Patents by Inventor Kazunori Kamiya

Kazunori Kamiya has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210392145
    Abstract: A search apparatus includes processing circuitry configured to extract fingerprints that are combinations of first communication data corresponding to requests and second communication data corresponding to responses to the requests, from communication data obtained by executing known malware, give degrees of priority corresponding to degrees of maliciousness of the malware, to the fingerprints, generate probes that are requests based on the first communication data included in the fingerprints and signatures based on the second communication data included in the fingerprints, decide, based on information about communication of sending-out destinations, search-target sending-out destinations from among the sending-out destinations, send out the probes generated to the search-target sending-out destinations decided in order according to the degrees of priority given, and determine whether the search-target sending-out destinations are malicious or not, based on whether responses to the probes sent out match th
    Type: Application
    Filed: September 26, 2019
    Publication date: December 16, 2021
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazuma SHINOMIYA, Kazunori KAMIYA
  • Publication number: 20210203660
    Abstract: An identifying device (10) includes a preprocessing (11) that extracts a communication connection pattern including a set of a communication source identifier and a communication destination identifier from traffic data, a comparing unit (131) that adds an ID to a communication connection pattern group including a new communication connection pattern not included in a whitelist when the new communication connection pattern is present in the communication connection pattern group, a graph feature amount generating unit (14) that generates a graph feature amount of the communication connection pattern group to which the ID has been added and adds this ID to the graph feature amount, an abnormality determining unit (16) that determines whether the generated graph feature amount is normal using a model (161) having learned the graph feature amount, and an identifying unit (132) that retrieves a new communication.
    Type: Application
    Filed: May 23, 2019
    Publication date: July 1, 2021
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Hiroki NAGAYAMA, Bo HU, Kazunori KAMIYA, Yukio NAGAFUCHI
  • Patent number: 10963562
    Abstract: A playback device reads a traffic file which is a dump file of traffic when malicious or benign traffic is generated and generates traffic based on the traffic file on a network having a security instrument that generates an event in accordance with the traffic. In addition, a determination device collects an event generated by the security instrument for the generated traffic and, on the basis of a feature extracted from the collected event, determines whether the event to be determined is for malicious traffic or benign traffic.
    Type: Grant
    Filed: June 1, 2017
    Date of Patent: March 30, 2021
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazunori Kamiya, Yang Zhong, Tohru Sato, Kensuke Nakata
  • Publication number: 20210042359
    Abstract: A traffic anomaly sensing system 10 includes a preprocessing unit 11, a local graph feature generation unit 12, a global graph feature generation unit 13, a learning unit 14, and an anomaly determination unit 15. The preprocessing unit 11 generates a communication history graph from traffic data. The local graph feature generation unit 12 generates, from the communication history graph, a local graph feature about a certain vertex. The global graph feature generation unit 13 generates, from the communication history graph, a global graph feature about a vertex. The learning unit 14 generates a feature vector by combining the generated local graph feature and the generated global graph feature and generates a learned model for each host identifier. The anomaly determination unit 15 determines whether the traffic data is anomalous or not by inputting the graph feature to the generated learned model.
    Type: Application
    Filed: February 27, 2019
    Publication date: February 11, 2021
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Hiroki NAGAYAMA, Bo HU, Kazunori KAMIYA, Masaki TANIKAWA
  • Publication number: 20200401608
    Abstract: A classification apparatus 10 acquires a communication log including a plurality of pieces of traffic data, and extracts different types of feature values from the plurality of pieces of traffic data. Subsequently, the classification apparatus 10 classifies the traffic data on a per IP address basis based on the extracted different types of feature values, and uses a plurality of classification results to count the number of times of appearance of a pattern having the same combination of the classification results.
    Type: Application
    Filed: February 22, 2019
    Publication date: December 24, 2020
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Shohei ARAKI, Bo HU, Kazunori KAMIYA, Masaki TANIKAWA
  • Publication number: 20200404009
    Abstract: A traffic characteristic information extracting device includes a memory, and processing circuitry coupled to the memory and configured to acquire traffic information satisfying a predetermined condition from network traffic data, extract characteristic information from the acquired traffic information, classify the traffic information based on the extracted characteristic information, analyze a classification result obtained at the classifying and generate signatures, and output a signature satisfying a predetermined condition among the generated signatures.
    Type: Application
    Filed: February 22, 2019
    Publication date: December 24, 2020
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazuma SHINOMIYA, Kazunori KAMIYA, Bo HU
  • Patent number: 10819717
    Abstract: A detecting apparatus generates a collection of events, the collection being formed based on a predetermined condition, from events obtained for each identifier identifying a terminal in a monitoring target network or a piece of malware. The detecting apparatus then extracts, from a cluster formed of collections of events, the collections having a similarity therebetween equal to or larger than a certain similarity, events commonly appearing in the collections of events belonging to the same cluster, and extracts, according to a predetermined condition, the taken out events as a collection of detection purpose events. The detecting apparatus then detects that a malware infected terminal is present in the monitoring target network, if a generated collection of events based on communications in the monitoring target network is determined to match the extracted collection of detection purpose events.
    Type: Grant
    Filed: November 10, 2015
    Date of Patent: October 27, 2020
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazufumi Aoki, Kazunori Kamiya
  • Patent number: 10735564
    Abstract: A flow information analysis apparatus receives flow information containing a header sample, determines whether the header sample of the flow information matches any of templates that are based on tunneling protocols, and when determining that the header sample matches any of the templates, extracts information on a header of the IP packet from the header sample on the basis of the matched template. Further, when determining that the header sample does not match any of the templates, the flow information analysis apparatus extracts information on the header of the IP packet from the header sample on the basis of a result of a search through the header sample for a byte sequence that matches search data in which a value that is set in a specific field of the tunnel header and a value that is set in a specific field of the IP packet are combined.
    Type: Grant
    Filed: August 9, 2017
    Date of Patent: August 4, 2020
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Hiroshi Kurakami, Kazunori Kamiya, Hiroyuki Nooka, Daigo Natsume
  • Patent number: 10721244
    Abstract: A traffic feature information extraction method including a regular expression process, a clustering process, and a feature information extraction process. The regular expression process extracts an item set in advance from a traffic log and represents a partial character string included in the item in a regular expression based on a predetermined rule. The clustering process clusters an entry of the traffic log represented in the regular expression. The feature information extraction process extracts, as traffic feature information of each of clusters, an entry having a minimum total sum of distances among entries included in the clustered traffic logs.
    Type: Grant
    Filed: March 12, 2015
    Date of Patent: July 21, 2020
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Daiki Chiba, Takeshi Yagi, Tohru Sato, Kazunori Kamiya, Kensuke Nakata
  • Publication number: 20200089877
    Abstract: A playback device reads a traffic file which is a dump file of traffic when malicious or benign traffic is generated and generates traffic based on the traffic file on a network having a security instrument that generates an event in accordance with the traffic. In addition, a determination device collects an event generated by the security instrument for the generated traffic and, on the basis of a feature extracted from the collected event, determines whether the event to be determined is for malicious traffic or benign traffic.
    Type: Application
    Filed: June 1, 2017
    Publication date: March 19, 2020
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazunori KAMIYA, Yang ZHONG, Tohru SATO, Kensuke NAKATA
  • Patent number: 10516671
    Abstract: A blacklist generating device acquires a malicious communication log and a normal communication log. A malicious communication profile extracting function calculates statistics on communication patterns included in the malicious communication log and outputs a communication pattern satisfying a certain condition to a potential blacklist. A normal communication profile extracting function calculates statistics on communication patterns included in the normal communication log and outputs a communication pattern satisfying a certain condition to a whitelist. A blacklist creating function searches the potential blacklist for a value with the value on the whitelist, excludes a coincident communication pattern from the potential blacklist, and creates a blacklist.
    Type: Grant
    Filed: February 10, 2016
    Date of Patent: December 24, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kensuke Nakata, Tohru Sato, Kazufumi Aoki, Kazunori Kamiya
  • Patent number: 10511618
    Abstract: A malicious URL candidate extraction device extracts, from an access log including URLs accessed from a managed network, a known malicious URL excluded access log obtained by excluding an access log to known malicious URLs. The malicious URL candidate extraction device creates a minor URL list obtained by preferentially extracting, from URLs indicated in the known malicious URL excluded access log, URLs having a small number of times of access from the managed network. The malicious URL candidate extraction device also creates a popular URL excluded list obtained by preferentially excluding URLs having a large number of times of access from the managed network during a predetermined period of time. The malicious URL candidate extraction device outputs these lists as a malicious URL candidate list.
    Type: Grant
    Filed: March 17, 2015
    Date of Patent: December 17, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tohru Sato, Kazunori Kamiya, Takeshi Yagi, Kensuke Nakata, Daiki Chiba
  • Patent number: 10484408
    Abstract: A malicious communication pattern extraction apparatus extracts communication patterns of traffic group of malwares, and replaces the values of predetermined field with variation in a traffic group with a wild card. Further, the malicious communication pattern extraction apparatus classifies pieces of malware having similar communication patterns in the traffic group into the same cluster, and for each cluster, extracts, as a malicious communication pattern, a communication pattern group having an appearance rate in a traffic group of respective pieces of malware in the cluster, the appearance rate being equal to or larger than a predetermined value. Thereafter, the malicious communication pattern extraction apparatus eliminates, from the extracted malicious communication patterns, any malicious communication pattern having a conformance rate to a traffic group not infected with malware, the conformance rate being equal to or larger than a predetermined value.
    Type: Grant
    Filed: November 9, 2015
    Date of Patent: November 19, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazunori Kamiya, Kazufumi Aoki
  • Patent number: 10462158
    Abstract: A URL selection method disclosed in the present application includes a first extraction step and a second extraction step. The first extraction step extracts URLs up to an upper limit value of the number of URLs set to each of URL groups in a range where a total number of URLs is within a predetermined number of URLs, in order of priority set to each of the URL groups, from each of the URL groups identified by analyzing a traffic log by techniques in different categories. The second extraction step further extracts URLs within the predetermined number of URLs, based on the priority, when the total number of URLs extracted from each of the URL groups in the first extraction step is less than the predetermined number of URLs.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: October 29, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Takeshi Yagi, Daiki Chiba, Kazunori Kamiya, Tohru Sato, Kensuke Nakata
  • Publication number: 20190230198
    Abstract: A flow information analysis apparatus receives flow information containing a header sample, determines whether the header sample of the flow information matches any of templates that are based on tunneling protocols, and when determining that the header sample matches any of the templates, extracts information on a header of the IP packet from the header sample on the basis of the matched template. Further, when determining that the header sample does not match any of the templates, the flow information analysis apparatus extracts information on the header of the IP packet from the header sample on the basis of a result of a search through the header sample for a byte sequence that matches search data in which a value that is set in a specific field of the tunnel header and a value that is set in a specific field of the IP packet are combined.
    Type: Application
    Filed: August 9, 2017
    Publication date: July 25, 2019
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Hiroshi KURAKAMI, Kazunori KAMIYA, Hiroyuki NOOKA, Daigo NATSUME
  • Patent number: 10348751
    Abstract: A malicious communication pattern extraction device includes: a statistical value calculation unit that calculates a statistical value for an appearance frequency of each of plural communication patterns, from a traffic log obtained from traffic caused by malware, and a traffic log obtained from traffic in a predetermined communication environment; a malicious list candidate extraction unit that compares between the appearance frequency of the traffic logs for each of the communication patterns, based on the calculated statistical value, and extracts the communication pattern as the malicious communication pattern when a difference between both of the appearance frequencies is equal to or more than a predetermined threshold; and a threshold setting unit that sets a threshold so that an erroneous detection rate probability of erroneously detecting the traffic caused by malware and a detection rate probability of detecting the traffic caused by malware is equal to or more than a certain value.
    Type: Grant
    Filed: February 3, 2016
    Date of Patent: July 9, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazunori Kamiya, Kazufumi Aoki, Kensuke Nakata, Tohru Sato
  • Patent number: 10303873
    Abstract: A detection device generates an event sequence from events that are acquired for each of identifiers that distinguish among terminals in a monitoring target network or pieces of malware, by taking into account an order of occurrence of the events. The detection device retrieves events that commonly occur in event sequences belonging to a same cluster among clusters including event sequences with similarities at a predetermined level or higher, and extracts, as a detection event sequence, a representative event sequence based on a relationship between events that have high occurrence rates in similar common event sequences. The detection device detects a malware infected terminal in the monitoring target network based on whether the event sequence generated based on a communication in the monitoring target network and the extracted detection event sequence match each other.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: May 28, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazufumi Aoki, Kazunori Kamiya
  • Patent number: 10257213
    Abstract: An extraction criterion determination method performed by an extraction criterion determination apparatus includes collecting a log information entry that is in a predetermined period of time and determined to be a specific communication, extracting a communication satisfying a criterion used to extract the specific communication from log information entries from the collected log information entries with reference to a storage unit storing an extraction criterion in which the criterion is defined, determining to adopt the extraction criterion when the ratio of the specific communications to the extracted communications is larger than or equal to a threshold, and performing a control to output the adopted extraction criterion.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: April 9, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Takeshi Yagi, Daiki Chiba, Kazunori Kamiya, Tohru Sato, Kensuke Nakata
  • Patent number: 10104124
    Abstract: There is provided an analysis rule adjustment device that adjusts an analysis rule used in a communication log analysis performed to detect malicious communication through a network. The analysis rule adjustment device includes a log acquisition unit, a log analysis unit, and a first analysis unit. The log acquisition unit acquires a communication log through a network to be defended and a communication log generated by malware. The log analysis unit analyzes the communication log acquired by the log acquisition unit on the basis of predetermined analysis rule and tuning condition. The first analysis unit analyzes an analysis result by the log analysis unit and calculates a recommended tuning value used in an adjustment of the predetermined analysis rule and satisfying the tuning condition.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: October 16, 2018
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kensuke Nakata, Kazunori Kamiya, Takeshi Yagi, Tohru Sato, Daiki Chiba
  • Publication number: 20180063146
    Abstract: A blacklist generating device acquires a malicious communication log and a normal communication log. A malicious communication profile extracting function calculates statistics on communication patterns included in the malicious communication log and outputs a communication pattern satisfying a certain condition to a potential blacklist. A normal communication profile extracting function calculates statistics on communication patterns included in the normal communication log and outputs a communication pattern satisfying a certain condition to a whitelist. A blacklist creating function searches the potential blacklist for a value with the value on the whitelist, excludes a coincident communication pattern from the potential blacklist, and creates a blacklist.
    Type: Application
    Filed: February 10, 2016
    Publication date: March 1, 2018
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kensuke NAKATA, Tohru SATO, Kazufumi AOKI, Kazunori KAMIYA