JP6696161B2 - Malware determination device, malware determination method, and malware determination program - Google Patents

Description

  The present invention relates to a technique for analyzing data transmitted and received by cryptographic communication.

  In recent years, there has been a demand for a technique of analyzing a communication process executed in an information processing device such as a computer (hereinafter, may be simply referred to as “information communication device”) connected to a communication network.

  Such analysis of communication processing is used, for example, for analysis of behavior in the development and operation stages of the information communication apparatus, or analysis of behavior of a communication processing program executed in the information communication apparatus.

  In particular, in recent years, it is caused by an illegal computer program such as a virus executed in the information communication device (the computer program includes various software programs, which may be simply referred to as “program” hereinafter), There is a demand for a technique for analyzing the contents of illegal communication processing.

  When such an unauthorized program (hereinafter sometimes referred to as “malware”) executes various communication processes by adopting an advanced encryption method such as public key encryption, the communication record (communication data) Decoding (decoding) is extremely difficult.

  For example, when the information communication device to be analyzed adopts a specific cryptographic communication protocol (that is, a communication path encrypted by the specific cryptographic communication protocol is established between the information communication devices to be analyzed. If)) is assumed. In this case, the encryption key, the authentication information, etc. relating to the encryption communication protocol are safely exchanged between the communication devices. As the specific encrypted communication protocol, for example, the following encrypted communication protocol may be used.

-SSL (Secure Sockets Layer) / TLS (Transport Layer Security),
IKE (Internet Key Exchange) in IPSec (Security Architecture for Internet Protocol),
-SSH (Secure Shell).

  Usually, it is not easy to decipher the encrypted communication data transmitted / received based on such an encryption communication protocol. Therefore, a technique for collecting information about the encrypted communication by analyzing an information communication device that executes the encrypted communication (including various software programs executed in the information communication device) is being studied.

  As a technique for analyzing such an information communication device, for example, a method of analyzing the behavior of the program while the specific program (for example, malware) is being executed in the information communication device (hereinafter referred to as “live forensic method”) Sometimes known). The live forensic method performs various investigations and analyzes regarding the behavior of the device by collecting various information about the device while the device (or system) is operating. With such a live forensic method, for example, data stored in a volatile storage device (memory or the like), a program to be executed, or the like can be investigated when the information processing device is operating.

  For example, the following documents are disclosed in relation to the technique of analyzing the behavior of the information processing device including the communication process as described above.

  That is, Patent Literature 1 discloses a technique related to malware analysis. In the technology disclosed in Patent Document 1, a virtual machine monitor intercepts (obtains) various requests from an information processing device configured by a virtual machine (virtual machine), and transfers the information to a security agent. The security agent determines whether the program that executed the request is malware based on the acquired information. Since the virtual machine monitor exists in a lower layer than the virtual machine, it can acquire all requests executed in the virtual machine.

  Patent Document 2 discloses a technique related to malware analysis. The technique disclosed in Patent Document 2 extracts an encryption key used by malware from a memory space in a device that executes malware by analyzing traces when executing malware and data referred to in an execution process. .. Further, the technique disclosed in Patent Document 2 decrypts encrypted communication by malware using the extracted encryption key.

  Patent Document 3 discloses a technique for classifying encrypted communication by malware or the like. The technique disclosed in Patent Document 3 detects unapproved encrypted communication by comparing encrypted communication executed in the analysis target device with pre-registered approved encrypted communication. In addition, the technique disclosed in Patent Document 3 blocks (stops) the encrypted communication when the unapproved encrypted communication is detected.

  Patent Document 4 discloses a technique for classifying and identifying malware based on the similarity of the malware. The technique disclosed in Patent Document 4 classifies and identifies malware based on a correlation between a micro analysis that analyzes the execution code of the malware itself and a macro analysis that analyzes communication related to the malware. The technique disclosed in Patent Document 4 discloses a configuration in which, in the micro analysis, the execution code of the malware is extracted from the memory of the analysis target machine dumped at a predetermined timing and disassembled.

  Patent Document 5 discloses a technique related to an encrypted communication decryption device that is interposed between two communication devices and analyzes encrypted communication between the communication devices. The encryption / decryption device disclosed in Patent Document 5 analyzes communication data between two communication devices, and encrypts the data with each communication device at a timing at which key exchange of encrypted communication (IPSec) is executed. Exchange keys. That is, the encryption / decryption device disclosed in Patent Document 5 intervenes as an intermediary between two communication devices, exchanges an encryption key with one communication device, and communicates with the other communication device. But exchange encryption keys. As a result, the device disclosed in Patent Document 5 intervenes in the encrypted communication performed between the two communication devices, decrypts the encrypted communication data transmitted from one communication device, and transmits the encrypted communication data to the monitoring device. , The data is encrypted again and transmitted to the other communication device.

  Patent Document 6 discloses a technique for detecting malware by monitoring the generation of a link file in a computer. The technique disclosed in Patent Document 6 analyzes information on a process of creating links to various resources existing inside and outside a computer and information on a reference destination of the created link. The technology disclosed in Patent Document 6 suppresses execution of a countermeasure process against malware and access to links based on the analysis result. The technique disclosed in Patent Document 6 can delete, edit, and move the created link file.

  Patent Literature 7 discloses a technique for detecting malware based on the behavior of a specific file executed in an information processing device. The technique disclosed in Patent Document 7 adjusts the aggression level of a specific file based on the penetration rate of the specific file (how much is distributed in the actual network environment). The technique disclosed in Patent Document 7 uses a level of aggression against a specific file to determine whether or not the behavior of the file corresponds to malware.

  Patent Document 8 discloses a technique for allowing malware to access a virtual network and acquiring information about the operation and communication of the malware. The technique disclosed in Patent Document 8 executes malware in a malware execution environment connected to the virtual network unit. The virtual network unit receives the communication from the malware execution environment, analyzes the communication protocol, generates an appropriate response according to the protocol, and transmits the response to the malware execution environment. Further, the technology disclosed in Patent Document 8 connects such communication to the actual Internet environment according to the content of communication from the malware execution environment.

  Patent Literature 11 discloses a malware analysis system that receives a malware candidate sample from a firewall and analyzes the received malware candidate sample in a virtual machine environment that provides a sandbox environment.

  Patent Document 12 discloses a technique of, when a target program is analyzed, extracting the tool from a tool storage unit that stores a tool for analyzing the target program, and analyzing the target program using the extracted tool. To do.

  Patent Document 9 discloses a technique of adjusting a time lapse speed in an execution environment of a program in order to analyze a program that is active only at a specific timing or date and time.

  In addition, the following documents exist regarding the technique of decrypting encrypted data.

  Patent Document 10 discloses a technique for confirming the correctness of decrypted data obtained by decrypting a ciphertext. The technique disclosed in Patent Document 10 compares the entropy of the decrypted data with a specific reference value when decrypting the encrypted data using a pseudo-random number, and thus the decrypted data Judge the correctness of.

Special table 2014-514651 gazette JP, 2013-114637, A Special table 2012-511847 gazette JP, 2009-037545, A JP, 2006-279938, A Japanese Patent Publication No. 2013-508823 Japanese Patent Publication No. 2013-507722 JP, 2011-154727, A JP, 2013-105366, A JP, 2007-116752, A Japanese Patent Publication No. 2014-519113 International Publication No. 2013/073504

  However, even if the technology disclosed in documents such as Patent Document 11 and Patent Document 12 is used, it is possible to accurately analyze malware and detect software that is likely to be malware based on the analysis result. Not exclusively. The reason for this will be described.

  For example, the malware may have detected that it has been set in the sandbox, and in this case, the malware changes the behavior (process in the malware) by detecting that it has been set in the sandbox. Will end up. In this case, the technique disclosed in Patent Document 11 cannot accurately analyze the malware candidate sample.

  In addition, some malware may detect an analysis tool such as a debugger. In this case, the malware changes the behavior (processing in the malware) by detecting the analysis tool. In this case, the technique disclosed in Patent Document 12 cannot accurately analyze the malware candidate sample.

  Therefore, a main object of the present invention is to provide a malware determination device or the like that can accurately determine whether or not the device that has transmitted the communication message includes software that is likely to be malware.

In order to achieve the above-mentioned object, in one aspect of the present invention, a malware determination device is
An encryption method specifying unit for extracting encryption method information capable of identifying an encryption method used in the communication connection from a first communication message transmitted / received when an attempt is made to establish a communication connection according to the communication method,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 result information creating means for creating result information representing the result of decoding processing of the communication message,
It is determined whether or not the result information includes code information that realizes a communication process according to the communication method, and if the data does not include the code information, a second communication message is transmitted. And a determining unit that determines that the device includes software that is likely to be malware.

Further, as another aspect of the present invention, the malware determination method is
From the first communication message transmitted and received when attempting to establish a communication connection according to the communication method, extract encryption method information that can identify the encryption method used in the communication connection,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 Create result information indicating the result of decryption processing of the communication message,
A variation degree indicating the degree of variation in the data included in the result information is calculated, and when the calculated variation degree satisfies a predetermined criterion, the device that transmitted the second communication message is malware. It is determined that the software that has a high possibility is included.

Further, as another aspect of the present invention, the malware determination program is
An encryption method specifying function for extracting encryption method information capable of identifying an encryption method used in the communication connection from a first communication message transmitted / received when an attempt is made to establish a communication connection according to the communication method,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 A result information creation function for creating result information representing the result of decryption processing of a communication message,
A variation degree indicating the degree of variation in the data included in the result information is calculated, and when the calculated variation degree satisfies a predetermined criterion, the device that transmitted the second communication message is malware. The computer is made to realize the determination function of determining that the software that has a high possibility is included.

  Furthermore, the same object is also realized by a computer-readable recording medium that records the malware determination program.

  According to the malware determination apparatus and the like according to the present invention, it is possible to accurately determine whether or not the apparatus that has transmitted the communication message includes software that is likely to be malware.

It is a block diagram which illustrates the functional composition of an analysis system, an analysis object device, etc. in a 1st embodiment of the present invention. It is a figure which illustrates the 1st structural example which can implement | achieve the analysis object apparatus and data acquisition part in the 1st Embodiment of this invention. It is a figure which illustrates the 2nd structural example which can implement | achieve the analysis object apparatus and data acquisition part in the 1st Embodiment of this invention. It is a figure which shows the specific example of the key data acquisition policy in the 1st Embodiment of this invention. It is a figure which shows the specific example of the communication data recording policy in the 1st Embodiment of this invention. It is a figure explaining the specific example of the communication data holding part in the 1st Embodiment of this invention. It is a figure which shows the specific example of the key candidate determination information in the 1st Embodiment of this invention. It is a figure explaining the specific example of the key candidate holding part in the 1st Embodiment of this invention. It is a figure which shows the specific example of the analysis result determination information in the 1st Embodiment of this invention. It is a figure explaining the specific example of the analysis result holding part in the 1st Embodiment of this invention. It is a flow chart which illustrates an outline of operation of an analysis system in a 1st embodiment of the present invention. 6 is a flowchart illustrating an operation of acquiring an encryption key used for encrypted communication performed between an analysis target device and a communication network in the first embodiment of the present invention. 6 is a flowchart illustrating an operation of acquiring an encryption key used for encrypted communication performed between an analysis target device and a communication network in the first embodiment of the present invention. It is a sequence diagram which illustrates the procedure of sharing an encryption key in the SSL protocol. 3 is a flowchart illustrating an operation of a communication processing unit (specifically, a communication data recording unit) according to the first embodiment of the present invention. 6 is a flowchart illustrating an operation of a cryptographic analysis unit (specifically, a key candidate extraction unit) according to the first embodiment of the present invention. 6 is a flowchart illustrating an operation of a cryptographic analysis unit (specifically, a decryption unit) in the first exemplary embodiment of the present invention. It is a block diagram which illustrates the functional composition of an analysis system, an analysis object device, etc. in a 2nd embodiment of the invention in this application. FIG. 1 is a block diagram illustrating a hardware configuration of an analysis system, an information processing apparatus capable of realizing the components of the analysis system, or a malware determination apparatus in each embodiment of the present invention. It is a block diagram which shows the structure which the malware determination apparatus which concerns on the 3rd Embodiment of this invention has. It is a flowchart which shows the flow of a process in the malware determination apparatus which concerns on 3rd Embodiment. It is a figure which represents an example of communication system information notionally. It is a figure which represents an example of encryption information notionally. It is a block diagram which shows the structure which the malware determination apparatus which concerns on the 4th Embodiment of this invention has. It is a flowchart which shows the flow of a process in the malware determination apparatus which concerns on 4th Embodiment. It is a block diagram which shows the structure which the malware determination apparatus which concerns on the 5th Embodiment of this invention has. It is a flowchart which shows the flow of a process in the malware determination apparatus which concerns on 5th Embodiment.

  Next, embodiments of the present invention will be described in detail with reference to the drawings. The configurations described in the following embodiments are merely examples, and the technical scope of the present invention is not limited thereto.

  It should be noted that the analysis system described in each of the embodiments includes a device (a physical information processing device, a virtual information processing device, etc.) in which one or more constituent elements of the system are physically or logically separated. It may be configured as a system realized by using. In this case, the plurality of devices may be communicatively connected to each other using a wired or wireless device or an arbitrary communication network combining them. Further, when the plurality of devices are configured by virtual information processing devices or the like, the communication network may be a virtual communication network.

  Further, the analysis system described in each embodiment is configured as a system in which all the constituent elements of the system are realized by using one device (physical information processing device, virtual information processing device, etc.). May be.

<First Embodiment>
Hereinafter, the first embodiment of the present invention will be described. First, an analysis system according to this embodiment will be described with reference to FIGS. 1 to 3. FIG. 1 is a block diagram illustrating a functional configuration of an analysis system 100 according to this embodiment. 2 and 3 are diagrams exemplifying a configuration example in which the analysis target device 101 and the data acquisition unit 102 according to the present embodiment can be realized.

  First, the analysis target device 101 will be described. The analysis target device 101 is a device to be analyzed which is analyzed by the analysis system 100 according to the present embodiment.

  As illustrated in FIG. 1, the analysis target device 101 according to the present embodiment includes at least a calculation unit 101a and a memory 101b, and is connected to a communication network 105 via a communication path 106 so as to communicate with any information communication. It is a device.

  The analysis target device 101 may be, for example, an information communication device such as a computer configured by physical hardware. The analysis target device 101 may be a virtual computer (VM: Virtual Machine) or the like provided on a predetermined virtualization platform capable of virtualizing various hardware such as an information processing device.

  The virtualization platform may be provided in, for example, an environment (cloud computing environment, etc.) constructed by a plurality of information processing apparatuses connected to each other by a communication network, and may be constructed by one information processing apparatus. May be provided in the environment.

  The virtualization platform may be provided as, for example, a software program executed in a specific host OS (Operating System), or as a software program interposed between the hardware of the information processing device and the OS. May be done.

  The virtualization platform may be provided by using the functions of a physical hardware device, and the functions of the hardware device (for example, various virtualization support functions in a CPU (Central Processing Unit)) and software. -It may be provided using a combination with a program.

  For example, Hyper-V manufactured by Microsoft (registered trademark) can be adopted as the virtualization platform, but the virtualization platform is not limited to this.

  Note that the analysis target device 101 is not limited to various computers and the like, and for example, mobile phones (including smartphones), PDAs (Personal Digital Assistants), game devices, tablet information devices, printers, digital multi-function peripherals, various network devices. It may be any device that can be connected to the communication network, such as (switch, router, access point).

  The arithmetic unit 101a reads, for example, various data and programs (computer programs) stored in the memory 101b and executes various arithmetic processes implemented in the programs, and a CPU (Central Processing Unit) and an MPU (Microprocessing Unit). ) And the like. The arithmetic unit 101a may be a physical arithmetic device configured by using specific hardware (integrated circuit). The computing unit 101a may also be a virtual computing device (virtual CPU) in a virtualization platform that virtualizes the hardware, as illustrated in FIG.

  The memory 101b functions, for example, as a main memory in the analysis target device 101, and holds various programs and data processed by the calculation unit 101a. The memory 101b may be a physical memory device configured by specific hardware (an integrated circuit or the like) (for example, a DRAM (Dynamic Random Access Memory) configured by a DIMM (Dual Inline Memory Module)). .. Further, the memory 101b may be a virtual memory device provided on the above-mentioned predetermined virtualization platform.

  With respect to the memory 101b in the present embodiment, stored data (hereinafter sometimes referred to as “memory area data”) retained (stored) in the memory 101b can be acquired (dumped) from outside the memory 101b. .. A well-known technique may be appropriately selected as a specific method of dumping the memory. For example, as such a method, a method of obtaining memory area data stored in a nonvolatile storage device by using a hibernation function of an OS (Operating System), or a paged-out memory in virtual storage provided by the OS A method of acquiring area data may be adopted.

  The memory area data is all the data stored in the memory, or the storage area specified in accordance with the key candidate determination criteria, which will be described later with reference to FIG. 7, among the data stored in the memory. Represents some data including stored data.

  Not limited to the above, for example, when the memory 101b is configured by physical hardware, the memory area data is obtained by acquiring the data transmitted / received in the communication bus or the like connecting the arithmetic unit 101a and the memory 101b. It may be acquired. The memory area data may be acquired by outputting (memory dumping) all the storage areas of the memory 101b at a specific timing. In this case, for example, the memory area data can be acquired by using the function of a memory controller (not shown) that controls reading, writing, access, and the like of data with respect to the memory 101b.

  When the memory 101b is configured as a virtual memory device, a function provided by the virtualization platform (for example, a specific application programming interface (API)) or data provided by the virtualization platform (for example, a virtual memory It is possible to acquire the data stored in the memory 101b via information (for example, information that can specify the storage area of the stored data). A well-known technique may be appropriately adopted as a specific method of realizing the processing according to the specific configuration of the virtualization infrastructure, and thus detailed description thereof will be omitted.

  The analysis target device 101 according to the present embodiment executes encrypted communication with the communication network 105 via the communication path 106. More specifically, the analysis target device 101 executes cryptographic communication with another information communication device 107 communicatively connected via the communication network 105.

  In this case, the program executed in the analysis target device 101 may realize encrypted communication with another information communication device 107. The program is not limited to the regular program executed in the analysis target device 101. Such a program may include the malware described above.

  As a cryptographic communication protocol for encrypting the communication path between the analysis target device 101 and the communication network 105 (other information communication device 107), for example, a cryptographic communication protocol such as SSL, SSH, or IPSec can be adopted. Is. In each of the embodiments described below, including this embodiment, a specific example in which SSL is used as the encryption communication protocol will be described. The analysis system 100 according to the present embodiment is not limited to SSL and can be applied to other cryptographic communication protocols.

  The communication network 105 is a communication network configured by wire, wireless, or any combination thereof, and capable of establishing a communication path using any communication protocol. The communication network 105 may be a wide area communication network such as Internet, a local area communication network such as LAN (Local Area Network), or a combination thereof.

  The communication protocol used in the communication network 105 may be a well-known communication protocol such as TCP / IP (Transmission Control Protocol / Internet Protocol). Further, the communication network 105 can provide, for example, a communication path encrypted by the above-described various encrypted communication protocols to the analysis target device 101. Since such a communication network 105 can be configured by a well-known technique or a combination thereof, detailed description thereof will be omitted.

  The other information communication device 107 is communicatively connected to the analysis target device 101 via the communication network 105. The other information communication device 107 may be, for example, an information communication device such as a computer configured by physical hardware. Further, the other information communication device 107 may be a virtual computer or the like provided on a predetermined virtualization platform.

  The other information communication device 107 is not limited to, for example, various computers, and is connected to mobile phones (including smartphones), PDAs, game devices, tablet information devices, printers, digital multi-function peripherals, various network devices, and communication networks. It may be any possible device.

  The other information communication device 107 executes encrypted communication with the analysis target device 101, for example, using the encrypted communication protocol exemplified in the above description. Since such other information communication device 107 can be configured by a well-known technique or a combination thereof, detailed description thereof will be omitted.

(Configuration of analysis system 100)
Next, the components of the analysis system 100 in this embodiment will be described.

  The analysis system 100 according to the present embodiment includes a data acquisition unit 102, a cipher analysis unit 104, and a communication processing unit 103 as main components (hereinafter, the data acquisition unit 102, the cipher analysis unit 104, the communication processing unit 103, and The constituent elements that configure them may be simply referred to as "the constituent elements of the analysis system 100".

  The analysis system 100 according to the present embodiment uses these components to analyze cryptographic communication executed between the analysis target device 101 and another information communication device 107 connected via the communication network 105. .. Then, the analysis system 100 in this embodiment executes a specific process based on the analysis result.

  Each component of the analysis system 100 may be realized using an information processing device such as a physical computer, or may be realized using a VM provided in a virtualization platform. The components of the analysis system 100 are communicatively connected to each other by wireless, wired, or any communication line combining them. A well-known technique may be adopted for the communication line, and thus detailed description thereof will be omitted. Hereinafter, each component of the analysis system 100 will be described.

  Note that the data acquisition unit 102 and the communication processing unit 103, which will be described below, are main constituent elements related to the present invention when the present embodiment is described as a specific example.

(Configuration of data acquisition unit 102)
First, the data acquisition unit 102 in this embodiment will be described. The data acquisition unit 102 in the present embodiment is communicatively connected to the analysis target device 101. The data acquisition unit 102 acquires the memory area data held in the memory 101b of the analysis target device 101. The data acquisition unit 102 has a memory dump holding unit 102a that holds the acquired memory area data.

  When the analysis target device 101 is realized by an information communication device such as a physical computer, the data acquisition unit 102 uses, for example, extended hardware connected to the memory 101b via various communication buses as illustrated in FIG. It may be realized as a wear device. Further, the data acquisition unit 102 may be connected to a memory controller (not shown) that controls reading, writing, access, etc. of data with respect to the memory 101b. In this case, the data acquisition unit 102 may acquire the data held in the memory 101b via, for example, a memory controller (not shown) that controls reading and writing of data from and to the memory 101b. A technique for acquiring the contents of a memory device (SDRAM: Synchronous Random Access Memory) installed in a computer by expansion hardware connected to a PCI (Peripheral Components Interconnect) bus is disclosed in Reference Document 1 below. ..

(Reference 1)
Brian D. Carrier, Joe Grand, "A_hardware-based_memory_acquisition_procedure_for_digital_investations", Digital Investigation Volume 1, Issue 1, 200, February. p. 50-60
It is assumed that the analysis target device 101 is realized by using a VM or the like provided by a virtualization platform. In this case, the data acquisition unit 102 is realized by using a function of a VMM (Virtual Machine Monitor) 300, which is software provided in a virtualization platform and capable of controlling the operation of the VM, as illustrated in FIG. 3, for example. May be done. More specifically, the data acquisition unit 102 may be realized by software (software program) using the function of the VMM 300 or a virtual device.

  In this case, the data acquisition unit 102 can specify the function provided by the VMM (for example, a specific API or the like) or the storage area of the data (for example, the data stored in the virtual memory 101b) as described above. It is possible to acquire (dump) the data stored in the memory 101b via the information). As a specific method of acquiring the memory area data, a well-known technique may be appropriately adopted according to the configuration of the memory 101b and the like.

  Further, the data acquisition unit 102 is not limited to FIGS. 2 and 3, and may be realized by, for example, incorporating a memory dump function by hardware or software or a combination of hardware and software in the analysis target device 101 itself. .. In this case, the data acquisition unit 102 may be realized as, for example, arbitrary software executed in the analysis target device. Since the data acquisition unit 102 itself does not perform analysis processing of malware or communication by malware, the risk of being detected by malware is relatively low.

  The data acquisition unit 102 receives, for example, a dump instruction instructing acquisition of the memory area data (data) held in the memory 101b from the communication processing unit 103 (specifically, the encrypted communication inspection unit 103b) described later. The data acquisition unit 102 dumps the memory area data held in the memory 101b at the timing when the dump instruction is accepted.

  The data acquisition unit 102 may dump all the memory area data held in the memory 101b (that is, the data held in all the memory areas of the memory 101b). Further, the data acquisition unit 102 may dump at least a part of the memory area data among the data held in the memory 101b.

  The data acquisition unit 102 saves (registers) the dumped memory area data in the memory dump holding unit 102a described later.

  When the process of dumping the memory area data from the memory 101b is completed, the data acquisition unit 102 may notify the communication processing unit 103 (specifically, the encrypted communication inspection unit 103b) described later that the process is completed.

  The memory dump holding unit 102a holds the memory area data acquired by the data acquisition unit 102. The memory dump holding unit 102a may hold the memory area data acquired from the memory 101b and the information indicating the timing at which the memory area data is acquired, in association with each other.

(Configuration of communication processing unit 103)
Next, the communication processing unit 103 in this embodiment will be described. First, the outline of the communication processing unit 103 in this embodiment will be described.

  The communication processing unit 103 is interposed between the analysis target device 101 and the communication network 105, and is communicably connected to each of them via a communication path 106. The communication processing unit 103 relays communication data between the analysis target device 101 and the communication network 105 based on a result of analysis of communication data transmitted and received between the analysis target device 101 and the communication network 105. .. In particular, the communication processing unit 103 in the present embodiment can relay communication data relating to encrypted communication using a predetermined encrypted communication protocol executed between the analysis target device 101 and the communication network 105.

  Further, the communication processing unit 103 instructs the data acquisition unit 102 to acquire (data) the memory area data stored in the memory 101b of the analysis target device 101 based on the result of analyzing the communication data. At this time, the communication processing unit 103 may control temporary suspension and resumption of communication between the analysis target device 101 and the communication network 105.

  In addition, the communication processing unit 103 stores the communication data based on the result of analyzing the communication data.

  The communication processing unit 103 may be, for example, a router, a switch, or a network device such as an access point having a communication interface connected to the plurality of communication paths 106. Further, the communication processing unit 103 may be an information processing device such as a computer that can realize those functions. Note that the communication processing unit 103 may be realized as a network device as a physical device or an information processing device. Further, the communication processing unit 103 may be realized as a virtual device obtained by virtualizing a network device or an information processing device on a specific virtualization platform.

  Hereinafter, a specific configuration of the communication processing unit 103 will be described.

  As illustrated in FIG. 1, the communication processing unit 103 includes a communication control unit 103a and an encrypted communication inspection unit 103b. The communication processing unit 103 may include a communication data recording unit 103d. The communication control unit 103a, the encrypted communication inspection unit 103b, and the communication data recording unit 103d are communicably connected to each other.

  Hereinafter, each component of the communication processing unit 103 will be described.

  As described above, the communication control unit 103a relays communication between the analysis target device 101 and the communication network 105. More specifically, the communication control unit 103a relays communication between the analysis target device 101 and another information communication device 107 connected via the communication network 105. Hereinafter, it is assumed that communication between the analysis target device 101 and the communication network 105 includes communication between the analysis target device 101 and another information communication device 107 connected via the communication network 105. .. The communication between the analysis target device 101 and the communication network 105 may be encrypted by a specific cryptographic communication protocol (for example, SSL or the like).

  The communication control unit 103a captures the communication data transmitted from the analysis target device 101 and analyzes the communication content represented by the communication data (destination information, communication protocol-related information, or the like). Further, the communication control unit 103a captures the communication data received from the communication network 105 and analyzes the content (destination information or information regarding the communication protocol). The communication control unit 103a transfers each communication data between the communication network 105 and the analysis target device 101 based on the result of analyzing them.

  For example, it is assumed that the communication network 105 is a network (IP network) adopting an IP (Internet Protocol) protocol such as the Internet. In this case, the communication control unit 103a can transfer the communication data between the communication network 105 and the analysis target device 101 by analyzing the IP packet forming the communication data. The communication data transfer control may employ the same technology as that of a well-known network device such as a router or a switch, and thus detailed description thereof will be omitted.

  The communication control unit 103a can temporarily stop the communication between the analysis target device 101 and the communication network 105, and can restart the stopped communication. More specifically, the communication control unit 103a can control stop and restart of communication between the analysis target device 101 and another information communication device 107 connected via the communication network 105.

  The communication control unit 103a controls, for example, stopping or resuming writing (or reading) of communication data to a network interface (not shown) to which the communication path 106 between the communication network 105 or the analysis target device 101 is connected. Accordingly, the communication control unit 103a can control communication between the analysis target device 101 and the communication network 105. Control of writing (or reading) of communication data with respect to the network interface may employ a well-known technique depending on the specific configuration of the network interface or the communication processing unit 103, and thus detailed description thereof will be omitted.

  The communication control unit 103a may suspend the communication between the analysis target device 101 and the communication network 105 based on a request from the encrypted communication inspection unit 103b described later. Similarly, the communication control unit 103a may restart the stopped communication based on a request from the encrypted communication inspection unit 103b described later.

  The communication control unit 103a transmits (passes) the captured communication data to the encrypted communication inspection unit 103b described later. Similarly, the communication control unit 103a may transmit (pass) the captured communication data to the communication data recording unit 103d described later.

  Next, the cryptographic communication inspection unit 103b will be described.

  The encrypted communication inspection unit 103b analyzes the communication data received from the communication control unit 103a. Based on the analysis result and a key data acquisition policy 103c, which will be described later, the encrypted communication inspection unit 103b determines that data including secret information used for encryption of a communication path in the encrypted communication protocol is stored in the memory of the analysis target device 101. The timing existing in 101b is determined.

  The data including the secret information is generally data (hereinafter, also referred to as “key data”) including a key used for encryption of a communication path (hereinafter, sometimes referred to as “encryption key”). is there. The encryption key is a key capable of encrypting or decrypting (deciphering) communication data transmitted and received on the encrypted communication path.

  In other words, the cryptographic communication inspection unit 103b analyzes whether or not the key data including the cryptographic key exists in the memory 101b of the analysis target device 101 by analyzing the communication data transmitted and received based on the specific cryptographic communication protocol. judge. More specifically, the encrypted communication inspection unit 103b may analyze the communication data to determine the timing at which the key data exists in the memory 101b of the analysis target device 101.

  For example, in a cryptographic communication protocol such as SSL / TLS, the progress status of a processing procedure for exchanging an encryption key used for encryption of a communication path can be confirmed by analyzing communication data.

  Specifically, in a cryptographic communication protocol such as SSL / TLS, the cryptographic key itself (or the information itself from which the cryptographic key can be derived) exchanged between two or more communication terminals uses a technology such as PKI (public key infrastructure). Protected (encrypted). Therefore, it is difficult for a third party to obtain the encryption key itself (or the information itself from which the encryption key can be derived) via the communication path.

  However, the encrypted communication inspection unit 103b can confirm the information indicating the progress status of the encryption key exchange procedure in the encrypted communication protocol by analyzing the unencrypted part of the communication data. For example, assuming that the encrypted communication protocol is SSL, in the communication data, the header of the Record protocol (Record header) and some messages in the handshake protocol are not encrypted. Therefore, the encrypted communication inspection unit 103b can confirm the progress status of the processing procedure for exchanging the encryption key in the SSL protocol by, for example, analyzing the relevant part in the communication data.

  For example, in the SSL protocol, when a predetermined procedure is executed (specifically, when a ChangeCipherSpec message is transmitted / received), an encryption key for encrypting a communication path is shared by two communication terminals. That is, at the timing when the encryption key is shared, there is a high possibility that key data including the encryption key is held in the memory of the communication terminal (for example, the analysis target device 101). As described above, the cryptographic communication inspection unit 103b can determine the timing at which the key data including the cryptographic key exists in the memory 101b of the analysis target device 101 by analyzing the communication data transmitted / received based on the specific cryptographic communication protocol. Is.

  In addition, the encrypted communication inspection unit 103b uses the communication message transmitted / received in the handshake process for establishing a communication connection via the communication network, to obtain information on the encryption process used in the communication (hereinafter referred to as “cipher suite”). May be extracted). For example, the communication message includes information indicating an encryption algorithm for encrypting target information transmitted / received when a communication connection is established, a key length of an encryption key, an encryption use mode (described later), a message authentication method for communication data, and the like. .. When the cryptographic communication protocol is the SSL protocol, the cryptographic communication inspection unit 103b extracts, for example, the cryptographic algorithm for encrypting the target information from the communication messages such as the ClientHello message and the ServerHello message transmitted and received in the handshake process. ..

  By analyzing the communication data, various information used in the encryption processing of the communication path in the above encryption communication protocol (hereinafter sometimes referred to as “cipher suite”) may be acquired. The cipher suite includes, for example, information indicating a cipher algorithm, a key length of a cipher key, a cipher use mode (described later), a message authentication method for communication data, and the like. For example, when the encrypted communication protocol is the SSL protocol, the encrypted communication inspection unit 103b can specify the encryption algorithm or the like used to encrypt the communication path by analyzing the ClientHello message and the ServerHello message.

  The Record protocol, the handshake protocol, and various messages used in the SSL protocol are well-known techniques, and thus detailed description thereof will be omitted.

  As described above, the encrypted communication inspection unit 103b confirms the progress status of the processing procedure for exchanging the encryption key between the analysis target device 101 and the other information communication device 107. As a result, the encrypted communication inspection unit 103b determines the timing when the key data including the encryption key exists in the memory 101b of the analysis target device 101. More specifically, the cryptographic communication inspection unit 103b uses the information set in the key data acquisition policy 103c to determine the timing at which the key data including the cryptographic key exists in the memory 101b of the analysis target device 101.

  As illustrated in FIG. 4, the key data acquisition policy 103c includes a type of a specific encrypted communication protocol (401 in FIG. 4) and a key data acquisition standard (402 in FIG. 4). The key data acquisition standard 402 is associated with the encrypted communication protocol 401. The key data acquisition standard 402 is information representing a standard by which at least the timing at which the key data exists in the memory 101b of the analysis target device 101 can be determined.

  Further, the key data acquisition policy 103c may further include the content of the process executed by the encrypted communication inspection unit 103b (403 in FIG. 4). The processing content 403 is associated with the cryptographic communication protocol 401. The processing content 403 is information representing the content of the processing executed by the encrypted communication inspection unit 103b when it is determined that the key data exists in the memory 101b of the analysis target device 101 based on the key data acquisition reference 402.

  In the encrypted communication protocol 401, for example, an identification code (ID: Identifier) capable of identifying the encrypted communication protocol may be set for each specific encrypted communication protocol.

  In the key data acquisition reference 402, for example, even if information that can be determined for the specific timing is registered, which is expressed based on an arbitrary format (format) that can be machine-interpreted by an information processing apparatus (computer) or the like. Good. The machine-interpretable format may be set arbitrarily, and may be a combination of specific codes or an expression in a structured language, for example.

  In the processing content 403, for example, information representing the content of the processing executed by the encrypted communication inspection unit 103b, which is expressed based on an arbitrary format (format) capable of machine interpretation, may be registered.

  For example, as illustrated in FIG. 4, when the encryption communication protocol is “SSL / TLS”, the key data acquisition reference 402 includes information on the timing “(after the ChangeCipherSpec is transmitted from the SSL / TLS server)”. Is set. As a result of analyzing the communication data, the cryptographic communication inspection unit 103b executes the process registered in the process content 403 when it is determined that the key data acquisition criterion 402 is satisfied.

  “ChangeCipherSpec” is a message indicating that encrypted communication according to the encryption method (encrypted communication protocol 401) is started. “SSH2_MSG_NEWKEY” is, for example, a message indicating that the communication regarding the key data has ended. Further, when the encryption communication protocol is “SSL / TLS”, the above-mentioned key data acquisition criterion 402 is (after the ChangeCipherSpec is transmitted from the SSL / TLS server) to (before the transmission / reception of Application Data is started). The period is not limited to the above example as long as it is within the period.

  In the key data acquisition standard 402, for example, in the cryptographic communication protocol, information regarding the timing when a specific condition regarding the cryptographic key is established may be set. More specifically, the key data acquisition reference 402 is set with information on the timing at which the encryption key is shared between the analysis target device 101 and the other information communication device 107 in the specific encrypted communication protocol 401. May be. In addition, the key data acquisition criterion 402 includes information regarding the timing when a specific procedure for sharing an encryption key is executed between the analysis target device 101 and the other information communication device 107 in the specific encryption communication protocol 401. May be set.

  The key data acquisition policy 103c described above may be preset in the encrypted communication inspection unit 103b by any method.

  The encrypted communication inspection unit 103b refers to the key data acquisition policy 103c (particularly, the key data acquisition standard 402) and determines whether or not there is key data including the encryption key in the memory 101b of the analysis target device 101. When it is determined that the key data including the encryption key exists in the memory 101b, the encrypted communication inspection unit 103b can instruct the data acquisition unit 102 described above to acquire the memory area data.

  That is, the encrypted communication inspection unit 103b analyzes the communication data and determines the timing at which the key data including the encryption key exists in the memory 101b of the analysis target device 101 based on the key data acquisition policy 103c. At this timing, the encryption key is likely to exist in the memory 101b. Therefore, the encrypted communication inspection unit 103b instructs the data acquisition unit 102 to acquire memory area data at the timing. In this case, the memory area data acquired by the data acquisition unit 102 is likely to include the encryption key.

  When the encrypted communication inspection unit 103b determines that the key data exists in the memory 101b of the analysis target device 101, the analysis target device 101, the communication network 105, and the analysis target device 101 are transmitted to the communication control unit 103a described above. It is possible to instruct (at least temporarily) to stop the communication between.

  It is assumed that the communication between the analysis target device 101 and the communication network 105 is continued without being stopped. In this case, the key data may be lost from the memory 101b of the analysis target device 101. Further, if the communication is continued without being stopped, the encryption key used for encrypting the communication path may be changed depending on the communication protocol.

  Therefore, the encrypted communication inspection unit 103b instructs the communication control unit 103a to suspend the communication between the analysis target device 101 and the communication network 105 at the timing when it is determined that the key data exists in the memory 101b. It is expected that the encryption key is held in the memory 101b while the communication is stopped. Therefore, it is expected that the memory area data acquired by the data acquisition unit 102 during this period includes the key data.

  In other words, the encrypted communication inspection unit 103b may suspend such communication for the purpose of extending the period (time) in which the encryption key is held in the memory 101b. At the timing when the key data exists in the memory 101b, the key data may be included by temporarily stopping the communication between the analysis target device 101 and the communication network 105 and then acquiring the memory area data. It is possible to acquire high memory area data.

  When the encrypted communication inspection unit 103b is notified by the data acquisition unit 102 of the completion of the process of acquiring the memory area data, if the communication between the analysis target device 101 and the communication network 105 is stopped, The communication control unit 103a may be instructed to restart the communication.

  The cryptographic communication inspection unit 103b may appropriately select the timing at which communication between the analysis target device 101 and the communication network 105 is restarted. That is, the cryptographic communication inspection unit 103b may restart the communication when notified by the data acquisition unit 102 that the acquisition of the memory area data has been completed. Further, the encrypted communication inspection unit 103b may restart the communication, for example, when the encryption analysis unit 104 (described later) notifies that the decryption of the communication data is completed. By controlling the communication restart timing as described above, the encrypted communication inspection unit 103b can keep the time (period) during which the communication is stopped to the necessary minimum.

  For example, if the period in which the communication is stopped is prolonged, it may be treated as a communication error in a program that executes communication processing in the analysis target device, and the processing by the program may end abnormally. In particular, when the program is malware, it becomes difficult to analyze its behavior when the processing by the malware ends. On the other hand, by keeping the time (period) during which the communication is stopped to the minimum necessary, it is possible to analyze the behavior while continuing the processing by the malware, for example.

  The cryptographic communication inspection unit 103b instructs the communication control unit 103a to stop communication between the analysis target device 101 and the communication network 105 when a specific time (for example, 30 seconds) elapses. Alternatively, an instruction may be given to restart communication between the analysis target device 101 and the communication network 105. The encrypted communication inspection unit 103b may appropriately select an appropriate value as the specific time. For example, by calculating in advance the time required for the data acquisition unit 102 to acquire the memory area data from the memory 101b through a preliminary experiment or a simulated experiment, the encrypted communication inspection unit 103b sets the minimum required time as the specific time. The value of can be selected.

  Further, when the encrypted communication inspection unit 103b is notified by the data acquisition unit 102 of the completion of the process of acquiring the memory area data, the encrypted communication inspection unit 103b saves it in the encrypted analysis unit 104 described later by the communication data recording unit 103d described later. You may instruct the decoding of communication data. At that time, the cryptographic communication inspection unit 103b may notify the cryptographic analysis unit 104 of information regarding the cryptographic algorithm used in the cryptographic communication protocol. Detailed processing regarding decoding of communication data will be described later.

  The encrypted communication inspection unit 103b may receive a notification from the encryption analysis unit 104 (in particular, the decryption unit 104d), which will be described later, indicating that the decryption processing of the communication data has been completed. At that time, the cryptographic communication inspection unit 103b may instruct the communication control unit 103a to restart the communication when the communication between the analysis target device 101 and the communication network 105 is stopped. ..

  The encrypted communication inspection unit 103b inspects (analyzes) the communication data decrypted by the encryption analysis unit 104, and executes a specific process based on the result of the analysis. The encrypted communication inspection unit 103b may appropriately select the specific process.

  The encrypted communication inspection unit 103b may instruct the communication control unit 103a to stop the communication between the analysis target device 101 and the communication network 105, for example, as the specific process. Further, the cryptographic communication inspection unit 103b may modify the data transmitted and received between the analysis target device 101 and the communication network 105, for example, as the specific processing. Further, the cryptographic communication inspection unit 103b may continue the communication between the analysis target device 101 and the communication network 105 as it is so as not to be detected by malware or the like. The specific process may be predetermined according to the decrypted communication data.

  Next, the communication data recording unit 103d will be described.

  The communication data recording unit 103d stores (registers) the communication data captured by the communication control unit 103a in the communication data holding unit 103f based on the communication data recording policy 103e.

  The communication data recording policy 103e is information used by the communication control unit 103a to determine whether to save the communication data captured.

  More specifically, as illustrated in FIG. 5, the communication data recording policy 103e includes a type of a specific encrypted communication protocol (501 in FIG. 5) and a communication data recording standard (502 in FIG. 5). Be done. The communication data recording standard 502 is associated with the encrypted communication protocol 501. The communication data recording standard 502 is a standard (information) by which it is possible to determine whether or not to save (record) communication data transmitted and received using the encrypted communication protocol 501.

  Further, the communication data recording policy 103e may further include the content of the process executed by the communication data recording unit 103d (503 in FIG. 5). The processing content 503 is associated with the cryptographic communication protocol 501. The processing content 503 is information indicating the content of the processing executed by the communication data recording unit 103d when it is determined that the communication data recording standard 502 is satisfied.

  In the encrypted communication protocol 501, for example, an identification code (ID) that can identify the encrypted communication protocol may be set for each specific encrypted communication protocol.

  In the communication data recording standard 502, for example, information that is expressed based on an arbitrary format (format) that can be machine-interpreted and that can determine whether or not to save (record) communication data may be registered. More specifically, for example, the communication data recording standard 502 may be registered with information capable of determining whether or not a condition for saving communication data is satisfied or a timing for saving communication data.

  In the processing content 503, for example, information representing the content of processing executed by the communication data recording unit 103d, which is expressed based on an arbitrary format (form) capable of machine interpretation, may be registered.

  For example, as illustrated in FIG. 5, when the encryption communication protocol is “SSL / TLS”, the communication data recording standard 502 is set with the information “(after transmission / reception of Application Data is started)”. As a result of analyzing the communication data, when the communication data recording unit 103d determines that the communication data recording criterion 502 is satisfied, the communication data recording unit 103d executes the process registered in the process content 503.

  The communication data recording standard 502 includes a condition indicating that data after the timing at which the first (encrypted) communication data is transmitted / received in the communication path encrypted by the encrypted communication protocol 501 is recorded, for example. It may be set.

  As described above, the encryption key used for encryption of the communication path may be changed at a predetermined timing depending on the encryption communication protocol. That is, the encryption key for encrypting the communication path may be different between the first communication data and the second and subsequent communication data in the encrypted communication path. In addition, after the communication channel is encrypted, highly sensitive information (information having high importance) may be transmitted / received in the first communication data. Therefore, it is effective to save the communication data at the timing when the first communication data is transmitted and received when the communication channel is encrypted so that the cipher analysis unit 104 described later can decrypt all the encrypted communication data. Is.

  It should be noted that the communication data recording standard 502 is not limited to the above, and information that can determine any timing may be set.

  The communication data recording policy 103e described above may be preset in the communication data recording unit 103d by an arbitrary method.

  The communication data recording unit 103d registers the communication data determined to satisfy the above-described communication data recording standard 502 in the communication data holding unit 103f.

  For example, as illustrated in FIG. 6, the communication data holding unit 103f, for each communication data, information regarding the transmission source of the communication data (601 in FIG. 6) and identification information indicating the encrypted communication protocol (602 in FIG. 6). , And record data (603 in FIG. 6) representing communication data to be recorded are held in association with each other. Information indicating the timing of capturing the communication data and the content of the communication data may be registered in the recording data 603.

(Structure of encryption analysis unit 104)
Next, the cipher analysis unit 104 in this embodiment will be described. First, the outline of the cipher analysis unit 104 in this embodiment will be described.

  The cipher analysis unit 104 analyzes the memory area data acquired by the data acquisition unit 102, and extracts the encryption key candidates included in the memory area data based on information (described later) indicating the characteristics of the key data. ..

  The cryptographic analysis unit 104, based on the result of decrypting the encrypted communication data stored by the communication data recording unit 103d using the extracted encryption key candidate, from among the encryption key candidates, Extract the correct encryption key. In this case, the correct encryption key is a key that can correctly decrypt the encrypted communication data. At this time, the cipher analysis unit 104 may specify the encryption method (encryption algorithm) used in the encryption communication protocol.

  Hereinafter, a specific configuration of the cipher analysis unit 104 will be described.

  The cipher analysis unit 104 includes a key candidate extraction unit 104a and a cipher decryption unit 104d. The constituent elements of the cryptographic analysis unit 104 are communicably connected to each other.

  First, the key candidate extraction unit 104a in this embodiment will be described. The key candidate extraction unit 104a has key candidate determination information 104b and a key candidate holding unit 104c.

  The key candidate extraction unit 104a refers to the memory area data registered in the memory dump holding unit 102a, and extracts the encryption key candidates from the memory area data based on the key candidate determination information 104b. That is, the key candidate extraction unit 104a extracts the key data including the candidate of the encryption key used for the encrypted communication between the analysis target device 101 and the communication network 105 from the memory area data based on the key candidate determination information 104b. Extract candidates. Hereinafter, such key data candidates may be referred to as “key data candidates”. The key candidate extraction unit 104a may notify the decryption unit 104d, which will be described later, of the completion of the process when the key data candidates are extracted.

  First, the search for the encryption key in the memory area data by the key candidate extraction unit 104a will be described.

  As described above, the memory area data is the data held in the memory 101b of the analysis target device 101 at a specific timing. That is, the content of the memory area data changes depending on the timing at which the data acquisition unit 102 acquires the memory area data from the memory 101b. Therefore, it is difficult to specify in advance the key data including the encryption key in the memory area data.

  Further, when the storage capacity (size of memory space) of the memory 101b in the analysis target device 101 is large, the memory area data also becomes large. That is, the key candidate extraction unit 104a needs to search for the encryption key from the huge size of data. If all 128-bit (unit: bit) encryption keys are searched for from 1 GB (unit: GigaBytes) memory area data, the number of candidates becomes enormous, so it is efficient to extract key data candidates. A method is needed.

  The key data including the encryption key often exhibits unique characteristics among the data included in the memory area data. The characteristic of the key data is, for example, the attribute of the key data itself (for example, the randomness of the data itself), or the arrangement pattern of the key data in the memory area data (the arrangement position, the arrangement data List) etc.

  The characteristics of the key data differ according to various conditions regarding execution of encrypted communication. The conditions include, for example, an encryption method (encryption algorithm) used in the encryption communication protocol, an encryption parameter used in the encryption method (described later), or execution of a process related to the encryption method in the analysis target device 101. Environment (described later) etc. are included. As a specific example, when the key lengths of the encryption keys used in a specific encryption algorithm are different, the characteristics of the key data may be different. Further, for example, since the information necessary for the encryption process including the encryption key is different depending on the encryption use mode used in each encryption algorithm, the characteristics of the key data may be different. The cipher usage mode is a processing method for encrypting a plaintext longer than the block length when the block cipher is adopted as the cipher algorithm.

  The key candidate extracting unit 104a extracts, from the memory area data, data that matches the characteristics of specific key data as a key data candidate. As a result, the key candidate extraction unit 104a can extract the encryption key candidates.

  For example, it is possible to collect information (data) representing the characteristics of the key data in advance for each combination of the various conditions based on prior knowledge about the cryptographic algorithm or prior experiments. Then, by patterning the collected data representing the characteristics of the key data, it is possible to provide determination information capable of extracting the key data candidate from the memory area data.

  A specific method of collecting data representing the characteristics of the key data can be selected as appropriate. For example, a user of the analysis system, a developer, an administrator, or the like (hereinafter, referred to as “user or the like”) executes an experimental encrypted communication program capable of outputting an encryption key in the analysis target device 101. Then, for example, the user or the like uses the data acquisition unit 102 to acquire the memory area data of the analysis target device 101 at a specific timing when the experimental communication program is executed. The user or the like searches the acquired memory area data for the (correct) encryption key output from the experimental program. By repeating such an experiment, it is possible to extract the features common to the area where the encryption key is arranged. In addition, the user or the like should extract the characteristic features of the key data based on, for example, general prior knowledge about the encryption method (for example, the key length of the encryption key or the randomness of the encryption key). Is possible.

  Further, for example, the user or the like may hook the API used for encrypted communication in the analysis target device 101 when the experiment program is executed in the analysis target device 101. The user or the like obtains the encryption key by analyzing the argument passed to the hooked API, and analyzes the characteristics of the key data representing the encryption key. Further, it is investigated where the data representing the encryption key is arranged in the memory 101b of the analysis target device. The user or the like collects the survey results obtained by such processing as data representing the characteristics of the key data. Since the method of hooking the API is a well-known technique, detailed description will be omitted.

  The method of collecting the data representing the characteristics of the key data is not limited to the above specific example, and any method may be adopted.

  As described above, the determination information capable of extracting the key data candidate from the memory area data is provided by previously collecting and patterning the data representing the characteristics of the key data according to the various conditions. Is possible. For example, a position (place) where a key data candidate is searched (extracted) in the memory area data, a determination criterion that can determine whether the specific data is the key data, or the like may be set in the determination information.

  The key candidate extraction unit 104a in the present embodiment extracts key data candidates including the encryption key from the memory area data using the determination information. More specifically, the key candidate extraction unit 104a extracts the key data candidate by using the key candidate determination information 104b having the determination information capable of extracting the key data candidate including the encryption key.

  As illustrated in FIG. 7, the key candidate determination information 104b has information (701 in FIG. 7) representing the type of encryption method (encryption algorithm) and a key candidate determination standard (704 in FIG. 7). The key candidate determination criterion 704 is associated with the cryptographic algorithm 701. The key candidate determination criterion 704 is information indicating a criterion with which it is possible to determine whether or not the specific data included in the memory area data corresponds to the key data including the encryption key. In other words, the key candidate determination criterion 704 is a criterion that can determine whether or not the specific data included in the memory area data corresponds to the key data including the encryption key, based on the data representing the characteristics of the key data. Is.

  Further, the key candidate determination information 104b includes the cryptographic parameter (702 in FIG. 7) associated with the cryptographic algorithm 701 and the information indicating the execution environment of the cryptographic process regarding the cryptographic algorithm 701 in the analysis target device 101 (FIG. 7 of 703), and may further be included.

  An identification code (ID) that can identify a specific encryption algorithm may be set in the encryption algorithm 701, for example.

  In the key candidate determination standard 704, for example, information expressed based on an arbitrary format (format) capable of machine interpretation may be registered.

  As illustrated in FIG. 7, the cryptographic parameter 702 may include a key length (key length) used in the cryptographic algorithm 701 and information on the cryptographic usage mode. As described above, the cipher use mode is a processing method for encrypting plaintext longer than the block length when the block cipher is adopted as the cipher algorithm 701. As such an encryption mode, for example, a CBC (Cipher Block Chaining) mode, a GCM (Galois / Counter Mode), etc. are known.

  As the execution environment information 703, for example, in the analysis target device 101, information regarding a library in which a process related to the cryptographic algorithm 701 is implemented, information regarding the execution environment of the analysis target device 101, and the like are set. More specifically, the execution environment information 703 is, for example, the OS (for example, Windows (registered trademark), Linux (registered trademark), etc.) of the analysis target device 101, and the cryptographic processing implementation (CGN (Cryptography Next Generation) API). , OpenSSL, etc.) can be specified.

  The key candidate determination information 104b described above may be preset in the key candidate extraction unit 104a by any method.

  Based on the above-described key candidate determination information 104b (particularly, the key candidate determination standard 704), the key candidate extraction unit 104a determines whether to extract a specific data area included in the memory area data as a key candidate. judge.

  Hereinafter, the extraction processing of the key data candidates by the key candidate extraction unit 104a will be described using a specific example shown in FIG.

  For example, as illustrated in FIG. 7, it is assumed that the encryption algorithm 701 is “AES”, the key length of the encryption parameter 702 is “128 bits” or “256 bits”, and the encryption use mode is “CBC”.

  In this case, the key candidate extraction unit 104a refers to the key candidate determination standard 704 associated with the encryption algorithm 701 and the encryption parameter 702. Then, the key candidate extracting unit 104a extracts a continuous 16-byte or 32-byte data region whose entropy is equal to or greater than a specific reference value from the memory region data held in the memory dump holding unit 102a.

  Generally, the greater the entropy of the value represented by the data included in a certain data area (hereinafter, may be referred to as “data entropy”), the greater the variation in the value represented by the data included in the data area. Further, since the encryption key is often a random value (which cannot find regularity), the value of the key data including the encryption key is assumed to have large variations. Therefore, the key candidate extracting unit 104a can extract a data area including data having a large variation as a key data candidate based on the determination criteria illustrated in FIG.

  The magnitude of such variation can be calculated using various known calculation methods. As a specific example, the key candidate extracting unit 104a may calculate, for example, the standard deviation (or variance) of the key data candidates as the magnitude of the variation. Since the method of calculating the standard deviation (or variance) is a well-known technique, detailed description thereof will be omitted.

  Further, for example, as illustrated in FIG. 7, it is assumed that the encryption algorithm 701 is “AES”, the key length of the encryption parameter 702 is “128 bits (unit: bit)”, and the encryption use mode is “GCM”.

  In this case, the key candidate extraction unit 104a refers to the key candidate determination criteria 704 associated with the encryption algorithm 701 and the encryption parameter 702, and reads "0x30, 0x02, 0x00, 0x00, 0x4b, 0x53, 0x53 from the memory area data. , Continuous 560-byte (unit: byte) data starting from 0x4D ”is extracted. For example, in the specific execution environment of the analysis target device 101, the key data including the encryption key may have a specific arrangement pattern. As illustrated in FIG. 7, by registering such an arrangement pattern as the key candidate determination criterion 704, the key candidate extraction unit 104a can extract data that matches the arrangement pattern as a key data candidate.

  The key candidate extraction unit 104a extracts data of a specific size while sequentially shifting a specific size (for example, 1 byte) from a specific position (for example, the head) of the memory area data, and determines a key candidate determination criterion 704. Based on the above, it may be determined whether or not the data corresponds to a key candidate.

  It is assumed that the cryptographic communication inspection unit 103b can acquire the information on the cipher suite from the result of analyzing the communication data on a certain cryptographic communication. In this case, the information of the cryptographic algorithm 701 and the cryptographic parameter 702 related to the cryptographic communication can be treated as known information that is known from the communication data. Further, the execution environment information 703 related to the analysis target device 101 can be treated as known information by a method such as presetting in the cryptographic analysis unit 104.

  When the cryptographic algorithm 701 and the cryptographic parameter 702 are unknown, the key candidate extraction unit 104a uses all the key candidate determination criteria 704 registered in the key candidate determination information 104b, and uses the key data matching each criterion. You may extract a candidate. In this case, the key data including the encryption key used to encrypt the communication data is decrypted by the decryption unit 104d described later based on the result of decrypting the encrypted communication data using the extracted key data candidate. , Cryptographic algorithm, and cryptographic parameters can be specified.

  Further, the key candidate extraction unit 104a extracts key data candidates and also uses other necessary information (hereinafter referred to as “encryption processing data”) used for processing of encrypting or decrypting communication data in a specific encrypted communication protocol. May be obtained).

  The cryptographic processing data may include the following data, for example. That is, the cryptographic processing data may include an initialization vector (IV) when a block cipher is used as a cryptographic algorithm. In addition, the cryptographic processing data may include various parameters used in a specific cryptographic usage mode (for example, a counter in a counter mode, a nonce (number used once: a disposable value used only once), and the like). . Further, the encryption processing data may include authentication information and the like added to the encrypted communication data. The cryptographic processing data is not limited to the above, and may include any data required according to the cryptographic algorithm, the cryptographic parameter, and the like.

  The key candidate extraction unit 104a may acquire the encryption processing data by acquiring communication data from the encrypted communication inspection unit 103b or the communication control unit 103a and analyzing the communication data. Further, for example, the key candidate extraction unit 104a may obtain the cryptographic process data from the memory area data held in the memory dump holding unit 102a based on a specific determination criterion, like the key data candidate. Good.

  The key candidate extracting unit 104a stores (registers) the key data candidates extracted from the memory area data in the key candidate holding unit 104c. Further, the key candidate extracting unit 104a may store (register) the cryptographic processing data related to the key data candidate in the key candidate holding unit 104c.

  As illustrated in FIG. 8, the key candidate holding unit 104c holds the extracted key data candidates 803 in association with each encryption algorithm 801. Note that the key candidate holding unit 104c may hold, for each cryptographic algorithm 801, the cryptographic parameter 802 used in the cryptographic algorithm in association with each other. Further, the key candidate holding unit 104c may hold the above cryptographic processing data in a part of the key data candidate 803. Not limited to the above, the key candidate holding unit 104c may hold the cryptographic processing data in an area (not shown) different from the key data candidate 803.

  As illustrated in FIG. 8, the key candidate holding unit 104c may hold a plurality of key data candidates related to a specific encryption algorithm (for example, “AES”). The configuration illustrated in FIG. 8 is one specific example, and the key candidate holding unit 104c in the present embodiment is not limited to this configuration.

  Next, the decryption unit 104d in this embodiment will be described.

  As illustrated in FIG. 1, the decryption unit 104d has analysis result determination information 104e and analysis result holding unit 104f.

  When the key data candidate is extracted by the key candidate extraction unit 104a, the decryption unit 104d uses the key data candidate to decrypt (decrypt) the communication data stored (encrypted) in the communication data storage unit 103f. ) Do.

  The decryption unit 104d refers to the (encrypted) communication data stored in the communication data storage unit 103f, and uses the key data candidates stored in the key candidate storage unit 104c to generate the encrypted communication data. To decrypt (decrypt). That is, the decryption unit 104d decrypts (decrypts) the communication data transmitted and received in the encrypted communication between the analysis target device 101 and the communication network 105 using the key data candidates stored in the key candidate holding unit 104c. To do. Note that the decryption unit 104d may decrypt (decrypt) the communication data using the key data candidate and the encryption processing data acquired by the key candidate extraction unit 104a, if necessary. In the following, the decrypted (decoded) communication data may be referred to as “decoded communication data”.

  The decryption unit 104d determines whether or not the decrypted communication data has been correctly decrypted (decoded) based on the data representing the characteristics of the decrypted communication data. The data representing the characteristics of the decrypted communication data represents, for example, the attribute of the decrypted communication data itself (for example, the randomness of the data itself) or the data format of the decrypted communication data.

  Specifically, the decryption unit 104d determines the success or failure of the decryption result of the communication data by the specific key data candidate based on the analysis result determination information 104e. If the decryption of the communication data is successful, the decryption unit 104d stores (registers) the key data used for the decryption in the analysis result storage unit 104f. Further, the decryption unit 104d may store (register) the encryption process data used for the decryption in the analysis result holding unit 104f together with the key data.

  In the following, the key data determined to be successful in decrypting the communication data based on the analysis result determination information 104e may be referred to as "correct key data".

  As shown in FIG. 9, the analysis result determination information 104e includes an analysis result determination standard 901 and a determination result 902.

  The analysis result determination standard 901 is set with information representing a standard by which it can be determined whether or not the decrypted communication data is correctly decrypted (decoded) based on the data representing the characteristics of the decrypted communication data. In this case, the information set in the analysis result determination standard 901 may be expressed based on, for example, an arbitrary format (format) capable of machine interpretation.

  In the determination result 902, a determination result (whether the decryption is successful or not) is set when the decryption unit 104d decrypts the specific communication data and the analysis result determination criterion 901 is satisfied. In this case, the determination result 902 may include a code or the like indicating the determination result.

  Based on the analysis result determination standard 901 as described above, the decryption unit 104d determines whether or not the communication data has been successfully decrypted. Hereinafter, the determination of success or failure of decryption of communication data by the decryption unit 104d will be described using a specific example shown in FIG.

  In the specific example shown in FIG. 9, the decryption unit 104d determines that the decrypted communication data is correctly decrypted, for example, when the entropy of the decrypted communication data is equal to or less than a specific reference value.

  Conversely, for example, when the entropy of the decrypted communication data is larger than the specific reference value, the decryption unit 104d determines that the decryption of the communication data has failed.

  Generally, the greater the entropy of data, the greater the variation in the value represented by the data included in the data area. That is, when the entropy of the decrypted communication data is equal to or less than the specific reference value, the variation in the value represented by the data included in the decrypted communication data is small to some extent, so that the decryption is likely to be successful. On the other hand, if the entropy of the decrypted communication data is greater than the specified reference value, the data contained in the decrypted communication data has a large variation (that is, high randomness), and the decryption fails. It is likely that you did. This is because the encrypted data (communication data) is often a random value (cannot find regularity), and the value represented by such data has a large variation.

  It should be noted that the specific reference value for determining the magnitude of the data dispersion degree (entropy) described above may be appropriately selected by knowledge about general characteristics (randomness) of the communication data itself, or by prior experiments or the like. .

  For example, the standard deviation σ (where σ represents a positive real number) can be used as a reference representing the degree of variation in the data. Assuming that the variation of the data follows a normal distribution, the average value of the data is “m” (where m represents a real number), and within the range of “m ± σ”, about 68.2% of the total, “m ± 2σ” The range includes about 95.4% of the total data. That is, when the value of σ is large, the decrypted communication data has extremely large variation (high randomness). In this case, the decryption unit 104d may appropriately select the value of σ so that the decryption is successful when the variation in the decrypted communication data is small to some extent.

  Further, for example, as illustrated in FIG. 9, whether or not the decrypted communication data includes specific data may be used as a criterion for determining whether or not the decryption of the decrypted communication data is successful. This is because if the decrypted communication data includes known data or a specific pattern, the decrypted communication data is likely to be correctly decrypted.

  In addition to the above, for example, whether or not the decrypted communication data conforms to a specific data format (expression format capable of expressing various data) is used as a criterion for determining the success or failure of the decryption of the decrypted communication data. Good. The data format may be, for example, a data format representing various sounds, still images, moving images, documents (documents), or the like. The data format may be a file format in a specific file system, for example. Note that the specific example shown in FIG. 9 is merely an example, and the present embodiment is not limited to this.

  The analysis result determination information 104e described above may be preset in the decryption unit 104d by an arbitrary method.

  The decryption unit 104d performs a decryption process of communication data using, for example, all the key data candidates stored in the key candidate holding unit 104c, and determines the result based on the analysis result determination information 104e. As a result, the decryption unit 104d can extract correct key data. The decryption unit 104d may execute the above-described decryption process on all the communication data stored in the communication data holding unit 103f.

  The decryption unit 104d stores the correct key data and the decrypted communication data decrypted by the correct key data in the analysis result holding unit 104f based on the result of decrypting the communication data based on the analysis result determination information 104e ( register. The decryption unit 104d may notify the encrypted communication inspection unit 103b of the completion of the above-described decryption process of communication data.

  As illustrated in FIG. 10, the analysis result holding unit 104f has information that can identify the encryption algorithm (encryption algorithm 1001 in FIG. 10), correct key data (key data 1002 in FIG. 10), and decrypted communication data ( The decryption result 1003) of FIG. 10 is associated and held. The configuration illustrated in FIG. 10 is one specific example, and the analysis result holding unit 104f in the present embodiment is not limited to this. For example, the analysis result holding unit 104f may hold only correct key data or only decrypted communication data, or may hold these separately. Further, the analysis result holding unit 104f may hold, as a part of the key data 1002, the correct key data and the cryptographic processing data used for decrypting the communication data. The analysis result holding unit 104f may hold the encryption processing data in an area (not shown) different from the key data 1002.

(Operation of the analysis system 100)
Next, the operation of the analysis system 100 configured as above will be described. In the following description, as a specific example, it is assumed that the encryption communication protocol between the analysis target device 101 and the communication network 105 is SSL.

  An outline of the operation of the analysis system 100 will be described with reference to FIG. 11.

  First, the communication processing unit 103 captures communication data transmitted and received between the analysis target device 101 and the communication network 105 (step S1101).

  Next, the communication processing unit 103 analyzes the captured communication data and determines the timing when the key data exists in the memory 101b of the analysis target device 101 (step S1102).

  When it is determined in step S1102 that the timing has arrived (YES in step S1103), the data acquisition unit 102 acquires memory area data held by the memory 101b in the analysis target device 101 (step S1104). If the determination result in step S1103 is NO, the process returns to step S1101 and the communication processing unit 103 continues the process.

  Next, the cryptographic analysis unit 104 analyzes the memory area data acquired in step S1104 based on a specific reference, and extracts key data candidates (step S1105).

  Next, the cryptographic analysis unit 104 obtains correct key data and decrypted communication data based on the result of decrypting the communication data using the key data candidate extracted in step S1105 (step S1106).

  Next, the communication processing unit 103 (in particular, the encrypted communication inspection unit 103b) analyzes the content of the decrypted communication data obtained in step S1106 and executes a specific process (step S1107). The communication processing unit 103 (in particular, the encrypted communication inspection unit 103b) may appropriately select the specific processing as described above.

  The communication processing unit 103 that captured the communication data in step S1101 determines whether or not the communication data needs to be stored, and stores the communication data based on the determination result (step S1108). The processing in step S1108 may be executed in parallel with the processing in steps S1102 to S1105.

  Next, details of the operation of the above-described analysis system 100 will be described.

  First, operations of the data acquisition unit 102 and the communication processing unit 103 will be described with reference to the flowcharts illustrated in FIGS. 12A and 12B. The flowchart illustrated in FIG. 12A will be described below. FIG. 12B is a flowchart similar to FIG. 12A, except for step S1209B and step S1210B, which will be described later, so only the differences will be described. The processing illustrated in steps S1201 to S1208 below corresponds to steps S1101 to S1105 illustrated in FIG. 11.

  First, the communication control unit 103a captures communication data transmitted and received between the analysis target device 101 and the communication network 105 (step S1201).

  In this case, as described above, the communication control unit 103a detects the communication data transmitted from the analysis target device 101 to the communication network 105 and the communication data transmitted from the communication network 105 to the analysis target device 101. Both can be captured.

  Next, the encrypted communication inspection unit 103b analyzes the communication data captured in step S1201 and determines whether to acquire the memory area data stored in the memory 101b based on the key data acquisition policy 103c. (Step S1202).

  More specifically, the cryptographic communication inspection unit 103b refers to the key data acquisition policy 103c to determine the timing at which the key data exists in the memory 101b of the analysis target device 101.

  When SSL is adopted as the cryptographic communication protocol, the cryptographic communication inspection unit 103b determines that the analysis target device 101 has the SSL server side (the other information communication device 107 side) in the processing sequence of the SSL protocol shown in FIG. When the ChangeCipherSpec message is received from (“Stop timing T1” illustrated in FIG. 13), it may be determined that the timing has arrived.

  When the analysis target device 101 receives the Finished message from the SSL server side (the other information communication device 107 side) (“stop timing T2” illustrated in FIG. 13), the encrypted communication inspection unit 103b determines that the timing is It may be determined that it has arrived.

  When the cryptographic communication inspection unit 103b determines in step S1202 that the timing has arrived (YES in step S1203), the cryptographic communication inspection unit 103b causes the communication control unit 103a to communicate with the analysis target device 101. It is instructed to stop the communication with the network 105 (step S1204).

  In this case, the communication control unit 103a that has received the instruction suspends communication between the analysis target device 101 and the communication network 105. A specific method of stopping the communication may be selected as appropriate.

  If NO in step S1203, the process returns to step S1201 and the communication control unit 103a continues the process.

  Next, the cryptographic communication inspection unit 103b instructs the data acquisition unit 102 to acquire the memory area data stored (held) in the memory 101b of the analysis target device 101 (step S1205).

  The data acquisition unit 102 that has received the instruction dumps the memory area data stored (held) in the memory 101b of the analysis target device 101 (step S1206). As described above, the specific dumping method of the data held in the memory 101b may be appropriately selected according to the configuration of the analysis target device 101.

  Next, the data acquisition unit 102 stores (registers) the acquired memory area data in the memory dump holding unit 102a (step S1207).

  Next, the data acquisition unit 102 notifies the encrypted communication inspection unit 103b that the acquisition of the memory area data has been completed (step S1208).

  Next, the encrypted communication inspection unit 103b, which has received the notification in step S1208, instructs the communication control unit 103a to restart the communication that has been suspended. Then, the communication control unit 103a restarts the communication (step S1209).

  If step S1208 is not executed, the cryptographic communication inspection unit 103b temporarily suspends the communication control unit 103a when a specific time has elapsed since the communication stop instruction was issued in step S1204. The communication may be restarted.

  After the processing in step S1209, the cryptographic communication inspection unit 103b may instruct the cryptographic analysis unit 104 to decrypt the communication data stored by the communication data recording unit 103d and extract the encryption key ( Step S1210). At this time, if the cryptographic algorithm used in the cryptographic communication protocol is known from the analysis result of the communication data, the cryptographic communication inspection unit 103b provides the cryptographic analysis unit 104 with information regarding the cryptographic algorithm. May be.

  Note that the processing order of steps S1209 and S1210 in FIG. 12A described above may be reversed. That is, as illustrated in FIG. 12B, the cryptographic communication inspection unit 103b that has received the notification in step S1208 causes the cryptographic analysis unit 104 to decipher the communication data stored by the communication data recording unit 103d and to decrypt the cryptographic key. May be instructed (step S1209B). Then, when the cryptographic communication inspection unit 103b is notified by the cryptographic analysis unit 104 of the completion of the decryption processing of the communication data, the cryptographic communication inspection unit 103b may instruct the communication control unit 103a to restart the communication that has been suspended. Good (step S1210B).

  Next, the processing of the communication processing unit 103 (particularly, the communication data recording unit 103d) will be described with reference to the flowchart illustrated in FIG. The following steps S1401 to S1404 correspond to step S1108 illustrated in FIG.

  First, in step S1201 shown in FIG. 14, the communication control unit 103a captures communication data. The process may be similar to step S1201 illustrated in FIGS. 12A and 12B.

  Next, the communication control unit 103a transmits (notifies) the captured communication data to the communication data recording unit 103d (step S1401).

  The communication data recording unit 103d determines whether to save the communication data captured in step S1201 based on the communication data recording policy 103e (step S1402).

  When SSL is adopted as the communication protocol, the communication data recording policy 103e (particularly, the communication data recording standard 502) includes, for example, "T3" and thereafter, which is the timing at which the first ApplicationData message illustrated in FIG. 13 is transmitted. A condition indicating that communication data is stored (recorded) may be set. Note that the communication data recording policy 103e (particularly the communication data recording standard 502) stores (records) communication data after the "stop timing T1" or the "stop timing T2" illustrated in FIG. 13, for example. May be set.

  If the result of determination in step S1402 is that communication data is to be saved (YES in step S1403), communication data recording unit 103d registers (saves) the communication data in communication data holding unit 103f (step S1404).

  If NO in step S1403, the communication data recording unit 103d does not have to save the communication data.

  Through the processes of steps S1401 to S1404, the communication data is stored in the communication data holding unit 103f as needed.

  Next, the processing of the cipher analysis unit 104 will be described with reference to the flowcharts illustrated in FIGS. The flowchart illustrated in FIGS. 15 and 16 corresponds to steps S1105 to S1106 in FIG.

  First, the operation of the key candidate extracting unit 104a will be described with reference to the flowchart illustrated in FIG.

  As described above, for example, in response to the instruction from the encrypted communication inspection unit 103b (step S1210), the encryption analysis unit 104 starts the decryption processing of the encrypted communication data.

  First, the key candidate extracting unit 104a refers to the memory area data registered (saved) in the memory dump holding unit 102a (step S1501). In this case, the key candidate extracting unit 104a may acquire the memory area data from the memory dump holding unit 102a.

  Next, the key candidate extracting unit 104a extracts encryption key candidates from the memory area data referred (acquired) in step S1501 based on the key candidate determination information 104b (step S1502).

  As described above, when the cryptographic communication inspection unit 103b provides the information about the cryptographic algorithm, the key candidate extraction unit 104a uses the key candidate determination criterion 704 associated with the cryptographic algorithm to extract the data from the memory area data. Extract key data candidates.

  If the encryption algorithm is unknown, key data candidates are extracted based on the key candidate determination standard 704 for all the encryption algorithms 701 registered in the key candidate determination information 104b.

  In addition, at this time, the key candidate extraction unit 104a may extract information regarding the cryptographic algorithm associated with the key data candidate (for example, the cryptographic algorithm 701 and the cryptographic parameter 702).

  Next, the key candidate extracting unit 104a registers (stores) the key candidate extracted in step S1502 and the information regarding the encryption algorithm in the key candidate holding unit 104c (step S1503).

  After step S1503, the key candidate extraction unit 104a may notify the decryption unit 104d that the key candidate extraction processing has been completed (step S1504).

  Next, the decryption unit 104d executes a process of decrypting the encrypted communication data using the key data candidates extracted in steps S1501 to S1503 (step S1505).

  Hereinafter, details of the processing in step S1505 will be described with reference to the flowchart illustrated in FIG.

  First, the decryption unit 104d acquires the key data candidate (803 in FIG. 8) registered in the key candidate holding unit 104c (step S1601). At this time, the decryption unit 104d may obtain information (801 and 802 in FIG. 8) regarding the encryption algorithm associated with the key candidate. Further, the decryption unit 104d may acquire the cryptographic processing data associated with the key candidate.

  Next, the decryption unit 104d refers to the encrypted communication data registered (saved) in the communication data holding unit 103f. In this case, the decryption unit 104d may acquire the communication data from the communication data holding unit 103f.

  Then, the decryption unit 104d decrypts (decrypts) the acquired communication data by using the information about the key data candidate and the encryption algorithm referred (acquired) in step S1601 (step S1602).

  Next, the decryption unit 104d determines, based on the analysis result determination information 104e, whether or not the decrypted communication data, which is the result of decrypting (decoding) the communication data in step S1602, has been correctly decrypted (decrypted). (Step S1603).

  As described above, the decryption unit 104d uses the entropy value of the decrypted communication data, whether the decrypted communication data matches a specific data format, or the like. However, it may be determined whether or not it has been correctly decoded.

  When it is determined that the decrypted communication data is properly decrypted (YES in step S1604), the decryption unit 104d registers the correct key data and the decrypted communication data in the analysis result holding unit 104f (step S1606).

  When it is determined that the decrypted communication data has not been correctly decrypted (NO in step S1604), the decryption unit 104d confirms whether another key data candidate is registered in the key candidate holding unit 104c (step S1605).

  If another key data candidate is registered (YES in step S1607), the decryption unit 104d continues the process from step S1601 and extracts the other key data candidate from the key candidate holding unit 104c.

  By the processes of steps S1601 to S1607, key data including an encryption key capable of decrypting communication data and decrypted communication data are obtained.

  The decryption unit 104d may notify the encrypted communication inspection unit 103b of the completion of the above-described decryption processing of communication data (step S1608).

  The cryptographic communication inspection unit 103b that has received the notification in step S1608 continues the process from step S1107 described above. In this case, the encrypted communication inspection unit 103b can execute a specific process based on the result of analyzing the decrypted communication data.

  In the analysis system 100 according to the present embodiment configured as described above, first, the communication processing unit 103 performs communication that is transmitted / received between the analysis target device 101 and the communication network 105 based on a specific cryptographic communication protocol. Analyze the data. Then, the communication processing unit 103 determines, based on the result of the analysis, the timing at which the encryption key for encrypting the communication path between the analysis target device 101 and the communication network 105 exists in the memory 101b of the analysis target device 101. Specify.

  The communication processing unit 103 instructs the data acquisition unit 102 to acquire the memory area data stored in the memory 101b at the timing.

  As described above, according to the analysis system 100 of the present embodiment, the data acquisition unit 102 analyzes the memory area data including the encryption key for encrypting the communication path between the analysis target device 101 and the communication network 105 as the analysis target. It can be obtained from the memory 101b of the device 101.

  In addition, the communication processing unit 103 (in particular, the encrypted communication inspection unit 103b) temporarily stops the communication between the analysis target device 101 and the communication network 105 with respect to the communication control unit 103a at the specific timing. Can be instructed to do so. As a result, the communication processing unit 103 in this embodiment can extend the period in which the encryption key is held in the memory 101b. Because the communication between the analysis target device 101 and the communication network 105 is temporarily stopped, the encryption key is not lost or changed due to the progress of the communication process, and the encryption key is stored in the memory 101b. It is expected to be held. Therefore, according to the analysis system 100 in the present embodiment, it is possible to acquire the memory area data that is highly likely to include the encryption key.

  As described above, according to the present embodiment, based on the result of analyzing the communication data transmitted and received between the analysis target device 101 and the communication network 105 based on the cryptographic communication protocol, it is used for the cryptographic processing in the cryptographic communication protocol. The data including the encryption key to be used can be acquired from the memory space of the information communication device.

  More specifically, according to the present embodiment, by analyzing the communication data transmitted and received by the encrypted communication, it is determined whether or not the encryption key used in the encrypted communication exists in the memory 101b of the analysis target device 101. It is possible to obtain the data held in the memory 101b based on the determination result.

  In addition to the above, the analysis system 100 in the present embodiment has the following effects.

  In the analysis system 100 according to the present embodiment, the cryptographic analysis unit 104 uses the cryptographic key based on the data (key candidate determination information 104b) representing the characteristics of the key data including the cryptographic key from the acquired memory area data. (Key data candidate) is extracted. Then, the cryptographic analysis unit 104 determines whether or not the result of decrypting (decoding) communication data using the extracted key data candidate is successful, based on the analysis result determination information 104e. The cryptographic analysis unit 104 can acquire the key data including the correct cryptographic key and the decrypted communication data based on the determination result.

  As described above, the analysis system 100 according to the present embodiment can efficiently extract key data candidates from the memory area data. This is because the cryptographic analysis unit 104 extracts key data candidates from the memory area data based on the data (key candidate determination information 104b) representing the characteristics of the key data, so that data that does not match the characteristics of the key data is extracted. , Because it can be excluded from the key data candidates. Further, since the correct key data included in the plurality of key data candidates can be determined, the analysis system 100 in the present embodiment can efficiently search the memory area data for the correct key data.

  Further, in the analysis system 100 according to the present embodiment, the cipher analysis unit 104 can decipher the encrypted communication data using the extracted correct key data.

  Further, according to the analysis system 100 in the present embodiment, the communication processing unit 103 uses the communication data decrypted by the cryptographic analysis unit 104 to perform communication that is transmitted and received between the analysis target device 101 and the communication network 105. The content of data can be analyzed. The communication processing unit 103 can execute, for example, the specific processing described above according to the analysis result.

  As described above, the analysis system 100 according to the present embodiment can analyze at least a part of encrypted communication data transmitted and received between the analysis target device 101 and the communication network 105. In addition, the analysis system 100 according to the present embodiment can execute a specific process according to the result of the above analysis. Specifically, the analysis system 100 according to the present embodiment can analyze the content of encrypted communication by an arbitrary software program such as malware executed in the analysis target device 101, for example. In particular, the analysis system 100 according to the present embodiment can analyze the content of the encrypted communication by a non-invasive method with respect to the software program and the analysis target device 101, and based on the analysis result, an arbitrary Processing can be executed.

<Modification of First Embodiment>
Hereinafter, a modified example of the above-described first embodiment will be described.

  In the first embodiment, the key candidate extraction unit 104a extracts key data candidates from the memory area data acquired by the data acquisition unit 102 based on the key candidate determination information 104b.

  The key candidate extraction unit 104a in the present modification extracts at least one of the above-described encryption processing data candidate and the key material data candidate that is the data from which the encryption key is generated from the memory area data. As described above, the key candidate extracting unit 104a in the first embodiment is expanded. The candidate of the key material data may be, for example, pre_master_secret or master_secret in SSL.

  Similar to the above-described key data, the encrypted data and the key material data may show unique characteristics among the data included in the memory area data. The characteristics of these data are, for example, the attributes of the data itself (for example, the randomness of the data itself), or the arrangement pattern of the data in the memory area data (arrangement position, arrangement of the arranged data). ) Etc.

  Further, the characteristics of the cryptographic processing data and the key material data may differ depending on various conditions regarding execution of the cryptographic communication, like the characteristics of the key data. Specifically, the characteristics of the data may differ depending on, for example, the encryption algorithm used in the encryption communication protocol or the execution environment of the process related to the encryption method in the analysis target device 101.

  For example, when GCM is adopted as a cipher use mode for a specific cryptographic algorithm, and when CBC mode is adopted, the type of data required as cryptographic processing data is different, and the characteristics of the data itself are also different. For example, some data has high randomness, and some data is set to a predetermined value. Further, the location of the cryptographic processing data in the memory area data may differ depending on the execution environment of the cryptographic processing in the analysis target device 101.

  Similar to the characteristics of the key data described above, it is possible to provide a criterion for extracting candidates of these data from the memory area data by collecting and patterning the data representing the characteristics of these data in advance. is there. The key candidate extraction unit 104a in the present modification extracts these data candidates from the memory area data based on the determination standard. For example, a position (place) for searching (extracting) these data candidates may be set as the determination criterion. Alternatively, for example, a determination method for determining whether or not specific data corresponds to these data may be set in the determination criteria.

  Note that the determination criterion may be added to the key candidate determination information 104b in the first embodiment. Further, the determination criterion may be added to the key candidate extraction unit 104a as a new component (not shown).

  When the key material data candidate is extracted, the decryption unit 104d in the present modification may generate the key data candidate from the key material data candidate. Generally, a method for generating an encryption key from key material data is specified for each encryption communication protocol (or an encryption algorithm used in the encryption communication protocol). For example, in the case of the SSL protocol, a method of generating a master_secret from pre_master_secret and a method of generating a key and the like used for encrypted communication from the master_secret are defined as the specifications of the SSL protocol.

  As in the first embodiment, the decryption unit 104d in the present variation decrypts communication data using key data candidates and encryption processing data candidates. The decryption unit 104d in the present modification determines the success or failure of the decryption result based on the analysis result determination information 104e, as in the first embodiment.

  When the decryption of the communication data is successful, the decryption unit 104d according to the present modification saves (registers) the correct key data, the decrypted communication data, and the encrypted data in the analysis result storage unit 104f. Good.

  The analysis system 100 according to the present modification configured as described above can extract at least one of a candidate for cryptographic processing data and a candidate for key material data based on a predetermined determination criterion. Further, the analysis system 100 in the present modification can acquire correct key data and decrypted communication data based on the result of decrypting the communication data using those data, as in the first embodiment. is there.

  In addition, the analysis system 100 according to the present embodiment includes the same configuration as the analysis system 100 according to the first embodiment described above, and thus has the same effect as that of the first embodiment.

<Second Embodiment>
Next, a second embodiment of the present invention will be described with reference to FIG. FIG. 17 is a block diagram illustrating a functional configuration of the analysis system 1700 according to this embodiment.

  The analysis system 1700 in the present embodiment analyzes encrypted communication executed between the information communication device 1701 and the communication network 1705. Then, the analysis system 1700 in this embodiment executes a specific process based on the analysis result.

  The information communication device 1701 is an arbitrary information communication device that includes at least a calculation unit 1701a and a memory 1701b and is communicably connected to a communication network 1705.

  The information communication device 1701 may be, for example, an information communication device such as a computer configured by physical hardware. Further, the information communication device 1701 may be a virtual computer (VM) provided on a predetermined virtualization platform capable of virtualizing various hardware such as an information processing device.

  The arithmetic unit 1701a in the information communication device 1701 reads out various data and programs stored in the memory 1701b and executes various arithmetic processes implemented in the programs, as in the arithmetic unit 101a in each of the above-described embodiments. It is an arithmetic unit such as an MPU.

  The memory 1701b in the information communication device 1701 functions as a main memory in the information communication device 1701 like the memory 101b in each of the above-described embodiments, and holds various programs and data processed by the calculation unit 1701a. The data held (stored) in the memory 1701b can be acquired (dumped) from the outside.

  Such an information communication device 1701 may be the same as the analysis target device 101 in each of the embodiments described above.

  The communication network 1705 is a wired, wireless, or any combination thereof, and is a communication network capable of establishing a communication path using an arbitrary communication protocol. Further, the communication network 1705 can provide the information communication device 1701 with a communication path encrypted by the various encrypted communication protocols described in the above embodiments. The communication network 1705 concerned may be the same as the communication network 105 in each of the above-described embodiments, and thus detailed description thereof will be omitted.

  Next, the configuration of the analysis system 1700 will be described.

  The analysis system 1700 according to this embodiment includes a data acquisition unit 1702 and a communication processing unit 1703.

  Each component of the analysis system 1700 may be realized by using an information processing device such as a physical computer, or may be realized by using a VM provided in the virtualization platform. Further, the respective constituent elements of the analysis system 1700 are communicably connected to each other by a wireless communication, a wired communication, or an arbitrary communication line combining them. A well-known technique may be adopted for the communication line, and thus detailed description thereof will be omitted. Hereinafter, each component of the analysis system 1700 will be described.

  The data acquisition unit 1702 can acquire at least a part of the data held in the memory 1701b from the information communication device 1701. A specific method of acquiring the data held (stored) in the memory 1701b can be appropriately selected according to the specific configuration of the information communication device 1701. The data acquisition unit 1702 may be the same as the data acquisition unit 102 in each of the above embodiments, for example.

  The communication processing unit 1703, based on communication data transmitted and received between the information communication device 1701 and the communication network 1705 according to a specific encryption communication protocol, includes key data including an encryption key used for encryption processing in the encryption communication protocol. Is stored in the memory 1701b. The communication processing unit 1703 instructs the data acquisition unit to acquire the data held in the memory based on the determined result. The communication processing unit 1703 may be the same as the communication processing unit 103 in each of the above embodiments, for example.

  The communication processing unit 1703 determines, for example, by analyzing the communication data, the timing when a specific condition regarding the encryption key is satisfied in a specific encryption communication protocol (for example, the timing when the encryption key exchange is established). Good. Then, the communication processing unit 1703 may instruct the data acquisition unit 1702 to acquire the data held in the memory 1701b at the timing.

  The analysis system 1700 (particularly the data acquisition unit 1702) configured as described above transfers the memory area data including the encryption key for encrypting the communication path between the information communication device 1701 and the communication network 1705 to the information communication. It can be obtained from the memory 1701b of the device 1701. This is because, when the communication processing unit 1703 determines that the key data including the encryption key is stored in the memory 1701b, it instructs the data acquisition unit 1702 to acquire the data stored in the memory 1701b. Is.

  As described above, according to the analysis system 1700 of this embodiment, the data including the encryption key used in the encrypted communication executed between the information communication device 1701 and the communication network 1705 is transferred from the memory 1701b of the information communication device 1701. Can be obtained.

  More specifically, according to this embodiment, the analysis system 1700 analyzes the encrypted communication data to determine whether the encryption key used in the encrypted communication exists in the memory 1701b of the information communication device 1701. To determine. Then, the analysis system 1700 can acquire the data held in the memory 1701b based on the determination result.

<Third Embodiment>
Next, using the encryption key (for example, the encryption key acquired by the analysis system shown in each embodiment), it is possible to determine whether or not the communication device includes software that is likely to be malware. A detailed malware determination device will be described. The configuration of the malware determination device 431 according to the third exemplary embodiment of the present invention will be described with reference to FIG. FIG. 19: is a block diagram which shows the structure which the malware determination apparatus 431 which concerns on the 3rd Embodiment of this invention has.

  The malware determination device 431 according to the third exemplary embodiment of the present invention includes an encryption method identification unit 432, a result information creation unit 433, and a determination unit 434.

  The malware determination device 431 can send and receive the communication method information 435 (illustrated in FIG. 21) and the encryption information 436 (illustrated in FIG. 22).

  The communication method information 435 will be described with reference to FIG. FIG. 21 is a diagram conceptually showing an example of the communication method information 435.

  The communication method information 435 is information in which a communication method and code information representing a code used when communicating according to the communication method are associated with each other. For example, in the code information illustrated in FIG. 21, the communication scheme “https” is associated with the code information “GET, POST, ...”. This is in accordance with the communication method using codes such as “GET” and “POST” included in the code information “GET, POST, ...” When communicating according to the communication method “https”. Indicates that communication processing can be realized. The communication method information 435 is not limited to the above example as long as it includes the communication method and the code information.

  Next, the cryptographic information 436 will be described with reference to FIG. FIG. 22 is a diagram conceptually showing an example of the encryption information 436.

  The encryption information 436 is information in which a name that can uniquely identify an encryption method and a processing procedure (encryption processing procedure, decryption processing procedure) according to the encryption method are associated with each other. For example, in the encryption information 436 illustrated in FIG. 22, the name “AES” and the processing procedure “processing procedure 1” are associated with each other. This means that when the process is executed according to the encryption method represented by the name “AES”, the encryption process (or the decryption process) can be executed according to the process procedure “process procedure 1”. The encryption method information is not limited to the above example, as long as the encryption method information includes a name that can identify the encryption method and a processing procedure according to the encryption method.

  Next, with reference to FIG. 20, processing in the malware determination device 431 according to the third exemplary embodiment will be described. FIG. 20 is a flowchart showing the flow of processing in the malware determination device 431 according to the third embodiment.

  The malware determination device 431 inputs, for example, data to be acquired from the memory by the analysis system shown in each embodiment of the present invention. As shown in each of the embodiments, for example, when the analysis system determines that the memory stores the key data related to the encryption key used in the communication, the analysis system acquires the data stored in the memory. be able to. The data is, for example, key data representing an encryption key.

  The encryption method identifying unit 432 provides the encryption method information that can identify the encryption method used in the communication method from the first communication message transmitted and received when establishing the communication connection according to the communication method (communication protocol). It is extracted (step S431). As described above with reference to FIG. 13, for example, when the communication protocol is the SSL protocol, the process of establishing a communication connection according to the encryption method is also called a handshake process (“Handshake: Client_Hello” in FIG. 13). Through processing to timing stop T2). Communication messages such as the ClientHello message and the ServerHello message transmitted / received in the handshake process include a cipher suite (for example, “ChangeCipherSpec” in FIG. 13) that represents information related to the encryption process used at the time of communication. The encryption method identifying unit 432 extracts, for example, encryption method information (for example, the name of the encryption method) that can identify the encryption method included in the encryption suite from these communication messages.

  A communication connection is established after the handshake process, and the second communication message is transmitted and received between the devices via the established communication connection (processes after “T3” shown in FIG. 13).

  The result information creation unit 433 reads the second communication message transmitted / received via the communication connection. The second communication message can be encrypted according to the cipher suite transmitted and received when establishing the communication connection. In the following description, it is assumed that the second communication message is encrypted according to the cipher suite.

  The result information creation unit 433 uses the input data (that is, the data stored in the memory, for example, the key data) to execute the decryption process of decrypting the second communication message (step S432). Through this process, the result information creation unit 433 creates result information indicating the result of the decoding process. The result information is, for example, the second communication message decrypted using the input data.

  Next, the determination unit 434 identifies the code information associated with the communication method information 435 based on the communication method information 435 as illustrated in FIG. The determination unit 434 determines whether or not the result information includes the specified code information (step S433). When determining unit 434 determines that the result information includes the specified code information (YES in step S433), the device (for example, the client illustrated in FIG. 13) that has transmitted the second communication message determines Judge that it does not include software that is likely to be malware. On the other hand, when the determination unit 434 determines that the identified code information is not included in the result information (NO in step S433), the device that transmitted the second communication message may be malware. It is determined that it does not include highly probable software (step S435).

  For example, in the case of the communication method information 435 illustrated in FIG. 21, the determination unit 434 identifies the code information “GET, POST” associated with the communication protocol “https”. The communication message transmitted / received according to the communication protocol “https” includes code information “GET”, code information “POST”, or the like. In this example, the determination unit 434 determines whether or not the second communication message includes code information “GET”, code information “POST”, or the like, and any code information is included in the second communication message. If not, it is determined that the device that has transmitted the second communication message includes software that is likely to be malware (step S434).

  The reason why the process shown in FIG. 20 can determine whether or not software that is likely to be malware is included will be described. In a communication connection established according to a certain communication method, the second communication message transmitted / received through the communication connection is often encrypted according to the encryption method determined by the handshake process. The result information created by decoding the second communication message includes code information (e.g., a command) for the second communication message. When the result information does not include the code information, the second communication message which is the basis of the result information is a communication message which does not comply with the communication method. In such a case, the inventor of the present application has a high regularity that the information processing device (for example, the client shown in FIG. 13) that transmits and receives the second communication message includes software that is likely to be malware. Found. In other words, since the malware determination device 431 executes processing according to the regularity, it is possible to determine whether or not the device includes software that is highly likely to be malware.

  Therefore, the malware determination device 431 according to the present embodiment can accurately determine whether or not the device that has transmitted the communication message includes software that is likely to be malware.

  Furthermore, the malware determination device 431 does not have a tool for analyzing software, a sandbox, or the like. Therefore, the malware cannot be detected when the technology disclosed in Patent Document 11 or Patent Document 12 is used (for example, a sandbox or malware whose processing is changed by detecting the tool). On the other hand, the malware determination device 431 according to the present embodiment can detect the malware.

  For convenience of explanation, in the third embodiment, when the malware determination device 431 receives the communication message (the first communication message or the second communication message), it executes the process shown in FIG. did. However, the malware determination device 431 reads the communication message (for example, the data shown in the column “record data 603”) from the communication data stored in the communication data holding unit 103f as illustrated in FIG. You may perform the process shown by FIG. Similarly, in each of the embodiments of the present invention described below, the processing may be performed on the communication message stored in the record data 603 or the like.

<Fourth Embodiment>
Next, a fourth embodiment of the present invention based on the above-described third embodiment will be described.

  In the following description, the characteristic part according to the present embodiment will be mainly described, and the same configurations as those of the third embodiment described above will be denoted by the same reference numerals to omit redundant description. To do.

  The configuration of the malware determination device 441 according to the fourth exemplary embodiment of the present invention will be described in detail with reference to FIG. FIG. 23 is a block diagram showing the configuration of the malware determination device 441 according to the fourth embodiment of the present invention.

  The malware determination device 441 according to the fourth exemplary embodiment of the present invention includes an encryption method identification unit 432, a result information creation unit 433, and a determination unit 444.

  The malware determination device 441 can send and receive the communication method information 435 (illustrated in FIG. 21) and the encryption information 436 (illustrated in FIG. 22).

  Next, with reference to FIG. 24, processing in the malware determination device 441 according to the fourth exemplary embodiment will be described. FIG. 24 is a flowchart showing the flow of processing in the malware determination device 441 according to the fourth embodiment.

  The encryption method identifying unit 432 extracts the encryption method by performing the same processing as the processing shown in step S431 of FIG. The result information creation unit 433 creates result information by executing the same processing as the processing shown in step S432 of FIG.

  The determination unit 444 calculates a variation degree indicating the degree of variation in the data included in the result information (step S443). The variation degree can be calculated, for example, by calculating the frequency of appearance of a character in the result information and calculating the variance of the calculated frequencies. Alternatively, the degree of variation can be calculated by calculating the frequency with which a character appears in the result information and calculating the entropy of the calculated frequency. The degree of variation is not limited to the above example.

  Next, the determination unit 444 determines whether or not the calculated degree of variation satisfies a predetermined standard (step S444). The determining unit 444 determines whether or not the degree of variation satisfies a predetermined criterion, for example, by determining whether or not the degree of variation is equal to or greater than a predetermined threshold. If the variation degree is a value larger than the predetermined threshold value (that is, the variation degree satisfies the criterion) (YES in step S444), the determination unit 444 transmits the second communication message to the device as malware. It is determined that the software that has a high possibility is included (step S434). If the variation degree is less than the predetermined threshold value (that is, the variation degree does not satisfy the criterion) (NO in step S444), the determination unit 444 may determine that the device that has transmitted the second communication message is malware. Is not included in the high software (step S435).

  The reason why the processing shown in FIG. 24 can determine whether or not software that is likely to be malware is included will be described. In a communication connection established according to a certain communication method, the second communication message transmitted / received through the communication connection is often encrypted according to the encryption method determined by the handshake process. The result information created by decoding the second communication message often includes code information as shown in FIG. In this case, since the result information includes specific code information, the degree of variation in the result information is often small. However, the inventor of the present application has a high possibility that, for example, the result information is encrypted (that is, doubly encrypted) when the degree of variation in the result information is large. , And found that there is a high possibility that the device that transmitted the second communication message, which is the basis of the result information, includes software that is highly likely to be malware. In other words, since the malware determination device 441 executes processing according to the regularity, it is possible to determine whether or not the device includes software that is highly likely to be malware.

  Therefore, the malware determination device 441 according to the present embodiment can accurately determine whether or not the device that has transmitted the communication message includes software that is likely to be malware.

<Fifth Embodiment>
Next, a fifth embodiment of the present invention based on the above-described third embodiment will be described.

  In the following description, the characteristic part according to the present embodiment will be mainly described, and the same configurations as those in the above-described fourth embodiment will be denoted by the same reference numerals, and redundant description will be omitted. To do.

  The configuration of the malware determination device 451 according to the fifth exemplary embodiment of the present invention will be described in detail with reference to FIG. FIG. 25: is a block diagram which shows the structure which the malware determination apparatus 451 which concerns on the 5th Embodiment of this invention has.

  The malware determination device 451 according to the fifth exemplary embodiment of the present invention includes an encryption method identification unit 432, a result information creation unit 433, and a determination unit 454.

  The malware determination device 451 can send and receive the communication method information 435 (illustrated in FIG. 21) and the encryption information 436 (illustrated in FIG. 22).

  Next, the processing in the malware determination device 451 according to the fifth embodiment will be described with reference to FIG. FIG. 26 is a flowchart showing the flow of processing in the malware determination device 451 according to the fifth embodiment.

  The encryption method identifying unit 432 extracts the encryption method by performing the same processing as the processing shown in step S431 of FIG. The result information creation unit 433 creates result information by executing the same processing as the processing shown in step S431 of FIG.

  The determination unit 454 calculates the degree of variation indicating the degree of variation in the data included in the result information (step S443). The determination unit 454 determines whether or not the calculated degree of variation satisfies a predetermined standard (step S444). When the degree of variation satisfies the criterion (YES in step S444), the determination unit 454 determines that the device that has transmitted the second communication message contains software that is likely to be malware (step S434). ). When the degree of variation does not satisfy the criterion (NO in step S444), the determination unit 454 determines the code associated with the communication method of the communication connection based on the communication method information 435 illustrated in FIG. Identify the information.

  The determination unit 454 determines whether the result information calculated in step S432 includes the code information (step S455). The specific processing regarding step S455 is the same as the processing regarding step S433 in FIG. 20, and thus detailed description thereof is omitted here.

  When the determination unit 454 determines that the result information includes the code information (YES in step S455), the determination unit 454 includes software that has a high possibility that the device that transmitted the second communication message is malware. It is determined that there is not (step S435). On the other hand, when the determining unit 454 determines that the specified code information is not included in the result information (NO in step S455), the determination unit 454 transmits software that is likely to be the second communication message. The determined device does not include software that is likely to be malware (step S434).

  Next, effects of the malware determination device 451 according to the fifth embodiment will be described.

  The malware determination device 451 according to the fifth embodiment can accurately determine whether or not the device that has transmitted the second communication message includes software that is highly likely to be malware. The reason is that the malware determination device 451 according to the fifth embodiment includes the malware determination device 441 according to the fourth embodiment.

  According to the malware determination apparatus 451 according to the fifth embodiment, it is possible to determine more accurately whether or not the apparatus that has transmitted the communication message includes software that is likely to be malware. The reason is that the determination unit 454 includes software that has a high possibility that the device that has transmitted the second communication message is malware based on the two determination results that are the determination result regarding the variation degree and the determination result regarding the code information. This is because it is determined whether or not

<Structure of hardware and software program (computer program)>
Hereinafter, a hardware configuration capable of realizing each of the above-described embodiments will be described.

  In the following description, the analysis system (reference numeral 100, reference numeral 1700) described in each of the above-mentioned embodiments may be collectively referred to simply as “analysis system”. In addition, each component of the analysis system (for example, the data acquisition unit (reference numeral 102, reference numeral 1702), the communication processing unit (reference numeral 103, reference numeral 1703), and the cryptographic analysis unit (reference numeral 104) is collectively referred to simply as “the analysis system It may be referred to as a “component”.

  As described above, the analysis system or the malware determination device described in each of the above embodiments may be realized by a single device (for example, a physical information processing device or a virtual information processing device). .. In addition, the analysis system or the malware determination device described in each of the above embodiments is a combination of a plurality of devices (physical information processing device or virtual information processing device) that are physically or logically separated from each other. May be realized by

  More specifically, the analysis system or the malware determination device described in each of the above embodiments may be configured using a dedicated hardware device. In that case, each component shown in each of the above drawings may be realized as hardware in which a part or all of the components are integrated (an integrated circuit in which a processing logic is mounted).

  For example, when each component is realized by hardware, each component may be implemented by an SoC (System-on-a-chip) or the like that is an integrated circuit capable of providing each function. In this case, for example, the data held by each component may be stored in the RAM area or flash memory area integrated as the SoC.

  Further, in this case, a well-known communication bus may be adopted as the communication line connecting the respective constituent elements. Further, the communication line connecting each component is not limited to the bus connection, and each component may be connected peer-to-peer.

  Further, the above-described analysis system or the components of this analysis system may be configured by hardware as illustrated in FIG. 18 and various software programs (computer programs) executed by the hardware. Good.

  The arithmetic unit 1801 in FIG. 18 is an arithmetic processing unit such as a general-purpose CPU or a microprocessor. The arithmetic device 1801 may read various software programs stored in, for example, a nonvolatile storage device 1803, which will be described later, into the storage device 1802, and execute processing according to the software programs.

  The storage device 1802 is a memory device such as a RAM (Random Access Memory) that can be referred to by the arithmetic device 1801 and stores software programs, various data, and the like. The storage device 1802 may be a volatile memory device.

  The non-volatile storage device 1803 is a non-volatile storage device such as a magnetic disk drive or a semiconductor storage device using a flash memory. The non-volatile storage device 1803 can store various software programs, data, and the like.

  The network interface 1806 is an interface device that connects to a communication network, and may be, for example, a wired and wireless LAN (Local Area Network) connection interface device.

  For example, the analysis system, the components of the analysis system, or the malware determination device in each of the above-described embodiments uses the analysis target device 101, the information communication device 1701, the communication network (105, 1705), and the network interface 1806. Connected so that they can communicate.

  The analysis system or the components of the analysis system (in particular, the communication processing units (103, 1703)) in each of the above embodiments may include a plurality of network interfaces 1806. In this case, for example, a specific network interface 1806 may be connected to the analysis target device 101 or the information communication device 1701, and another network interface 1806 may be connected to the communication network (105, 1705).

  The drive device 1804 is, for example, a device that processes reading and writing of data with respect to a recording medium 1805 described later.

  The recording medium 1805 is any recording medium capable of recording data, such as an optical disc, a magneto-optical disc, and a semiconductor flash memory.

  The input / output interface 1807 is a device that controls input / output with an external device. For example, a user or administrator of the analysis system can perform various operations on the analysis system by using various input / output devices (for example, keyboard, mouse, display device, printer, etc.) connected through the input / output interface. You may input instructions etc.

  In the present invention described by taking the above-described respective embodiments as examples, for example, the analysis system or the constituent elements thereof may be configured by the hardware device illustrated in FIG. 18. Further, in the present invention, a software program capable of realizing the functions described in the above embodiments may be supplied to the hardware device. In this case, the invention of the present application may be realized by the arithmetic device 1801 executing the software program supplied to the device.

  In each of the above-described embodiments, each unit illustrated in each of the above-described drawings (for example, FIG. 1, FIG. 17, FIG. 19, FIG. 23, FIG. 25, etc.) is a function (processing ) Unit, which can be realized as a software module. However, the division of each software module shown in these drawings is a configuration for convenience of description, and various configurations can be assumed when mounting.

  For example, when each unit illustrated in FIG. 1 and FIG. 17 is implemented as a software module, these software modules are stored in the non-volatile storage device 1803, and when the arithmetic device 1801 executes each processing, These software modules may be read into the storage device 1802.

  Also, between these software modules, various data may be mutually transmitted by an appropriate method such as shared memory or inter-process communication. With such a configuration, these software modules can be connected to be able to communicate with each other.

  Further, each of the above software programs may be recorded in the recording medium 1805. In this case, the software program may be appropriately stored in the non-volatile storage device 1803 through the drive device 1804 at the shipping stage or the operation stage of the communication device or the like.

  Further, when the constituent elements of the analysis system are realized as a software program, various data relating to the following respective constituent elements described in the above embodiments are stored in a nonvolatile memory by using an appropriate file system, a database, or the like. It may be stored in the device 1803. The constituent elements include the memory dump holding unit 102a, the key data acquisition policy 103c, the communication data recording policy 103e, the communication data holding unit 103f, the key candidate determination information 104b, the key candidate holding unit 104c, the analysis result determination information 104e, and the analysis result. The holding unit 104f and the like are included.

  In the above case, the method of supplying various software programs to the analysis system is installed in the apparatus by using an appropriate jig at the manufacturing stage before shipment or the maintenance stage after shipment. A method may be adopted. Further, as a method of supplying various software programs, a general procedure may be adopted at present, such as a method of downloading from the outside through a communication line such as the Internet.

  Then, in such a case, the present invention can be considered to be configured by a code configuring the software program or a computer-readable recording medium in which the code is recorded.

  The components of the analysis system, the analysis system, or the malware determination device described above are a virtual environment in which the hardware device illustrated in FIG. 18 is virtualized, and various software programs executed in the virtualized environment. (Computer program). In this case, the components of the hardware device illustrated in FIG. 18 are provided as virtual devices in the virtualization environment. Also in this case, the present invention can be realized with the same configuration as that when the hardware device illustrated in FIG. 18 is configured as a physical device.

  The present invention has been described above as an example applied to the exemplary embodiment described above. However, the technical scope of the present invention is not limited to the scope described in each of the above-described embodiments. It is obvious to those skilled in the art that various changes or improvements can be added to the embodiment. That is, the present invention can apply various aspects that can be understood by those skilled in the art within the scope of the present invention. In such a case, new embodiments with such changes or improvements may be included in the technical scope of the present invention. A combination of such embodiments is also included in the technical scope of the present invention. And this is clear from the matters described in the claims.

  INDUSTRIAL APPLICABILITY The present invention is applicable to, for example, analysis of communication processing in the development and operation stages of an information communication apparatus, analysis of communication processing of various programs executed in the information communication apparatus, and the like. More specifically, the present invention is applicable to, for example, an inspection system that inspects an unauthorized communication process executed by various programs in an information communication device, and executes an appropriate process according to the content of the communication process. is there.

100 analysis system 101 analysis target device 102 data acquisition unit 103 communication processing unit 104 encryption analysis unit 105 communication network 106 communication path 107 other information communication device 1700 analysis system 1701 information communication device 1702 data acquisition unit 1703 communication processing unit 1705 communication network 1801 Arithmetic device 1802 Storage device 1803 Nonvolatile storage device 1804 Drive device 1805 Recording medium 1806 Network interface 1807 Input / output interface 431 Malware determination device 432 Encryption method identification unit 433 Result information creation unit 434 Determination unit 435 Communication method information 436 Encryption information 444 Determination Part 454 Judgment Unit 441 Malware Judging Device 451 Malware Judgment Device

Claims (10)

An encryption method specifying unit for extracting encryption method information capable of identifying an encryption method used in the communication connection from a first communication message transmitted / received when an attempt is made to establish a communication connection according to the communication method,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 result information creating means for creating result information representing the result of decoding processing of the communication message,
Whether the device that has transmitted the second communication message contains software that is likely to be malware depending on whether or not the result information includes code information that realizes communication processing according to the communication method A malware determination device comprising: a determination unit that determines whether or not the malware is determined. An encryption method specifying unit for extracting encryption method information capable of identifying an encryption method used in the communication connection from a first communication message transmitted / received when an attempt is made to establish a communication connection according to the communication method,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 result information creating means for creating result information representing the result of decoding processing of the communication message,
A device that transmits the second communication message calculates a degree of variation representing a degree of variation of the data included in the result information, and determines whether the calculated degree of variation satisfies a predetermined criterion. When it is determined whether or not software that is likely to be malware is included, and when it is determined that the software is not included, the code information associated with the extracted encryption method information is added to the result. A malware determination device, which determines whether or not the device that has transmitted the second communication message includes software that is likely to be malware, depending on whether or not the information includes the information . The first communication message transmitted and received determines whether or not the encryption key information is stored in the memory within a period in which the target device that is a communication target of the device has stored in the memory, Further comprising communication processing means for transmitting, to the target device, an acquisition instruction for acquiring data including at least the encryption key information from the memory when it is determined that the encryption key information is stored in the memory,
The result information creating means creates the result information based on the encryption key information in the data acquired in response to the acquisition instruction.
The malware determination device according to claim 1 or 2 . When the communication processing unit determines that the encryption key information is stored in the memory, the communication processing unit issues a stop instruction to stop communication for transmitting and receiving the first communication message between the device and the target device. To the communication control device that controls the communication in step 1, then transmits the acquisition instruction, acquires data including the encryption key information from the target device, and then restarts the communication that has been stopped. To the communication control device,
The result information creating means creates the result information based on the data including the encryption key information acquired by the communication processing means.
The malware determination device according to claim 3 . The communication processing means, when the first communication message is at least one of a message indicating that communication regarding the encryption key information in the communication method has ended and a message indicating that encrypted communication is started. , Determine that the encryption key information is stored in the memory
The malware determination device according to claim 3 or 4 . The communication processing means determines that the encryption key information is stored in the memory when the first communication message is a message indicating that communication according to the encryption method is started.
The malware determination device according to claim 3 or 4 . From the first communication message transmitted and received when attempting to establish a communication connection according to the communication method, extract encryption method information that can identify the encryption method used in the communication connection,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 Create result information indicating the result of decryption processing of the communication message,
Whether the device that has transmitted the second communication message contains software that is likely to be malware depending on whether or not the result information includes code information that realizes communication processing according to the communication method Malware determination method to determine whether or not . From the first communication message transmitted and received when attempting to establish a communication connection according to the communication method, extract encryption method information that can identify the encryption method used in the communication connection,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 Create result information indicating the result of decryption processing of the communication message,
A device that transmits the second communication message calculates a degree of variation representing a degree of variation of the data included in the result information, and determines whether the calculated degree of variation satisfies a predetermined criterion. When it is determined whether or not software that is likely to be malware is included, and when it is determined that the software is not included, the code information associated with the extracted encryption method information is added to the result. A malware determination method of determining whether or not the device that has transmitted the second communication message includes software that is highly likely to be malware, depending on whether or not the information includes the information . An encryption method specifying function for extracting encryption method information capable of identifying an encryption method used in the communication connection from a first communication message transmitted / received when an attempt is made to establish a communication connection according to the communication method,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 A result information creation function for creating result information representing the result of decryption processing of a communication message,
Whether the device that has transmitted the second communication message contains software that is likely to be malware depending on whether or not the result information includes code information that realizes communication processing according to the communication method A malware determination program that allows a computer to implement a determination function to determine whether or not . An encryption method specifying function for extracting encryption method information capable of identifying an encryption method used in the communication connection from a first communication message transmitted / received when an attempt is made to establish a communication connection according to the communication method,
According to the decryption method corresponding to the encryption method represented by the extracted encryption method information, the second communication message transmitted / received through the established communication connection is decrypted by using the encryption key information to obtain the second communication message. 2 A result information creation function for creating result information representing the result of decoding processing of a communication message,
A device that transmits the second communication message calculates a degree of variation representing a degree of variation of the data included in the result information, and determines whether the calculated degree of variation satisfies a predetermined criterion. When it is determined whether or not software that is likely to be malware is included, and when it is determined that the software is not included, the code information associated with the extracted encryption method information is added to the result. A malware determination program that causes a computer to implement a determination function of determining whether or not the device that has transmitted the second communication message includes software that is likely to be malware, depending on whether or not the information includes the information .

Images