WO2022249416A1 - Analysis device, analysis method, and analysis system - Google Patents

Analysis device, analysis method, and analysis system

Info

Publication number
WO2022249416A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
unit
command
intention
execution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2021/020302
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
琴海 黒木
楊 鐘本
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NTT Inc
Original Assignee
Nippon Telegraph and Telephone Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp
Priority to PCT/JP2021/020302 (WO2022249416A1, ja)
Priority to US18/563,346 (US12542806B2, en)
Priority to JP2023523882A (JP7552897B2, ja)
Publication of WO2022249416A1 (ja)
Anticipated expiration
Ceased (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • The present invention relates to an analysis device, an analysis method, and an analysis system.
  • OS command injection is one of the methods of attacking a computer system from the outside: a fragment that can be interpreted as an operating system (OS) command is slipped into an input character string to the system and is executed without authorization.
  • OS: operating system
  • WAF: Web Application Firewall
  • The conventional technology has the problem that it is not possible to identify the intention of a detected OS command injection attack. Even if OS command injection can be detected, if it is unclear what kind of damage the attack will cause, the contents of countermeasures may not be studied efficiently.
  • The analysis device extracts the attack command string inserted for the attack from the attack request sent in the attack.
  • The analysis device has an extraction unit that performs this extraction, an execution unit that acquires information obtained by executing the attack command string extracted by the extraction unit, an identification unit that identifies the intention of the attack by command injection using the information acquired by the execution unit, and an output unit that outputs information indicating the attack intention determined by the identification unit.
  • FIG. 1 is a diagram showing a configuration example of an analysis system according to the first embodiment.
  • FIG. 2 is a diagram showing a configuration example of an analysis device according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a command list.
  • FIG. 4 is a diagram showing an example of an attack request.
  • FIG. 5 is a diagram illustrating processing for extracting an attack command string included in an attack request.
  • FIG. 6 is a diagram illustrating an example of processing for dividing an attack request.
  • FIG. 7 is a diagram illustrating an example of processing for extracting an attack command string.
  • FIG. 8 is a diagram showing an example of an execution environment of an emulator.
  • FIG. 9 is a flow chart showing the flow of identification processing of the analysis device according to the first embodiment.
  • FIG. 10 is a diagram illustrating an example of a computer that executes an analysis program.
  • FIG. 1 is a diagram showing a configuration example of an analysis system according to the first embodiment.
  • As shown in FIG. 1, the analysis system 1 has an analysis device 10, an emulator 20, a detection device 30, and a server 40.
  • The server 40 is connected to the Internet 50 via the detection device 30.
  • The configuration shown in FIG. 1 is merely an example, and the specific configuration and the number of each device are not particularly limited.
  • The analysis device 10 receives an attack request for OS command injection from the detection device 30, extracts an attack command from the attack request, causes the attack command to be executed in an emulation environment, and estimates the attack intention of the attack request.
  • The emulator 20 simulates the execution of attack commands in an emulation environment.
  • The detection device 30 detects an attack request by OS command injection, that is, a web request sent via the Internet 50 and aimed at attacking the server 40.
  • The server 40 is, for example, a web server published on the Internet 50.
  • The server 40 runs a database or a web application that uses the database.
  • The server 40 receives a web request via the Internet 50, executes processing according to the web request, and returns a response.
  • FIG. 2 is a diagram showing a configuration example of an analysis device according to the first embodiment.
  • The analysis device 10 has a communication unit 11, a storage unit 12, and a control unit 13.
  • The communication unit 11 is realized by a NIC (Network Interface Card) or the like, and controls communication with external devices via telecommunication lines such as a LAN (Local Area Network) and the Internet. For example, the communication unit 11 receives an attack request from the detection device 30.
  • NIC: Network Interface Card
  • LAN: Local Area Network
  • The storage unit 12 is a storage device such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or an optical disc. The storage unit 12 may also be a rewritable semiconductor memory such as RAM (Random Access Memory), flash memory, or NVSRAM (Non Volatile Static Random Access Memory).
  • The storage unit 12 stores an OS (Operating System) and various programs executed by the analysis device 10.
  • The storage unit 12 has a command list storage unit 12a, an attack request storage unit 12b, and an attack command string storage unit 12c.
  • The command list storage unit 12a stores the command list of the OS.
  • For example, the command list storage unit 12a stores a general OS command list as illustrated in FIG. 3.
  • FIG. 3 is a diagram showing an example of a command list.
  • The attack request storage unit 12b stores attack requests.
  • For example, the attack request storage unit 12b stores an OS command injection attack request received from the detection device 30.
  • FIG. 4 is a diagram showing an example of an attack request.
  • The GET-method web request illustrated in FIG. 4 is a web request detected by the detection device 30.
  • The attack command string storage unit 12c stores attack command strings extracted by the extraction unit 13a, which is described later.
  • An attack command string is a command string inserted by an attacker for the attack.
  • The control unit 13 has an internal memory for storing programs that define various processing procedures and the required data, and executes various processing using these.
  • The control unit 13 has an extraction unit 13a, an execution unit 13b, an identification unit 13c, and an output unit 13d.
  • The control unit 13 is an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).
  • FIG. 5 is a diagram illustrating processing for extracting an attack command string included in an attack request.
  • The extraction unit 13a extracts an attack command string using a preset command list.
  • An example of the specific processing of the extraction unit 13a is described below with reference to FIGS. 6 and 7.
  • FIG. 6 is a diagram illustrating an example of processing for dividing an attack request.
  • FIG. 7 is a diagram illustrating an example of processing for extracting an attack command string.
  • The extraction unit 13a acquires the command list from the command list storage unit 12a, and acquires the attack request to be processed from the attack request storage unit 12b. Then, as exemplified in FIG. 6, the extraction unit 13a divides the content of the attack request into fine elements and extracts the parts that may include an attack command string.
  • Then, the extraction unit 13a refers to the command list and extracts the attack command string "cat /etc/passwd" from the part that may contain an attack command string.
  • Specifically, out of the portion that may include an attack command string, the extraction unit 13a takes a character string that starts with a command in the command list, or, when a symbol immediately precedes a command in the command list, the character string from that command onward, and extracts it as the attack command string.
  • The execution unit 13b acquires information obtained by executing the attack command string extracted by the extraction unit 13a.
  • For example, the execution unit 13b causes the emulator 20 to execute the extracted command string, and acquires the information necessary for determining the intention of the attack.
  • FIG. 8 is a diagram showing an example of the execution environment of the emulator. As illustrated in FIG. 8, in the emulator 20 a command execution emulator 21 that executes commands and an http server 22 are connected via an internal network 23. The http server 22 in the emulator 20 returns a shell script that outputs a specific character string (hereinafter referred to as the identification character string) regardless of which URL is accessed.
  • Identification character string: a specific character string output by the script served by the http server 22.
  • The execution unit 13b replaces the IP address and domain name included in the command string with the IP address of the http server 22 in the internal network 23 of the emulator 20. The execution unit 13b also divides the command string into single commands. Then, the execution unit 13b causes the command execution emulator 21 to execute the divided commands sequentially, and acquires the information necessary for determining the intention of the attack.
  • As the information necessary for determining the intention of an attack, the execution unit 13b acquires, for example, the standard output or standard error output resulting from the emulated execution, the execution time, and the trace log of system calls. For example, the execution unit 13b acquires a system call log by executing the attack command string, and also acquires the execution time of the attack command string.
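An added example (not the patent's own code) of the extraction unit's processing described above, extended with the execution unit's pre-processing from FIG. 8 (pointing hosts at the emulator's http server and splitting into single commands). It assumes a constructed subset of the command list, shell separators as the symbols that may precede a command, a placeholder address for the http server 22, and a request constructed in the style of FIG. 4.

```python
import re
from urllib.parse import unquote_plus

# Constructed subset of a general OS command list; FIG. 3 itself is not reproduced.
COMMAND_LIST = frozenset({"cat", "ls", "id", "uname", "wget", "curl", "sleep", "echo", "sh"})
# Symbols after which an injected command may start (assumption: shell separators).
SEPARATORS = re.compile(r"[;|&`\n]+|\$\(")
# Placeholder address of the http server 22 on the emulator's internal network 23.
EMULATOR_HTTP_IP = "10.0.0.2"
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_HOST = re.compile(r"(?<=://)[^/\s:]+")


def split_request(raw):
    """Divide a raw HTTP request into fine elements (FIG. 6): the path, every
    query value, every header value and every body value, percent-decoded."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1] if " " in lines[0] else ""
    path, _, query = target.partition("?")
    elements = [unquote_plus(path)]
    for section in (query, body):
        elements += [unquote_plus(kv.partition("=")[2]) for kv in section.split("&")]
    elements += [unquote_plus(h.partition(":")[2].strip()) for h in lines[1:]]
    return [e for e in elements if e]


def _leading_command(text):
    """First word of text; a directory prefix such as /bin/ is dropped."""
    m = re.match(r"[A-Za-z0-9_./-]+", text)
    if not m:
        return ""
    word = m.group(0)
    return word.rsplit("/", 1)[-1] if word.startswith("/") else word


def extract_attack_commands(raw, command_list=COMMAND_LIST):
    """Return the attack command strings in a request (FIG. 7): the text from a
    listed command to the end of its element, where the command either begins
    the element or directly follows a separator symbol."""
    found = []
    for element in split_request(raw):
        starts = [0] + [m.end() for m in SEPARATORS.finditer(element)]
        for pos in starts:
            rest = element[pos:].strip()
            if _leading_command(rest) in command_list:
                found.append(rest)  # may still hold several commands; split later
                break
    return found


def prepare_for_emulator(command_string):
    """Execution-unit pre-processing: point every URL host and bare IPv4 address
    at the emulator's http server, then divide the string into single commands."""
    rewritten = URL_HOST.sub(EMULATOR_HTTP_IP, command_string)
    rewritten = IPV4.sub(EMULATOR_HTTP_IP, rewritten)
    return [c.strip() for c in re.split(r"\|\||&&|[;|\n]", rewritten) if c.strip()]


# Constructed request in the style of the GET request of FIG. 4.
SAMPLE_REQUEST = (
    "GET /cgi-bin/search?q=hello;cat%20/etc/passwd HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for cmd in extract_attack_commands(SAMPLE_REQUEST):
        print(repr(cmd), "->", prepare_for_emulator(cmd))
```

A word from the command list that appears inside ordinary text (for example a search query beginning with "cat") is extracted too; the emulation step, not the extraction, is what separates such false positives from real attacks.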
  • The identification unit 13c uses the information acquired by the execution unit 13b to determine the intention of the attack by command injection. For example, when the standard output includes the identification character string prepared in the http server 22 in the emulator 20, the identification unit 13c determines that the intention of the attack is execution of an arbitrary command script.
  • The identification character string is, for example, an arbitrary character string that is output when the script prepared in the http server 22 in the emulator 20 is executed.
  • When the system call log includes an open with permission to write to a file, the identification unit 13c determines that the intention of the attack is falsification. In other words, in this case the identification unit 13c identifies the attack by command injection as an attack that attempts to overwrite a file.
  • When the execution time of the attack command string is longer than a preset DoS determination time, the identification unit 13c determines that the attack is a DoS attack.
  • The DoS determination time is, for example, 10 seconds. The DoS determination time can be changed arbitrarily.
  • When the system call log includes a write, and includes before the write an open and a read for a file, the identification unit 13c determines that the intention of the attack is information leakage.
  • Further, when the system call log includes a write, and includes before the write a geteuid or uname, which obtain information about the system, the identification unit 13c determines that the intention of the attack is information leakage.
  • When the system call log includes a write but none of the calls above precede it, or when it includes no write and the execution time is longer than a preset reconnaissance determination reference time, the identification unit 13c determines that the intention of the attack is vulnerability reconnaissance.
  • The reconnaissance determination reference time is, for example, 1 second. The reconnaissance determination reference time can be changed arbitrarily.
  • The output unit 13d outputs information indicating the attack intention determined by the identification unit 13c.
  • For example, the output unit 13d may display the information indicating the intention of the attack, or may output it to an external device.
  • In this way, the analysis device 10 extracts the attack command string inserted for the attack from the attack request sent in the attack, and acquires information obtained by executing the extracted attack command string. Then, using the acquired information, the analysis device 10 determines the intention of the attack by command injection, and outputs information indicating the determined intention of the attack. As a result, when command injection is detected, the analysis device 10 can estimate the intention of the attack. In addition, the analysis device 10 can easily grasp the impact of a successful attack by estimating the intention, and can contribute to detailed analysis of the attack and faster countermeasures.
  • FIG. 9 is a flow chart showing the flow of identification processing of the analysis device according to the first embodiment.
  • First, the identification unit 13c of the analysis device 10 determines whether the execution result (standard output) includes the identification character string prepared in the http server 22 in the emulator 20 (step S101). When it determines that the standard output includes the identification character string (Yes at step S101), the identification unit 13c determines that the intention of the attack is execution of an arbitrary command script (step S102).
  • When the standard output does not include the identification character string (No at step S101), the identification unit 13c determines whether the system call log includes an open with permission to write to a file (step S103). When it determines that the system call log includes an open with file writing authority (Yes at step S103), the identification unit 13c determines that the intention of the attack is falsification (step S104).
  • When it determines that the system call log does not include an open with permission to write to a file (No at step S103), the identification unit 13c determines whether the execution time of the attack command string is longer than the preset DoS determination time (step S105). When it determines that the execution time is longer than the DoS determination time (Yes at step S105), the identification unit 13c determines that the attack is a DoS attack (step S106).
  • When it determines that the execution time of the attack command string is equal to or less than the preset DoS determination time (No at step S105), the identification unit 13c determines whether a write is included in the system call log (step S107).
  • When a write is included in the system call log (Yes at step S107), the identification unit 13c determines whether an open and a read for a file are included before the write (step S108).
  • When it determines that an open and a read for a file are included before the write (Yes at step S108), the identification unit 13c determines that the intention of the attack is information leakage (step S111).
  • When it determines that an open and a read for a file are not included before the write (No at step S108), the identification unit 13c determines whether a call that obtains system-related information, such as geteuid or uname, is included before the write (step S109).
  • When it determines that a geteuid or uname for acquiring information about the system is included before the write (Yes at step S109), the identification unit 13c determines that the intention of the attack is information leakage (step S111).
  • When it determines that no geteuid or uname for acquiring information about the system is included before the write (No at step S109), the identification unit 13c determines that the intention of the attack is vulnerability reconnaissance (step S112).
  • When it determines that no write is included in the system call log (No at step S107), the identification unit 13c determines whether the execution time is longer than the reconnaissance determination reference time (step S110). When it determines that the execution time is longer than the reconnaissance determination reference time (Yes at step S110), the identification unit 13c determines that the attack intention is vulnerability reconnaissance (step S112). When it determines that the execution time is equal to or less than the reconnaissance determination reference time (No at step S110), the identification unit 13c determines that the attack intention cannot be identified (step S113).
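The identification flow of FIG. 9 (steps S101 to S113), as an added example that is not the patent's own code; it implements the rules stated for the identification unit 13c above over the three kinds of information the execution unit collects. The identification character string, the two thresholds and the strace-style traces are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed placeholder for the identification character string printed by the
# shell script that the http server 22 serves.
IDENTIFICATION_STRING = "EMU-IDENT-7f3a9c"
DOS_TIME_SEC = 10.0    # DoS determination time (10 s in the description; adjustable)
RECON_TIME_SEC = 1.0   # reconnaissance determination reference time (1 s; adjustable)

# strace-style line: optional "[pid N]" prefix, syscall name, argument text, "= result".
SYSCALL_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s*)?(\w+)\((.*)\)\s*=")
OPEN_CALLS = {"open", "openat"}
WRITE_FLAGS = ("O_WRONLY", "O_RDWR")
SYSINFO_CALLS = {"geteuid", "uname"}


@dataclass
class ExecutionInfo:
    """What the execution unit 13b hands over for one attack command string."""
    stdout: str
    syscall_log: str
    exec_time: float  # seconds


def parse_syscalls(log):
    """Return (name, args) pairs in trace order; lines that are not syscalls are skipped."""
    calls = []
    for line in log.splitlines():
        m = SYSCALL_LINE.match(line.strip())
        if m:
            calls.append((m.group(1), m.group(2)))
    return calls


def _opens_for_writing(calls):
    """S103: an open/openat whose flags grant write permission on a file."""
    return any(n in OPEN_CALLS and any(f in a for f in WRITE_FLAGS) for n, a in calls)


def _file_read(calls):
    """S108: an open/openat followed by a read within the given calls."""
    opened = False
    for name, _ in calls:
        if name in OPEN_CALLS:
            opened = True
        elif name == "read" and opened:
            return True
    return False


def identify_intent(info):
    """Walk the decision flow of FIG. 9 and return the attack intention."""
    calls = parse_syscalls(info.syscall_log)
    names = [n for n, _ in calls]
    if IDENTIFICATION_STRING in info.stdout:           # S101 -> S102
        return "arbitrary command script execution"
    if _opens_for_writing(calls):                       # S103 -> S104
        return "falsification"
    if info.exec_time > DOS_TIME_SEC:                   # S105 -> S106
        return "DoS"
    if "write" in names:                                # S107: Yes
        before = calls[: names.index("write")]          # calls preceding the first write
        if _file_read(before):                          # S108 -> S111
            return "information leakage"
        if SYSINFO_CALLS & {n for n, _ in before}:      # S109 -> S111
            return "information leakage"
        return "vulnerability reconnaissance"           # S109: No -> S112
    if info.exec_time > RECON_TIME_SEC:                 # S110 -> S112
        return "vulnerability reconnaissance"
    return "unidentified"                               # S113


# Constructed traces standing in for what the command execution emulator 21 records.
LEAK_TRACE = """\
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
read(3, "root:x:0:0:root:/root:/bin/bash\\n"..., 131072) = 1812
write(1, "root:x:0:0:root:/root:/bin/bash\\n"..., 1812) = 1812
+++ exited with 0 +++
"""
TAMPER_TRACE = """\
openat(AT_FDCWD, "index.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
write(3, "x\\n", 2) = 2
"""
SYSINFO_TRACE = """\
uname({sysname="Linux", nodename="emu", ...}) = 0
write(1, "Linux\\n", 6) = 6
"""

if __name__ == "__main__":
    samples = {
        "cat /etc/passwd": ExecutionInfo("root:x:0:0:root:/root:/bin/bash\n", LEAK_TRACE, 0.02),
        "overwrite file": ExecutionInfo("", TAMPER_TRACE, 0.01),
        "uname": ExecutionInfo("Linux\n", SYSINFO_TRACE, 0.01),
        "sleep 30": ExecutionInfo("", "nanosleep({tv_sec=30, tv_nsec=0}, NULL) = 0\n", 30.0),
        "fetched script": ExecutionInfo(IDENTIFICATION_STRING + "\n", "", 0.3),
    }
    for label, info in samples.items():
        print(f"{label:>16}: {identify_intent(info)}")
```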
  • As described above, when an attack by command injection is detected, the analysis device 10 extracts the attack command string inserted for the attack from the attack request sent in the attack, and acquires the information obtained by executing the extracted attack command string. Then, using the acquired information, the analysis device 10 determines the intention of the attack by command injection, and outputs information indicating the determined intention of the attack.
  • Therefore, the analysis device 10 can identify the intention of the detected OS command injection attack.
  • In addition, the analysis device 10 can easily grasp the impact of a successful attack by estimating the intention, and can contribute to detailed analysis of the attack and faster countermeasures.
  • Each component of each illustrated device is functionally conceptual, and does not necessarily need to be physically configured as illustrated.
  • The specific form of distribution and integration of each device is not limited to the illustrated one; all or part of them can be functionally or physically distributed or integrated.
  • All or any part of each processing function performed by each device can be realized by a CPU and a program analyzed and executed by the CPU, or realized as hardware by wired logic.
  • The analysis device 10 can be implemented by installing an analysis program that executes the above analysis processing on a desired computer as package software or online software.
  • An information processing device can function as the analysis device 10 by causing the information processing device to execute the above analysis program.
  • The information processing device referred to here includes a desktop or notebook personal computer.
  • Information processing devices also include smartphones, mobile communication terminals such as mobile phones and PHSs (Personal Handyphone Systems), and slate terminals such as PDAs (Personal Digital Assistants).
  • The functions of the analysis device 10 may also be implemented in a cloud server.
  • FIG. 10 is a diagram showing an example of a computer that executes an analysis program.
  • The computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
  • The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012.
  • The ROM 1011 stores a boot program such as a BIOS (Basic Input Output System).
  • BIOS: Basic Input Output System
  • The hard disk drive interface 1030 is connected to a hard disk drive 1090.
  • The disk drive interface 1040 is connected to a disk drive 1100.
  • A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example.
  • A mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050, for example.
  • A display 1130 is connected to the video adapter 1060.
  • The hard disk drive 1090 stores, for example, an OS 1091, application programs 1092, program modules 1093, and program data 1094. Each piece of information described in the above embodiment is stored in the hard disk drive 1090 or the memory 1010, for example.
  • The analysis program is stored in the hard disk drive 1090 as, for example, a program module 1093 in which the commands to be executed by the computer 1000 are written.
  • Specifically, the hard disk drive 1090 stores a program module 1093 that describes each process executed by the analysis device 10 described in the above embodiment.
  • Data used for information processing by the analysis program is stored as program data 1094 in the hard disk drive 1090, for example. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 into the RAM 1012 as necessary, and executes each procedure described above.
  • The program module 1093 and program data 1094 related to the analysis program are not limited to being stored in the hard disk drive 1090.
  • For example, they may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like.
  • Alternatively, the program module 1093 and program data 1094 related to the analysis program may be stored in another computer connected via a network such as a LAN or WAN (Wide Area Network), and read out by the CPU 1020 via the network interface 1070.
  • Reference signs: 1 analysis system; 10 analysis device; 11 communication unit; 12 storage unit; 12a command list storage unit; 12b attack request storage unit; 12c attack command string storage unit; 13 control unit; 13a extraction unit; 13b execution unit; 13c identification unit; 13d output unit; 20 emulator; 30 detection device; 40 server; 50 Internet

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/JP2021/020302 WO2022249416A1 (ja) 2021-05-27 2021-05-27 Analysis device, analysis method, and analysis system
US18/563,346 US12542806B2 (en) 2021-05-27 2021-05-27 Analysis device, analysis method, and analysis system
JP2023523882A JP7552897B2 (ja) 2021-05-27 2021-05-27 Analysis device, analysis method, and analysis system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/020302 WO2022249416A1 (ja) 2021-05-27 2021-05-27 Analysis device, analysis method, and analysis system

Publications (1)

Publication Number Publication Date
WO2022249416A1 true WO2022249416A1 (ja) 2022-12-01

Family

ID=84228488

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/020302 Ceased WO2022249416A1 (ja) 2021-05-27 2021-05-27 Analysis device, analysis method, and analysis system

Country Status (3)

Country Link
US (1) US12542806B2
JP (1) JP7552897B2
WO (1) WO2022249416A1

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12393687B2 (en) * 2022-10-24 2025-08-19 Okta, Inc. Techniques for detecting command injection attacks

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2020155098A (ja) * 2019-03-22 2020-09-24 Hitachi, Ltd. Method and system for predicting attack paths in a computer network

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11695800B2 (en) * 2016-12-19 2023-07-04 SentinelOne, Inc. Deceiving attackers accessing network data
US11616812B2 (en) * 2016-12-19 2023-03-28 Attivo Networks Inc. Deceiving attackers accessing active directory data
US10762201B2 (en) * 2017-04-20 2020-09-01 Level Effect LLC Apparatus and method for conducting endpoint-network-monitoring
WO2019013266A1 (ja) * 2017-07-12 2019-01-17 Nippon Telegraph and Telephone Corporation Determination device, determination method, and determination program
WO2020006415A1 (en) * 2018-06-28 2020-01-02 Crowdstrike, Inc. Analysis of malware
US11403391B2 (en) * 2019-11-18 2022-08-02 Jf Rog Ltd Command injection identification
AU2019479339B2 (en) * 2019-12-17 2023-12-21 Ntt, Inc. Verification information correction device, verification information correction method and verification information correction program
EP4163809A4 (en) * 2020-06-05 2023-08-02 Fujitsu Limited Information processing program, information processing method, and information processing device
WO2022107290A1 (ja) * 2020-11-19 2022-05-27 NEC Corporation Analysis device, analysis system, analysis method, and analysis program
WO2022137883A1 (ja) * 2020-12-24 2022-06-30 NEC Corporation Attack information generation device, control method, and non-transitory computer-readable medium
KR20240036146A (ko) * 2020-12-29 2024-03-19 Kiwontech Co., Ltd. Apparatus for providing a mail-security-based zero-day URL attack defense service and its operating method
CN114884684A (zh) * 2021-01-21 2022-08-09 Huawei Technologies Co., Ltd. Attack success identification method and protection device
JP2022135641A (ja) * 2021-03-05 2022-09-15 Kioxia Corporation I/O command control device and storage system
US20240152603A1 (en) * 2021-03-16 2024-05-09 Nippon Telegraph And Telephone Corporation Device for extracting trace of act, method for extracting trace of act, and program for extracting trace of act
US20240152615A1 (en) * 2021-03-16 2024-05-09 Nippon Telegraph And Telephone Corporation Device for extracting trace of act, method for extracting trace of act, and program for extracting trace of act
JP7552864B2 (ja) * 2021-03-19 2024-09-18 NEC Corporation Analysis condition generation device, analysis system, analysis condition generation program, analysis program, analysis condition generation method, and analysis method
JPWO2022195862A1 * 2021-03-19 2022-09-22
US12609943B2 (en) * 2021-04-16 2026-04-21 Ntt, Inc. Application attack determination device, application attack determination method, and application attack determination program
JP7505642B2 (ja) * 2021-04-16 2024-06-25 Nippon Telegraph and Telephone Corporation Determination device, determination method, and determination program

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2020155098A (ja) * 2019-03-22 2020-09-24 Hitachi, Ltd. Method and system for predicting attack paths in a computer network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
KUROKI, KOTOMI ET AL.: "A Damage Identification Method Based on Syntax Analysis and Semantic Analysis for SQL Injection.", PREPRINTS OF 2020 SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY, 21 January 2020 (2020-01-21), pages 1 - 8 *
KUROKI, KOTOMI ET AL.: "Attack Intention Estimation Based on Syntax Analysis and Dynamic Analysis for SQL Injection", 2020 IEEE 44TH ANNUAL COMPUTERS, SOFTWARE, AND APPLICATIONS CONFERENCE (COMPSAC)., 13 July 2020 (2020-07-13), pages 1510 - 1515, XP033828690, DOI: 10.1109/COMPSAC48688.2020.00-41 *
ZHONG, YANG ET AL.: "A Log Correlation Method to Identify the Target and the Effect of Web Attacks.", CSS2015 PROCEEDINGS OF COMPUTER SECURITY SYMPOSIUM 2015. JOINTLY HELD ANTI MALWARE ENGINEERING WORKSHOP 2015 AND PRIVACY WORKSHOP 2015, vol. 2015, no. 3, 14 October 2015 (2015-10-14), pages 132 - 139 *

Also Published As

Publication number Publication date
JP7552897B2 (ja) 2024-09-18
US20240214417A1 (en) 2024-06-27
JPWO2022249416A1 2022-12-01
US12542806B2 (en) 2026-02-03

Similar Documents

Publication Publication Date Title
US10169585B1 (en) System and methods for advanced malware detection through placement of transition events
US7934261B1 (en) On-demand cleanup system
US11916937B2 (en) System and method for information gain for malware detection
US10642973B2 (en) System and method of analysis of files for maliciousness and determining an action
US10581879B1 (en) Enhanced malware detection for generated objects
US9239922B1 (en) Document exploit detection using baseline comparison
US9147073B2 (en) System and method for automatic generation of heuristic algorithms for malicious object identification
US9336389B1 (en) Rapid malware inspection of mobile applications
RU2726032C2 (ru) Systems and methods for detecting malware with a domain generation algorithm (DGA)
CN110119619B (zh) System and method for creating antivirus records
CN109558207B (zh) System and method for forming, in a virtual machine, a log for antivirus scanning of a file
RU2724790C1 (ru) System and method for generating a log when executing a file with vulnerabilities in a virtual machine
EP3547121B1 (en) Combining device, combining method and combining program
EP2881877A1 (en) Program execution device and program analysis device
CN110659478B (zh) Method for detecting malicious files that prevent analysis in an isolated environment
JP2021111384A (ja) System and method for preventing unauthorized memory dump modification
JP7552897B2 (ja) Analysis device, analysis method, and analysis system
JPWO2018131200A1 (ja) Analysis device, analysis method, and analysis program
WO2016095671A1 (zh) Message processing method and apparatus for an application program
CN115344861A (zh) Malware detection model construction and malware detection method and apparatus
CN111159111A (zh) Information processing method, device, system, and computer-readable storage medium
EP3361406A1 (en) System and method of analysis of files for maliciousness in a virtual machine
US20260067303A1 (en) Attack analysis device, attack analysis method, and non-transitory computer readable medium
WO2020240637A1 (ja) Learning device, determination device, learning method, determination method, learning program, and determination program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21943062

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023523882

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 18563346

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21943062

Country of ref document: EP

Kind code of ref document: A1

WWG Wipo information: grant in national office

Ref document number: 18563346

Country of ref document: US