WO2014188780A1 - Information processing apparatus and specifying method - Google Patents
Information processing apparatus and specifying method
- Publication number
- WO2014188780A1 (PCT/JP2014/058692)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- communication destination
- program
- tag
- information
- virtual
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Definitions
- The present invention relates to an information processing apparatus and a specifying method.
- Static analysis is a technique for understanding the functions of malware by analyzing its program code.
- Since static analysis analyzes the functions of malware exhaustively, it involves a great deal of manual work.
- Dynamic analysis is a technique for analyzing the functions of malware by preparing an environment that records the malware's behavior and running the malware in that environment. Because dynamic analysis extracts the malware's observed behavior, it is easier to automate than static analysis.
- In dynamic taint analysis, for example, a virtual CPU (Central Processing Unit) in a virtual machine tracks the flow of data that the malware reads and writes in virtual memory, a virtual disk, or the like. More specifically, dynamic taint analysis consists of three phases: taint tag assignment, taint tag propagation, and taint tag detection.
- In these three phases the virtual CPU executes the following processing. In the first phase, the virtual CPU runs the malware. When a file containing confidential information is read into memory, the virtual CPU assigns a taint tag representing the confidential information in association with the storage position in memory of the file containing that information. Normally this taint tag is stored in an area (also called "shadow memory") prepared separately from the physical memory managed by the OS (Operating System). This area is implemented so that it cannot be accessed from the OS or from applications (including the malware).
- In the second phase, the virtual CPU propagates the taint tag along with each copy of the confidential information by monitoring transfer instructions and the like between registers and the memory area.
- In the third phase, the virtual CPU checks whether data output from the network interface carries a taint tag indicating confidential information. When a taint tag is attached to the output data, the virtual CPU detects that confidential information is about to be sent outside.
- Taint tags can also implement breakpoints: a user assigns a taint tag in advance to the location at which a program should be interrupted (the location where a "breakpoint" is set). The virtual CPU then checks whether a taint tag is associated with each instruction about to be executed and interrupts the program if one is.
- The communication destinations of malware obtained by dynamic analysis include various hosts besides the destination to which information in the terminal is leaked. For example, there are sites that distribute new malware (referred to as "malware distribution sites") and sites the malware uses to confirm that it is connected to the network. The latter are often legitimate sites such as general search engines.
- The disclosed technology has been made in view of the above and aims to specify the distribution source of malware.
- The information processing apparatus disclosed in the present application includes an assigning unit and a specifying unit.
- The assigning unit assigns, to data received from a communication destination device by the program to be analyzed, a tag capable of identifying that communication destination device.
- When the start of a new program or a reservation to start one is detected, the specifying unit determines whether a tag is attached to the data executed by the new program and, if so, specifies the communication destination device identified by the tag.
- FIG. 1 is a diagram illustrating a configuration example of an information processing apparatus.
- FIG. 2 is a functional block diagram illustrating the configuration of the virtual hardware.
- FIG. 3 is a diagram illustrating an example of information stored in the communication destination information table.
- FIG. 4 is a diagram for explaining the processing operation by the assigning unit.
- FIG. 5 is a flowchart illustrating a processing procedure for assigning a taint tag by the assigning unit.
- FIG. 6 is a flowchart showing a procedure of processing for specifying a malware distribution site by the specifying unit.
- FIG. 7 is a diagram showing a computer that executes the specifying program.
- FIG. 1 is a diagram illustrating a configuration example of the information processing apparatus 10.
- the information processing apparatus 10 includes a physical machine 20 and a virtual machine 30.
- the physical machine 20 includes hardware 21, a host OS (Operating System) 22, and virtual machine software 23.
- The hardware 21 consists of the electronic circuits and peripheral devices that make up the information processing apparatus 10, for example memory and a CPU (Central Processing Unit). The hardware 21 also stores a disk image file holding the analysis target program 33 described later and the environment in which the analysis is performed; that is, the hardware 21 stores an image of the guest OS 32 that is booted on the virtual machine 30. The guest OS 32 is described later.
- the host OS 22 is an OS serving as a base for operating the virtual machine 30, and is executed using the hardware 21.
- the virtual machine software 23 is software that provides the virtual machine 30 using the hardware 21, and operates the virtual machine 30 here. For example, the virtual machine software 23 allocates virtual hardware 31 including a virtual disk, virtual memory, and virtual CPU to the guest OS 32 and operates the virtual machine 30.
- the virtual machine 30 has, for example, virtual hardware 31, a guest OS 32, and an analysis target program 33.
- the virtual hardware 31 is a virtual information processing apparatus that operates the guest OS 32 using a virtual disk, virtual physical memory, virtual CPU, or the like provided from the virtual machine software 23 and executes various processes.
- the guest OS 32 operates the analysis target program 33.
- the analysis target program 33 is a program or application that is an analysis target in the information processing apparatus 10, and is, for example, malware.
- The information processing apparatus 10 is connected to a plurality of communication destination devices 2a to 2c via an arbitrary network 5.
- For example, the communication destination device 2a is a malware distribution site, the communication destination device 2b is a search site, and the communication destination device 2c is a confidential information leakage destination site.
- The malware distribution site is a device that transmits data to the malware.
- The search site is, for example, a device that includes a search engine, and is used by the malware to confirm that its communication is connected.
- The confidential information leakage destination site is a device that receives, for example, confidential information acquired by the malware. Note that the malware distribution site and the confidential information leakage destination site may be the same device.
- The communication destination devices 2a to 2c are referred to as communication destination devices 2 when they are discussed generically without being distinguished. Note that the number of communication destination devices 2 to which the information processing apparatus 10 is connected is not limited to the number illustrated in FIG. 1.
- The virtual machine 30 of the information processing apparatus 10 attaches, to the data that the analysis target program 33 receives from a communication destination device 2, a taint tag that can identify that communication destination device 2.
- When the virtual machine 30 detects the start of a new program or a reservation to start one, and the data executed by that new program carries a taint tag, the virtual machine 30 identifies the communication destination device 2 designated by the taint tag as a malware distribution site.
- The virtual hardware 31 is a virtual information processing apparatus that runs the guest OS 32 and executes various processes, and includes a virtual memory 41a, a shadow memory 41b, a virtual disk 42a, a shadow disk 42b, a virtual NIC (Network Interface Card) 43, a communication destination information table 44, and a virtual CPU 45.
- The virtual memory 41a, the shadow memory 41b, the virtual disk 42a, the shadow disk 42b, the virtual NIC 43, the communication destination information table 44, the virtual CPU 45, and so on are provided by the virtual machine software 23.
- the virtual memory 41a is a virtual memory realized by allocating a predetermined area in the physical memory of the information processing apparatus 10 as a memory used by the guest OS 32 operating on the virtual machine 30.
- the virtual memory 41a stores programs and data read from the virtual disk 42a by the virtual CPU 45.
- the shadow memory 41b is a data structure that stores position information in which information for specifying a storage position on the virtual memory 41a in which data is stored is associated with a taint tag indicating that the data is a monitoring target.
- the structure of the shadow memory 41b may be a simple array structure, or a taint tag may be held as a tree structure.
- a value as a taint tag may be given, or as a pointer to a data structure holding taint information.
- The shadow memory 41b also stores, in association with each other, information specifying the storage position on the virtual memory 41a at which an API or system call is stored and breakpoint information.
- The "breakpoint information" here is information indicating that the process created by the analysis target program 33 is to be stopped and analysis processing executed. Specifically, the breakpoint information is either communication information, indicating that the API or system call is used for communication, or startup information, indicating that the API or system call starts a new program or reserves its start. The breakpoint information is set in advance by the user.
- The APIs and system calls recorded in the shadow memory 41b include the standard APIs for network communication and the system calls and standard APIs that start a new program or reserve its start. More specifically, when the OS is Windows (registered trademark), the system calls that start a new program or reserve its start include NtCreateProcess, and the standard APIs that do so include CreateProcess, WinExec and CreateService. When the OS is Linux (registered trademark), the system calls that start a new program or reserve its start include execve, and the standard APIs include system and execl.
- The shadow memory 41b likewise stores startup information (breakpoint information) in association with the storage locations on the virtual memory 41a of the system calls and standard APIs that write to the startup folder or to the specific registry keys that are executed when the OS starts.
- A new program may also take the form of a dynamic link library.
- The standard APIs that load a dynamic link library include LoadLibrary (a standard API of Windows (registered trademark)).
- Accordingly, the shadow memory 41b also associates startup information (breakpoint information) with the storage location on the virtual memory 41a of a system call or standard API such as LoadLibrary that loads a dynamic link library.
- Hereinafter, these system calls and standard APIs are sometimes referred to as "monitoring target instructions".
- the virtual disk 42a is a virtual disk realized by allocating a predetermined area in the physical disk of the information processing apparatus 10 as an area used by the guest OS 32 operating on the virtual machine 30.
- the virtual disk 42a stores a program to be executed by the virtual CPU 45, data to be processed by the program, and the like.
- the shadow disk 42b is a data structure that stores position information in which information for specifying a storage position on the virtual disk 42a in which data is stored is associated with a taint tag indicating that the data is a monitoring target.
- the shadow disk 42b may have a simple arrangement structure or a taint tag as a tree structure.
- a value as a taint tag may be given, or as a pointer to a data structure holding taint information.
- The shadow disk 42b also stores, in association with each other, information specifying the storage position on the virtual disk 42a at which an API or system call is stored and breakpoint information. Since the APIs, system calls and breakpoint information stored in the shadow disk 42b are the same as those stored in the shadow memory 41b, their detailed description is omitted.
- the virtual NIC 43 is recognized as a NIC by the guest OS 32 and is realized as software operating on a physical CPU. Further, the virtual NIC 43 controls the physical NIC, so that the guest OS 32 can communicate with the communication destination device 2 through the physical NIC.
- The communication destination information table 44 stores information indicating the communication destination device 2 that is the source of data to which a taint tag has been assigned. In other words, the communication destination information table 44 manages taint tags and communication destination information in association with each other.
- FIG. 3 is a diagram illustrating an example of the information stored in the communication destination information table 44. As shown in FIG. 3, the communication destination information table 44 stores the items "taint tag", "IP (Internet Protocol) version", "source address", "destination address", "IP protocol", "source port number" and "destination port number" in association with each other.
- “taint tag” stored in the communication destination information table 44 indicates an identifier of the taint tag. For example, data values such as “1” and “2” are stored in the “taint tag”.
- the “IP version” stored in the communication destination information table 44 indicates the IP protocol version. For example, a data value such as “4” indicating IPv4 is stored in “IP version”.
- The "source address" stored in the communication destination information table 44 indicates the address of the device that sent the packet. For example, data values such as "192.168.0.1" and "172.16.0.1" are stored in the "source address".
- the “destination address” stored in the communication destination information table 44 indicates the address of the packet receiving device.
- the “destination address” indicates an address assigned to the information processing apparatus 10. For example, “10.0.0.1” is stored in the “destination address”.
- the “IP protocol” stored in the communication destination information table 44 indicates a protocol number. For example, data values such as “6” indicating TCP (Transmission Control Protocol) and “17” indicating UDP (User Datagram Protocol) are stored in the “IP protocol”.
- The "source port number" stored in the communication destination information table 44 indicates the port number that identifies the sending program. For example, data values such as "80" and "20000" are stored in the "source port number".
- The "destination port number" stored in the communication destination information table 44 indicates the port number that identifies the receiving program. For example, data values such as "10000" and "10001" are stored in the "destination port number".
- For example, the row in FIG. 3 with taint tag "1" indicates that the tagged data was received over TCP (IP protocol "6") on IPv4 from the device with the source address "192.168.0.1". Note that the "source port number" and "destination port number" are acquired only when the IP protocol is 6 (TCP) or 17 (UDP).
- the virtual CPU 45 is a virtual CPU that is realized by assigning a predetermined processing capability of the physical CPU of the information processing apparatus 10 as a CPU used by the guest OS 32 operating on the virtual machine 30.
- the virtual CPU 45 includes, for example, a program execution unit 45a, a grant unit 45b, an update unit 45c, and a specifying unit 45d.
- the virtual CPU 45 has a virtual register and a shadow register (not shown).
- the virtual register is a virtual register realized by allocating a predetermined area in the physical register, physical memory, or physical disk of the information processing apparatus 10 as an area used by the guest OS 32 operating on the virtual machine 30.
- the virtual register stores a program and data read from the virtual memory 41a by the virtual CPU 45.
- the shadow register is a data structure that stores position information in which information for specifying a storage position on a virtual register in which data is stored is associated with a taint tag indicating that the data is a monitoring target.
- the shadow register is a data structure that stores information for specifying a storage position on a virtual register in which an API or a system call is stored and breakpoint information in association with each other. Since the API, system call, and breakpoint information stored in the shadow register are the same as the API, system call, and breakpoint information stored in the shadow memory 41b, detailed description thereof is omitted.
- the program execution unit 45a is a processing unit that executes a program stored in the virtual disk 42a.
- the program execution unit 45a reads a program from the virtual disk 42a and develops it in the virtual memory 41a. That is, the program execution unit 45a reads the execution target program from the virtual disk 42a and stores it in the virtual memory 41a, and then executes the execution target program stored in the virtual memory 41a.
- The assigning unit 45b assigns, to the data that the analysis target program 33 receives from a communication destination device 2, a tag that can identify that communication destination device 2. For example, when it detects that the virtual NIC 43 has received a packet, the assigning unit 45b acquires the communication destination information from the packet and generates a taint tag that does not yet exist in the communication destination information table 44. The assigning unit 45b then stores the communication destination information and the taint tag in the communication destination information table 44 in association with each other. In addition, when the data contained in the received packet is extracted and copied into the virtual memory 41a, the assigning unit 45b stores the taint tag in the shadow memory 41b at the position corresponding to the write destination in the virtual memory 41a.
- The data extracted from the packet includes a program and data referred to by the program.
- Hereinafter, the program and the data referred to by the program are simply referred to as "data".
- FIG. 4 is a diagram for explaining the processing operation of the assigning unit 45b.
- As shown in FIG. 4, the assigning unit 45b acquires the communication destination information and generates a taint tag.
- In the example of FIG. 4, the assigning unit 45b generates "6" as the new taint tag because 1 to 5 are already in use as taint tags. If the communication destination information table 44 already contains a record with the same communication destination information, the assigning unit 45b may reuse the taint tag of that record instead.
- The assigning unit 45b then stores the communication destination information (here the IP version, source address, destination address, IP protocol, source port number and destination port number) and the taint tag (here "6") in the communication destination information table 44 in association with each other.
- In the example of FIG. 4, the assigning unit 45b stores taint tag "6" in the communication destination information table 44 in association with the communication destination information IP version "4", source address "192.168.3.1", destination address "10.0.0.1", IP protocol "6", source port number "80" and destination port number "10003".
- The update unit 45c updates, according to the data flow, the position information that associates information indicating a data storage position with a tag. For example, while the program execution unit 45a executes the analysis target program 33, whenever data is copied or moved to another storage area, the update unit 45c stores the taint tag in association with the storage position in the destination storage area.
- The "storage area" mentioned here includes the virtual register, the virtual memory 41a and the virtual disk 42a.
- Specifically, the update unit 45c monitors the copying of data between the virtual register and the virtual memory 41a and between the virtual memory 41a and the virtual disk 42a, as well as arithmetic instructions that occur during execution of the analysis target program 33, and stores the taint tag in the shadow register, the shadow memory 41b or the shadow disk 42b corresponding to the respective storage area, in association with the storage position that is the copy destination or move destination of the data.
- In other words, the update unit 45c propagates the taint tag to the storage position of the storage area that is the copy destination or move destination.
- Hereinafter, the shadow register, the shadow memory 41b and the shadow disk 42b may be collectively referred to as the shadow area.
- Similarly, when an API or system call is copied or moved, the update unit 45c stores breakpoint information in the shadow area corresponding to each storage area, in association with the storage position that is the copy destination or move destination of the API or system call. In other words, the update unit 45c propagates breakpoint information to the storage position of the copy destination or move destination.
- When the specifying unit 45d detects the start of a new program or a reservation to start one, it determines whether a taint tag is attached to the data executed by the new program.
- If a taint tag is attached, the specifying unit 45d specifies the communication destination device 2 identified by that taint tag.
- While the program execution unit 45a is executing the analysis target program 33, the specifying unit 45d constantly monitors for the start of a new program or the execution of a start reservation.
- A new program is started, or its start reserved, through a system call or standard API provided by the guest OS 32.
- The specifying unit 45d therefore determines whether startup information (breakpoint information) is set in association with the storage location of the system call or standard API called by the analysis target program 33.
- When it is, the specifying unit 45d detects the start of a new program or the execution of a start reservation.
- Having detected the start of a new program or the execution of a start reservation, the specifying unit 45d checks whether a corresponding taint tag exists in the shadow area corresponding to the storage area of the program to be newly executed or reserved for execution.
- The storage area of a program here means a file stored in the virtual disk 42a.
- For example, in WinExec, a standard API of Windows (registered trademark), a pointer to a command line is passed as an argument, and the file of the program to be started can be determined from it.
- When the start of a program is detected, the specifying unit 45d determines whether a taint tag exists in the shadow area corresponding to the storage area of the program, and likewise whether a taint tag exists in the shadow area corresponding to the storage area of the data referred to by the program.
- When it determines that a taint tag exists in the shadow area corresponding to the storage area of the program to be newly executed or reserved for execution, the specifying unit 45d acquires that taint tag. The specifying unit 45d then acquires the communication destination information corresponding to the taint tag from the communication destination information table 44 and specifies the acquired communication destination information as the communication destination information of the malware distribution site.
- For example, suppose the communication destination information table 44 holds the information shown in FIG. 3 and the taint tag acquired from the shadow area is "4". The specifying unit 45d then looks up the communication destination information corresponding to taint tag "4"; that is, it specifies the communication destination device 2 whose address is "192.168.1.1", whose protocol is "6" and whose port number is "80". The specifying unit 45d provides the specified communication destination device 2 to the user as information on the malware distribution site. When it determines that no taint tag exists, the specifying unit 45d lets the program continue executing.
- The analysis target program 33 may also directly execute a program newly unpacked into memory without going through a system call or standard API (monitoring target instruction). For this reason, besides the case where execution of a system call or standard API is detected, the specifying unit 45d determines whether a taint tag is attached in association with the storage position of each machine language instruction about to be executed.
- When such a taint tag is attached, the specifying unit 45d acquires the communication destination information corresponding to the taint tag from the communication destination information table 44 and specifies it as the communication destination information of the malware distribution site.
- FIG. 5 is a flowchart illustrating a processing procedure for assigning a taint tag by the assigning unit 45b.
- As shown in FIG. 5, the assigning unit 45b determines whether a packet has been received (step S101).
- When the assigning unit 45b determines that a packet has been received (step S101, Yes), it acquires the communication destination information from the packet (step S102). When it determines that no packet has been received (step S101, No), it repeats the determination of step S101.
- After step S102, the assigning unit 45b generates a taint tag (step S103). The assigning unit 45b then stores the communication destination information and the taint tag in the communication destination information table 44 in association with each other (step S104). The assigning unit 45b stores the received data in the virtual memory 41a (step S105) and stores the taint tag in the shadow memory 41b (step S106).
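The assigning procedure of FIG. 4 and FIG. 5 (steps S101 to S106) as a worked example, written for this page and not taken from the patent: a small Python model of the assigning unit 45b that parses a constructed IPv4 packet as the virtual NIC would deliver it, extracts the communication destination information of FIG. 3, reuses or allocates a taint tag, and records that tag in the shadow memory for every byte of payload written into guest memory. The class and function names, the packet builders, the guest memory layout and all addresses are assumptions made for illustration; checksums are left zero because nothing here verifies them.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# One row of the communication destination information table 44 (FIG. 3):
# (IP version, source address, destination address, IP protocol, source port, destination port).
# Ports are None for protocols other than TCP (6) and UDP (17).
CommDest = Tuple[int, str, str, int, Optional[int], Optional[int]]


def ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed test input: a minimal IPv4 header (IHL = 5, checksum 0) in front of an L4 body."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + l4


def ipv4_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test input: IPv4/TCP packet with a 20-byte TCP header (PSH+ACK, checksum 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ipv4_frame(src, dst, 6, tcp + payload)


@dataclass
class AssigningUnit:
    """Hypothetical model of the assigning unit 45b; names and layout are assumptions."""
    table: Dict[int, CommDest] = field(default_factory=dict)    # taint tag -> destination info
    shadow_memory: Dict[int, int] = field(default_factory=dict)  # guest byte address -> taint tag
    guest_memory: bytearray = field(default_factory=lambda: bytearray(0x10000))

    def tag_for(self, dest: CommDest) -> int:
        """Reuse the tag of an identical record; otherwise allocate a tag not yet in the table."""
        for tag, rec in self.table.items():
            if rec == dest:
                return tag
        tag = max(self.table, default=0) + 1
        self.table[tag] = dest
        return tag

    def on_packet(self, frame: bytes, write_addr: int) -> int:
        """Steps S101-S106: parse the received packet, record its source, tag the copied data."""
        version = frame[0] >> 4
        if version != 4:
            raise ValueError("this example parses IPv4 only")
        ihl = (frame[0] & 0x0F) * 4
        proto = frame[9]
        src = ".".join(str(b) for b in frame[12:16])
        dst = ".".join(str(b) for b in frame[16:20])
        sport = dport = None
        data_off = ihl
        if proto == 6:                      # TCP: read the ports, skip the variable-length header
            sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
            data_off = ihl + (frame[ihl + 12] >> 4) * 4
        elif proto == 17:                   # UDP: read the ports, fixed 8-byte header
            sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
            data_off = ihl + 8
        # any other protocol (e.g. ICMP) has no port numbers, as the patent notes for FIG. 3
        dest: CommDest = (version, src, dst, proto, sport, dport)
        tag = self.tag_for(dest)                                   # S102-S104
        payload = frame[data_off:]
        self.guest_memory[write_addr:write_addr + len(payload)] = payload   # S105
        for i in range(len(payload)):                              # S106: one tag per byte
            self.shadow_memory[write_addr + i] = tag
        return tag


if __name__ == "__main__":
    unit = AssigningUnit()
    # Reproduce the FIG. 4 situation: tags 1 to 5 are already in use (constructed rows).
    for i in range(1, 6):
        unit.table[i] = (4, f"192.168.{i}.100", "10.0.0.1", 6, 80, 20000 + i)
    frame = ipv4_tcp_frame("192.168.3.1", "10.0.0.1", 80, 10003, b"MZ\x90\x00constructed-stage2")
    print("assigned tag", unit.on_packet(frame, 0x4000), "->", unit.table[6])
```

Tagging per byte rather than per buffer is what lets the later propagation step follow a partial copy (for example, a dropper that writes only the decoded second half of a download to disk). The example deliberately keeps port numbers absent for non-TCP/UDP traffic instead of defaulting them to 0, so that two distinct ICMP-only sources never collapse into one table row.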
- FIG. 6 is a flowchart showing a procedure of processing for specifying a malware distribution site by the specifying unit 45d.
- As shown in FIG. 6, the specifying unit 45d determines whether the start of a new program or the execution of a start reservation has been detected (step S201).
- When the specifying unit 45d determines that the start of a new program or the execution of a start reservation has been detected (step S201, Yes), it identifies the storage area of the program (step S202). When it determines that neither has been detected (step S201, No), it repeats the determination of step S201.
- After step S202, the specifying unit 45d determines whether a taint tag exists in the shadow area (step S203). When it determines that a taint tag exists in the shadow area (step S203, Yes), the specifying unit 45d acquires the taint tag (step S204). When it determines that no taint tag exists in the shadow area (step S203, No), the processing ends.
- After step S204, the specifying unit 45d refers to the communication destination information table 44 and acquires the communication destination information corresponding to the taint tag (step S205). The specifying unit 45d then specifies the malware distribution site (step S206).
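The propagation performed by the update unit 45c and the specifying procedure of FIG. 6 (steps S201 to S206), as one added example that is not part of the patent: a Python model of a virtual CPU with a shadow register, shadow memory and shadow disk. Tags flow along loads, stores, arithmetic and file writes; a start API whose address carries startup breakpoint information triggers a look-up of the shadow disk entries of the file being started and of the files it refers to, and an instruction executed directly out of tainted memory (the case above where no monitoring target instruction is used) triggers the same look-up on the shadow memory. The breakpoint addresses, the pre-filled table rows, the register names and the file paths are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (IP version, source address, destination address, IP protocol, source port, destination port)
CommDest = Tuple[int, str, str, int, Optional[int], Optional[int]]

# Constructed contents of the communication destination information table 44, as the
# assigning unit 45b would have filled it in while packets arrived (rows are made up).
COMM_DEST_TABLE: Dict[int, CommDest] = {
    4: (4, "192.168.1.1", "10.0.0.1", 6, 80, 10001),
    6: (4, "192.168.3.1", "10.0.0.1", 6, 80, 10003),
}

# Assumed guest addresses of monitoring target instructions and the breakpoint information
# the user set for them (e.g. the entry of CreateProcess / execve, and of a communication API).
BREAKPOINTS: Dict[int, str] = {
    0x7FF01000: "startup",
    0x7FF02000: "communication",
}


@dataclass
class TaintVM:
    """Model of the update unit 45c and specifying unit 45d over the three shadow areas."""
    shadow_reg: Dict[str, Set[int]] = field(default_factory=dict)   # register name -> tags
    shadow_mem: Dict[int, Set[int]] = field(default_factory=dict)   # byte address -> tags
    shadow_disk: Dict[str, Set[int]] = field(default_factory=dict)  # file path -> tags

    # ---- update unit 45c: propagate tags along every copy, move or arithmetic result ----
    def _mem_tags(self, addr: int, size: int) -> Set[int]:
        tags: Set[int] = set()
        for a in range(addr, addr + size):
            tags |= self.shadow_mem.get(a, set())
        return tags

    def load(self, reg: str, addr: int, size: int) -> None:
        """mov reg, [addr]: the register takes the tags of the bytes it was loaded from."""
        self.shadow_reg[reg] = self._mem_tags(addr, size)

    def store(self, addr: int, reg: str, size: int) -> None:
        """mov [addr], reg: the destination bytes take the register's tags (or are cleared)."""
        tags = self.shadow_reg.get(reg, set())
        for a in range(addr, addr + size):
            if tags:
                self.shadow_mem[a] = set(tags)
            else:
                self.shadow_mem.pop(a, None)   # overwritten with untainted data

    def alu(self, dst: str, src: str) -> None:
        """add/xor/... dst, src: the result carries the tags of both operands."""
        self.shadow_reg[dst] = self.shadow_reg.get(dst, set()) | self.shadow_reg.get(src, set())

    def write_file(self, path: str, addr: int, size: int) -> None:
        """WriteFile-style copy from memory to the virtual disk: tags move to the shadow disk."""
        self.shadow_disk[path] = self._mem_tags(addr, size)

    # ---- specifying unit 45d: resolve tags to the communication destination ----
    def _identify(self, tags: Set[int]) -> List[CommDest]:
        """Steps S204-S206: look each tag up in the communication destination table."""
        return [COMM_DEST_TABLE[t] for t in sorted(tags) if t in COMM_DEST_TABLE]

    def execute(self, pc: int, start_arg: Optional[str] = None,
                referenced: Tuple[str, ...] = ()) -> List[CommDest]:
        """Called for every instruction; returns the distribution sites identified at this step.

        start_arg is the file a start API was asked to run (taken from its arguments, as with
        the command line pointer passed to WinExec); referenced lists files that program refers
        to, such as a DLL it loads.
        """
        if BREAKPOINTS.get(pc) == "startup" and start_arg is not None:
            # S201-S203: start of a new program detected; inspect the files' shadow disk entries
            tags: Set[int] = set()
            for path in (start_arg,) + referenced:
                tags |= self.shadow_disk.get(path, set())
            return self._identify(tags)
        # No monitoring target instruction involved: the instruction itself may have been
        # unpacked straight into memory from tainted data, so check its own shadow memory entry.
        return self._identify(self.shadow_mem.get(pc, set()))


if __name__ == "__main__":
    vm = TaintVM()
    for a in range(0x1000, 0x1010):          # bytes the assigning unit tagged with "6"
        vm.shadow_mem[a] = {6}
    vm.load("eax", 0x1000, 4)
    vm.store(0x2000, "eax", 4)
    vm.write_file("C:\\Users\\Public\\stage2.exe", 0x2000, 4)
    print(vm.execute(0x7FF01000, "C:\\Users\\Public\\stage2.exe"))
```

Each shadow location holds a set of tags rather than a single value; that is the "pointer to a data structure holding taint information" option mentioned above, and it is what keeps the analysis correct when a dropper assembles one file from downloads fetched from two different hosts. Clearing the tag when clean data overwrites a tainted byte matters as much as propagating it: without that, a scratch buffer reused for legitimate output would keep reporting a distribution site long after the tainted bytes were gone.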
- the virtual CPU 45 assigns a taint tag that can identify the communication destination device to data received from the communication destination device by the program to be analyzed. Then, when the virtual CPU 45 detects activation or reservation for activation of a new program, if a taint tag is added to data executed by the new program, the virtual CPU 45 identifies the communication destination device 2 identified by the taint tag. .
- Malware downloads and executes new malware in order to add functions and fix bugs.
- Among malware communication destinations there are, besides new-malware download sources, other kinds of servers, such as information leakage destinations and servers that distribute instructions from attackers.
- When the analysis target program 33 downloads a new program via the network, the communication destination device 2 that is the download source of that program is identified. That is, according to the first embodiment, a host that distributes new malware can be identified by analyzing the malware.
- The communication destination information that the virtual NIC 43 can acquire is generally limited to layer 2 (Ethernet (registered trademark)) information. With information obtained from layer 2 alone, it may be difficult to reconstruct a URL (Uniform Resource Locator).
- For a URL used in HTTP (HyperText Transfer Protocol) communication, the host name portion is resolved first and the communication then takes place using the IP address. For this reason, a URL can be acquired as communication destination information by monitoring the API used for HTTP communication. That is, communication destination information acquired from the communication API may be preferable to the communication destination information that the virtual NIC 43 can acquire.
- The case in which the assigning unit 45b acquires the communication destination information when the virtual NIC 43 receives a packet has been described above. Alternatively, the communication destination information corresponding to an API may be acquired immediately after the standard network communication API provided by the OS or the like has been called.
- Specifically, the assigning unit 45b determines whether communication information (breakpoint information) is stored in association with the storage location of the called API. If it is, the assigning unit 45b detects the communication API call, acquires the communication destination information from the communication API, and stores the acquired communication destination information in the communication destination information table 44.
- Each component of each illustrated apparatus is functionally conceptual and need not be physically configured as illustrated. That is, the specific form of distribution or integration of each device is not limited to that shown in the figures; all or part of it may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions.
- Program: It is also possible to create a specific program in which the processing executed by the information processing apparatus according to the first embodiment is described in a language executable by a computer. In this case, the same effects as in the above embodiment can be obtained by the computer executing the specific program. Furthermore, such a specific program may be recorded on a computer-readable recording medium, and the same processing as in the above embodiment may be realized by having a computer read and execute the specific program recorded on the recording medium.
- A computer that executes a specific program realizing the same functions as the information processing apparatus 10 illustrated in FIG. 1 and the like is described below.
- FIG. 7 is a diagram illustrating a computer 1000 that executes a specific program.
- the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
- the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012.
- the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
- the hard disk drive interface 1030 is connected to the hard disk drive 1090.
- the disk drive interface 1040 is connected to the disk drive 1100.
- a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example.
- a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050.
- a display 1130 is connected to the video adapter 1060.
- the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094.
- the specific program described in the above embodiment is stored in, for example, the hard disk drive 1090 or the memory 1010.
- the specific program is stored in, for example, the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described.
- That is, a program module describing an assigning procedure that executes information processing similar to that of the assigning unit 45b described in the above embodiment, and an identifying procedure that executes information processing similar to that of the identifying unit 45d, is stored in the hard disk drive 1090.
- data used for information processing by the specific program is stored in the hard disk drive 1090 as program data, for example.
- the CPU 1020 reads out the program module and program data stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes each procedure described above.
- The program module and program data relating to the specific program are not limited to being stored in the hard disk drive 1090; they may, for example, be stored in a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like.
- The program module and program data relating to the specific program may also be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and read out by the CPU 1020 via the network interface 1070.
- the specific program described in this embodiment can be distributed via a network such as the Internet.
- The specific program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, or a DVD, and being read from the recording medium by the computer.
- 10 Information processing apparatus
- 20 Physical machine
- 21 Hardware
- 22 Host OS
- 23 Virtual machine software
- 30 Virtual machine
- 31 Virtual hardware
- 32 Guest OS
- 33 Analysis target program
- 41a Virtual memory
- 41b Shadow memory
- 42a Virtual disk
- 42b Shadow disk
- 43 Virtual NIC
- 44 Communication destination information table
- 45 Virtual CPU
- 45a Program execution unit
- 45b Assigning unit
- 45c Updating unit
- 45d Identifying unit
- 1000 Computer
- 1010 Memory
- 1011 ROM
- 1012 RAM
- 1020 CPU
- 1030 Hard disk drive interface
- 1040 Disk drive interface
- 1050 Serial port interface
- 1060 Video adapter
- 1070 Network interface
- 1080 Bus
- 1090 Hard disk drive
- 1091 OS
- 1092 Application program
- 1093 Program module
- 1094 Program data
- 1100 Disk drive
- 1110 Mouse
- 1120 Keyboard
- 1130 Display
Description
FIG. 1 is a diagram illustrating a configuration example of the information processing apparatus 10. As shown in FIG. 1, the information processing apparatus 10 has a physical machine 20 and a virtual machine 30. The physical machine 20 has hardware 21, a host OS (Operating System) 22, and virtual machine software 23.
The embodiments of the present invention have been described above, but the present invention may also be carried out in embodiments other than those described. Other embodiments are therefore described below.
Among the processes described in this embodiment, all or part of the processes described as being performed automatically may also be performed manually, and all or part of the processes described as being performed manually may be performed automatically by known methods. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above description and drawings (for example, FIGS. 1 to 6) may be changed arbitrarily unless otherwise specified.
It is also possible to create a specific program in which the processing executed by the information processing apparatus according to the first embodiment is described in a language executable by a computer. In this case, the same effects as in the above embodiment can be obtained by the computer executing the specific program. Further, the specific program may be recorded on a computer-readable recording medium, and the same processing as in the above embodiment may be realized by having a computer read and execute the specific program recorded on the recording medium. An example of a computer that executes a specific program realizing the same functions as the information processing apparatus 10 shown in FIG. 1 and the like is described below.
The specific program described in this embodiment can be distributed via a network such as the Internet. The specific program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, or a DVD, and being read from the recording medium by a computer.
Claims (8)
- An information processing apparatus comprising:
an assigning unit that assigns, to data received from a communication destination device by a program under analysis, a tag by which the communication destination device can be identified; and
an identifying unit that, when activation of a new program or an activation reservation is detected, determines whether the tag is assigned to the data that the new program executes and, when the tag is assigned, identifies the communication destination device identified by the tag.
- The information processing apparatus according to claim 1, wherein the assigning unit generates communication destination information associating the tag with an identifier of the communication destination device, and generates position information associating the tag with information indicating the storage location of the data in a storage area.
- The information processing apparatus according to claim 2, wherein the assigning unit extracts the identifier of the communication destination device from a packet containing the data received from the communication destination device.
- The information processing apparatus according to claim 2 or 3, wherein, when a monitored instruction is called and communication information indicating that the monitored instruction is for communication is stored in association with the storage location of the monitored instruction in the storage area, the assigning unit extracts the identifier of the communication destination device from the monitored instruction.
- The information processing apparatus according to claim 2 or 3, further comprising an updating unit that updates the position information according to the flow of the data.
- The information processing apparatus according to claim 1, wherein the identifying unit detects activation of a program or an activation reservation when a monitored instruction is called and activation information indicating that the monitored instruction is for program activation or for program activation reservation is stored in association with the storage location of the monitored instruction in the storage area.
- The information processing apparatus according to claim 1, wherein, when the tag is assigned in association with the storage location in the storage area of a machine language instruction to be executed, the identifying unit identifies the communication destination device identified by the tag.
- An identifying method comprising:
an assigning step in which a computer assigns, to data received from a communication destination device by a program under analysis, a tag by which the communication destination device can be identified; and
an identifying step in which, when activation of a new program or an activation reservation is detected and the tag is assigned to the data that the new program executes, the computer identifies the communication destination device identified by the tag.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015518136A JP5965059B2 (ja) | 2013-05-20 | 2014-03-26 | 情報処理装置及び特定方法 |
CN201480027875.9A CN105247533B (zh) | 2013-05-20 | 2014-03-26 | 信息处理装置和确定方法 |
EP14801488.9A EP2985716B1 (en) | 2013-05-20 | 2014-03-26 | Information processing device and identifying method |
US14/890,058 US10097567B2 (en) | 2013-05-20 | 2014-03-26 | Information processing apparatus and identifying method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2013-106088 | 2013-05-20 | ||
JP2013106088 | 2013-05-20 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014188780A1 true WO2014188780A1 (ja) | 2014-11-27 |
Family
ID=51933346
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/058692 WO2014188780A1 (ja) | 2013-05-20 | 2014-03-26 | 情報処理装置及び特定方法 |
Country Status (5)
Country | Link |
---|---|
US (1) | US10097567B2 (ja) |
EP (1) | EP2985716B1 (ja) |
JP (1) | JP5965059B2 (ja) |
CN (1) | CN105247533B (ja) |
WO (1) | WO2014188780A1 (ja) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016122262A (ja) * | 2014-12-24 | 2016-07-07 | 日本電信電話株式会社 | 特定装置、特定方法および特定プログラム |
JP6018346B2 (ja) * | 2014-06-17 | 2016-11-02 | 日本電信電話株式会社 | 情報処理システム、制御方法及び制御プログラム |
JP2017004521A (ja) * | 2015-06-05 | 2017-01-05 | フィッシャー−ローズマウント システムズ,インコーポレイテッド | インテグリティに基づき産業企業システムにおけるエンドポイントの通信を制御する方法および装置 |
WO2022195739A1 (ja) * | 2021-03-16 | 2022-09-22 | 日本電信電話株式会社 | 活動痕跡抽出装置、活動痕跡抽出方法および活動痕跡抽出プログラム |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6174826B2 (ja) * | 2015-01-28 | 2017-08-02 | 日本電信電話株式会社 | マルウェア解析システム、マルウェア解析方法およびマルウェア解析プログラム |
US11016874B2 (en) * | 2018-09-19 | 2021-05-25 | International Business Machines Corporation | Updating taint tags based on runtime behavior profiles |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070250930A1 (en) * | 2004-04-01 | 2007-10-25 | Ashar Aziz | Virtual machine with dynamic data flow analysis |
JP2011257901A (ja) * | 2010-06-08 | 2011-12-22 | Nippon Telegr & Teleph Corp <Ntt> | 解析システム、解析装置、解析方法及び解析プログラム |
JP2012083798A (ja) | 2010-10-06 | 2012-04-26 | Nippon Telegr & Teleph Corp <Ntt> | 解析方法、解析装置及び解析プログラム |
JP2012234540A (ja) * | 2011-05-04 | 2012-11-29 | Nhn Business Platform Corp | 悪性コード検出システム及び悪性コード検出方法 |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8539582B1 (en) | 2004-04-01 | 2013-09-17 | Fireeye, Inc. | Malware containment and security analysis on connection |
US8204984B1 (en) * | 2004-04-01 | 2012-06-19 | Fireeye, Inc. | Systems and methods for detecting encrypted bot command and control communication channels |
US8561177B1 (en) | 2004-04-01 | 2013-10-15 | Fireeye, Inc. | Systems and methods for detecting communication channels of bots |
US7870610B1 (en) | 2007-03-16 | 2011-01-11 | The Board Of Directors Of The Leland Stanford Junior University | Detection of malicious programs |
US8468310B2 (en) * | 2007-07-31 | 2013-06-18 | Vmware, Inc. | Method and system for tracking data correspondences |
US8074281B2 (en) * | 2008-01-14 | 2011-12-06 | Microsoft Corporation | Malware detection with taint tracking |
US8893280B2 (en) * | 2009-12-15 | 2014-11-18 | Intel Corporation | Sensitive data tracking using dynamic taint analysis |
US9298918B2 (en) * | 2011-11-30 | 2016-03-29 | Elwha Llc | Taint injection and tracking |
US9111092B2 (en) * | 2011-08-29 | 2015-08-18 | Novell, Inc. | Security event management apparatus, systems, and methods |
US9053319B2 (en) * | 2011-09-29 | 2015-06-09 | Hewlett-Packard Development Company, L.P. | Context-sensitive taint processing for application security |
US9792430B2 (en) * | 2011-11-03 | 2017-10-17 | Cyphort Inc. | Systems and methods for virtualized malware detection |
US9519781B2 (en) * | 2011-11-03 | 2016-12-13 | Cyphort Inc. | Systems and methods for virtualization and emulation assisted malware detection |
US9176843B1 (en) * | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
CN105210077B (zh) * | 2013-05-16 | 2018-04-13 | 日本电信电话株式会社 | 信息处理装置以及信息处理方法 |
TWI553503B (zh) * | 2014-02-27 | 2016-10-11 | 國立交通大學 | 產生候選鈎點以偵測惡意程式之方法及其系統 |
2014
- 2014-03-26 EP EP14801488.9A patent/EP2985716B1/en active Active
- 2014-03-26 CN CN201480027875.9A patent/CN105247533B/zh active Active
- 2014-03-26 WO PCT/JP2014/058692 patent/WO2014188780A1/ja active Application Filing
- 2014-03-26 US US14/890,058 patent/US10097567B2/en active Active
- 2014-03-26 JP JP2015518136A patent/JP5965059B2/ja active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070250930A1 (en) * | 2004-04-01 | 2007-10-25 | Ashar Aziz | Virtual machine with dynamic data flow analysis |
JP2011257901A (ja) * | 2010-06-08 | 2011-12-22 | Nippon Telegr & Teleph Corp <Ntt> | 解析システム、解析装置、解析方法及び解析プログラム |
JP2012083798A (ja) | 2010-10-06 | 2012-04-26 | Nippon Telegr & Teleph Corp <Ntt> | 解析方法、解析装置及び解析プログラム |
JP2012234540A (ja) * | 2011-05-04 | 2012-11-29 | Nhn Business Platform Corp | 悪性コード検出システム及び悪性コード検出方法 |
Non-Patent Citations (1)
Title |
---|
See also references of EP2985716A4 |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6018346B2 (ja) * | 2014-06-17 | 2016-11-02 | 日本電信電話株式会社 | 情報処理システム、制御方法及び制御プログラム |
US10248790B2 (en) | 2014-06-17 | 2019-04-02 | Nippon Telegraph And Telephone Corporation | Information processing system, controlling method, and controlling computer program |
JP2016122262A (ja) * | 2014-12-24 | 2016-07-07 | 日本電信電話株式会社 | 特定装置、特定方法および特定プログラム |
JP2017004521A (ja) * | 2015-06-05 | 2017-01-05 | フィッシャー−ローズマウント システムズ,インコーポレイテッド | インテグリティに基づき産業企業システムにおけるエンドポイントの通信を制御する方法および装置 |
WO2022195739A1 (ja) * | 2021-03-16 | 2022-09-22 | 日本電信電話株式会社 | 活動痕跡抽出装置、活動痕跡抽出方法および活動痕跡抽出プログラム |
Also Published As
Publication number | Publication date |
---|---|
CN105247533B (zh) | 2017-12-12 |
EP2985716A4 (en) | 2016-12-21 |
JPWO2014188780A1 (ja) | 2017-02-23 |
CN105247533A (zh) | 2016-01-13 |
EP2985716A1 (en) | 2016-02-17 |
US10097567B2 (en) | 2018-10-09 |
JP5965059B2 (ja) | 2016-08-03 |
EP2985716B1 (en) | 2020-08-12 |
US20160127396A1 (en) | 2016-05-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5965059B2 (ja) | 情報処理装置及び特定方法 | |
US7444621B2 (en) | Method and system for providing a common operating system | |
US20180039507A1 (en) | System and method for management of a virtual machine environment | |
CN114207586A (zh) | 用于容器部署的动态映像合成 | |
US20170223040A1 (en) | Identifying device, identifying method and identifying program | |
JP5832954B2 (ja) | タグ付与装置及びタグ付与方法 | |
JP2012079130A (ja) | デバッグ支援プログラム、デバッグ支援装置、及びデバッグ支援方法 | |
US11068281B2 (en) | Isolating applications at the edge | |
US8677339B2 (en) | Component relinking in migrations | |
WO2019013033A1 (ja) | コールスタック取得装置、コールスタック取得方法、および、コールスタック取得プログラム | |
US9898389B2 (en) | Debugging a transaction in a replica execution environment | |
JP6018346B2 (ja) | 情報処理システム、制御方法及び制御プログラム | |
US20140372984A1 (en) | Safe low cost web services software deployments | |
US20070250814A1 (en) | Debugging in an operating system with multiple subsystems | |
US8104019B2 (en) | Debugging in an operating system with multiple subsystems | |
JP5766650B2 (ja) | 情報処理装置、監視方法および監視プログラム | |
JP6736927B2 (ja) | 配備装置、配備方法および配備プログラム | |
JP6770335B2 (ja) | 解析装置及びプログラム | |
JP2019125243A (ja) | マルウェア検知システムおよびマルウェア検知方法 | |
JP2019168945A (ja) | 管理システム、端末装置、管理装置、管理方法、およびプログラム | |
JP5710547B2 (ja) | 情報処理装置、監視方法および監視プログラム | |
Valsamakis | Windows Malware Analysis | |
JP4681669B2 (ja) | 要求内容抽出プログラム、要求内容抽出方法および要求内容抽出装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14801488; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2015518136; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 14890058; Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 2014801488; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |