WO2023228288A1 - Detection device, detection method, and detection program - Google Patents

Detection device, detection method, and detection program

Info

Publication number
WO2023228288A1
Authority
WO
WIPO (PCT)
Prior art keywords
malware
graph
target
subject
detection
Prior art date
Application number
PCT/JP2022/021305
Other languages
French (fr)
Japanese (ja)
Inventor
稜 久保田
利宣 碓井
裕平 川古谷
誠 岩村
Original Assignee
日本電信電話株式会社
Priority date
Filing date
Publication date
Application filed by 日本電信電話株式会社
Priority to PCT/JP2022/021305
Publication of WO2023228288A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present invention relates to a malware detection device, a detection method, and a detection program.
  • EDR Endpoint Detection & Response
  • IOC Indicators of Compromise
  • EIGER see Non-Patent Document 1
  • EIGER (see Non-Patent Document 1) is a technology that automatically generates IOCs from malware execution logs. By feeding a large number of IOCs generated by EIGER into existing EDR products, a wide range of malware can be detected.
  • POIROT is a method that uses graphs to detect malware on a terminal with high accuracy. POIROT uses graph pattern matching to detect the same (or variant) malware from past logs by manually creating a graph called a query graph that expresses the relationships between traces left behind by malware.
  • whereas an IOC can only express conditions for a single trace or conditions that combine multiple traces with AND or OR, the above query graph can also express dependencies between traces. Therefore, matching using a query graph allows malware to be detected with high accuracy.
  • an object of the present invention is to detect the latest malware with high accuracy and over a wide range.
  • the present invention comprises a malware analysis unit that analyzes an executable file of malware and creates an execution log indicating a series of execution processes of the malware; a first graph creation unit that uses the execution log of the malware to create a first graph in which the subjects and targets of operations in the series of execution processes of the malware are nodes and the operation that a subject performs on its target is represented by an edge connecting the nodes; a second graph creation unit that uses a monitoring log indicating a series of execution processes executed on a monitored terminal to create a second graph of the same form for the terminal; a matching unit that performs matching between the second graph and one or more of the first graphs; and a detection result output unit that detects malware based on the match rate between the second graph and one or more of the first graphs and outputs the result of the detection.
  • the latest malware can be detected with high precision and over a wide range.
  • FIG. 1 is a diagram illustrating an overview of a detection device.
  • FIG. 2 is a diagram showing an example of the configuration of the detection device.
  • FIG. 3 is a flowchart illustrating an example of processing executed by the malware analysis section of FIG. 2.
  • FIG. 4 is a diagram showing an example of an execution log.
  • FIG. 5 is a flowchart illustrating an example of processing executed by the first graph creation section in FIG. 1.
  • FIG. 6 is a diagram showing an example of a query graph created by the first graph creation section in FIG. 1.
  • FIG. 7 is a flowchart illustrating an example of a procedure in which the detection device creates a query graph.
  • FIG. 8 is a flowchart illustrating an example of a procedure in which the detection device detects malware.
  • FIG. 9 is a diagram showing an example of the configuration of a computer that executes the detection program.
  • the detection device 10 automatically creates a query graph from the executable file of malware, and uses the created query graph to detect malware on a terminal to be monitored.
  • the detection device 10 includes a creation unit 131 that creates a query graph from a malware executable file, and a detection unit 134 that performs malware detection using the query graph.
  • the creation unit 131 includes a malware analysis unit 132 and a first graph creation unit 133.
  • the malware analysis unit 132 dynamically analyzes the execution file of the malware and creates a log (execution log) indicating the behavior of the malware.
  • the first graph creation unit 133 creates a query graph using the malware execution log.
  • the detection unit 134 includes a second graph creation unit 135 and a matching unit 136.
  • the second graph creation unit 135 acquires the monitoring log of the terminal to be monitored, and creates a graph called a provenance graph.
  • the matching unit 136 detects malware on the monitored terminal by matching the above-mentioned provenance graph with the query graph. When the detection unit 134 detects malware from the monitored terminal, it outputs an alert or the like.
  • the detection device 10 automatically creates a malware query graph and detects malware, so it can detect the latest malware with high accuracy and over a wide range.
  • the detection device 10 includes, for example, an input/output section 11, a storage section 12, and a control section 13.
  • the input/output unit 11 is an interface that controls input and output of various data.
  • the input/output unit 11 receives inputs such as executable files of malware and monitoring logs of terminals to be monitored.
  • the input/output unit 11 outputs the results of malware detection by the control unit 13 and the like.
  • the storage unit 12 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk.
  • the storage unit 12 stores, for example, processing programs for realizing the functions of the detection device 10, execution files of malware, monitoring logs of terminals to be monitored, and the like.
  • the control unit 13 is realized using, for example, a CPU (Central Processing Unit).
  • the control unit 13 functions as the creation unit 131 and the detection unit 134 by executing the processing program stored in the storage unit 12.
  • the creation unit 131 includes a malware analysis unit 132 and a first graph creation unit 133.
  • upon receiving input of an executable file of malware, the malware analysis unit 132 executes the executable file and monitors its behavior, thereby creating an execution log indicating a series of processes executed by the malware. Details of the malware analysis unit 132 will be explained using FIG. 3.
  • when the malware analysis unit 132 acquires a malware sample (malware executable file) from the storage unit 12 (S1), it executes the malware sample for a predetermined period of time in an isolated environment (S2).
  • the malware analysis unit 132 uses an API (Application Programming Interface) tracer to monitor API calls (for example, the Win32 API of the Windows (registered trademark) OS (Operating System), or the syscalls of Linux (registered trademark)), and each time a predetermined API is called, it outputs information about the call to the execution log file (S3).
  • API Application Programming Interface
  • the malware analysis unit 132 monitors API calls by using an API tracer that can monitor calls from malware to an OS API along with information on arguments and return values. Then, the malware analysis unit 132 outputs information regarding the call obtained through monitoring to an execution log file.
  • the APIs to be monitored here are limited to those related to, for example, reading/writing files, creating/terminating processes, operations related to injecting code into other processes, sending/receiving on sockets, and, in the case of Windows OS, reading/writing the registry.
  • after S3, the malware analysis unit 132 returns the execution log file (S4) and returns to the process of S1.
  • the execution log file includes one or more execution logs.
  • the execution log shows the PID (process ID, identification information of the process that is the subject of the operation) of the caller of the execution process, the type of operation of the PID, the target of the operation, etc.
  • the types of operations include, for example, reading/writing files, creating/terminating processes, operations related to injecting code into other processes (for example, CreateRemoteThread, etc.), sending/receiving to sockets, etc.
  • the types of operations further include reading and writing the registry.
  • the target of the operation is, for example, the file path if the target is a file, the key/value path if it is a registry entry, the process ID (or parent process ID if creating a process) if it is a process, the IP address of the communication destination if it is a socket, and, for APIs related to code injection, the target process ID.
  • when the target of the operation is a resource that is operated through a handle, such as a registry key, the target cannot be identified from the information of the corresponding call alone.
  • the first graph creation unit 133 creates a query graph (first graph) using the malware execution log created by the malware analysis unit 132.
  • the first graph creation unit 133 sets the subject and target of an operation as nodes, and creates a query graph in which the operation that the subject performs on the target is represented by an edge connecting those nodes. Details of the first graph creation unit 133 will be explained using FIG. 5.
  • the first graph creation unit 133 obtains the execution log of the malware created by the malware analysis unit 132, as shown in FIG. 5 (S11). Then, the first graph creation unit 133 prepares an empty graph G (S12), executes the processes of S13 to S16 shown below for each execution log acquired in S11, and then returns the graph G (S17). After that, the process returns to S1.
  • for example, if the nodes corresponding to the subject and target of the operation indicated in the execution log acquired in S11 do not yet exist in the graph G, the first graph creation unit 133 creates those nodes (S13).
  • the first graph creation unit 133 then determines whether the operation of interest in the execution log is a read access or a reception (S14). If it is (Yes in S14), the process advances to S15, and the first graph creation unit 133 adds to the graph G an edge from the node that is the target of the operation to the node that is the subject of the operation, labeled with the type of operation, if such an edge does not yet exist (S15).
  • otherwise (No in S14), the process proceeds to S16, and the first graph creation unit 133 adds to the graph G an edge from the node that is the subject of the operation to the node that is the target of the operation, labeled with the type of operation, if such an edge does not yet exist (S16).
  • the first graph creation unit 133 can create a query graph corresponding to the execution log of the malware.
  • the first graph creation unit 133 represents processes, files, and sockets as nodes, as in the provenance graph of POIROT (see Non-Patent Document 2), and represents each specific behavior as an edge between nodes. Note that in the case of Windows OS, the first graph creation unit 133 also represents registry keys as nodes.
  • processes are distinguished by their PIDs; however, since the PID of a terminated process is reused by a new process, the first graph creation unit 133 assigns a separate node to that new process.
  • the first graph creation unit 133 distinguishes the above-mentioned registries and files by path, and distinguishes sockets by IP address.
  • for read accesses and receptions, the first graph creation unit 133 directs the edge from the node that is the target of the operation to the node that is the subject of the operation; otherwise, it uses the opposite direction.
  • the first graph creation unit 133 creates the query graph shown in FIG. 6 based on the execution log shown in FIG. 4. Note that in the query graph shown in FIG. 6, labels indicating the type of operation are not written on the edges.
  • the final query graph created by the first graph creation unit 133 does not include the PID in the node (process node) that is the subject of the operation. This allows the matching unit 136 to match an arbitrary process node when matching the provenance graph and the query graph.
  • the detection unit 134 detects malware from a terminal to be monitored. For example, the detection unit 134 obtains a monitoring log indicating a series of execution processes executed on a terminal to be monitored, and creates a provenance graph based on the monitoring log.
  • the detection unit 134 detects malware in the terminal to be monitored by matching the above provenance graph with the malware query graph created by the creation unit 131.
  • when the detection unit 134 detects malware from the monitored terminal, it outputs an alert or the like.
  • the detection unit 134 includes a second graph creation unit 135, a matching unit 136, and a detection result output unit 137.
  • based on the monitoring log of the monitored terminal, the second graph creation unit 135 creates a provenance graph (second graph) in which the subject and target of each operation in the series of execution processes of the monitored terminal are nodes, and the operation that the subject performs on the target is represented by an edge connecting the nodes.
  • the method for creating the provenance graph is the same as the method for creating the query graph described above, so the explanation will be omitted. Note that it is preferable that the monitoring log used to create the provenance graph records all the execution processes of the terminal to be monitored.
  • the matching unit 136 performs matching between the provenance graph created by the second graph creation unit 135 and one or more query graphs created by the first graph creation unit 133.
  • any matching method can be used here, such as strict subgraph matching or the approximate matching proposed in POIROT (see Non-Patent Document 2).
  • the detection result output unit 137 detects malware in the monitored terminal based on the matching result by the matching unit 136, and outputs the detection result. For example, the detection result output unit 137 detects malware for which the match rate between the provenance graph and the query graph is greater than or equal to a predetermined value as malware existing in the monitored terminal, and outputs the detection result.
  • Example of processing procedure: next, an example of the processing procedure executed by the detection device 10 will be described using FIGS. 7 and 8. First, an example of the procedure by which the detection device 10 creates a malware query graph will be described with reference to FIG. 7.
  • when the malware analysis unit 132 of the detection device 10 acquires a malware executable file (S21 in FIG. 7), it analyzes the acquired file and creates a malware execution log (S22). The first graph creation unit 133 then creates a query graph based on the execution log created in S22 (S23).
  • the second graph creation unit 135 creates a provenance graph corresponding to the acquired monitoring log (S32).
  • the matching unit 136 performs matching between the provenance graph created in S32 and the query graph created in S23 of FIG. 7 (S33).
  • the detection result output unit 137 detects malware based on the matching result in S33 (S34), and outputs the result of malware detection (S35).
  • the detection device 10 automatically creates a query graph from the malware executable file, and uses the created query graph to detect malware on the monitored terminal. As a result, the detection device 10 can detect the latest malware with high accuracy and over a wide range.
  • each component of each part shown in the drawings is functionally conceptual, and does not necessarily need to be physically configured as shown in the drawings.
  • the specific form of distributing and integrating each device is not limited to what is shown in the drawings; all or part of the devices can be functionally or physically distributed or integrated in arbitrary units depending on various loads, usage conditions, and the like.
  • all or any part of each processing function performed by each device may be realized by a CPU and a program executed by the CPU, or may be realized as hardware using wired logic.
  • the detection device 10 described above can be implemented by installing a program (detection program) in a desired computer as package software or online software. For example, by causing the information processing device to execute the above program, the information processing device can be made to function as the detection device 10.
  • the information processing device referred to here includes mobile communication terminals such as smartphones, mobile phones, and PHSs (Personal Handyphone Systems), as well as terminals such as PDAs (Personal Digital Assistants).
  • FIG. 9 is a diagram showing an example of a computer that executes the detection program.
  • Computer 1000 includes, for example, a memory 1010 and a CPU 1020.
  • the computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These parts are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
  • the ROM 1011 stores, for example, a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1090.
  • Disk drive interface 1040 is connected to disk drive 1100.
  • Serial port interface 1050 is connected to, for example, mouse 1110 and keyboard 1120.
  • Video adapter 1060 is connected to display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process executed by the detection device 10 described above is implemented as a program module 1093 in which code executable by a computer is written.
  • Program module 1093 is stored in hard disk drive 1090, for example.
  • a program module 1093 for executing processing similar to the functional configuration of the detection device 10 is stored in the hard disk drive 1090.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the data used in the processing of the embodiment described above is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary and executes them.
  • program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like.
  • the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). The program module 1093 and program data 1094 may then be read by the CPU 1020 from another computer via the network interface 1070.
  • LAN Local Area Network
  • WAN Wide Area Network
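
The query graph construction of S11 to S17 (node creation, the edge-direction rule for read accesses and receptions, a fresh node for a reused PID, PID-free process nodes) and the match-rate detection of S33 to S35, worked through as an added Python example; this is illustrative code written for this page, not the patent's or the inventors' implementation. The operation names, log tuples, paths and the 203.0.113.7 address are constructed, and the exhaustive match-rate search stands in for the POIROT matching the page refers to.

```python
import itertools
from collections import defaultdict

# Operation type -> kind of resource it targets (constructed mapping of the
# page's operation classes: files, registry, sockets, processes).
OP_KIND = {"ReadFile": "file", "WriteFile": "file",
           "RegQueryValue": "registry", "RegSetValue": "registry",
           "send": "socket", "recv": "socket",
           "CreateProcess": "process", "TerminateProcess": "process",
           "CreateRemoteThread": "process"}
# Read accesses and receptions move data into the subject, so their edge runs
# target -> subject (S14/S15); every other edge runs subject -> target (S16).
INBOUND = {"ReadFile", "RegQueryValue", "recv"}


class Graph:
    def __init__(self):
        self.labels = {}    # node id -> label compared during matching
        self.edges = set()  # (src node id, dst node id, operation type)


def build_graph(log, keep_pids=True):
    """S11-S17: a node per subject/target, one labelled edge per (subject, target, op).
    log: (pid, operation, target) tuples. Process nodes are keyed by (pid, generation);
    the generation is bumped when a terminated PID reappears, so a reused PID becomes
    a new node. keep_pids=False (query graphs) labels process nodes just "process"."""
    g, gen, dead = Graph(), defaultdict(int), set()

    def proc(pid):
        if pid in dead:                 # PID reused after termination: new node
            dead.discard(pid)
            gen[pid] += 1
        nid = f"process:{pid}#{gen[pid]}"
        g.labels[nid] = f"process:{pid}" if keep_pids else "process"
        return nid

    for pid, op, target in log:
        if op not in OP_KIND:           # not one of the monitored operation types
            continue
        subj = proc(pid)
        if OP_KIND[op] == "process":
            tgt = proc(target)
        else:                           # files/registry keyed by path, sockets by IP
            tgt = f"{OP_KIND[op]}:{target}"
            g.labels[tgt] = tgt
        g.edges.add((tgt, subj, op) if op in INBOUND else (subj, tgt, op))
        if op == "TerminateProcess":
            dead.add(target)
    return g


def match_rate(prov, query):
    """Fraction of query edges present in prov under the best injective assignment
    of query process nodes to prov process nodes (None = unmatched); other nodes
    match only the identical path/IP. Exhaustive search, for small query graphs."""
    fixed = {q: (q if q in prov.labels else None)
             for q, lab in query.labels.items() if lab != "process"}
    q_procs = [q for q, lab in query.labels.items() if lab == "process"]
    pool = [p for p, lab in prov.labels.items()
            if lab.startswith("process")] + [None] * len(q_procs)
    best = 0
    for choice in itertools.permutations(pool, len(q_procs)):
        m = {**fixed, **dict(zip(q_procs, choice))}
        best = max(best, sum((m[s], m[d], op) in prov.edges
                             for s, d, op in query.edges))
    return best / len(query.edges) if query.edges else 0.0


def detect(prov, query_graphs, threshold=0.8):
    """S33-S35: report each query graph whose match rate reaches the threshold."""
    rates = {name: match_rate(prov, q) for name, q in query_graphs.items()}
    return {name: r for name, r in rates.items() if r >= threshold}


# Constructed sandbox execution log of one sample: (caller PID, operation, target).
MALWARE_LOG = [
    (100, "ReadFile", r"C:\Users\victim\Documents\notes.txt"),
    (100, "WriteFile", r"C:\Temp\update.exe"),
    (100, "CreateProcess", 200),
    (200, "RegSetValue", r"HKCU\Software\ExampleVendor\Startup\update"),
    (200, "send", "203.0.113.7"),
    (200, "recv", "203.0.113.7"),
    (200, "CreateRemoteThread", 300),
]
# Constructed terminal monitoring log: the same behaviour under other PIDs, minus
# the code injection, interleaved with activity of an unrelated benign process.
MONITOR_LOG = [
    (9001, "ReadFile", r"C:\Windows\System32\notepad.exe"),
    (4410, "ReadFile", r"C:\Users\victim\Documents\notes.txt"),
    (4410, "WriteFile", r"C:\Temp\update.exe"),
    (4410, "CreateProcess", 4532),
    (4532, "RegSetValue", r"HKCU\Software\ExampleVendor\Startup\update"),
    (4532, "send", "203.0.113.7"),
    (4532, "recv", "203.0.113.7"),
]
QUERY_GRAPHS = {"sample_A": build_graph(MALWARE_LOG, keep_pids=False)}

if __name__ == "__main__":
    print("detected:", detect(build_graph(MONITOR_LOG), QUERY_GRAPHS))
```

Running the module prints the query graphs whose match rate reaches the 0.8 threshold (an assumed value; the page only says "a predetermined value"); here sample_A matches 6 of its 7 edges.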

Abstract

In the present invention, a detection device (10) dynamically analyzes a malware executable file and creates a malware execution log. Next, the detection device (10) creates a query graph using the malware executable file, in which a series of malware execution processes is indicated by nodes and edges. The detection device (10) also acquires a monitoring log that indicates a series of execution processes at the terminal being monitored and creates a provenance graph using the acquired monitoring log, in which the series of execution processes of the terminal being monitored is indicated by nodes and edges. Then, the detection device (10) matches the provenance graph with one or more malware query graphs so as to detect malware.

Description

Detection device, detection method, and detection program
The present invention relates to a malware detection device, a detection method, and a detection program.
Conventionally, Endpoint Detection & Response (EDR) has been widely deployed to detect malware attacks on PC terminals in corporate networks. In EDR, an agent installed on the terminal performs continuous monitoring using Indicators of Compromise (IOC), which are detection rules for the traces that malware leaves behind when it is executed.
In general, it is desirable that EDR neither falsely detects benign programs nor overlooks malware. Many false positives increase the cost of human response, and misses lead to greater damage. EIGER (see Non-Patent Document 1) is a technology that automatically generates IOCs from malware execution logs. By feeding a large number of IOCs generated by EIGER into existing EDR products, a wide range of malware can be detected.
POIROT (see Non-Patent Document 2) is a method that uses graphs to detect malware on a terminal with high accuracy. In POIROT, a human manually creates a graph called a query graph that expresses the relationships between the traces left by malware, and the same (or variant) malware is detected from past logs by graph pattern matching.
Whereas an IOC can only express a condition on a single trace, or a condition combining multiple traces with AND or OR, the above query graph can also express the dependencies between traces. Matching with a query graph therefore allows malware to be detected with high accuracy.
Although POIROT enables highly accurate malware detection, an expert must create the query graphs by hand. Moreover, new malware appears every day, and creating query graphs for a wide range of malware is extremely costly. It has therefore been difficult to detect the latest malware with high accuracy and over a wide range. An object of the present invention is thus to detect the latest malware with high accuracy and over a wide range.
To solve the above problem, the present invention comprises: a malware analysis unit that analyzes an executable file of malware and creates an execution log indicating a series of execution processes of the malware; a first graph creation unit that uses the execution log of the malware to create a first graph in which the subjects and targets of operations in the series of execution processes of the malware are nodes and the operation that a subject performs on its target is represented by an edge connecting the nodes; a second graph creation unit that uses a monitoring log indicating a series of execution processes executed on a monitored terminal to create a second graph in which the subjects and targets of operations in the series of execution processes of the terminal are nodes and the operation that a subject performs on its target is represented by an edge connecting the nodes; a matching unit that performs matching between the second graph and one or more of the first graphs; and a detection result output unit that detects malware based on the match rate between the second graph and one or more of the first graphs and outputs the result of the detection.
According to the present invention, the latest malware can be detected with high accuracy and over a wide range.
FIG. 1 is a diagram illustrating an overview of the detection device.
FIG. 2 is a diagram showing a configuration example of the detection device.
FIG. 3 is a flowchart illustrating an example of processing executed by the malware analysis unit of FIG. 2.
FIG. 4 is a diagram showing an example of an execution log.
FIG. 5 is a flowchart illustrating an example of processing executed by the first graph creation unit of FIG. 1.
FIG. 6 is a diagram showing an example of a query graph created by the first graph creation unit of FIG. 1.
FIG. 7 is a flowchart illustrating an example of the procedure by which the detection device creates a query graph.
FIG. 8 is a flowchart illustrating an example of the procedure by which the detection device detects malware.
FIG. 9 is a diagram showing a configuration example of a computer that executes the detection program.
Hereinafter, an embodiment of the present invention will be described with reference to the drawings. The present invention is not limited to this embodiment.
[Overview]
First, an overview of the detection device 10 of this embodiment will be given using FIG. 1. The detection device 10 automatically creates a query graph from an executable file of malware, and uses the created query graph to detect malware on a monitored terminal.
The detection device 10 includes a creation unit 131 that creates a query graph from the malware executable file, and a detection unit 134 that detects malware using the query graph.
The creation unit 131 includes a malware analysis unit 132 and a first graph creation unit 133. The malware analysis unit 132 dynamically analyzes the executable file of the malware and creates a log (execution log) indicating the behavior of the malware. The first graph creation unit 133 creates a query graph using the malware execution log.
The detection unit 134 includes a second graph creation unit 135 and a matching unit 136. The second graph creation unit 135 acquires the monitoring log of the monitored terminal and creates a graph called a provenance graph. The matching unit 136 detects malware on the monitored terminal by matching this provenance graph against the query graph. When the detection unit 134 detects malware on the monitored terminal, it outputs an alert or the like.
Because the detection device 10 creates malware query graphs automatically and uses them for detection, it can detect the latest malware with high accuracy and over a wide range.
[Configuration example]
A configuration example of the detection device 10 will be described using FIG. 2. The detection device 10 includes, for example, an input/output unit 11, a storage unit 12, and a control unit 13.
The input/output unit 11 is an interface that handles the input and output of various data. For example, the input/output unit 11 accepts inputs such as malware executable files and monitoring logs of monitored terminals. The input/output unit 11 also outputs the results of malware detection by the control unit 13 and the like.
The storage unit 12 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or flash memory, or by a storage device such as a hard disk or an optical disk.
The storage unit 12 stores, for example, the processing program for realizing the functions of the detection device 10, malware executable files, and monitoring logs of monitored terminals.
The control unit 13 is realized using, for example, a CPU (Central Processing Unit). By executing the processing program stored in the storage unit 12, the control unit 13 functions as the creation unit 131 and the detection unit 134.
[Creation unit]
The creation unit 131 includes a malware analysis unit 132 and a first graph creation unit 133.
[Malware analysis unit]
When the malware analysis unit 132 receives a malware executable file as input, it executes the file and monitors its behavior, thereby creating an execution log showing the series of execution processes performed by the malware. Details of the malware analysis unit 132 will be explained using FIG. 3.
For example, as shown in FIG. 3, when the malware analysis unit 132 acquires a malware sample (malware executable file) from the storage unit 12 (S1), it executes the sample for a predetermined time in an isolated environment (S2).
The malware analysis unit 132 then uses an API (Application Programming Interface) tracer to monitor API calls (for example, Win32 API calls on the Windows (registered trademark) OS (Operating System), syscalls on Linux (registered trademark), and so on), and each time a predetermined API is called, it writes information about that call to an execution log file (S3). For example, the malware analysis unit 132 monitors API calls using an API tracer that can observe calls from the malware to the OS API together with their arguments and return values, and writes the call information obtained through monitoring to the execution log file.
The APIs monitored here are limited to those related to, for example, reading and writing files, creating and terminating processes, injecting code into other processes, sending to and receiving from sockets, and, on Windows OS, reading and writing the registry.
After S3, the malware analysis unit 132 returns the execution log file (S4) and returns to the process of S1.
Here, an example of the execution log file created by the malware analysis unit 132 will be described using FIG. 4. As shown in FIG. 4, the execution log file contains one or more execution logs.
Each execution log shows the PID of the caller in the execution process (the process ID, i.e., the identifier of the process that is the subject of the operation), the type of operation performed by that PID, the target of the operation, and so on.
The types of operations include, for example, reading and writing files, creating and terminating processes, operations related to injecting code into other processes (for example, CreateRemoteThread), and sending to and receiving from sockets. On Windows OS, the types of operations further include reading and writing the registry.
The target of the operation is, for example, the file path when the target is a file, the key/value path when it is a registry entry, the process ID when it is a process (plus the parent process ID in the case of process creation), the IP address of the communication peer when it is a socket, and the target process ID for code-injection-related APIs.
However, when the target of the operation is a resource that is operated through a handle, as with a registry key, the target may not be identifiable from the information of that call alone. In the registry key case, calling RegOpenKey again with the handle obtained from an earlier RegOpenKey as its argument opens a key at a deeper path (a subkey). Therefore, when the target of an operation cannot be identified from the information of the call in question alone, the malware analysis unit 132 recursively traces back through past calls to obtain the information and writes it to the execution log file.
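The handle-resolution step described above, as an added example that is not the patent's own code: a tracer records Win32-style registry calls with their arguments and return values, and a post-processor turns each value read or write into an execution-log entry whose target is the full key path, walking back through the same process's earlier calls whenever the target is only known through a handle. The trace contents and the value name "logger" are constructed; the HKEY_CURRENT_USER root handle value and the RegOpenKeyEx, RegSetValueEx, RegQueryValueEx and RegCloseKey names are the real Win32 ones, but the argument snapshot format is an assumption of this example.

```python
"""Resolving handle-based registry targets in an API trace (added example)."""
from dataclasses import dataclass

# Predefined root key handles as Windows defines them (real HKEY_* values).
PREDEFINED_KEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
OPEN_APIS = {"RegOpenKeyEx", "RegCreateKeyEx"}
VALUE_APIS = {"RegQueryValueEx": "reg_read", "RegSetValueEx": "reg_write"}


@dataclass
class ApiCall:
    pid: int
    api: str
    args: dict   # argument snapshot captured by the tracer (constructed format)
    ret: int     # return value; for open/create calls, the resulting handle


def resolve_handle(calls, idx, hkey):
    """Full key path that handle `hkey` denotes at calls[idx], or None if unknown.

    Walks backwards through the same process's earlier calls: the most recent
    open/create that returned this handle defines it (recursively through its
    own parent handle); a close seen first means the handle is stale."""
    if hkey in PREDEFINED_KEYS:
        return PREDEFINED_KEYS[hkey]
    pid = calls[idx].pid
    for j in range(idx - 1, -1, -1):
        prev = calls[j]
        if prev.pid != pid:
            continue                       # handles are per process
        if prev.api == "RegCloseKey" and prev.args["hKey"] == hkey:
            return None                    # closed before this call, never reopened
        if prev.api in OPEN_APIS and prev.ret == hkey:
            parent = resolve_handle(calls, j, prev.args["hKey"])
            if parent is None:
                return None
            sub = prev.args.get("lpSubKey") or ""
            return parent + "\\" + sub if sub else parent
    return None


def build_registry_log(calls):
    """Execution-log entries (subject PID, operation type, target) for value accesses."""
    log = []
    for i, call in enumerate(calls):
        op = VALUE_APIS.get(call.api)
        if op is None:
            continue
        key = resolve_handle(calls, i, call.args["hKey"])
        target = key + "\\" + call.args["lpValueName"] if key else "<unresolved handle>"
        log.append({"pid": call.pid, "op": op, "target": target})
    return log


# Constructed trace: the Run key is reached through two nested opens, written,
# closed, and then a stale handle is used again.
TRACE = [
    ApiCall(14, "RegOpenKeyEx", {"hKey": 0x80000001, "lpSubKey": "Software\\Microsoft\\Windows"}, 0x1A4),
    ApiCall(14, "RegOpenKeyEx", {"hKey": 0x1A4, "lpSubKey": "CurrentVersion\\Run"}, 0x1B0),
    ApiCall(14, "RegSetValueEx", {"hKey": 0x1B0, "lpValueName": "logger"}, 0),
    ApiCall(14, "RegCloseKey", {"hKey": 0x1B0}, 0),
    ApiCall(14, "RegCloseKey", {"hKey": 0x1A4}, 0),
    ApiCall(14, "RegQueryValueEx", {"hKey": 0x1B0, "lpValueName": "logger"}, 0),
]

if __name__ == "__main__":
    for entry in build_registry_log(TRACE):
        print(entry)
```

Walking backwards rather than keeping a forward handle table is what makes the stale-handle case explicit: the second use of handle 0x1B0 meets its RegCloseKey before any open that produced it, so the entry is marked unresolved instead of being attributed to the Run key.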
[First graph creation unit]
Returning to FIG. 3. The first graph creation unit 133 creates a query graph (first graph) using the malware execution log created by the malware analysis unit 132.
For example, the first graph creation unit 133 creates a query graph in which the subjects and targets of operations in the series of execution processes of the malware shown in the execution log are nodes, and the operation that a subject performs on a target is an edge connecting those nodes. Details of the first graph creation unit 133 will be explained using FIG. 5.
For example, as shown in FIG. 5, the first graph creation unit 133 acquires the malware execution log created by the malware analysis unit 132 (S11). It then prepares an empty graph G (S12), performs the processes S13 to S16 described below for each execution log acquired in S11, and then returns the graph G (S17). After that, the process returns to S1.
For example, if nodes corresponding to the subject and the target of the operation shown in the malware execution log acquired in S11 do not yet exist in the graph G, the first graph creation unit 133 creates them (S13).
Next, the first graph creation unit 133 determines whether the operation of interest in the execution log is a read access or a receive (S14). If it is (Yes in S14), the process advances to S15, and the first graph creation unit 133 adds to the graph G an edge labelled with the operation type from the node of the operation's target to the node of the operation's subject, unless such an edge already exists (S15).
On the other hand, if the first graph creation unit 133 determines that the operation of interest is neither a read access of the target nor a receive (No in S14), the process proceeds to S16, and the first graph creation unit 133 adds to the graph G an edge labelled with the operation type from the node of the operation's subject to the node of the operation's target, unless such an edge already exists (S16).
In this way, the first graph creation unit 133 can create a query graph corresponding to the malware execution log.
Note that when creating the query graph above, the first graph creation unit 133, like the provenance graph of POIROT (see Non-Patent Document 2), represents processes, files, and sockets as nodes and their concrete behaviors as edges between nodes. On Windows OS, the first graph creation unit 133 also represents registry entries as nodes.
Also, although the processes above are distinguished by PID, the PID of a terminated process is reused for a new process. Therefore, the first graph creation unit 133 assigns a separate node to such a new process.
The first graph creation unit 133 distinguishes registry entries and files by path, and sockets by IP address.
Furthermore, when the operation type is a read access or a receive, the first graph creation unit 133 directs the edge from the node of the operation's target to the node of the operation's subject; otherwise the edge runs in the opposite direction.
For example, based on the execution log shown in FIG. 4, the first graph creation unit 133 creates the query graph shown in FIG. 6. In the query graph of FIG. 6, the labels indicating the operation type are omitted from the edges.
For example, as shown in FIG. 6, the first graph creation unit 133 creates nodes for the subject of an operation in the execution log of FIG. 4 (for example, pid:14) and for the targets of that subject's operations (for example, path=C:\Temp\logger.exe, path=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and image path=C:\Temp\logger.exe, pid=20).
It also creates nodes for another subject in the execution log of FIG. 4 (for example, pid:20) and for the target of that subject's operation (for example, path=C:\Temp\logs). The first graph creation unit 133 then connects each subject node to the nodes of the targets of that subject's operations with edges.
Note that in the execution log of FIG. 4, the target "image path=C:\Temp\logger.exe, pid=20" of the operation by pid:14 is the creation of the process with pid=20, so the first graph creation unit 133 connects the node of pid:14 and the node of pid:20 with an edge.
Furthermore, the final query graph created by the first graph creation unit 133 does not include the PID in the subject (process) nodes. This allows the matching unit 136 to match any process node when matching the provenance graph against the query graph.
[Detection unit]
Returning to FIG. 2. The detection unit 134 detects malware on the monitored terminal. For example, the detection unit 134 acquires a monitoring log showing the series of execution processes run on the monitored terminal and creates a provenance graph based on that log.
Next, the detection unit 134 detects malware on the monitored terminal by matching this provenance graph against the malware query graphs created by the creation unit 131. When the detection unit 134 detects malware on the monitored terminal, it outputs an alert or the like.
The detection unit 134 includes a second graph creation unit 135, a matching unit 136, and a detection result output unit 137.
[Second graph creation unit]
Based on the monitoring log of the monitored terminal, the second graph creation unit 135 creates a provenance graph (second graph) in which the subjects and targets of operations in the series of execution processes of the monitored terminal are nodes, and the operation that a subject performs on a target is an edge connecting those nodes.
The provenance graph is created in the same way as the query graph described above, so the explanation is omitted. The monitoring log used to create the provenance graph preferably records all execution processes of the monitored terminal.
[Matching unit]
The matching unit 136 matches the provenance graph created by the second graph creation unit 135 against one or more query graphs created by the first graph creation unit 133.
Any matching method can be used here, such as strict subgraph matching or the fuzzy matching proposed in POIROT (see Non-Patent Document 2).
[Detection result output unit]
The detection result output unit 137 detects malware on the monitored terminal based on the matching results of the matching unit 136 and outputs the detection result. For example, the detection result output unit 137 detects malware whose match rate between the provenance graph and its query graph is at or above a predetermined value as malware present on the monitored terminal, and outputs that detection result.
[Example of processing procedure]
Next, an example of the processing procedure executed by the detection device 10 will be described using FIGS. 7 and 8. First, an example of the procedure by which the detection device 10 creates a malware query graph will be described using FIG. 7.
When the malware analysis unit 132 of the detection device 10 acquires a malware executable file (S21 in FIG. 7), it analyzes the acquired file and creates a malware execution log (S22). The first graph creation unit 133 then creates a query graph based on the execution log created in S22 (S23).
Next, when the second graph creation unit 135 acquires the monitoring log of the monitored terminal (S31 in FIG. 8), it creates a provenance graph corresponding to the acquired monitoring log (S32). The matching unit 136 then matches the provenance graph created in S32 against the query graph created in S23 of FIG. 7 (S33). Finally, the detection result output unit 137 detects malware based on the matching result of S33 (S34) and outputs the malware detection result (S35).
In this way, the detection device 10 automatically creates a query graph from a malware executable file and uses the created query graph to detect malware on the monitored terminal. As a result, the detection device 10 can detect the latest malware with high accuracy and over a wide range.
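The graph construction of S12 to S17 (including the edge-direction rule of S14 to S16, fresh nodes for reused PIDs, and PID-free process nodes) together with the matching and thresholding of S33 to S35, as one added example that is not the patent's own implementation. The malware log mirrors the FIG. 4 narrative (pid 14 writing C:\Temp\logger.exe and the Run key, then creating pid 20, which writes C:\Temp\logs); the monitoring log, the operation names, the 0.8 threshold, and the exhaustive partial-embedding matcher are assumptions of this example (the patent allows any matcher, strict or POIROT-style).

```python
"""Query/provenance graph construction and matching (added example, not the patent's code)."""
from dataclasses import dataclass

# Operations whose edge runs target -> subject (S15); all others run subject -> target (S16).
READ_LIKE = {"read_file", "read_registry", "recv"}


@dataclass
class LogEntry:
    pid: int             # subject of the operation (caller PID)
    op: str              # operation type, used as the edge label
    kind: str            # "file" | "registry" | "socket" | "process"
    target: str          # file path, key path, peer IP, or image path of a created process
    target_pid: int = 0  # target process when kind == "process"


class Graph:
    def __init__(self):
        self.nodes = {}      # node id -> (kind, name); name is "" for processes (no PID kept)
        self.edges = set()   # (src, label, dst); a set so a repeated operation adds no edge


def build_graph(entries):
    """S12-S17: nodes for each subject/target, one labelled edge per distinct operation."""
    g, live, seq = Graph(), {}, [0]   # live: pid -> node id of the process currently holding that PID

    def proc_node(pid):
        if pid not in live:
            live[pid] = f"proc{seq[0]}"
            seq[0] += 1
            g.nodes[live[pid]] = ("process", "")
        return live[pid]

    for e in entries:
        subj = proc_node(e.pid)
        if e.kind == "process":
            if e.op == "create_process":
                live.pop(e.target_pid, None)   # a new process gets a new node even if its PID was reused
            obj = proc_node(e.target_pid)
            if e.op == "terminate_process":
                live.pop(e.target_pid, None)   # the next appearance of this PID is a different process
        else:
            obj = f"{e.kind}:{e.target}"       # files/registry keyed by path, sockets by IP
            g.nodes.setdefault(obj, (e.kind, e.target))
        g.edges.add((obj, e.op, subj) if e.op in READ_LIKE else (subj, e.op, obj))
    return g


def _compatible(q, p):
    """A query node matches a provenance node of the same kind; process nodes match any process."""
    return q[0] == p[0] and (q[0] == "process" or q[1] == p[1])


def match_rate(query, prov):
    """Largest fraction of query edges embedded in prov over injective node mappings.
    A query node may stay unmapped (None); a rate of 1.0 means a strict subgraph match."""
    qn, best = list(query.nodes), [0]

    def extend(i, mapping, used):
        if i == len(qn):
            hits = sum((mapping[s], l, mapping[d]) in prov.edges for s, l, d in query.edges)
            best[0] = max(best[0], hits)
            return
        q = qn[i]
        for p in list(prov.nodes) + [None]:
            if p is not None and (p in used or not _compatible(query.nodes[q], prov.nodes[p])):
                continue
            mapping[q] = p
            if p is not None:
                used.add(p)
            extend(i + 1, mapping, used)
            used.discard(p)
            del mapping[q]

    extend(0, {}, set())
    return best[0] / len(query.edges) if query.edges else 0.0


def detect(prov, query_graphs, threshold):
    """S33-S35: report every sample whose query graph reaches the match-rate threshold."""
    results = {}
    for name, qg in query_graphs.items():
        rate = match_rate(qg, prov)
        if rate >= threshold:
            results[name] = rate
    return results


# Constructed malware execution log following the FIG. 4 / FIG. 6 description.
MALWARE_LOG = [
    LogEntry(14, "write_file", "file", r"C:\Temp\logger.exe"),
    LogEntry(14, "write_registry", "registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"),
    LogEntry(14, "create_process", "process", r"C:\Temp\logger.exe", target_pid=20),
    LogEntry(20, "write_file", "file", r"C:\Temp\logs"),
]

# Constructed monitoring log: a benign process under PID 501 exits, the OS hands
# PID 501 to a new process, and that process reproduces the malware's behaviour.
MONITOR_LOG = [
    LogEntry(900, "create_process", "process", r"C:\Windows\notepad.exe", target_pid=501),
    LogEntry(501, "read_file", "file", r"C:\Users\u\notes.txt"),
    LogEntry(900, "terminate_process", "process", "", target_pid=501),
    LogEntry(900, "create_process", "process", r"C:\Users\u\Downloads\invoice.exe", target_pid=501),
    LogEntry(501, "recv", "socket", "192.0.2.10"),
    LogEntry(501, "write_file", "file", r"C:\Temp\logger.exe"),
    LogEntry(501, "write_registry", "registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"),
    LogEntry(501, "create_process", "process", r"C:\Temp\logger.exe", target_pid=777),
    LogEntry(777, "write_file", "file", r"C:\Temp\logs"),
]

if __name__ == "__main__":
    queries = {"sample-A": build_graph(MALWARE_LOG)}
    print(detect(build_graph(MONITOR_LOG), queries, threshold=0.8))      # {'sample-A': 1.0}
    print(detect(build_graph(MONITOR_LOG[:3]), queries, threshold=0.8))  # {}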
[System configuration, etc.]
Each component of each unit shown in the drawings is functionally conceptual and need not be physically configured as shown. That is, the specific form in which the devices are distributed or integrated is not limited to what is shown, and all or part of them can be functionally or physically distributed or integrated in arbitrary units according to various loads, usage conditions, and the like. Furthermore, all or any part of each processing function performed by each device may be realized by a CPU and a program executed by that CPU, or as hardware using wired logic.
Of the processes described in the embodiments above, all or part of those described as being performed automatically may be performed manually, and all or part of those described as being performed manually may be performed automatically by known methods. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above description and drawings may be changed arbitrarily unless otherwise specified.
[Program]
The detection device 10 described above can be implemented by installing a program (detection program) on a desired computer as packaged software or online software. For example, by causing an information processing device to execute the above program, the information processing device can be made to function as the detection device 10. The information processing device referred to here includes mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) devices, as well as terminals such as PDAs (Personal Digital Assistants).
FIG. 9 is a diagram showing an example of a computer that executes the detection program. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090. The disk drive interface 1040 is connected to a disk drive 1100, into which a removable storage medium such as a magnetic disk or an optical disk is inserted. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, a display 1130.
The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process executed by the detection device 10 is implemented as a program module 1093 containing computer-executable code. The program module 1093 is stored, for example, in the hard disk drive 1090; for example, a program module 1093 for executing the same processing as the functional configuration of the detection device 10 is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
The data used in the processing of the embodiment described above is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. The CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as necessary and executes them.
The program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090; they may, for example, be stored on a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.) and read from that computer by the CPU 1020 via the network interface 1070.
10 Detection device
11 Input/output unit
12 Storage unit
13 Control unit
131 Creation unit
132 Malware analysis unit
133 First graph creation unit
134 Detection unit
135 Second graph creation unit
136 Matching unit
137 Detection result output unit

Claims (7)

  1.  A detection device comprising:
     a malware analysis unit that creates an execution log showing a series of execution processes of malware by analyzing an executable file of the malware;
     a first graph creation unit that uses the execution log of the malware to create a first graph in which the subjects and targets of operations in the series of execution processes of the malware are nodes, and the operation that the subject of an operation performs on the target of that operation is represented by an edge connecting the nodes;
     a second graph creation unit that uses a monitoring log showing a series of execution processes executed on a monitored terminal to create a second graph in which the subjects and targets of operations in the series of execution processes of the terminal are nodes, and the operation that the subject of an operation performs on the target of that operation is represented by an edge connecting the nodes;
     a matching unit that matches the second graph against one or more of the first graphs; and
     a detection result output unit that detects malware based on a match rate between the second graph and one or more of the first graphs, and outputs a result of the detection.
  2.  The detection device according to claim 1, wherein the detection result output unit detects malware whose match rate is equal to or higher than a predetermined value as malware present on the monitored terminal, and outputs the result of the detection.
  3.  The detection device according to claim 1, wherein the matching unit performs strict subgraph matching, which determines whether the first graph exists as a subgraph within the second graph, or performs the fuzzy matching of POIROT.
  4.  The detection device according to claim 1, wherein the edges in the first graph and the second graph include a label indicating the type of operation that the subject of the operation performed on the target of the operation.
  5.  The detection device according to claim 1, wherein, when the type of the operation is a read access of the target of the operation or a receive, the edge runs from the node of the target of the operation to the node of the subject of the operation, and when the type of operation performed by the subject of the operation is neither a read access of the target of the operation nor a receive, the edge runs from the node of the subject of the operation to the node of the target of the operation; and
     the matching unit further matches the second graph against one or more of the first graphs taking the direction of the edges into account.
  6.  A detection method performed by a detection device, comprising:
     a step of creating an execution log showing a series of execution processes of malware by analyzing an executable file of the malware;
     a step of using the execution log of the malware to create a first graph in which the subjects and targets of operations in the series of execution processes of the malware are nodes, and the operation that the subject of an operation performs on the target of that operation is represented by an edge connecting the nodes;
     a step of using a monitoring log showing a series of execution processes executed on a monitored terminal to create a second graph in which the subjects and targets of operations in the series of execution processes of the terminal are nodes, and the operation that the subject of an operation performs on the target of that operation is represented by an edge connecting the nodes;
     a step of matching the second graph against one or more of the first graphs; and
     a step of outputting a malware detection result based on a match rate between the second graph and one or more of the first graphs.
  7.  A detection program for causing a computer to execute:
     a step of creating an execution log showing a series of execution processes of malware by analyzing an executable file of the malware;
     a step of using the execution log of the malware to create a first graph in which the subjects and targets of operations in the series of execution processes of the malware are nodes, and the operation that the subject of an operation performs on the target of that operation is represented by an edge connecting the nodes;
     a step of using a monitoring log showing a series of execution processes executed on a monitored terminal to create a second graph in which the subjects and targets of operations in the series of execution processes of the terminal are nodes, and the operation that the subject of an operation performs on the target of that operation is represented by an edge connecting the nodes;
     a step of matching the second graph against one or more of the first graphs; and
     a step of outputting a malware detection result based on a match rate between the second graph and one or more of the first graphs.
PCT/JP2022/021305 2022-05-24 2022-05-24 Detection device, detection method, and detection program WO2023228288A1 (en)
Publications (1)

Publication Number Publication Date
WO2023228288A1 true WO2023228288A1 (en) 2023-11-30

Family

ID=88918848

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/021305 WO2023228288A1 (en) 2022-05-24 2022-05-24 Detection device, detection method, and detection program

Country Status (1)

Country Link
WO (1) WO2023228288A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010267128A (en) * 2009-05-15 2010-11-25 Ntt Docomo Inc Analysis system, analysis device, detection method, analysis method and program
US20190317728A1 (en) * 2018-04-17 2019-10-17 International Business Machines Corporation Graph similarity analytics

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
    Ref document number: 22943692
    Country of ref document: EP
    Kind code of ref document: A1