Abstract: An activity trace extraction device includes: an acquisition unit that acquires information regarding behavior of malware; a detection unit that detects an activity trace of the malware on the basis of the information regarding behavior of malware acquired by the acquisition unit; an addition unit that executes taint analysis on the malware and adds a taint tag based on the taint analysis to an output value of a predetermined application programming interface (API) in a case where the malware calls the API; a determination unit that determines presence or absence of dependency of the activity trace on the basis of the taint tag added by the addition unit; and an extraction unit that extracts the activity trace as an activity trace effective for detecting the malware in a case where the determination unit determines that there is no dependency of the activity trace.

Abstract: A trace information determination device includes an extraction unit that extracts a feature of malware, a classification unit that performs clustering on the basis of the feature of malware extracted by the extraction unit and classifies the malware into a predetermined cluster, an attack tendency determination unit that determines a tendency of an attack of the malware on the basis of the cluster classified by the classification unit, and a validity determination unit that determines validity of trace information generated from an activity trace of the malware on the basis of a result of determination by the attack tendency determination unit.

Abstract: An activity trace extraction device executes malware to collect an analysis log including a plurality of activity traces of the malware, and executes the malware again in an environment indicating time information different from time information at the time of executing the malware to collect a time change analysis log including a plurality of activity traces of the malware. The activity trace extraction device updates the analysis log by removing, from the analysis log, the activity trace different from the activity trace of the time change analysis log among the plurality of activity traces included in the analysis log based on the analysis log and the time change analysis log. The activity trace extraction device generates trace information of the malware independent of time lapse based on the updated analysis log.

Abstract: An activity trace extraction device executes malware to collect an analysis log including a plurality of activity traces of the malware, and executes the malware again to collect an environment change analysis log including the plurality of activity traces of the malware assumed in a case where an execution environment of a system and a device used at execution of the malware and information unique to application software are changed. The activity trace extraction device updates, based on the analysis log and the environment change analysis log, the analysis log by removing, from the analysis log, an activity trace different from an activity trace of the environment change analysis log among the plurality of activity traces included in the analysis log. The activity trace extraction device generates trace information of the malware independent of the execution environment based on the analysis log updated.

Abstract: A log determination device comprises a log acquisition unit that is configured to acquire a security log generated upon detecting an abnormality in an electronic control system, and a false positive log determination unit that is configured to determine, based on a frequency of generation of the security log, whether or not the detected security log is a false positive log, and to output a determination result, wherein the false positive log is the security log generated by detecting the abnormality caused not by the electronic control system being attacked.

Abstract: A log determination device is configured to acquire a plurality of security logs each including an abnormality information and a position information, store an occurrence pattern of a security log which is predicted to occur due to a maintenance, and compare the plurality of security logs with the occurrence pattern to determine whether or not the plurality of security logs is a false positive log.

Abstract: The analysis function imparting device acquires a plurality of execution traces related to a branch instruction and memory access, by inputting a test script to a script engine and causing the script engine to execute the test script. The analysis function imparting device specifies a similar sequence on the basis of the plurality of execution traces and detects a function call included in the specified sequence as a candidate of a type conversion function. The analysis function imparting device detects a variable having an input/output relationship from a variable of a candidate argument and a return value of the type conversion function among the execution traces. The analysis function imparting device executes a taint analysis on the type variable function of the variable having an input/output relationship of the type conversion function, and detects a propagation leakage function indicating a type variable function.

Abstract: An analysis function imparting device (10) includes a virtual machine analyzing unit (121) that analyzes a virtual machine of a script engine, a command set architecture analyzing unit (122) that analyzes a command set architecture that is a command system of the virtual machine, and an analysis function imparting unit (123) that performs hooking for imparting multipath execution functions to the script engine, on the basis of architecture information acquired by the analysis performed by the virtual machine analyzing unit (121) and the command set architecture analyzing unit (122).

Abstract: An attack code detection device includes a learning unit configured to generate a model that learns, using a known labeled malicious document file including an ROP code, as learning data, a feature of a byte sequence being a component of a document file, and a feature of a byte sequence being a component of an ROP code, a detection unit configured to detect the ROP code included in an inspection target unknown document file, based on the model, and a malignancy determination unit configured to determine, based on a detection result, whether the inspection target unknown document file is a malicious data series that executes attack using ROP.

Abstract: A command server identification device adds a tag to data received by malware upon execution of the malware, the tag capable of uniquely identifying identification information for a transmission source of the data, and tracks propagation of the data added with the tag. The command server identification device acquires a tag of data referenced by a branch instruction executed by the malware, among the tracked data. The command server identification device analyzes information on an instruction of a branch destination not executed by the malware after the branch instruction. Then, the command server identification device identifies identification information of a command server for issuing a command to the malware from the identification information of the transmission source corresponding to the acquired tag, based on the result of analysis.

Abstract: A malware analysis system includes a preliminary analysis unit, a determination unit, and a designation unit. The preliminary analysis unit executes malware obtained as a candidate for an analyzing subject to obtain information related to communication transmitted from the malware. The determination unit determines whether the malware is handled as an analyzing subject based on information obtained by the preliminary analysis unit. The designation unit designates an analyzing order with respect to malware having been determined by the determination unit as an analyzing subject based on information obtained by the preliminary analysis unit.

Abstract: An attack code detection device includes a learning unit configured to generate a model that learns, using a known labeled malicious document file including an ROP code, as learning data, a feature of a byte sequence being a component of a document file, and a feature of a byte sequence being a component of an ROP code, a detection unit configured to detect the ROP code included in an inspection target unknown document file, based on the model, and a malignancy determination unit configured to determine, based on a detection result, whether the inspection target unknown document file is a malicious data series that executes attack using ROP.

Abstract: A detection device includes a data-propagation tracking unit that gives communication data a tag including attribute information associated with communication destination information of the communication data and tracks propagation of communication data on which the tag including the attribute information is given, and a falsification detection unit that detects falsification on the communication data when, in the communication data, there is a tag including attribute information different from attribute information corresponding to a transmission destination or a transmission source of the communication data.

Abstract: An identifying device monitors malware to be analyzed and acquires, as log data, the malware, download data downloaded from a communication destination, and a relation of data transfer performed with the malware or the communication destination of the download data. Then, the identifying device creates, by using the acquired log data, a dependency relation graph that is a digraph in which the malware, download data, and communication destination are set as nodes and a dependency relation of each node is set as an edge. Then, the identifying device detects a malicious node by collating the respective nodes of the created dependency relation graph with the known maliciousness information, and traces an edge in a direction from a terminal point to a start point while setting the malicious node as a base point, and then identifies the traced node as a new malicious node.

Abstract: A command and control server identifying apparatus provides data received by malware upon execution of the malware with a tag that allows to uniquely identify communication destination information of a source of the data, and tracks propagation of the data provided with the tag. Then, the command and control server identifying apparatus obtains a tag of data referred to by a branch instruction executed by the malware among tracked data. Then, the command and control server identifying apparatus identifies communication destination information of a command and control server that issues a command to the malware, based on communication destination information of a source associated with the obtained tag.

Abstract: A virtual machine includes a shadow memory, a shadow disk, and a virtual NIC. A virtual machine includes a guest OS. The shadow memory and the shadow disk each store therein pieces of data and pieces of tag information assigned to the pieces of data, so as to be kept in correspondence with one another. When malware transmits data, the virtual NIC generates the transmission information containing the transmitted data and tag information assigned to the transmitted data and further transmits the generated transmission information to the virtual machine. The guest OS extracts the tag information from the received transmission information. Further, the guest OS determines a transfer destination of the transmission information on the basis of the extracted tag information and further transfers the transmission information to the determined transfer destination.

Abstract: A malware analysis system includes a preliminary analysis unit, a determination unit, and a designation unit. The preliminary analysis unit executes malware obtained as a candidate for an analyzing subject to obtain information related to communication transmitted from the malware. The determination unit determines whether the malware is handled as an analyzing subject based on information obtained by the preliminary analysis unit. The designation unit designates an analyzing order with respect to malware having been determined by the determination unit as an analyzing subject based on information obtained by the preliminary analysis unit.

Abstract: A command server identification device adds a tag to data received by malware upon execution of the malware, the tag capable of uniquely identifying identification information for a transmission source of the data, and tracks propagation of the data added with the tag. The command server identification device acquires a tag of data referenced by a branch instruction executed by the malware, among the tracked data. The command server identification device analyzes information on an instruction of a branch destination not executed by the malware after the branch instruction. Then, the command server identification device identifies identification information of a command server for issuing a command to the malware from the identification information of the transmission source corresponding to the acquired tag, based on the result of analysis.

Abstract: An identifying device monitors malware to be analyzed and acquires, as log data, the malware, download data downloaded from a communication destination, and a relation of data transfer performed with the malware or the communication destination of the download data. Then, the identifying device creates, by using the acquired log data, a dependency relation graph that is a digraph in which the malware, download data, and communication destination are set as nodes and a dependency relation of each node is set as an edge. Then, the identifying device detects a malicious node by collating the respective nodes of the created dependency relation graph with the known maliciousness information, and traces an edge in a direction from a terminal point to a start point while setting the malicious node as a base point, and then identifies the traced node as a new malicious node.

Abstract: A virtual machine includes a shadow memory, a shadow disk, and a virtual NIC. A virtual machine includes a guest OS. The shadow memory and the shadow disk each store therein pieces of data and pieces of tag information assigned to the pieces of data, so as to be kept in correspondence with one another. When malware transmits data, the virtual NIC generates the transmission information containing the transmitted data and tag information assigned to the transmitted data and further transmits the generated transmission information to the virtual machine. The guest OS extracts the tag information from the received transmission information. Further, the guest OS determines a transfer destination of the transmission information on the basis of the extracted tag information and further transfers the transmission information to the determined transfer destination.