics of a program only by executing the program on a computer and analyzing the behavior thereof, as in the program analysis systems disclosed in Patent Document 1 and Patent Document 2. .

The present invention, computer and to provide a system that enables efficient analysis of programs for performing activities when performing a specific process.

In order to solve the above-described problem, according to the first aspect of the present invention, a control device that operates a sample program and analyzes its behavior, and executes a browser operation scenario based on a command from the control device. And a client device that records the behavior of the sample program and a server device that records the behavior by communicating with the client device based on a command from the control device, and the control device includes the client device A storage unit including an analysis database that stores information obtained by combining the operation scenario of the browser and server configuration information of the server device, and a control unit that transmits an instruction to the client device and the server device to perform analysis processing And the sample program attribute based on the records received from the client device and the server device. A detection unit for analyzing and a program analysis system, characterized in that it comprises a.
Other means will be described in the embodiment for carrying out the invention.

According to the present invention, the computer is able to provide a system that enables efficient analysis of programs for performing activities when performing a specific process.

It is a schematic block diagram which shows the program analysis system in this embodiment. It is a schematic block diagram which shows the control apparatus in this embodiment. It is a schematic block diagram which shows the client apparatus in this embodiment. It is a schematic block diagram which shows the server apparatus in this embodiment. It is a figure which shows analysis scenario DB in this embodiment. It is a figure which shows WEB site DB in this embodiment. It is a figure which shows activity record DB in this embodiment. It is a figure which shows detection rule DB in this embodiment. It is a figure which shows reanalysis rule DB in this embodiment. It is a figure which shows browser monitoring rule DB in this embodiment. It is a figure which shows WEB site monitoring DB in this embodiment. It is a sequence diagram of the program analysis process in this embodiment. It is a flowchart which shows the control pre-processing which the control part in this embodiment performs. It is a flowchart which shows the detection part process in this embodiment. It is a flowchart which shows the client control part process in this embodiment. It is a flowchart which shows the browser operation part process in this embodiment. It is a flowchart which shows the browser monitoring part process in this embodiment. It is a flowchart which shows the server control part process in this embodiment. It is a flowchart which shows the WEB site monitoring part process in this embodiment.

(Configuration of this embodiment)

FIG. 1 is a schematic configuration diagram showing a program analysis system in the present embodiment.
The program analysis system 1 includes a control device 100, a client device 200, a server device 300, a communication network 400, and a communication network 500.
The program analysis system 1 according to the present embodiment analyzes whether or not the specimen 11 described later is malware. Here, malware is malicious software created with the intention of performing illegal and harmful operations. For example, when a user accesses a specific WEB site by infecting a WEB browser, stealing user input Or tampering. In the program analysis system 1, the control device 100, the client device 200, and the server device 300 cooperate with each other via the communication network 400 to analyze this malware.

The control device 100 is, for example, a computer such as one or more computers or workstations. The control device 100 performs processing for analyzing the behavior of malware in the program analysis system 1. The control device 100 determines malware to be analyzed (hereinafter may be referred to as a specimen) and its analysis procedure, and instructs the client device 200 and the server device 300. The control device 100 is connected to the client device 200 and the server device 300 via the communication network 400.
The configuration of the control device 100 will be described with reference to FIG.

  The client device 200 is, for example, a computer such as one or more computers or workstations. Based on the command transmitted from the control device 100, the client device 200 executes the sample 11 and executes (operates) the operation scenario of the WEB browser, and records the behavior of the sample 11. The client device 200 communicates with the server device 300 via the communication network 500. The configuration of the client device 200 will be described with reference to FIG.

  The server apparatus 300 is a computer such as one or more computers or workstations. The server apparatus 300 constructs a WEB site based on the command transmitted from the control apparatus 100, and communicates with the client apparatus 200 via the communication network 500 to record the behavior. The configuration of the server apparatus 300 will be described with reference to FIG.

  The communication network 400 is, for example, a public line network such as a WAN (World Area Network), a LAN (Local Area Network), a mobile phone, and a PHS (Personal Handy-phone System). Communication between the control device 100, the client device 200, and the server device 300 is performed via the communication network 400.

  The communication network 500 is a public line network such as WAN, LAN, mobile phone, PHS, for example. Communication between the client device 200 and the server device 300 is performed via the communication network 500. The client device 200 can also communicate with a device connected to an external network such as the Internet via the communication network 500.

  A line L1 indicates a flow of information from the control apparatus 100 to the client apparatus 200. A line L2 indicates a flow of information from the control device 100 to the server device 300. A line L3 indicates a flow of information from the client apparatus 200 to the control apparatus 100. A line L4 indicates a flow of information from the server apparatus 300 to the control apparatus 100. The lines L1 to L4 use the communication network 400 as a means for transmitting physical information.

  The line L1 is a flow of information in which the client control command 10 is transmitted from the control device 100 to the client device 200. The client control instruction 10 includes a sample 11 to be analyzed and an operation scenario 12. The program analysis system 1 according to the present embodiment detects malware based on the behavior of the sample 11 when the operation specified in the operation scenario 12 of the client control instruction 10 is performed on the WEB browser in the client device 200. I do.

  The line L2 is a flow of information in which the server control command 20 is transmitted from the control device 100 to the server device 300. The server control instruction 20 includes a WEB site configuration file 21. The server apparatus 300 constructs a WEB site based on information included in the WEB site configuration file 21. In the present embodiment, malware detection is performed based on information received from the client device 200 by the constructed WEB site.

  The line L3 is a flow of information in which the client side execution result 30 is transmitted from the client device 200 to the control device 100. The client-side execution result 30 includes analysis information acquired by the client device 200 when the sample 11 is analyzed based on the client control command 10 and the server control command 20.

  The line L4 is a flow of information in which the server side execution result 40 is transmitted from the server apparatus 300 to the control apparatus 100. The server-side execution result 40 includes analysis information acquired by the server device 300 when the sample 11 is analyzed based on the client control command 10 and the server control command 20.

  A line L5 indicates a flow of information from the client device 200 to the server device 300. A line L6 indicates a flow of information from the server apparatus 300 to the client apparatus 200. The lines L5 and L6 use the communication network 500 as a means for transmitting physical information.

  The line L5 is a flow of information in which the request 50 and the operation completion notification 70 are transmitted from the client device 200 to the server device 300. The request 50 is a request sentence issued by the WEB browser in the client device 200 and is processed by the WEB site in the server device 300. The operation completion notification 70 is used to transmit from the client device 200 to the server device 300 that a series of operations necessary for analysis has been completed.

  The line L6 is a flow of information in which the response 60 is transmitted from the server apparatus 300 to the client apparatus 200. The response 60 is a response sentence of the WEB site in the server apparatus 300 with respect to the request 50.

  In the program analysis system 1 of the present embodiment, the control device 100, the client device 200, and the server device 300 are configured as separate processing devices. However, the present invention is not limited to this, and these may be realized by one processing device, or any two of them may be realized by one processing device. Further, the control device 100 may be configured to manage a plurality of client devices 200 and a plurality of server devices 300.

FIG. 2 is a schematic configuration diagram showing the control device in the present embodiment.
The control device 100 includes a device main body 110 and an input / output device 190.
The apparatus main body 110 includes a CPU (Central Processing Unit) 120, a memory 130, an interface (IF) 140, an external storage device 150, a bus 160, a specimen storage device 170, and a WEB site storage device 180. Yes. Note that the interface may be described as “IF” in the drawings.

The CPU 120 embodies a control unit 121 and a detection unit 122. The CPU 120 executes various arithmetic processes based on the software program on the memory 130. The CPU 120 is connected to the bus 160.
The memory 130 includes a control program 131 and a detection program 132. The memory 130 is a storage medium including a program in which an instruction to be executed by the CPU 120 is described and data referred to by the program. The memory 130 is connected to the bus 160.

  The control unit 121 is realized by the CPU 120 executing the control program 131. The detection unit 122 is realized by the CPU 120 executing the detection program 132. The control unit 121 manages the analysis status of the sample 11 and transmits a client control command 10 to the client apparatus 200 to instruct an analysis method. The control unit 121 further transmits a server control command 20 to the server apparatus 300 to instruct a method for configuring the WEB site.

  The detection unit 122 receives the client-side execution result 30 from the client device 200 and receives the server-side execution result 40 from the server device 300 as information necessary for malware determination. The detection unit 122 determines (detects) whether or not the sample 11 is malware by analyzing the client-side execution result 30 and the server-side execution result 40.

  The interface 140 is a communication device such as a LAN card, for example, and is an interface through which the control device 100 communicates via the communication network 400. The interface 140 is connected to the bus 160.

  The external storage device 150 is a storage medium such as an HDD (Hard Disk Drive), and stores an analysis scenario DB 151, a WEB site DB 152, an activity record DB 153, a detection rule DB 154, and a reanalysis rule DB 155. It is. The external storage device 150 is connected to the bus 160.

The bus 160 connects the CPU 120, the memory 130, the interface 140, the external storage device 150, the sample storage device 170, the WEB site storage device 180, and the input / output device 190 in a communicable manner.
The sample storage device 170 is a storage medium such as an HDD, and stores the sample 11 to be analyzed. The sample storage device 170 is connected to the bus 160.

  The WEB site storage device 180 is configured by a storage medium such as an HDD, and stores a WEB site configuration file 21 configured by an HTML (Hyper Text Markup Language) file, a CGI (Common Gateway Interface) file, or the like. The WEB site storage device 180 is connected to the bus 160. Note that the WEB site storage device 180 may store a plurality of WEB site configuration files 21.

  The input / output device 190 inputs data to the control device 100 and outputs data in the control device 100. The input / output device 190 is, for example, a keyboard, a mouse, a display, or the like. The input / output device 190 is connected to the bus 160.

FIG. 3 is a schematic configuration diagram showing the client device according to the present embodiment.
The client device 200 includes a device main body 210 and an input / output device 280.
The apparatus main body 210 includes a CPU 220, a memory 230, interfaces 240 and 241, an external storage device 250, a bus 260, and an image storage device 270.

The CPU 220 embodies a client control unit 221, a browser operation unit 222, a browser monitoring unit 223, and a browser unit 224. The CPU 220 executes various arithmetic processes based on the software program on the memory 230. The CPU 220 is connected to the bus 260.
The memory 230 includes a client control program 231, a browser operation program 232, a browser monitoring program 233, and a browser program 234. The memory 230 is a storage medium including a program in which an instruction to be executed by the CPU 220 is described and data referred to by the program. The memory 230 is connected to the bus 260.

  The client control unit 221 is realized by the CPU 220 executing the client control program 231. The browser operation unit 222 is realized by the CPU 220 executing the browser operation program 232. The browser monitoring unit 223 is realized by the CPU 220 executing the browser monitoring program 233. The browser unit 224 is realized by the CPU 220 executing the browser program 234.

The client control unit 221 controls the client device 200. That is, the client control unit 221 receives the client control command 10 from the control device 100, analyzes the sample 11 received from the control device 100, and transmits the analysis result as the client-side execution result 30.
The browser operation unit 222 operates the browser unit 224 based on the operation scenario 12 received from the control device 100.
The browser monitoring unit 223 monitors the behavior of the browser unit 224.
The browser unit 224 operates as a WEB browser and performs an operation based on an instruction from the browser operation unit 222.

  The interface 240 is a communication device that connects the client device 200 to the communication network 400. Communication equipment such as a LAN card corresponds to this. The interface 240 may be described as IF in the figure. Similarly, the interface 241 is a communication device for connecting the client device 200 to the communication network 500. The interfaces 240 and 241 are connected to the bus 260, respectively.

The external storage device 250 is composed of a storage medium such as an HDD, and stores the browser monitoring rule DB 251. The browser monitoring rule DB 251 describes what activities of the browser program 234 are recorded by the browser monitoring program 233. Specific contents of the browser monitoring rule DB 251 will be described later.
The bus 260 connects the CPU 220, the memory 230, the interface 240, the interface 241, the external storage device 250, the image storage device 270, and the input / output device 280.

The image storage device 270 includes a storage medium such as an HDD, and stores an execution environment image 271. The image storage device 270 is connected to the bus 260.
The execution environment image 271 is a file including general operating system configuration information, and provides a software environment for executing the sample 11 when executed on the CPU 220. The image storage device 270 temporarily stores information about files and registries created or changed during execution of the specimen 11.

  The input / output device 280 is a device for inputting data by the administrator and outputting data in the client device 200 to the client device 200. The input / output device 280 is, for example, a keyboard, a mouse, a display, or the like. The input / output device 280 is connected to the bus 260.

FIG. 4 is a schematic configuration diagram showing the server device in the present embodiment.
The server device 300 includes a device main body 310 and an input / output device 380.
The apparatus main body 310 includes a CPU 320, a memory 330, interfaces 340 and 341, an external storage device 350, a bus 360, and a WEB site storage device 370.

  The CPU 320 embodies a server control unit 321, a WEB site monitoring unit 322, and a WEB server unit 323. The CPU 320 executes various arithmetic processes based on the software program on the memory 330. The CPU 320 is connected to the bus 360.

  The memory 330 includes a server control program 331, a WEB site monitoring program 332, and a WEB site program 333. The memory 330 is a storage medium including a program in which an instruction to be executed by the CPU 320 is described and data referred to by the program. The memory 330 is connected to the bus 360.

The server control program 331 is executed by the CPU 320, thereby communicating with the control apparatus 100 and analyzing the sample 11. When the WEB site monitoring program 332 is executed by the CPU 320, the behavior of the WEB site program 333 is monitored. The WEB site program 333 is executed on the CPU 320 to operate as a WEB server.
The server control unit 321 is realized by the CPU 320 executing the server control program 331. The WEB site monitoring unit 322 is realized by the CPU 320 executing the WEB site monitoring program 332. The WEB server unit 323 is realized by the CPU 320 executing the WEB site program 333.

The server control unit 321 controls the server device 300, receives the server control command 20 from the control device 100, and transmits the analysis result as the server-side execution result 40 when the analysis of the sample 11 is completed. It is.
The WEB site monitoring unit 322 monitors the behavior of the WEB server unit 323.
The WEB server unit 323 reads the WEB site configuration file 21, operates as a WEB server, receives the request 50 from the client device 200, and returns a response 60.

  The interface 340 is a communication device for connecting the server device 300 to the communication network 400. Communication equipment such as a LAN card corresponds to this. The interface 340 may be described as IF in the drawings and specification. Similarly, the interface 341 is a communication device for connecting the server device 300 to the communication network 500. The interfaces 340 and 341 are connected to the bus 360.

The external storage device 350 includes a storage medium such as an HDD, and stores a WEB site monitoring rule DB 351. The WEB site monitoring rule DB 351 describes what activities of the WEB site program 333 are recorded by the WEB site monitoring program 332. Specific contents of the WEB site monitoring rule DB 351 will be described later. The external storage device 350 is connected to the bus 360.
The bus 360 connects the CPU 320, the memory 330, the interfaces 340 and 341, the external storage device 350, the WEB site storage device 370, and the input / output device 380.
The WEB site storage device 370 includes a storage medium such as an HDD, and stores the WEB site configuration file 21 received from the control device 100. The WEB site storage device 370 is connected to the bus 360.

  The input / output device 380 is a device for inputting data by the administrator and outputting data in the server device 300 to the server device 300. The input / output device 380 is, for example, a keyboard, a mouse, a display, or the like. The input / output device 380 is connected to the bus 360.

(Description of processing)
FIG. 5 and subsequent figures show a configuration example of a DB included in the system and a flowchart of each functional unit.
Each DB shown in the figures after FIG. 5 has a configuration after the sample 11 is analyzed in the following procedure.

(The first analysis: January 1, 2012, 00:00)
At 0:00 am on January 1, 2012, the control apparatus 100 starts analyzing the sample 11 whose ID is “Sample A”. In the analysis, first, the site X is selected as the analysis WEB site. The control device 100 completes the first analysis at 0:00 am on the same day, and determines that the sample A is non-malware.

(Second analysis: January 1, 2012 at 0:02 am)
At 0:02 am on January 1, 2012, the control device 100 starts the second analysis and selects the site Y as the analysis WEB site. The control device 100 completes the second analysis at 0:03 am on the same day, and determines that the sample A is non-malware.

(Third analysis: January 1, 2012, 0:04 am)
The control device 100 starts the third analysis and selects the site Z as the analysis WEB site. The control device 100 completes the third analysis at 0:05 am on the same day, and determines that the sample A is malware. Thereby, all the analysis processes are completed.

(Various tables of this embodiment)
FIG. 5 is a diagram showing an analysis scenario DB in the present embodiment.
Each record in the analysis scenario DB 151 stores a time at which an analysis on a certain sample 11 is started, a time at which the analysis is completed, an analysis method, an analysis status, and a result detected by the analysis. It is. The analysis scenario DB 151 includes an analysis management ID 151a, a sample ID 151b, a site ID 151c, an analysis start time 151d, an analysis end time 151e, an analysis status 151f, and a detection result 151g as columns of each record.

  The analysis management ID 151a is used to uniquely recognize a record in the analysis scenario DB 151. For this reason, the value of each analysis management ID 151a is unique in the analysis scenario DB 151.

  The sample ID 151b is a number for uniquely identifying each sample 11 analyzed by this system. When the same sample ID 151b is set in different records, it means that the same sample 11 is analyzed a plurality of times under different conditions. Here, the same specimen A is analyzed three times.

The site ID 151c is an identifier that uniquely identifies the WEB site used for the analysis. The site ID 151c is linked to a record in the WEB site DB 152 described later.
The analysis start time 151d indicates the start time of the analysis related to each record.
The analysis end time 151e indicates the end time of the analysis related to each record.
The analysis status 151f indicates the analysis status of the sample 11 specified by the sample ID 151b, and stores a value of “under analysis” or “analysis completed”.
The detection result 151g indicates the detection result of the sample analysis performed for each record, and stores any value of “non-malware”, “possible malware”, and “malware”.

FIG. 5 shows examples of records of three types of analysis scenarios.
The record in which “1” is stored in the analysis management ID 151a indicates the result of the first analysis. “Sample A” is stored in the sample ID 151b of the record, and “Site X” is stored in the site ID 151c. “2012 01/01 00:00:00” is stored in the analysis start time 151d of the record, and “2012 01/01 00:01:00” is stored in the analysis end time 151e. “Analysis completed” is stored in the analysis status 151f of the record, and “non-malware” is stored in the detection result 151g.

  The record in which “2” is stored in the analysis management ID 151a indicates the result of the second analysis. “Sample A” is stored in the sample ID 151b of the record, and “Site Y” is stored in the site ID 151c. “2012 01/01 00:02:00” is stored in the analysis start time 151d of the record, and “2012 01/01 00:03:00” is stored in the analysis end time 151e. “Analysis completed” is stored in the analysis status 151f of the record, and “non-malware” is stored in the detection result 151g.

  The record in which “3” is stored in the analysis management ID 151a indicates the result of the third analysis. “Sample A” is stored in the sample ID 151b of the record, and “Site Z” is stored in the site ID 151c. “2012 01/01 00:04:00” is stored in the analysis start time 151d of the record, and “2012 01/01 00:05:00” is stored in the analysis end time 151e. “Analysis completed” is stored in the analysis status 151f of the record, and “malware” is stored in the detection result 151g.

  Thereby, the program analysis system 1 can determine that the sample 11 having the ID “sample A” is malware for the site Z.

FIG. 6 is a diagram showing the WEB site DB in the present embodiment.
Each record in the WEB site DB 152 includes an identifier of the WEB site, the ease of an attack on the WEB site, the WEB site configuration file 21 that configures the WEB site, and the operation of the browser unit 224 that accesses the WEB site. Memorize the procedure. The WEB site DB 152 includes a site ID 152a, an attack ease 152b, a site configuration file storage destination 152c, and an operation procedure 152d as fields of each record.
The WEB site DB 152 serving as an analysis database stores information obtained by combining the operation scenario 12 for operating the browser unit 224 in the client device 200 and the site configuration file storage destination 152 c constituting the server device 300.

  The site ID 152a is used to uniquely recognize a record in the WEB site DB 152, and is used to identify the WEB site related to the record. For this reason, the value of each site ID 152a is unique within the WEB site DB 152.

The attack ease 152b indicates the possibility that the malware attacks the WEB site related to the record. An arbitrary numerical value is set in the attack ease 152b, and the higher the numerical value, the higher the possibility that malware will attack the WEB site.
The site configuration file storage destination 152c indicates a storage location in the WEB site storage device 180 of the WEB site configuration file 21 of the record.
The operation procedure 152d designates what operation the browser operation unit 222 performs on the browser unit 224 that has accessed the WEB site.

FIG. 6 shows an example of records of three types of WEB sites. The record of the site ID 152a = “site X” stores the ease of attack 152b = 100 and the site configuration file storage destination 152c = “C: \ storage \ site X”. The operation procedure 152d stores the following seven operation procedures.
(1) Enter “alice” in the User field and “pass” in the password field. (2) Execute the “Login” button. (3) Execute the “Transfer button”. (4) Transfer “bob” in the transfer destination field. Enter “¥ 1000” in the field (5) Execute “Procedure button” (6) Execute “Confirm button” (7) Execute “Procedure button”

The record of the site ID 152a = “site Y” stores the ease of attack 152b = 80 and the site configuration file storage destination 152c = “C: \ storage \ site Y”. The operation procedure 152d stores the following five operation procedures.
(1) Enter “alice” in the User field and “pass” in the password field. (2) Execute the “login” button. (3) Execute the “Transfer” button. (4) “Cindy” in the transfer destination field. Enter “$ 100” in the field,
(5) Execute “submit” button

The record of site ID 152a = “site Z” stores ease of attack 152b = 30 and site configuration file storage destination 152c = “C: \ storage \ site Z”. The operation procedure 152d stores the following seven operation procedures.
(1) Enter “alice” in the User field and “pass” in the password field. (2) Execute the “Login” button. (3) Execute the “Transfer button”. (4) “Dave” in the transfer destination field. Enter “¥ 1000” in the field (5) Execute “Procedure button” (6) Execute “Confirm button” (7) Execute “Procedure button”

FIG. 7 is a diagram showing an activity record DB in the present embodiment.
Activity records recorded by the browser monitoring unit 223 of the client device 200 and the WEB site monitoring unit 322 of the server device 300 are recorded in the activity record DB 153. The detection unit 122 refers to the activity record DB 153 to determine whether or not the sample 11 is malware.

  FIG. 7 shows record examples of 13 types of activity record DBs 153. The records of activity record IDs 153a = 1 to 4 store the activity records recorded during the execution of the analysis scenario of analysis management ID 153b = 1. In the records of activity record IDs 153a = 5 to 8, the activity records recorded when the analysis scenario of analysis management ID 153b = 2 is executed are stored. The records of activity record IDs 153a = 9 to 13 store the activity records recorded when the analysis scenario of analysis management ID 153b = 3 is executed.

The record of activity record ID 153a = 1 includes analysis management ID 153b = 1, activity record time 153c = “2012/01/01 00:00:05”, record location 153d = “client”, activity type 153e = “CPU usage rate” "Increase rate" and activity data 153f = "0.1%" are stored. The “CPU usage rate increase rate” indicates how much the usage rate of the CPU used by the browser unit 224 has increased compared to a certain time before (for example, 10 seconds before).
In the record of activity record ID 153a = 2, analysis management ID 153b = 1, activity record time 153c = “2012/01/01 00:00:06”, recording location 153d = “server”, activity type 153e = “client transmission content” ”, Activity data 153f =“ user = alice & password = pass ”is stored. “Client transmission content” indicates data included in the request 50.
The activity record IDs 153a = 3 to 9 are the same records as in the case of the activity record IDs 153a = 1 and 2.
The record of the activity record ID 153a = 10 includes the analysis management ID 153b = 3, the activity record time 153c = “2012/01/01 00:04:05”, the recording location 153d = “client”, and the activity type 153e = “socket open”. , Activity data 153f = “dst = 192.168.1.1” is stored. “Socket open” is information indicating that the browser unit 224 has transmitted a communication request to a terminal having an IP address of “192.168.1.1” via the communication network 500. The activity record IDs 153a = 11 to 13 are the same records as in the case of the activity record IDs 153a = 1 and 2.

FIG. 8 is a diagram showing the detection rule DB in the present embodiment.
The detection unit 122 refers to the detection rule DB 154 and the activity record DB 153 to perform malware determination on the sample 11.
The detection rule ID 154a is used to uniquely identify each record in the detection rule DB 154.

The detection content 154b indicates a detection procedure. The detection unit 122 compares the activity record DB 153 record linked to a certain analysis management ID 153b with the detected content 154b, and determines one of “malware”, “possible malware”, and “non-malware”. In the determination process, the detection rule ID 154a is applied in order from the smallest value, and the determination process ends when there is an activity record DB 153 record that matches the detection content 154b.
FIG. 8 shows record examples of four types of detection rule DBs 154.

  In the record of the detection rule ID 154a = 1, the detection content 154b stores “determined as“ malware ”when“ client transmission content ”differs from that assumed in the operation procedure 152d”.

  In the record of the detection rule ID 154a = 2, the detection content 154b stores “determined“ possibility of malware ”when the“ CPU usage rate increase rate ”increased by 30% when accessing the WEB site” ing.

  In the record of the detection rule ID 154a = 3, the detection content 154b stores “determined“ possibility of malware ”when“ socket open ”occurs when accessing the WEB site”.

  In the record of the detection rule ID 154a = 4, “determined as“ non-malware ”otherwise” ”is stored in the detection content 154b. In other words, if none of the activity record DB 153 records match the detection rule ID 154a = 1 to 3, the sample 11 is determined to be “non-malware”.

FIG. 9 is a diagram showing the reanalysis rule DB in the present embodiment.
The control unit 121 refers to the detection result of the detection unit 122 and the reanalysis rule DB 155 to determine whether to reanalyze the sample 11.
The reanalysis rule ID 155a is used to uniquely identify each record in the reanalysis rule DB 155.

The determination content 155b indicates a determination procedure. The control unit 121 refers to the detection result 151g and the determination content 155b of the analysis scenario DB 151 and determines whether or not the sample 11 should be reanalyzed.
FIG. 9 shows record examples of three types of reanalysis rule DB 155.
In the record of the reanalysis rule ID 155a = 1, the determination content 155b stores “if the detection result is“ malware ”, it is finally determined to be malware and analysis is completed”.

  In the record of the reanalysis rule ID 155a = 2, the determination content 155b includes “If there is a possibility of malware”, the reanalysis is executed. “Determine and complete analysis” is stored.

  In the record of the reanalysis rule ID 155a = 3, the determination content 155b includes “If the detection result“ non-malware ”occurs three times, it is finally determined as non-malware, and the analysis is completed. "Reanalyze" is stored.

FIG. 10 is a diagram showing the browser monitoring rule DB in the present embodiment.
The browser monitoring unit 223 refers to the browser monitoring rule DB 251 to monitor the browser unit 224.
The browser monitoring rule ID 251a is used to uniquely identify each record in the browser monitoring rule DB 251.
The monitoring content 251b defines how the browser unit 224 is monitored.
FIG. 10 shows record examples of two types of browser monitoring rule DB 251.

In the record of the browser monitoring rule ID 251a = 1, the monitoring content 251b stores “record the CPU usage rate increase rate periodically”.
In the record of the browser monitoring rule ID 251a = 2, “monitor socket open” is stored in the monitoring content 251b.

FIG. 11 is a diagram showing a WEB site monitoring DB in the present embodiment.
The WEB site monitoring unit 322 refers to the WEB site monitoring rule DB 351 and monitors the WEB server unit 323.
The WEB site monitoring rule ID 351a is used to uniquely identify each record in the WEB site monitoring rule DB 351.
The monitoring content 351b defines how the WEB server unit 323 is monitored.
FIG. 11 shows a record example of one type of WEB site monitoring rule DB 351.
In the record of WEB site monitoring rule ID 351a = 1, “record client transmission content” is stored in the monitoring content 351b.

(Operation of this embodiment)

FIG. 12 is a sequence diagram of program analysis processing in the present embodiment.
In sequence Q <b> 10, the control device 100 transmits the client control command 10 to the client device 200. The client control command 10 includes a sample 11 and an operation scenario 12. Thereby, the client apparatus 200 executes the operation scenario 12.
In sequence Q11, control device 100 transmits server control command 20 to server device 300.
In sequence Q12, the client apparatus 200 transmits a request “1” to the server apparatus 300.
In sequence Q13, the client apparatus 200 receives a response “1” to the request “1” from the server apparatus 300.
In sequence Q14, the client apparatus 200 transmits a request “2” to the server apparatus 300.
In sequence Q15, the client apparatus 200 receives the response “2” to the request “2” from the server apparatus 300. Similarly, the client device 200 and the server device 300 execute the analysis process of the sample 11.

When all of the operation scenarios 12 are executed, the client device 200 performs processing of sequences Q20 and Q21.
In sequence Q20, the client apparatus 200 transmits an operation completion notification 70 to the server apparatus 300.
In sequence Q <b> 21, the client apparatus 200 transmits the client side execution result 30 to the control apparatus 100.
In sequence Q <b> 21, server apparatus 300 transmits server-side execution result 40 to control apparatus 100. Thereby, the program analysis sequence shown in FIG. 12 is completed.

FIG. 13 is a flowchart showing pre-control processing executed by the control unit of the control device according to this embodiment.
The flowchart shows a series of flows from the introduction of the specimen 11 to the completion of all analysis. When the person in charge of analysis sets the sample 11 to be analyzed via the input / output device 190, the control device 100 starts pre-control processing.

  In step S <b> 10, the control unit 121 selects the sample 11 stored in the sample storage device 170. The control unit 121 may select the sample 11 from another terminal via the interface 140, or may select the sample 11 via the input / output device 190.

  In step S11, the control unit 121 creates a new record in the analysis scenario DB 151. The control unit 121 sets a record creation time as the analysis start time 151d of the new record. The control unit 121 further sets the analysis status 151f to “under analysis”. The control unit 121 sets a site that has the highest attack ease 152b and has not yet been analyzed for the sample 11 as the site ID 151c of the new record. Thereby, when the sample 11 is malware, it can be determined in a short time.

  In step S12, the control unit 121 searches the site ID 152a of the WEB site DB 152 (FIG. 6) based on the information of the site ID 151c of the record of the analysis scenario DB 151 (FIG. 5) created in step S11. Select the record to be used.

  In step S <b> 13, the control unit 121 transmits the client control command 10 to the client device 200. In the sample 11 included in the client control command 10, the sample 11 selected in step S10 is set. In the operation scenario 12 included in the client control command 10, an operation procedure 152d related to the record in the WEB site DB 152 (FIG. 6) is set.

In step S <b> 14, the control unit 121 transmits the server control command 20 to the server device 300. The WEB site configuration file 21 included in the server control command 20 is indicated by the site configuration file storage destination 152c related to the record in the WEB site DB 152.
In step S15, the control unit 121 causes the detection unit 122 to perform detection unit processing (FIG. 14) and waits until a detection result is derived.

In step S16, the control unit 121 refers to the record newly created in the analysis scenario DB 151 (FIG. 5) and all the records in the re-analysis rule DB 155 (FIG. 9) to re-analyze the specimen 11. It is determined whether or not it is necessary to perform. When the condition is satisfied, that is, when the determination of the sample 11 is completed (Yes), the control unit 121 returns to the process of step S11 to perform reanalysis, and when the condition is not satisfied, that is, the sample. If the determination of 11 does not end (No), the process of step S17 is performed.
That is, the control unit 121 instructs the reanalysis process until the detection result of the sample 11 by the detection unit 122 is positive or negative for a certain number of times.

  In step S17, the control unit 121 outputs an analysis result. The control unit 121 may output a record of the analysis scenario DB 151 as an output content and present it to the administrator through the input / output device 190, or may transmit it to another device via the communication network 500 and output it. When the process of step S17 ends, the process of FIG. 13 ends.

Next, a specific example of the process performed in FIG. 13 will be described again.
In step S <b> 10, the control unit 121 selects the sample A and stores it in the sample storage device 170.
In step S11, the control unit 121 creates a new record in the analysis scenario DB 151 (FIG. 5) and sets the analysis management ID 151a = 1. The control unit 121 sets the selected sample A as the sample ID 151b for the new record, sets the current start time “2012/01/01 00:00:00” as the analysis start time 151d, and performs analysis. Set “under analysis” in the situation 151f.
In step S12, the control unit 121 selects the first record in the WEB site DB 152 (FIG. 6), and stores “site X” set in the site ID 152a related to the record in the analysis scenario DB 151 (FIG. 5). It is set to the site ID 151c of the created record.

  In step S13, the control unit 121 sets the sample A to the sample 11 included in the client control command 10, and selects the record selected in the WEB site DB 152 (FIG. 6) in the operation scenario 12 included in the client control command 10. The operation procedure 152d (site X) is set. The control unit 121 transmits the client control command 10 to the client device 200.

In step S14, the control unit 121 sets a file group indicated by the site configuration file storage destination 152c of the site X in the WEB site configuration file 21 included in the server control command 20. The control unit 121 transmits the server control command 20 to the server device 300.
In step S15, the control unit 121 stands by until the detection unit 122 derives a detection result.

  In step S16, since “non-malware” is set in the detection result 151g of the record with the analysis management ID 151a = 1, the control unit 121 sets the re-analysis rule ID 155a = 3 in the re-analysis rule DB 155 (FIG. 9). It is determined that the record is applied, re-analysis is necessary, and the determination of the sample A is not completed. The control unit 121 sets “2012 01/01 00:01:00” as the analysis end time 151e of the record with the analysis management ID 151a = 1, and sets “analysis completed” as the analysis status 151f. Furthermore, since the determination of the sample A has not ended (No), the control unit 121 returns to the process of step S11.

Returning to step S11, the control unit 121 creates a new record in the analysis scenario DB 151 with the analysis management ID 151a = 2. For the new record, the control unit 121 sets the sample A to the sample ID 151b, sets “2012/01/01 00:02:00” to the analysis start time 151d, and sets “analysis in progress” to the analysis status 151f. "Is set.
In step S12, the control unit 121 selects the second record in the WEB site DB 152 (FIG. 6), and sets the “site Y” set in the site ID 152a related to the record as the analysis scenario DB 151 (FIG. 5). ) To the site ID 151c of the created record.

  In step S13, the control unit 121 sets the sample A to the sample 11 included in the client control command 10, and sets the operation procedure 152d of the site Y to the operation scenario 12 included in the client control command 10. The control unit 121 transmits the client control command 10 to the client device 200.

In step S14, the control unit 121 sets a file group indicated by the site configuration file storage destination 152c of the site Y in the WEB site configuration file 21 included in the server control command 20. The control unit 121 transmits the server control command 20 to the server device 300.
In step S15, the control unit 121 stands by until the detection unit 122 derives a detection result.

  In step S16, since “non-malware” is set in the detection result 151g of the record with the analysis management ID 151a = 2, the control unit 121 sets the re-analysis rule ID 155a = 3 in the re-analysis rule DB 155 (FIG. 9). It is determined that the record is applied, re-analysis is necessary, and the determination of the sample A is not completed. The control unit 121 sets “2012 01/01 00:03:00” as the analysis end time 151e of the record with the analysis management ID 151a = 2, and sets “analysis completed” as the analysis status 151f. Furthermore, since the determination of the sample A has not ended (No), the control unit 121 returns to the process of step S11.

Returning to step S11, the control unit 121 creates a new record in the analysis scenario DB 151 with the analysis management ID 151a = 3. For the new record, the control unit 121 sets the sample A to the sample ID 151b, sets “2012/01/01 00:04:00” to the analysis start time 151d, and sets “under analysis” to the analysis status 151f. "Is set.
In step S12, the control unit 121 selects the second record in the WEB site DB 152 (FIG. 6), and sets the “site Z” set in the site ID 152a related to the record as the analysis scenario DB 151 (FIG. 5). ) To the site ID 151c of the created record.

  In step S13, the control unit 121 sets the sample A to the sample 11 included in the client control command 10, and sets the operation procedure 152d of the site Z to the operation scenario 12 included in the client control command 10. The control unit 121 transmits the client control command 10 to the client device 200.

In step S <b> 14, the control unit 121 sets a file group indicated by the site configuration file storage destination 152 c of the site Z in the WEB site configuration file 21 included in the server control command 20. The control unit 121 transmits the server control command 20 to the server device 300.
In step S15, the control unit 121 stands by until the detection unit 122 derives a detection result.

In step S16, since “malware” is set in the detection result 151g of the record with the analysis management ID 151a = 3, the control unit 121 records with the reanalysis rule ID 155a = 1 in the reanalysis rule DB 155 (FIG. 9). Is applied, it is determined that reanalysis is unnecessary, and it is determined that the determination of the sample A is completed. The control unit 121 sets “2012 01/01 00:05:00” as the analysis end time 151e of the record with the analysis management ID 151a = 3, and sets “analysis completed” as the analysis status 151f. Further, the control unit 121 determines that the determination of the sample A has been completed (Yes), and performs the process of step S17.
In step S17, the control unit 121 notifies the administrator that “sample A is malware” and completes the process shown in FIG.

FIG. 14 is a flowchart showing the detection unit processing (step S15 in FIG. 13) in the present embodiment.
In the first analysis, when the control unit 121 of the control device 100 performs the process of step S15 (FIG. 13), the detection unit 122 of the control device 100 performs a detection unit process.
In step S20, the detection unit 122 receives the client side execution result 30 from the client device 200, and creates and stores a new record in the activity record DB 153 (FIG. 7).
In step S21, the detection unit 122 receives the server-side execution result 40 from the server device 300, and creates and saves a new record in the activity record DB 153 (FIG. 7).

In step S22, the detection unit 122 refers to the record in the activity record DB 153 (FIG. 7) and the record in the detection rule DB 154 (FIG. 8) to determine whether or not the sample 11 is malware.
In step S23, the detection unit 122 records (updates) the determination result in the detection result 151g of the record newly created in the analysis scenario DB 151 (FIG. 5).

Next, a specific example of the process performed in FIG. 14 will be described again.
In step S20, the detection unit 122 receives the client-side execution result 30 and stores it as a record of activity record IDs 153a = 1, 3 in the activity record DB 153 (FIG. 7).
In step S21, the detection unit 122 receives the server-side execution result 40 and stores it as a record of activity record ID 153a = 2, 4 in the activity record DB 153 (FIG. 7).

In step S22, the detection unit 122 corresponds to the records of the activity record ID 153a = 1 to 4 in the activity record DB 153 (FIG. 7) and the records of the detection rule ID 154a = 1 to 3 in the detection rule DB 154 (FIG. 8). It is determined whether or not there is something, and it is determined whether or not the sample 11 is malware.
In step S23, the detection unit 122 sets (updates) “non-malware” in the detection result 151g of the record with the analysis management ID 151a = 1 in the analysis scenario DB 151 (FIG. 5), and ends the process of FIG.

In the second analysis, when the control unit 121 of the control device 100 performs the process of step S15 (FIG. 13), the detection unit 122 of the control device 100 performs a detection unit process.
In step S20, the detection unit 122 receives the client-side execution result 30 and stores it as a record of activity record IDs 153a = 5 and 7 in the activity record DB 153 (FIG. 7).
In step S21, the detection unit 122 receives the server-side execution result 40 and stores it as a record of activity record IDs 153a = 6, 8 in the activity record DB 153 (FIG. 7).

In step S22, the detection unit 122 corresponds to the record of the detection rule ID 154a = 1 to 3 in the detection rule DB 154 (FIG. 8) in the record of the activity record ID 153a = 5 to 8 in the activity record DB 153 (FIG. 7). It is determined whether or not there is something to do, and it is determined whether or not the sample 11 is malware.
In step S23, the detection unit 122 sets “non-malware” to the detection result 151g of the record of the analysis management ID 151a = 2 in the analysis scenario DB 151 (FIG. 5), and ends the process of FIG.

In the third analysis, when the control unit 121 of the control device 100 performs the process of step S15 (FIG. 13), the detection unit 122 of the control device 100 performs a detection unit process.
In step S20, the detection unit 122 receives the client-side execution result 30 and stores it as a record of activity record ID 153a = 9, 10, 12 in the activity record DB 153 (FIG. 7).
In step S21, the detection unit 122 receives the server-side execution result 40 and stores it as records of activity record IDs 153a = 11, 13 in the activity record DB 153 (FIG. 7).

In step S22, the detection unit 122 corresponds to the record of the detection rule ID 154a = 1 to 3 in the detection rule DB 154 (FIG. 8) in the record of the activity record ID 153a = 9 to 13 in the activity record DB 153 (FIG. 7). Search whether there is something to do. Then, there is “target = evil & money = ¥ 1000000” in the activity data 153f of the record with the activity record ID 153a = 13, which indicates communication for transferring ¥ 1000000 to the user named evil. However, in the operation procedure (4) of the site ID 152a = site Z designated by the analysis scenario DB 151 record of the analysis management ID 153b = 3, “transfer 1000 yen to user dave” is recorded, and the transfer destination, transfer amount, Is different. Therefore, the detection unit 122 applies the detection content 154b of the record with the detection rule ID 154a = 1, and determines that the sample A is “malware”.
In step S23, the detection unit 122 sets “malware” in the detection result 151g of the analysis scenario DB 151 record with the analysis management ID 151a = 3, and ends the process of FIG.

  The record of the detection rule DB 154 (FIG. 8) detection rule ID 154a = 2 matches the activity record DB 153 record of the activity record ID 153a = 12. The record with the detection rule ID 154a = 3 in the detection rule DB 154 (FIG. 8) matches the record with the activity record ID 153a = 10 in the activity record DB 153 (FIG. 8). However, since the record with the detection rule ID 154a = 1 having a high priority is applied, the determination result is “malware”.

FIG. 15 is a flowchart showing client control unit processing in the present embodiment.
In step S <b> 30, the client control unit 221 receives the client control command 10 from the control device 100.
In step S31, the client control unit 221 activates the browser monitoring unit 223 to perform browser monitoring unit processing (FIG. 17).

In step S <b> 32, the client control unit 221 activates the browser operation unit 222. The client control unit 221 further passes the sample 11 and the operation scenario 12 included in the client control command 10 to the browser operation unit 222.
In step S33, the client control unit 221 stands by until the processing of the browser operation unit 222 is completed.
In step S <b> 34, the client control unit 221 transmits an operation completion notification 70 to the server device 300.
In step S35, the client control unit 221 stands by until the processing of the browser monitoring unit 223 is completed.
In step S 36, the client control unit 221 acquires the client side execution result 30 from the browser monitoring unit 223.
In step S <b> 37, the client control unit 221 transmits the client side execution result 30 to the control device 100.
In step S <b> 38, the client control unit 221 uses the execution environment image 271 to restore each program in the client device 200 to a state before the sample 11 is executed. When the process of step S38 ends, the client control unit 221 ends the process of FIG.

FIG. 16 is a flowchart showing browser operation unit processing in the present embodiment.
When the client control unit 221 executes the process of step S32 of the client control unit process (FIG. 15), the browser operation unit process of FIG. 16 is activated.
In step S40, the browser operation unit 222 executes the sample 11.
In step S41, the browser operation unit 222 activates the browser unit 224.
In steps S42 to S44, the browser operation unit 222 repeats the process for the operation procedures of all the operation scenarios 12.
In step S43, the browser operation unit 222 operates the browser unit 224 in accordance with the operation procedure of the operation scenario 12.
In step S44, the browser operation unit 222 determines whether or not the operation procedure for all operation scenarios 12 has been completed. If the determination condition is not satisfied, the browser operation unit 222 returns to the process of step S42, and if the determination condition is satisfied, the browser operation unit 222 ends the process of FIG.

FIG. 17 is a flowchart showing browser monitoring processing in the present embodiment.
When the client control unit 221 executes the process of step S31 of the client control unit process (FIG. 15), the browser monitoring unit process of FIG. 17 is activated.
In step S50, the browser monitoring unit 223 reads the browser monitoring rule DB 251 and executes monitoring processing.
In step S51, the browser monitoring unit 223 determines whether the end of the browser operation unit 222 is detected. If the determination condition is not satisfied (No), the browser monitoring unit 223 returns to the process of step S50, and if the determination condition is satisfied (Yes), the browser monitoring unit 223 performs the process of step S52.
In step S52, the browser monitoring unit 223 transmits the activity record recorded so far to the client control unit 221 and ends the process of FIG.

FIG. 18 is a flowchart showing server control unit processing in the present embodiment.
When the server apparatus 300 is activated and the server control unit 321 is in a reception waiting state, the processing in FIG. 18 starts.
In step S <b> 60, the server control unit 321 receives the server control command 20 from the control device 100. The server control unit 321 stores the WEB site configuration file 21 included in the server control command 20 in the WEB site storage device 370.
In step S61, the server control unit 321 activates the WEB site monitoring unit 322.
In step S62, the server control unit 321 activates the WEB server unit 323. The WEB server unit 323 reads the WEB site configuration file 21 and starts up the WEB site.
In step S <b> 63, the server control unit 321 waits until an operation completion notification 70 is received from the client device 200.

In step S64, the server control unit 321 notifies the WEB site monitoring unit 322 of an end signal and stops it.
In step S <b> 65, the server control unit 321 acquires the server-side execution result 40 that is an activity record from the WEB site monitoring unit 322.
In step S66, the server control unit 321 transmits the server-side execution result 40 to the control device 100, and ends the process of FIG.

FIG. 19 is a flowchart showing a WEB site monitoring unit process in the present embodiment.
When the server control unit 321 executes the process of step S61 of the server control unit process (FIG. 18), the WEB site monitoring unit process is activated.
In step S70, the WEB site monitoring unit 322 reads the WEB site monitoring rule DB 351 and executes monitoring processing.
In step S71, the WEB site monitoring unit 322 determines whether an end signal is detected from the server control unit 321. If the determination condition is not satisfied (No), the browser monitoring unit 223 returns to the process of step S70, and if the determination condition is satisfied (Yes), the browser monitoring unit 223 performs the process of step S72.

In step S72, the WEB site monitoring unit 322 notifies the server control unit 321 of the activity records recorded so far, and ends the process of FIG.

(Effect of this embodiment)
The present embodiment described above has the following effects (A) to (D).

(A) An efficient analysis is possible for a program that is active only when a computer performs a specific process.

(B) The behavior of the specimen 11 relative to the server device of the system actually operated is not the same as the system actually operated on the server device 300 operating for evaluation in the program analysis system 1. The WEB site configuration file 21 is transmitted. As a result, the same behavior as the behavior of the specimen 11 with respect to the actually operated system can be acquired, and adverse effects on the actually operated system can be suppressed.

(C) In the program analysis system 1, the control device 100 comprehensively analyzes the client-side execution result 30 and the server-side execution result 40 to determine whether or not it is malware. This makes it possible to accurately determine that the malware is more than analyzing only the client-side execution result 30.

(D) In the program analysis system 1, the control device 100 repeatedly analyzes the program of the specimen 11 based on the reanalysis rule DB 155. Thereby, the certainty of judgment whether it is malware can be improved.

(Modification)
The present invention is not limited to the above embodiment, and can be modified without departing from the spirit of the present invention. For example, the following forms (a) to (c) are available as usage forms and modifications.

(A) The control device 100 according to the present embodiment constructs WEB sites one by one in the server device 300 and executes the sample 11 for analysis. However, the present invention is not limited to this, and the control apparatus 100 may simultaneously construct a plurality of WEB sites and continuously access from the client apparatus 200. Thereby, a plurality of WEB sites can be tested simultaneously, and the analysis time can be shortened.

(B) Each of the lines L1 to L6 mediates the communication network 400 as a means for transmitting physical information. However, the present invention is not limited to this, and the lines L1 to L6 may be those in which physical information is transmitted via an external storage device or the like.

(C) In the program analysis system 1, the control device 100 may determine the order of the analysis environment of the specimen 11 based on predetermined priority information. Thereby, it can be determined whether it is malware according to the importance of an analysis environment.

(D) Any one of the samples 11 stored in the sample storage device 170 may be automatically selected, and the control unit 121 may start the pre-control processing.

1 Program analysis system 10 Client control instruction 11 Sample (Sample program)
12 operation scenario 20 server control instruction 21 WEB site configuration file 30 client side execution result 40 server side execution result 50 request 60 response 70 operation completion notification 100 control device 110 device main body 120 CPU
121 Control Unit 122 Detection Unit 130 Memory 131 Control Program 132 Detection Program 140 Interface 150 External Storage Device (Storage Unit)
151 Analysis scenario DB
152 WEB site DB
153 Activity record DB
154 Detection rule DB
155 Reanalysis rule DB
160 Bus 170 Specimen Storage Device 180 WEB Site Storage Device 190 Input / Output Device 200 Client Device 210 Device Body 220 CPU
220 processing unit 221 client control unit 222 browser operation unit 223 browser monitoring unit 224 browser unit (browser)
250 External storage device 251 Browser monitoring rule DB
270 Image storage device 271 Execution environment image 300 Server device 320 CPU
321 Server control unit 322 WEB site monitoring unit 323 WEB server unit 350 External storage device 351 WEB site monitoring rule DB
370 WEB site storage device 400 communication network 500 communication network

Claims (11)

A control device that operates the sample program and analyzes its behavior;
A client device that executes a browser operation scenario based on a command from the control device and records the behavior of the sample program;
A server device that records behavior by communicating with the client device based on a command of the control device;
Equipped with a,
The control device includes:
A storage unit comprising an analysis database for storing information obtained by combining the operation scenario of the browser of the client device and server configuration information of the server device;
A control unit that transmits an instruction to the client device and the server device to perform analysis processing;
Based on the records received from the client device and the server device, a detection unit for analyzing the attribute of the sample program,
A program analysis system comprising: The controller is
Transmitting the operation scenario to the client device and transmitting the server configuration information stored in combination with the operation scenario to the server device;
The program analysis system according to claim 1 . The client device is
A client control unit for communicating with the control device;
A browser operation unit for operating the browser according to the operation scenario specified by the control device;
A browser monitoring unit that monitors the client device and records a specific event as a client execution result,
The program analysis system according to claim 2 . The server device
Based on the server configuration information transmitted from the control unit of the control device, a server control unit that constructs a server function of the server device,
A WEB site monitoring unit that monitors a request from the client device and records a predetermined event as a server execution result;
The program analysis system according to claim 2 . The detection unit receives the server execution result from the server device, detects an inconsistency between the operation scenario and the server execution result, and detects an attribute of the sample program;
The program analysis system according to claim 4 . The detection unit receives and analyzes the client execution result from the client device, and detects an attribute of the sample program.
The program analysis system according to claim 3 . The control unit commands reanalysis processing based on the detection result of the sample program by the detection unit.
The program analysis system according to claim 1 , wherein: The control unit commands reanalysis processing until the detection result of the sample program by the detection unit is positive or negative for a certain number of times.
The program analysis system according to claim 7 . The analysis database further stores priority information for each combination of the operation scenario and the server configuration information,
The control unit determines a combination of the operation scenario and the server configuration information used for analyzing the behavior of the sample program based on the priority information.
The program analysis system according to claim 2 . The control unit processes a plurality of analyzes in parallel by transmitting a plurality of combinations of the operation scenario and the server configuration information to each combination of the client device and the server device.
The program analysis system according to claim 2 . The client control unit has a function of restoring the client device to a state before the execution of the sample program after completion of the execution of the operation scenario.
The program analysis system according to claim 3 .

Images