Abstract: An activity trace extraction device includes: an acquisition unit that acquires information regarding behavior of malware; a detection unit that detects an activity trace of the malware on the basis of the information regarding behavior of malware acquired by the acquisition unit; an addition unit that executes taint analysis on the malware and adds a taint tag based on the taint analysis to an output value of a predetermined application programming interface (API) in a case where the malware calls the API; a determination unit that determines presence or absence of dependency of the activity trace on the basis of the taint tag added by the addition unit; and an extraction unit that extracts the activity trace as an activity trace effective for detecting the malware in a case where the determination unit determines that there is no dependency of the activity trace.

Abstract: An analysis function imparting device according to the present invention includes processing circuitry configured to execute a script engine while monitoring the script engine to acquire an execution trace including an application programming interface (API) trace and a branch trace, analyze the execution trace, and detect a hook point that is a location to which a hook is applied and a code for analysis is inserted, detect, based on monitoring at the hook point, a tap point that is a memory monitoring location at which the code for analysis outputs a log, and apply a hook to the script engine to impart an analysis function to the script engine based on the hook point and the tap point.

Abstract: A trace information determination device includes an extraction unit that extracts a feature of malware, a classification unit that performs clustering on the basis of the feature of malware extracted by the extraction unit and classifies the malware into a predetermined cluster, an attack tendency determination unit that determines a tendency of an attack of the malware on the basis of the cluster classified by the classification unit, and a validity determination unit that determines validity of trace information generated from an activity trace of the malware on the basis of a result of determination by the attack tendency determination unit.

Abstract: An activity trace extraction device executes malware to collect an analysis log including a plurality of activity traces of the malware, and executes the malware again to collect an environment change analysis log including the plurality of activity traces of the malware assumed in a case where an execution environment of a system and a device used at execution of the malware and information unique to application software are changed. The activity trace extraction device updates, based on the analysis log and the environment change analysis log, the analysis log by removing, from the analysis log, an activity trace different from an activity trace of the environment change analysis log among the plurality of activity traces included in the analysis log. The activity trace extraction device generates trace information of the malware independent of the execution environment based on the analysis log updated.

Abstract: An activity trace extraction device executes malware to collect an analysis log including a plurality of activity traces of the malware, and executes the malware again in an environment indicating time information different from time information at the time of executing the malware to collect a time change analysis log including a plurality of activity traces of the malware. The activity trace extraction device updates the analysis log by removing, from the analysis log, the activity trace different from the activity trace of the time change analysis log among the plurality of activity traces included in the analysis log based on the analysis log and the time change analysis log. The activity trace extraction device generates trace information of the malware independent of time lapse based on the updated analysis log.

Abstract: In a driving assistance control apparatus for a vehicle, an acquirer acquires a detected traveling state of the vehicle and a detected traveling state of another vehicle. A controller determines whether to perform braking assistance using a deterministic indicator for collision including at least one of a time, a distance, and a required deceleration to collision with the other vehicle and a deterministic indicator for crossing including at least one of a time, a distance, and a required deceleration to reaching a path of travel of the other vehicle. The deterministic indicator for collision and the deterministic indicator for crossing are acquired using the acquired traveling state of the vehicle and the acquired traveling state of the other vehicle. Further, in response to determining to perform the braking assistance, the controller causes a driving assistance unit to perform the braking assistance.

Abstract: The analysis function imparting device acquires a plurality of execution traces related to a branch instruction and memory access, by inputting a test script to a script engine and causing the script engine to execute the test script. The analysis function imparting device specifies a similar sequence on the basis of the plurality of execution traces and detects a function call included in the specified sequence as a candidate of a type conversion function. The analysis function imparting device detects a variable having an input/output relationship from a variable of a candidate argument and a return value of the type conversion function among the execution traces. The analysis function imparting device executes a taint analysis on the type variable function of the variable having an input/output relationship of the type conversion function, and detects a propagation leakage function indicating a type variable function.

Abstract: An analysis function imparting device (10) includes a virtual machine analyzing unit (121) that analyzes a virtual machine of a script engine, a command set architecture analyzing unit (122) that analyzes a command set architecture that is a command system of the virtual machine, and an analysis function imparting unit (123) that performs hooking for imparting multipath execution functions to the script engine, on the basis of architecture information acquired by the analysis performed by the virtual machine analyzing unit (121) and the command set architecture analyzing unit (122).

Abstract: A calculating unit calculates a semantics set relating to an entirety of state of a recursive neural network satisfying a specification. A determining unit determines whether or not the recursive neural network that is an object of checking satisfies the specification, on the basis of the semantics set and an initial state of the recursive neural network that is the object of checking.

Abstract: A selection apparatus includes a macro analysis unit that acquires a macro feature amount from a macro in a document file to which the macro is added, a text analysis unit that acquires a text feature amount from text in the document file, a cluster analysis unit that performs clustering using the macro feature amount and the text feature amount, and a selection unit that selects an analysis target document file based on a cluster analysis result, and is able to efficiently and accurately select the macro-added document file to be analyzed.

Abstract: An analysis function imparting device according to the present invention includes processing circuitry configured to execute a script engine while monitoring the script engine to acquire an execution trace including an application programming interface (API) trace and a branch trace, analyze the execution trace, and detect a hook point that is a location to which a hook is applied and a code for analysis is inserted, detect, based on monitoring at the hook point, a tap point that is a memory monitoring location at which the code for analysis outputs a log, and apply a hook to the script engine to impart an analysis function to the script engine based on the hook point and the tap point.

Abstract: An attack code detection apparatus includes a preprocessing unit that analyzes in advance a library file for learning used in an ROP (Return Oriented Programming) chain, and obtains sets including the addresses of ROP gadgets, which represent pieces of code in the library file, and increment values of the stack pointer at the time of execution of the ROP gadgets; and a detecting unit that refers to the obtaining result of the preprocessing unit, that verifies, regarding an unknown data series representing the examination target, whether or not the ROP chain is valid in which the ROP gadgets are correctly linked, and that detects whether or not the unknown data series representing the examination target is a malicious data series.

Abstract: An attack code detection device includes a learning unit configured to generate a model that learns, using a known labeled malicious document file including an ROP code, as learning data, a feature of a byte sequence being a component of a document file, and a feature of a byte sequence being a component of an ROP code, a detection unit configured to detect the ROP code included in an inspection target unknown document file, based on the model, and a malignancy determination unit configured to determine, based on a detection result, whether the inspection target unknown document file is a malicious data series that executes attack using ROP.

Abstract: An attack code detection device includes a learning unit configured to generate a model that learns, using a known labeled malicious document file including an ROP code, as learning data, a feature of a byte sequence being a component of a document file, and a feature of a byte sequence being a component of an ROP code, a detection unit configured to detect the ROP code included in an inspection target unknown document file, based on the model, and a malignancy determination unit configured to determine, based on a detection result, whether the inspection target unknown document file is a malicious data series that executes attack using ROP.

Abstract: A selection apparatus includes a macro analysis unit that acquires a macro feature amount from a macro in a document file to which the macro is added, a text analysis unit that acquires a text feature amount from text in the document file, a cluster analysis unit that performs clustering using the macro feature amount and the text feature amount, and a selection unit that selects an analysis target document file based on a cluster analysis result, and is able to efficiently and accurately select the macro-added document file to be analyzed.

Abstract: An attack code detection apparatus includes a preprocessing unit that analyzes in advance a library file for learning used in an ROP (Return Oriented Programming) chain, and obtains sets including the addresses of ROP gadgets, which represent pieces of code in the library file, and increment values of the stack pointer at the time of execution of the ROP gadgets; and a detecting unit that refers to the obtaining result of the preprocessing unit, that verifies, regarding an unknown data series representing the examination target, whether or not the ROP chain is valid in which the ROP gadgets are correctly linked, and that detects whether or not the unknown data series representing the examination target is a malicious data series.