WO2018179628A1 - Signature generation device, signature generation method, and non-transitory computer-readable medium storing a program - Google Patents
- Publication number
- WO2018179628A1 (application PCT/JP2017/045830)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- signature
- character string
- attack data
- generated
- generation
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
- G06F16/90344—Query processing by using string matching techniques
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- The present invention relates to a signature generation device, a signature generation method, and a program.
- A computer may be attacked from the outside by attack data such as malware.
- Malware is malicious software, such as computer viruses and worms, created with the intention of making a computer operate in an unauthorized and harmful way.
- The signature-based approach registers a signature that defines attack data and uses that signature to determine whether data received from the outside is attack data.
- Recently, techniques for collecting threat information and automatically generating signatures from the collected threat information have been proposed (for example, Patent Documents 1 and 2).
- Patent Documents 1 and 2 do not particularly verify the signature generated from the threat information, so the generated signature may erroneously determine non-attack data to be attack data.
- An object of the present invention is therefore to provide a signature generation device, a signature generation method, and a program that can generate a signature with a reduced possibility of determining non-attack data to be attack data.
- The signature generation device according to the present invention comprises: a collection unit that collects threat information; an extraction unit that extracts attack data from the threat information collected by the collection unit; and a generation unit that generates a signature based on the attack data extracted by the extraction unit.
- When the extraction unit extracts a plurality of attack data items having a common character string, the generation unit tentatively generates a signature including the common character string, evaluates whether the tentatively generated signature includes a character string used in non-attack data, and, when it does, generates the signature by removing that character string from the tentatively generated signature.
- The signature generation method according to the present invention is performed by a signature generation device and comprises: a collection step of collecting threat information; an extraction step of extracting attack data from the threat information collected in the collection step; and a generation step of generating a signature based on the attack data extracted in the extraction step. In the generation step, when a plurality of attack data items having a common character string are extracted in the extraction step, a signature including the common character string is tentatively generated, the tentatively generated signature is evaluated for whether it includes a character string used in non-attack data, and, when it does, the signature is generated by removing that character string from the tentatively generated signature.
- The program according to the present invention causes a computer to execute: a collection procedure of collecting threat information; an extraction procedure of extracting attack data from the threat information collected in the collection procedure; and a generation procedure of generating a signature based on the attack data extracted in the extraction procedure. In the generation procedure, when a plurality of attack data items having a common character string are extracted in the extraction procedure, a signature including the common character string is tentatively generated, the tentatively generated signature is evaluated for whether it includes a character string used in non-attack data, and, when it does, the signature is generated by removing that character string from the tentatively generated signature.
- FIG. 1 is a diagram illustrating a configuration example of the signature generation device 1 according to the present embodiment.
- The signature generation device 1 includes a collection unit 10, an extraction unit 20, a signature generation unit 30, a signature input unit 40, a collection rule DB (database; hereinafter the same) 50, an extraction rule DB 60, a generation rule DB 70, and an input rule DB 80.
- The collection rule DB 50, the extraction rule DB 60, the generation rule DB 70, and the input rule DB 80 are not limited to being provided inside the signature generation device 1 and may be provided outside it.
- The collection unit 10 collects threat information according to the collection rules registered in the collection rule DB 50.
- Threat information is information indicating threats that have occurred on computers, and is provided by many threat information providers.
- A collection rule includes, for example, the URL (Uniform Resource Locator) of a threat information collection source (for example, a server of a threat information provider) and the type of threat information (for example, IP (Internet Protocol) address information) to be collected from that collection source.
- The extraction unit 20 extracts attack data from the threat information collected by the collection unit 10 according to the extraction rules registered in the extraction rule DB 60. Details of the operation of the extraction unit 20 are described later.
- The signature generation unit 30 generates a signature based on the attack data extracted by the extraction unit 20 according to the generation rule registered in the generation rule DB 70. Details of the operation of the signature generation unit 30 are described later.
- The signature input unit 40 inputs the signature generated by the signature generation unit 30 into the input destination according to the input rule registered in the input rule DB 80.
- The signature input destination is a device that detects attack data sent from the outside to a computer, such as a security server arranged on the network or a security module arranged in a client terminal.
- The input rule defines, for example, the input destination into which a signature is input and the access method for that destination (ID (identification), password, and the like).
- FIG. 2 is a diagram illustrating an example of an extraction rule registered in the extraction rule DB 60.
- The extraction rule shown in FIG. 2 consists of the type of threat information ("Type" in the figure), the rule for extracting attack data from the threat information ("rule" in the figure), the tag to be set on the extracted attack data ("Tag" in the figure), and the URL from which the threat information is collected ("URL (Source)" in the figure).
- The extraction unit 20 extracts attack data from threat information of the type specified by the extraction rule, collected from the collection source URL specified by the extraction rule, according to the rule specified by the extraction rule, and sets the tag prescribed by the extraction rule on the extracted attack data.
- For example, the extraction unit 20 uses the rule "parser1" to extract attack data and then sets the tag "tor" on the extracted attack data.
- The extraction unit 20 holds the attack data extracted in this way, and the signature generation unit 30 generates a signature based on the attack data held by the extraction unit 20.
- However, threat information has a different data format for each collection source. If the extraction unit 20 held the attack data in these differing formats, the signature generation unit 30 would have to recognize the data format of each item in order to read the attack data held by the extraction unit 20, and generating a signature would take a long time.
- FIG. 3 is a diagram illustrating an example of the data format of the attack data held by the extraction unit 20.
- The items of the data format shown in FIG. 3 are the threat information collection source from which the attack data was extracted ("Source" in the figure), the type of threat information ("Type" in the figure), an object representing the attack data ("Object" in the figure), the date on which the attack data was extracted ("date" in the figure), and the tag set on the attack data ("tag" in the figure).
- The object representing the attack data may be the attack data itself or a hash value of the attack data.
- The method of calculating the hash value can be defined by the rule.
- The extraction unit 20 thus converts the attack data into a predetermined data format before holding it, so that the signature generation unit 30 can read the attack data from the extraction unit 20 quickly and the time required to generate a signature is shortened.
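To make the FIG. 3 format concrete, here is an added Python example (not code from the patent or its applicant) that applies extraction rules of the FIG. 2 shape to two constructed feeds, a plain-text IP list and a JSON list, and holds every result in one record type carrying the five FIG. 3 items. The parser names parser1 and parser2, the feed URLs (under .invalid), the feed contents, the tag "phish", the extra hash_object column and SHA-256 as the hash method are all assumptions of this example; the page itself names only the rule "parser1" and the tag "tor" and says that the hash method is defined by the rule.

```python
"""Normalising attack data from heterogeneous threat feeds into the FIG. 3 record format.
Added example; feeds, rules and parsers are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AttackRecord:
    """One attack data item in the common format (the five FIG. 3 items)."""
    source: str   # URL of the collection source the item came from
    type: str     # type of threat information
    object: str   # the attack data itself, or its hash
    date: str     # extraction date, ISO 8601
    tag: str      # tag set by the extraction rule


@dataclass(frozen=True)
class ExtractionRule:
    """One row of a FIG. 2-style extraction rule table (hash_object is an assumed extra column)."""
    type: str
    rule: str                   # name of the parser to apply
    tag: str
    url: str                    # collection source
    hash_object: bool = False   # hold a SHA-256 of the object instead of the object itself


def parse_ip_lines(raw: str) -> List[str]:
    """parser1 (assumed): one address per line, '#' starts a comment, blank lines are ignored."""
    items = []
    for line in raw.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            items.append(line)
    return items


def parse_json_payloads(raw: str) -> List[str]:
    """parser2 (assumed): a JSON array of objects whose 'payload' field is the attack data."""
    return [entry["payload"] for entry in json.loads(raw) if "payload" in entry]


PARSERS: Dict[str, Callable[[str], List[str]]] = {
    "parser1": parse_ip_lines,
    "parser2": parse_json_payloads,
}


def sha256_hex(text: str) -> str:
    """Hash method assumed for rules with hash_object=True."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def extract(rules: List[ExtractionRule], collected: Dict[str, str], today: str) -> List[AttackRecord]:
    """Apply each rule to the raw feed collected from its URL and emit records in one format."""
    records: List[AttackRecord] = []
    for rule in rules:
        raw = collected.get(rule.url)
        if raw is None:
            continue                    # nothing collected from this source yet
        parser = PARSERS[rule.rule]     # an unknown rule name raises KeyError on purpose
        for obj in parser(raw):
            records.append(AttackRecord(
                source=rule.url,
                type=rule.type,
                object=sha256_hex(obj) if rule.hash_object else obj,
                date=today,
                tag=rule.tag,
            ))
    return records


# Constructed inputs (not real feeds): addresses from RFC 5737 documentation ranges, URLs under .invalid.
RULES = [
    ExtractionRule(type="ip", rule="parser1", tag="tor",
                   url="https://feed-a.example.invalid/exit-nodes.txt"),
    ExtractionRule(type="payload", rule="parser2", tag="phish",
                   url="https://feed-b.example.invalid/phish.json", hash_object=True),
]
COLLECTED = {
    RULES[0].url: "# exit node list (constructed)\n192.0.2.10\n192.0.2.11  # relay\n\n198.51.100.7\n",
    RULES[1].url: json.dumps([
        {"payload": "Your account is locked, sign in at http://login.example.invalid/"},
        {"payload": "Invoice attached, open immediately"},
        {"note": "an entry without a payload is skipped"},
    ]),
}


def demo(today: str = "2020-01-01") -> List[AttackRecord]:
    """Run the two constructed rules over the constructed feeds."""
    return extract(RULES, COLLECTED, today)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Whatever the source layout, every downstream consumer now reads one record type, which is the point the page makes about generation time; the per-source knowledge lives entirely in the parser named by the rule.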
- FIG. 4 is a diagram illustrating an operation example of the signature generation unit 30.
- In this example, the attack data is malware.
- The generation rule registered in the generation rule DB 70 stipulates that, when the extraction unit 20 extracts a plurality of attack data items having a common character string, a signature including the common character string is generated. Therefore, when such attack data items are extracted, the signature generation unit 30 extracts the common character string (step S11) and tentatively generates a signature including the common character string (step S12).
- For example, the signature generation unit 30 extracts five character strings A, B, C, D, and E as common character strings in step S11, and in step S12 tentatively generates "A and B and (C or D) and E" as a signature defining the malware.
- A white list, that is, a list of character strings used in non-attack data (data that is not attack data), is registered in the generation rule DB 70.
- The generation rule further stipulates that the character strings included in the tentatively generated signature are matched against the character strings of the white list. The signature generation unit 30 therefore performs this matching to evaluate whether the tentatively generated signature includes a character string used in non-attack data. If it does, the signature generation unit 30 removes the corresponding character string from the tentatively generated signature, thereby correcting it (step S13). In this way, the signature is generated.
- For example, the signature generation unit 30 matches the five character strings A, B, C, D, and E included in the tentatively generated signature against the character strings of the white list and corrects the tentatively generated signature according to the result.
- A tag is set on the corrected signature. In this way, a signature is generated.
- Thus, the signature generation unit 30 tentatively generates a signature including a common character string found in a plurality of attack data items and, if the tentatively generated signature includes a character string used in non-attack data, generates the signature by removing that character string from the tentatively generated signature. This reduces the possibility that the signature will determine non-attack data to be attack data.
- FIG. 5 is a flowchart showing an example of the processing flow of the signature generation device 1 according to the present embodiment.
- The collection unit 10 collects threat information according to the collection rules registered in the collection rule DB 50 (step S21). The extraction unit 20 then extracts attack data from the threat information collected by the collection unit 10 according to the extraction rules registered in the extraction rule DB 60 (step S22).
- The signature generation unit 30 generates a signature as follows, according to the generation rule registered in the generation rule DB 70.
- The signature generation unit 30 waits until the extraction unit 20 has extracted a plurality of attack data items having a common character string. When this happens, the signature generation unit 30 extracts the common character string (step S23) and tentatively generates a signature including the extracted common character string (step S24).
- The signature generation unit 30 matches the character strings included in the tentatively generated signature against the character strings of the white list to evaluate whether the tentatively generated signature includes a character string used in non-attack data (step S25).
- When the tentatively generated signature includes a character string used in non-attack data (Yes in step S25), the signature generation unit 30 removes the corresponding character string from the tentatively generated signature, thereby correcting it (step S26). In this case, the corrected signature is the newly generated signature.
- When the tentatively generated signature does not include a character string used in non-attack data (No in step S25), the tentatively generated signature is not corrected and is itself the newly generated signature.
- The signature input unit 40 inputs the signature generated by the signature generation unit 30 into the input destination according to the input rule registered in the input rule DB 80 (step S27).
- Thus, the signature generation unit 30 tentatively generates a signature including a common character string found in a plurality of attack data items and, when the tentatively generated signature includes a character string used in non-attack data, generates the signature by removing that character string from the tentatively generated signature. This reduces the possibility that the signature will determine non-attack data to be attack data.
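As an added example, not code from the patent or its applicant, the following Python implements steps S11 to S13 of FIG. 4 (S23 to S26 of FIG. 5): the printable strings shared by every constructed attack sample are taken as the common character strings, conjoined into a tentative signature, matched against a constructed white list, and the matching terms removed. Everything beyond the step structure is an assumption of this example: the strings(1)-style extraction of candidate character strings, the purely conjunctive semantics ("A and B and E"; the "(C or D)" alternative in the page's example is not modelled), the sample bytes, the white list, and the decision to emit no signature when every term is white-listed. That last case is the one the procedure exists for: a sample set whose only common strings are executable boilerplate, where the tentative signature would match any ordinary file.

```python
"""Tentative signature from common strings, corrected against a white list (FIG. 4 / FIG. 5).
Added example; samples, white list and matching semantics are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

MIN_LEN = 4   # shortest printable run treated as a "character string" (assumed)
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


@dataclass(frozen=True)
class Signature:
    terms: FrozenSet[bytes]   # every term must occur: "A and B and ... and E" (assumed semantics)
    tag: str                  # tag set on the generated signature

    def matches(self, data: bytes) -> bool:
        """Data is judged attack data when all terms occur in it."""
        return all(term in data for term in self.terms)


def printable_strings(data: bytes) -> Set[bytes]:
    """strings(1)-style extraction of candidate character strings."""
    return set(_PRINTABLE_RUN.findall(data))


def common_strings(samples: List[bytes]) -> Set[bytes]:
    """Step S11 / S23: character strings present in every attack data item."""
    if not samples:
        return set()
    shared = printable_strings(samples[0])
    for sample in samples[1:]:
        shared &= printable_strings(sample)
    return shared


def tentative_signature(samples: List[bytes], tag: str) -> Optional[Signature]:
    """Step S12 / S24: conjoin all common strings into a provisional signature."""
    terms = common_strings(samples)
    return Signature(frozenset(terms), tag) if terms else None


def correct_signature(tentative: Optional[Signature], whitelist: Set[bytes]) -> Optional[Signature]:
    """Steps S25-S26: match each term against the white list and drop the ones that hit.
    If nothing is left, the provisional signature consisted only of benign strings and would
    match ordinary files; emitting no signature in that case is this example's choice."""
    if tentative is None:
        return None
    kept = frozenset(t for t in tentative.terms if t not in whitelist)
    if not kept:
        return None
    return Signature(kept, tentative.tag)


def generate_signature(samples: List[bytes], whitelist: Set[bytes], tag: str) -> Optional[Signature]:
    """Whole S11-S13 pipeline for one set of attack data items."""
    return correct_signature(tentative_signature(samples, tag), whitelist)


# Constructed data. PE_STUB imitates strings that every Windows executable carries; the
# "evil_marker" and .invalid strings stand in for attacker-specific content. Nothing here is real malware.
PE_STUB = b"MZ\x90\x00\x03\x00This program cannot be run in DOS mode.\x00kernel32.dll\x00GetProcAddress\x00"
ATTACK_SAMPLES = [
    PE_STUB + b"evil_marker_v2\x00http://c2.example.invalid/checkin\x00only_in_sample_1\x00",
    PE_STUB + b"xyz.tmp\x00http://c2.example.invalid/checkin\x00evil_marker_v2\x00",
    PE_STUB + b"evil_marker_v2\x00other\x00http://c2.example.invalid/checkin\x00",
]
BOILERPLATE_ONLY_SAMPLES = [PE_STUB + b"alpha_payload\x00", PE_STUB + b"beta_payload\x00"]
BENIGN_FILE = PE_STUB + b"Hello, world!\x00user32.dll\x00"
WHITELIST = {b"This program cannot be run in DOS mode.", b"kernel32.dll", b"GetProcAddress", b"user32.dll"}


if __name__ == "__main__":
    print(generate_signature(ATTACK_SAMPLES, WHITELIST, "tor"))
    print(generate_signature(BOILERPLATE_ONLY_SAMPLES, WHITELIST, "tor"))
```

Under conjunctive matching, dropping a term never makes a signature match fewer items, so what the white-list check buys here is knowing which common strings carry no discriminating power: for BOILERPLATE_ONLY_SAMPLES the tentative signature matches BENIGN_FILE, while the corrected result is no signature at all. For ATTACK_SAMPLES only the two sample-specific strings survive, and BENIGN_FILE is not matched.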
- FIG. 6 is a diagram showing a configuration example of the signature generation device 2 according to the present invention.
- The signature generation device 2 includes a collection unit 11, an extraction unit 21, and a generation unit 31.
- The collection unit 11 collects threat information.
- The collection unit 11 corresponds to the collection unit 10.
- The extraction unit 21 extracts attack data from the threat information collected by the collection unit 11.
- The extraction unit 21 corresponds to the extraction unit 20.
- The generation unit 31 generates a signature based on the attack data extracted by the extraction unit 21. Specifically, when the extraction unit 21 extracts a plurality of attack data items having a common character string, the generation unit 31 tentatively generates a signature including the common character string. The generation unit 31 then evaluates whether the tentatively generated signature includes a character string used in non-attack data, and, when it does, generates the signature by removing that character string from the tentatively generated signature. The generation unit 31 corresponds to the signature generation unit 30.
- Thus, the generation unit 31 tentatively generates a signature including a common character string found in a plurality of attack data items and, when the tentatively generated signature includes a character string used in non-attack data, generates the signature by removing that character string from the tentatively generated signature. This reduces the possibility that the signature will determine non-attack data to be attack data.
- In the above embodiment, each functional block (collection unit, extraction unit, signature generation unit (or generation unit), and signature input unit) is provided in the same apparatus, but this is not a limitation.
- These functional blocks may be provided in separate devices connected to each other by wire or wirelessly.
- Each functional block in the above embodiment is implemented in hardware and/or software, and may be implemented by a single piece of hardware or software or by a plurality of pieces of hardware or software.
- The functions (processing) of each device may be realized by a computer having a CPU (Central Processing Unit), a memory, and the like.
- For example, a program for performing the signature generation method according to the embodiment may be stored in the memory, and each function may be realized by the CPU executing the program stored in the memory.
- Non-transitory computer-readable media include various types of tangible storage media.
- Examples of non-transitory computer-readable media include magnetic recording media (e.g., flexible disks, magnetic tape, hard disk drives), magneto-optical recording media (e.g., magneto-optical discs), CD-ROM (compact disc read-only memory), CD-R (compact disc recordable), CD-R/W (compact disc rewritable), and semiconductor memory (e.g., mask ROM, PROM (programmable ROM), EPROM (erasable PROM), flash ROM, and RAM (random access memory)).
- The program may also be supplied to the computer on various types of transitory computer-readable media.
- Examples of transitory computer-readable media include electrical signals, optical signals, and electromagnetic waves.
- A transitory computer-readable medium can supply the program to the computer via a wired communication path, such as an electric wire or an optical fiber, or via a wireless communication path.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Computational Linguistics (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Abstract
Description
First, the configuration of the signature generation device 1 according to the present embodiment is described with reference to FIG. 1. FIG. 1 is a diagram illustrating a configuration example of the signature generation device 1 according to the present embodiment. The signature generation device 1 includes a collection unit 10, an extraction unit 20, a signature generation unit 30, a signature input unit 40, a collection rule DB (database; hereinafter the same) 50, an extraction rule DB 60, a generation rule DB 70, and an input rule DB 80. The collection rule DB 50, the extraction rule DB 60, the generation rule DB 70, and the input rule DB 80 are not limited to being provided inside the signature generation device 1 and may be provided outside it.
However, threat information has a different data format for each collection source. If the extraction unit 20 held the attack data in these mutually different data formats, the signature generation unit 30 would need to recognize the data format of the attack data in order to read the attack data held by the extraction unit 20, and generating a signature would take time.
(Supplementary note 1)
A signature generation device comprising:
a collection unit that collects threat information;
an extraction unit that extracts attack data from the threat information collected by the collection unit; and
a generation unit that generates a signature based on the attack data extracted by the extraction unit,
wherein the generation unit,
when the extraction unit extracts a plurality of attack data items having a common character string, tentatively generates a signature including the common character string,
evaluates whether the tentatively generated signature includes a character string used in non-attack data, and
when the tentatively generated signature includes a character string used in non-attack data, generates the signature by removing that character string from the tentatively generated signature.
(Supplementary note 2)
The signature generation device according to supplementary note 1, wherein
the character strings used in non-attack data are stored in a database, and
the generation unit evaluates whether the tentatively generated signature includes a character string used in non-attack data by matching the character strings included in the tentatively generated signature against the character strings stored in the database.
(Supplementary note 3)
The signature generation device according to supplementary note 1 or 2, wherein
the extraction unit converts the attack data into a predetermined data format and holds it.
(Supplementary note 4)
The signature generation device according to any one of supplementary notes 1 to 3, further comprising
an input unit that inputs the signature generated by the generation unit into a specific input destination.
(Supplementary note 5)
A signature generation method performed by a signature generation device, comprising:
a collection step of collecting threat information;
an extraction step of extracting attack data from the threat information collected in the collection step; and
a generation step of generating a signature based on the attack data extracted in the extraction step,
wherein in the generation step,
when a plurality of attack data items having a common character string are extracted in the extraction step, a signature including the common character string is tentatively generated,
the tentatively generated signature is evaluated for whether it includes a character string used in non-attack data, and
when the tentatively generated signature includes a character string used in non-attack data, the signature is generated by removing that character string from the tentatively generated signature.
(Supplementary note 6)
The signature generation method according to supplementary note 5, wherein
the character strings used in non-attack data are stored in a database, and
in the generation step, whether the tentatively generated signature includes a character string used in non-attack data is evaluated by matching the character strings included in the tentatively generated signature against the character strings stored in the database.
(Supplementary note 7)
The signature generation method according to supplementary note 5 or 6, wherein
in the extraction step, the attack data is converted into a predetermined data format and held.
(Supplementary note 8)
The signature generation method according to any one of supplementary notes 5 to 7, further comprising
an input step of inputting the signature generated in the generation step into a specific input destination.
(Supplementary note 9)
A program that causes a computer to execute:
a collection procedure of collecting threat information;
an extraction procedure of extracting attack data from the threat information collected in the collection procedure; and
a generation procedure of generating a signature based on the attack data extracted in the extraction procedure,
wherein in the generation procedure,
when a plurality of attack data items having a common character string are extracted in the extraction procedure, a signature including the common character string is tentatively generated,
the tentatively generated signature is evaluated for whether it includes a character string used in non-attack data, and
when the tentatively generated signature includes a character string used in non-attack data, the signature is generated by removing that character string from the tentatively generated signature.
(Supplementary note 10)
The program according to supplementary note 9, wherein
the character strings used in non-attack data are stored in a database, and
in the generation procedure, whether the tentatively generated signature includes a character string used in non-attack data is evaluated by matching the character strings included in the tentatively generated signature against the character strings stored in the database.
(Supplementary note 11)
The program according to supplementary note 9 or 10, wherein
in the extraction procedure, the attack data is converted into a predetermined data format and held.
(Supplementary note 12)
The program according to any one of supplementary notes 9 to 11, further comprising
an input step of inputting the signature generated in the generation procedure into a specific input destination.
10 Collection unit
20 Extraction unit
30 Signature generation unit
40 Signature input unit
50 Collection rule DB
60 Extraction rule DB
70 Generation rule DB
80 Input rule DB
2 Signature generation device
11 Collection unit
21 Extraction unit
31 Generation unit
Claims (9)
- A signature generation device comprising: a collection unit that collects threat information; an extraction unit that extracts attack data from the threat information collected by the collection unit; and a generation unit that generates a signature based on the attack data extracted by the extraction unit, wherein the generation unit, when the extraction unit extracts a plurality of attack data items having a common character string, tentatively generates a signature including the common character string, evaluates whether the tentatively generated signature includes a character string used in non-attack data, and, when the tentatively generated signature includes a character string used in non-attack data, generates the signature by removing that character string from the tentatively generated signature.
- The signature generation device according to claim 1, wherein the character strings used in non-attack data are stored in a database, and the generation unit evaluates whether the tentatively generated signature includes a character string used in non-attack data by matching the character strings included in the tentatively generated signature against the character strings stored in the database.
- The signature generation device according to claim 1 or 2, wherein the extraction unit converts the attack data into a predetermined data format and holds it.
- The signature generation device according to any one of claims 1 to 3, further comprising an input unit that inputs the signature generated by the generation unit into a specific input destination.
- A signature generation method performed by a signature generation device, comprising: a collection step of collecting threat information; an extraction step of extracting attack data from the threat information collected in the collection step; and a generation step of generating a signature based on the attack data extracted in the extraction step, wherein in the generation step, when a plurality of attack data items having a common character string are extracted in the extraction step, a signature including the common character string is tentatively generated, the tentatively generated signature is evaluated for whether it includes a character string used in non-attack data, and, when the tentatively generated signature includes a character string used in non-attack data, the signature is generated by removing that character string from the tentatively generated signature.
- The signature generation method according to claim 5, wherein the character strings used in non-attack data are stored in a database, and in the generation step, whether the tentatively generated signature includes a character string used in non-attack data is evaluated by matching the character strings included in the tentatively generated signature against the character strings stored in the database.
- The signature generation method according to claim 5 or 6, wherein in the extraction step, the attack data is converted into a predetermined data format and held.
- The signature generation method according to any one of claims 5 to 7, further comprising an input step of inputting the signature generated in the generation step into a specific input destination.
- A non-transitory computer-readable medium storing a program that causes a computer to execute: a collection procedure of collecting threat information; an extraction procedure of extracting attack data from the threat information collected in the collection procedure; and a generation procedure of generating a signature based on the attack data extracted in the extraction procedure, wherein in the generation procedure, when a plurality of attack data items having a common character string are extracted in the extraction procedure, a signature including the common character string is tentatively generated, the tentatively generated signature is evaluated for whether it includes a character string used in non-attack data, and, when the tentatively generated signature includes a character string used in non-attack data, the signature is generated by removing that character string from the tentatively generated signature.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/497,124 US11429717B2 (en) | 2017-03-28 | 2017-12-20 | Signature generating device, signature generating method, and non-transitory computer-readable medium storing program |
JP2019508574A JPWO2018179628A1 (ja) | 2017-03-28 | 2017-12-20 | シグネチャ生成装置、シグネチャ生成方法、プログラムが格納された非一時的なコンピュータ可読媒体 |
CN201780089063.0A CN110506268A (zh) | 2017-03-28 | 2017-12-20 | 签名产生设备、签名产生方法和存储程序的非暂时性计算机可读介质 |
KR1020197027930A KR20190120312A (ko) | 2017-03-28 | 2017-12-20 | 서명 생성 장치, 서명 생성 방법, 컴퓨터 판독가능 기록 매체에 저장된 프로그램 |
RU2019130058A RU2019130058A (ru) | 2017-03-28 | 2017-12-20 | Устройство формирования подписей, способ формирования подписей и энергонезависимый считываемый компьютером носитель, сохраняющий программу |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2017062918 | 2017-03-28 | ||
JP2017-062918 | 2017-03-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018179628A1 true WO2018179628A1 (ja) | 2018-10-04 |
Family
ID=63674508
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2017/045830 WO2018179628A1 (ja) | 2017-03-28 | 2017-12-20 | Signature generating device, signature generating method, and non-transitory computer-readable medium storing program |
Country Status (6)
Country | Link |
---|---|
US (1) | US11429717B2 (ja) |
JP (1) | JPWO2018179628A1 (ja) |
KR (1) | KR20190120312A (ja) |
CN (1) | CN110506268A (ja) |
RU (1) | RU2019130058A (ja) |
WO (1) | WO2018179628A1 (ja) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006350708A (ja) * | 2005-06-16 | 2006-12-28 | Hitachi Ltd | Security design support method and support device |
JP2012529690A (ja) * | 2009-06-10 | 2012-11-22 | F-Secure Corporation | False alarm detection for malware scanning |
US20140007238A1 (en) * | 2012-06-29 | 2014-01-02 | Vigilant Inc. | Collective Threat Intelligence Gathering System |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2472268A1 (en) | 2001-12-31 | 2003-07-17 | Citadel Security Software Inc. | Automated computer vulnerability resolution system |
US20030172291A1 (en) | 2002-03-08 | 2003-09-11 | Paul Judge | Systems and methods for automated whitelisting in monitored communications |
WO2005047862A2 (en) * | 2003-11-12 | 2005-05-26 | The Trustees Of Columbia University In The City Of New York | Apparatus method and medium for identifying files using n-gram distribution of data |
WO2006036763A2 (en) * | 2004-09-22 | 2006-04-06 | Cyberdefender Corporation | System for distributing information using a secure peer-to-peer network |
US7730040B2 (en) | 2005-07-27 | 2010-06-01 | Microsoft Corporation | Feedback-driven malware detector |
US8713686B2 (en) | 2006-01-25 | 2014-04-29 | Ca, Inc. | System and method for reducing antivirus false positives |
US8201244B2 (en) * | 2006-09-19 | 2012-06-12 | Microsoft Corporation | Automated malware signature generation |
JP2012003463A (ja) | 2010-06-16 | 2012-01-05 | Kddi Corp | Support device, method, and program for supporting signature generation |
JP5868515B2 (ja) * | 2012-09-25 | 2016-02-24 | Mitsubishi Electric Corporation | Signature verification device, signature verification method, and program |
RU2573262C2 (ru) | 2014-05-12 | 2016-01-20 | Samsung Electronics Co., Ltd. | Method for thermal analysis of portable electronic devices based on measurements |
US9665716B2 (en) * | 2014-12-23 | 2017-05-30 | Mcafee, Inc. | Discovery of malicious strings |
KR102390355B1 (ko) * | 2015-11-16 | 2022-04-26 | Electronics and Telecommunications Research Institute | Method and apparatus for signature-based network attack detection and attack signature generation |
US10547627B2 (en) * | 2016-03-08 | 2020-01-28 | Palo Alto Networks, Inc. | Malicious HTTP cookies detection and clustering |
US10855701B2 (en) * | 2017-11-03 | 2020-12-01 | F5 Networks, Inc. | Methods and devices for automatically detecting attack signatures and generating attack signature identifications |
WO2020186033A1 (en) * | 2019-03-13 | 2020-09-17 | Arun Lakhotia | Method for automatic creation of malware detection signature |
2017
- 2017-12-20 RU RU2019130058A patent/RU2019130058A/ru not_active Application Discontinuation
- 2017-12-20 US US16/497,124 patent/US11429717B2/en active Active
- 2017-12-20 CN CN201780089063.0A patent/CN110506268A/zh active Pending
- 2017-12-20 WO PCT/JP2017/045830 patent/WO2018179628A1/ja active Application Filing
- 2017-12-20 KR KR1020197027930A patent/KR20190120312A/ko not_active Application Discontinuation
- 2017-12-20 JP JP2019508574A patent/JPWO2018179628A1/ja active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006350708A (ja) * | 2005-06-16 | 2006-12-28 | Hitachi Ltd | Security design support method and support device |
JP2012529690A (ja) * | 2009-06-10 | 2012-11-22 | F-Secure Corporation | False alarm detection for malware scanning |
US20140007238A1 (en) * | 2012-06-29 | 2014-01-02 | Vigilant Inc. | Collective Threat Intelligence Gathering System |
Non-Patent Citations (1)
Title |
---|
Sumeet Singh et al.: "Automated Worm Fingerprinting", OSDI, 4 December 2004 (2004-12-04), Retrieved from the Internet <URL:https://cseweb.used.Edu/-savage/papers/OSDI04.pdf> * |
Also Published As
Publication number | Publication date |
---|---|
CN110506268A (zh) | 2019-11-26 |
RU2019130058A3 (ja) | 2021-04-28 |
US11429717B2 (en) | 2022-08-30 |
US20200380128A1 (en) | 2020-12-03 |
RU2019130058A (ru) | 2021-04-28 |
JPWO2018179628A1 (ja) | 2020-01-16 |
KR20190120312A (ko) | 2019-10-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020249112A1 (zh) | Electronic evidence preservation and network forensics method and system based on memory forensics and blockchain | |
JP6397932B2 (ja) | System for identifying malware-infected machines by applying linguistic analysis to network requests from endpoints | |
CN109951435B (zh) | Device identifier provisioning method and apparatus, and risk control method and apparatus | |
WO2015186662A1 (ja) | Log analysis device, attack detection device, attack detection method, and program | |
US10027488B2 (en) | Numeric pattern normalization for cryptographic signatures | |
CN107733581B (zh) | Method and apparatus for rapid Internet asset feature detection in a whole-network environment | |
KR20170060280A (ko) | Apparatus and method for automatically generating detection rules | |
US11544575B2 (en) | Machine-learning based approach for malware sample clustering | |
CN112468520A (zh) | Data detection method, apparatus, device, and readable storage medium | |
US11140196B1 (en) | Malware fingerprinting on encrypted transport layer security (TLS) traffic | |
KR101859562B1 (ko) | Method and apparatus for analyzing vulnerability information | |
CN108075888B (zh) | Dynamic URL generation method and apparatus, storage medium, and electronic device | |
EP3242240B1 (en) | Malicious communication pattern extraction device, malicious communication pattern extraction system, malicious communication pattern extraction method and malicious communication pattern extraction program | |
JP2016091549A (ja) | System, device, and method for separating malware events from background events | |
CN113595967A (zh) | Data identification method, device, storage medium, and apparatus | |
US8910281B1 (en) | Identifying malware sources using phishing kit templates | |
CN114785567B (zh) | Traffic identification method, apparatus, device, and medium | |
CN113726818B (zh) | Compromised host detection method and apparatus | |
US11159566B2 (en) | Countering phishing attacks | |
JP2015106914A (ja) | Malware communication analysis device and malware communication analysis method | |
WO2018179628A1 (ja) | Signature generating device, signature generating method, and non-transitory computer-readable medium storing program | |
Chiba et al. | Botprofiler: Profiling variability of substrings in http requests to detect malware-infected hosts | |
CN110719263A (zh) | Multi-tenant DNS security management method, apparatus, and storage medium | |
CN113726826B (zh) | Threat intelligence generation method and apparatus | |
JP2012175296A (ja) | Communication classification device and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17903022 Country of ref document: EP Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2019508574 Country of ref document: JP Kind code of ref document: A |
| | ENP | Entry into the national phase | Ref document number: 20197027930 Country of ref document: KR Kind code of ref document: A |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | WWE | Wipo information: entry into national phase | Ref document number: 2019130058 Country of ref document: RU |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 17903022 Country of ref document: EP Kind code of ref document: A1 |