Patents by Inventor Kazufumi AOKI

Kazufumi AOKI has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200250282
    Abstract: A communication device is installed between a client terminal and a web server that communicates with the client terminal. The communication device includes a memory and processing circuitry coupled to the memory and configured to perform obfuscation, out of the information included in communication between the web server and the client terminal, on information related to a web application, and to send the communication, which includes the obfuscated information, to its destination.
    Type: Application
    Filed: October 19, 2018
    Publication date: August 6, 2020
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Nariyoshi CHIDA, Yo KANEMOTO, Kazufumi AOKI
  • Patent number: 10645098
    Abstract: A malware analysis system includes a preliminary analysis unit, a determination unit, and a designation unit. The preliminary analysis unit executes malware obtained as a candidate for an analyzing subject to obtain information related to communication transmitted from the malware. The determination unit determines whether the malware is handled as an analyzing subject based on information obtained by the preliminary analysis unit. The designation unit designates an analyzing order with respect to malware having been determined by the determination unit as an analyzing subject based on information obtained by the preliminary analysis unit.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: May 5, 2020
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tomonori Ikuse, Kazufumi Aoki, Takeo Hariu
  • Patent number: 10516671
    Abstract: A blacklist generating device acquires a malicious communication log and a normal communication log. A malicious communication profile extracting function calculates statistics on communication patterns included in the malicious communication log and outputs a communication pattern satisfying a certain condition to a potential blacklist. A normal communication profile extracting function calculates statistics on communication patterns included in the normal communication log and outputs a communication pattern satisfying a certain condition to a whitelist. A blacklist creating function searches the potential blacklist for a value that coincides with a value on the whitelist, excludes the coincident communication pattern from the potential blacklist, and creates a blacklist.
    Type: Grant
    Filed: February 10, 2016
    Date of Patent: December 24, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kensuke Nakata, Tohru Sato, Kazufumi Aoki, Kazunori Kamiya
  • Patent number: 10484408
    Abstract: A malicious communication pattern extraction apparatus extracts communication patterns of a traffic group of malware, and replaces the values of a predetermined field that vary within the traffic group with a wild card. Further, the malicious communication pattern extraction apparatus classifies pieces of malware having similar communication patterns in the traffic group into the same cluster, and for each cluster, extracts, as a malicious communication pattern, a communication pattern group having an appearance rate in a traffic group of respective pieces of malware in the cluster, the appearance rate being equal to or larger than a predetermined value. Thereafter, the malicious communication pattern extraction apparatus eliminates, from the extracted malicious communication patterns, any malicious communication pattern having a conformance rate to a traffic group not infected with malware, the conformance rate being equal to or larger than a predetermined value.
    Type: Grant
    Filed: November 9, 2015
    Date of Patent: November 19, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazunori Kamiya, Kazufumi Aoki
  • Patent number: 10412101
    Abstract: A detection device includes a data-propagation tracking unit that gives communication data a tag including attribute information associated with communication destination information of the communication data and tracks propagation of communication data on which the tag including the attribute information is given, and a falsification detection unit that detects falsification on the communication data when, in the communication data, there is a tag including attribute information different from attribute information corresponding to a transmission destination or a transmission source of the communication data.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: September 10, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tomonori Ikuse, Kazufumi Aoki, Takeo Hariu
  • Patent number: 10397261
    Abstract: An identifying device monitors malware to be analyzed and acquires, as log data, the malware, download data downloaded from a communication destination, and a relation of data transfer performed with the malware or the communication destination of the download data. Then, the identifying device creates, by using the acquired log data, a dependency relation graph that is a digraph in which the malware, download data, and communication destination are set as nodes and a dependency relation of each node is set as an edge. Then, the identifying device detects a malicious node by collating the respective nodes of the created dependency relation graph with the known maliciousness information, and traces an edge in a direction from a terminal point to a start point while setting the malicious node as a base point, and then identifies the traced node as a new malicious node.
    Type: Grant
    Filed: October 8, 2015
    Date of Patent: August 27, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tomonori Ikuse, Kazufumi Aoki, Takeo Hariu
  • Patent number: 10382455
    Abstract: A command and control server identifying apparatus provides data received by malware upon execution of the malware with a tag that allows to uniquely identify communication destination information of a source of the data, and tracks propagation of the data provided with the tag. Then, the command and control server identifying apparatus obtains a tag of data referred to by a branch instruction executed by the malware among tracked data. Then, the command and control server identifying apparatus identifies communication destination information of a command and control server that issues a command to the malware, based on communication destination information of a source associated with the obtained tag.
    Type: Grant
    Filed: March 5, 2015
    Date of Patent: August 13, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tomonori Ikuse, Kazufumi Aoki, Takeo Hariu
  • Patent number: 10348751
    Abstract: A malicious communication pattern extraction device includes: a statistical value calculation unit that calculates a statistical value for an appearance frequency of each of plural communication patterns, from a traffic log obtained from traffic caused by malware, and a traffic log obtained from traffic in a predetermined communication environment; a malicious list candidate extraction unit that compares between the appearance frequency of the traffic logs for each of the communication patterns, based on the calculated statistical value, and extracts the communication pattern as the malicious communication pattern when a difference between both of the appearance frequencies is equal to or more than a predetermined threshold; and a threshold setting unit that sets a threshold so that an erroneous detection rate probability of erroneously detecting the traffic caused by malware and a detection rate probability of detecting the traffic caused by malware is equal to or more than a certain value.
    Type: Grant
    Filed: February 3, 2016
    Date of Patent: July 9, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazunori Kamiya, Kazufumi Aoki, Kensuke Nakata, Tohru Sato
  • Patent number: 10303873
    Abstract: A detection device generates an event sequence from events that are acquired for each of identifiers that distinguish among terminals in a monitoring target network or pieces of malware, by taking into account an order of occurrence of the events. The detection device retrieves events that commonly occur in event sequences belonging to a same cluster among clusters including event sequences with similarities at a predetermined level or higher, and extracts, as a detection event sequence, a representative event sequence based on a relationship between events that have high occurrence rates in similar common event sequences. The detection device detects a malware infected terminal in the monitoring target network based on whether the event sequence generated based on a communication in the monitoring target network and the extracted detection event sequence match each other.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: May 28, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazufumi Aoki, Kazunori Kamiya
  • Patent number: 10248790
    Abstract: A virtual machine includes a shadow memory, a shadow disk, and a virtual NIC. A virtual machine includes a guest OS. The shadow memory and the shadow disk each store therein pieces of data and pieces of tag information assigned to the pieces of data, so as to be kept in correspondence with one another. When malware transmits data, the virtual NIC generates the transmission information containing the transmitted data and tag information assigned to the transmitted data and further transmits the generated transmission information to the virtual machine. The guest OS extracts the tag information from the received transmission information. Further, the guest OS determines a transfer destination of the transmission information on the basis of the extracted tag information and further transfers the transmission information to the determined transfer destination.
    Type: Grant
    Filed: June 10, 2015
    Date of Patent: April 2, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Makoto Iwamura, Tomonori Ikuse, Mitsuaki Akiyama, Kazufumi Aoki, Takeo Hariu
  • Patent number: 10243982
    Abstract: A device including: a parameter extracting unit that extracts each parameter from an access request, a character-string class converting unit that, with regard to each parameter, compares each part of a parameter value with a previously defined character string class, replaces the part with a longest matching character string class, and conducting conversion for a class sequence that is sequentially arranged in order of replacement, a profile storing unit that stores, as a profile in a storage unit, a class sequence with the appearance frequency of equal to or more than a predetermined value in the above-described group of class sequences with regard to the access request of the normal data as learning data, and a failure detecting unit that determines the presence or absence of an attack in accordance with the degree of similarity between the above-described class sequence and the profile with regard to the access request.
    Type: Grant
    Filed: June 1, 2015
    Date of Patent: March 26, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yang Zhong, Hiroshi Asakura, Shingo Orihara, Kazufumi Aoki
  • Publication number: 20180063146
    Abstract: A blacklist generating device acquires a malicious communication log and a normal communication log. A malicious communication profile extracting function calculates statistics on communication patterns included in the malicious communication log and outputs a communication pattern satisfying a certain condition to a potential blacklist. A normal communication profile extracting function calculates statistics on communication patterns included in the normal communication log and outputs a communication pattern satisfying a certain condition to a whitelist. A blacklist creating function searches the potential blacklist for a value that coincides with a value on the whitelist, excludes the coincident communication pattern from the potential blacklist, and creates a blacklist.
    Type: Application
    Filed: February 10, 2016
    Publication date: March 1, 2018
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kensuke NAKATA, Tohru SATO, Kazufumi AOKI, Kazunori KAMIYA
  • Publication number: 20180046800
    Abstract: A detection device generates an event sequence from events that are acquired for each of identifiers that distinguish among terminals in a monitoring target network or pieces of malware, by taking into account an order of occurrence of the events. The detection device retrieves events that commonly occur in event sequences belonging to a same cluster among clusters including event sequences with similarities at a predetermined level or higher, and extracts, as a detection event sequence, a representative event sequence based on a relationship between events that have high occurrence rates in similar common event sequences. The detection device detects a malware infected terminal in the monitoring target network based on whether the event sequence generated based on a communication in the monitoring target network and the extracted detection event sequence match each other.
    Type: Application
    Filed: March 8, 2016
    Publication date: February 15, 2018
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazufumi AOKI, Kazunori KAMIYA
  • Publication number: 20180020014
    Abstract: A malicious communication pattern extraction device includes: a statistical value calculation unit that calculates a statistical value for an appearance frequency of each of plural communication patterns, from a traffic log obtained from traffic caused by malware, and a traffic log obtained from traffic in a predetermined communication environment; a malicious list candidate extraction unit that compares between the appearance frequency of the traffic logs for each of the communication patterns, based on the calculated statistical value, and extracts the communication pattern as the malicious communication pattern when a difference between both of the appearance frequencies is equal to or more than a predetermined threshold; and a threshold setting unit that sets a threshold so that an erroneous detection rate probability of erroneously detecting the traffic caused by malware and a detection rate probability of detecting the traffic caused by malware is equal to or more than a certain value.
    Type: Application
    Filed: February 3, 2016
    Publication date: January 18, 2018
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazunori KAMIYA, Kazufumi AOKI, Kensuke NAKATA, Tohru SATO
  • Publication number: 20180020012
    Abstract: A malware analysis system includes a preliminary analysis unit, a determination unit, and a designation unit. The preliminary analysis unit executes malware obtained as a candidate for an analyzing subject to obtain information related to communication transmitted from the malware. The determination unit determines whether the malware is handled as an analyzing subject based on information obtained by the preliminary analysis unit. The designation unit designates an analyzing order with respect to malware having been determined by the determination unit as an analyzing subject based on information obtained by the preliminary analysis unit.
    Type: Application
    Filed: December 15, 2015
    Publication date: January 18, 2018
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tomonori IKUSE, Kazufumi AOKI, Takeo HARIU
  • Publication number: 20170339171
    Abstract: A detecting apparatus generates a collection of events, the collection being formed based on a predetermined condition, from events obtained for each identifier identifying a terminal in a monitoring target network or a piece of malware. The detecting apparatus then extracts, from a cluster formed of collections of events, the collections having a similarity therebetween equal to or larger than a certain similarity, events commonly appearing in the collections of events belonging to the same cluster, and extracts, according to a predetermined condition, the taken out events as a collection of detection purpose events. The detecting apparatus then detects that a malware infected terminal is present in the monitoring target network, if a generated collection of events based on communications in the monitoring target network is determined to match the extracted collection of detection purpose events.
    Type: Application
    Filed: November 10, 2015
    Publication date: November 23, 2017
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazufumi AOKI, Kazunori KAMIYA
  • Publication number: 20170329962
    Abstract: A command server identification device adds a tag to data received by malware upon execution of the malware, the tag capable of uniquely identifying identification information for a transmission source of the data, and tracks propagation of the data added with the tag. The command server identification device acquires a tag of data referenced by a branch instruction executed by the malware, among the tracked data. The command server identification device analyzes information on an instruction of a branch destination not executed by the malware after the branch instruction. Then, the command server identification device identifies identification information of a command server for issuing a command to the malware from the identification information of the transmission source corresponding to the acquired tag, based on the result of analysis.
    Type: Application
    Filed: December 4, 2015
    Publication date: November 16, 2017
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tomonori IKUSE, Kazufumi AOKI, Takeo HARIU
  • Publication number: 20170310694
    Abstract: A malicious communication pattern extraction apparatus extracts communication patterns of a traffic group of malware, and replaces the values of a predetermined field that vary within the traffic group with a wild card. Further, the malicious communication pattern extraction apparatus classifies pieces of malware having similar communication patterns in the traffic group into the same cluster, and for each cluster, extracts, as a malicious communication pattern, a communication pattern group having an appearance rate in a traffic group of respective pieces of malware in the cluster, the appearance rate being equal to or larger than a predetermined value. Thereafter, the malicious communication pattern extraction apparatus eliminates, from the extracted malicious communication patterns, any malicious communication pattern having a conformance rate to a traffic group not infected with malware, the conformance rate being equal to or larger than a predetermined value.
    Type: Application
    Filed: November 9, 2015
    Publication date: October 26, 2017
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazunori KAMIYA, Kazufumi AOKI
  • Publication number: 20170223040
    Abstract: An identifying device monitors malware to be analyzed and acquires, as log data, the malware, download data downloaded from a communication destination, and a relation of data transfer performed with the malware or the communication destination of the download data. Then, the identifying device creates, by using the acquired log data, a dependency relation graph that is a digraph in which the malware, download data, and communication destination are set as nodes and a dependency relation of each node is set as an edge. Then, the identifying device detects a malicious node by collating the respective nodes of the created dependency relation graph with the known maliciousness information, and traces an edge in a direction from a terminal point to a start point while setting the malicious node as a base point, and then identifies the traced node as a new malicious node.
    Type: Application
    Filed: October 8, 2015
    Publication date: August 3, 2017
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tomonori IKUSE, Kazufumi AOKI, Takeo HARIU
  • Publication number: 20170206356
    Abstract: A virtual machine includes a shadow memory, a shadow disk, and a virtual NIC. A virtual machine includes a guest OS. The shadow memory and the shadow disk each store therein pieces of data and pieces of tag information assigned to the pieces of data, so as to be kept in correspondence with one another. When malware transmits data, the virtual NIC generates the transmission information containing the transmitted data and tag information assigned to the transmitted data and further transmits the generated transmission information to the virtual machine. The guest OS extracts the tag information from the received transmission information. Further, the guest OS determines a transfer destination of the transmission information on the basis of the extracted tag information and further transfers the transmission information to the determined transfer destination.
    Type: Application
    Filed: June 10, 2015
    Publication date: July 20, 2017
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Makoto IWAMURA, Tomonori IKUSE, Mitsuaki AKIYAMA, Kazufumi AOKI, Takeo HARIU