Abstract: A difference extracting unit extracts, from an executable file converted from a source code and an executable file converted from a source code after vulnerability correction is made to the source code, a difference of a part where the vulnerability correction is made. A feature calculating unit calculates features of the difference extracted by the difference extracting unit. A difference extracting unit extracts, from an executable file converted from a source code and an executable file converted from a source code after correction is made to the source code, a difference of a predetermined part. A similarity calculating unit calculates similarity between the difference of the predetermined part calculated by the difference extracting unit and the features of the difference of the part where the vulnerability correction is made calculated by the feature calculating unit.

Abstract: For the purpose of reproducing a call stack accurately without restricting the range of application, a stack scanner extracts, from a stack area of a thread whose call stack is to be acquired in a memory space of an application process, possible return addresses that are addresses in a feasible region in the memory space each representing a command right after a function call command. A program analyzer analyzes a control flow representing a flow of control configured by a branch in a function that is called by the function call command right before the command represented by each of the possible return addresses and, when there is a route reaching a command currently being executed in the control flow, determines that the possible return address is a return address and, when there is not the route, determines that the possible return address is not a return address.

Abstract: An account identification apparatus sets browsing authority for each of accounts such that browsing permission/prohibition is different for each of Web pages. Furthermore, the account identification apparatus causes a user terminal having accessed a predetermined Web site to transmit a request to each of the Web pages so as to acquire information about browsing permission/prohibition for each of the Web pages with regard to the user terminal and uses the acquired information about browsing permission/prohibition to identify an account with which the user terminal has logged in.

Abstract: A call stack acquisition device reproduces, from a memory dump, a memory space of a process to which a thread as a production target of a call stack belongs. Then, the call stack acquisition device acquires execution context of the thread by acquiring, from a virtual memory space, register information of the thread, which is stored in a memory by an OS. In addition, the call stack acquisition device acquires a current stack position and a currently executed function from the acquired execution context. Thereafter, the call stack acquisition device acquires the call stack by tracing return addresses of a series of functions as callers of the currently executed function on the stack from metadata of an execution file of the process including the thread.

Abstract: A command server identification device adds a tag to data received by malware upon execution of the malware, the tag capable of uniquely identifying identification information for a transmission source of the data, and tracks propagation of the data added with the tag. The command server identification device acquires a tag of data referenced by a branch instruction executed by the malware, among the tracked data. The command server identification device analyzes information on an instruction of a branch destination not executed by the malware after the branch instruction. Then, the command server identification device identifies identification information of a command server for issuing a command to the malware from the identification information of the transmission source corresponding to the acquired tag, based on the result of analysis.

Abstract: For the purpose of reproducing a call stack accurately without restricting the range of application, a stack scanner extracts, from a stack area of a thread whose call stack is to be acquired in a memory space of an application process, possible return addresses that are addresses in a feasible region in the memory space each representing a command right after a function call command. A program analyzer analyzes a control flow representing a flow of control configured by a branch in a function that is called by the function call command right before the command represented by each of the possible return addresses and, when there is a route reaching a command currently being executed in the control flow, determines that the possible return address is a return address and, when there is not the route, determines that the possible return address is not a return address.

Abstract: A call stack acquisition device reproduces, from a memory dump, a memory space of a process to which a thread as a production target of a call stack belongs. Then, the call stack acquisition device acquires execution context of the thread by acquiring, from a virtual memory space, register information of the thread, which is stored in a memory by an OS. In addition, the call stack acquisition device acquires a current stack position and a currently executed function from the acquired execution context. Thereafter, the call stack acquisition device acquires the call stack by tracing return addresses of a series of functions as callers of the currently executed function on the stack from metadata of an execution file of the process including the thread.

Abstract: An account identification apparatus sets browsing authority for each of accounts such that browsing permission/prohibition is different for each of Web pages. Furthermore, the account identification apparatus causes a user terminal having accessed a predetermined Web site to transmit a request to each of the Web pages so as to acquire information about browsing permission/prohibition for each of the Web pages with regard to the user terminal and uses the acquired information about browsing permission/prohibition to identify an account with which the user terminal has logged in.

Abstract: A malware analysis system includes a preliminary analysis unit, a determination unit, and a designation unit. The preliminary analysis unit executes malware obtained as a candidate for an analyzing subject to obtain information related to communication transmitted from the malware. The determination unit determines whether the malware is handled as an analyzing subject based on information obtained by the preliminary analysis unit. The designation unit designates an analyzing order with respect to malware having been determined by the determination unit as an analyzing subject based on information obtained by the preliminary analysis unit.

Abstract: A difference extracting unit extracts, from an executable file converted from a source code and an executable file converted from a source code after vulnerability correction is made to the source code, a difference of a part where the vulnerability correction is made. A feature calculating unit calculates features of the difference extracted by the difference extracting unit. A difference extracting unit extracts, from an executable file converted from a source code and an executable file converted from a source code after correction is made to the source code, a difference of a predetermined part. A similarity calculating unit calculates similarity between the difference of the predetermined part calculated by the difference extracting unit and the features of the difference of the part where the vulnerability correction is made calculated by the feature calculating unit.

Abstract: A vulnerability finding device has a vulnerability extracting unit, a normalization processing unit, and a matching unit. The vulnerability extracting unit extracts a first program code corresponding to a vulnerable part of software. The normalization processing unit performs normalization of a parameter included in the first program code extracted by the vulnerability extracting unit and a second program code of software to be inspected for a vulnerable part. The matching unit performs matching between the first program code after the normalization and the second program code after the normalization, and detects a program code, which is a program code that is the same as or similar to the first program code, from the second program code.

Abstract: A detection device includes a data-propagation tracking unit that gives communication data a tag including attribute information associated with communication destination information of the communication data and tracks propagation of communication data on which the tag including the attribute information is given, and a falsification detection unit that detects falsification on the communication data when, in the communication data, there is a tag including attribute information different from attribute information corresponding to a transmission destination or a transmission source of the communication data.

Abstract: An identifying device monitors malware to be analyzed and acquires, as log data, the malware, download data downloaded from a communication destination, and a relation of data transfer performed with the malware or the communication destination of the download data. Then, the identifying device creates, by using the acquired log data, a dependency relation graph that is a digraph in which the malware, download data, and communication destination are set as nodes and a dependency relation of each node is set as an edge. Then, the identifying device detects a malicious node by collating the respective nodes of the created dependency relation graph with the known maliciousness information, and traces an edge in a direction from a terminal point to a start point while setting the malicious node as a base point, and then identifies the traced node as a new malicious node.

Abstract: A command and control server identifying apparatus provides data received by malware upon execution of the malware with a tag that allows to uniquely identify communication destination information of a source of the data, and tracks propagation of the data provided with the tag. Then, the command and control server identifying apparatus obtains a tag of data referred to by a branch instruction executed by the malware among tracked data. Then, the command and control server identifying apparatus identifies communication destination information of a command and control server that issues a command to the malware, based on communication destination information of a source associated with the obtained tag.

Abstract: A virtual machine includes a shadow memory, a shadow disk, and a virtual NIC. A virtual machine includes a guest OS. The shadow memory and the shadow disk each store therein pieces of data and pieces of tag information assigned to the pieces of data, so as to be kept in correspondence with one another. When malware transmits data, the virtual NIC generates the transmission information containing the transmitted data and tag information assigned to the transmitted data and further transmits the generated transmission information to the virtual machine. The guest OS extracts the tag information from the received transmission information. Further, the guest OS determines a transfer destination of the transmission information on the basis of the extracted tag information and further transfers the transmission information to the determined transfer destination.

Abstract: An information processing device and method that monitor a behavior of malware (program), and generate a log which associates identification information of an invoked library function, input data to the library function, output data from the library function and a taint tag for uniquely specifying output data every time the program invokes a library function. Further, the information processing device and method refer to a taint tag set to output data from an information processing device and a log, track a dependent relationship between items of data input and output to and from libraries and specify a library function which has generated the output data from the information processing device.

Abstract: A monitoring device inspects a redirect code inserted into content of a compromised web site, and, in accordance with a result thereof, when information of a new malicious website is described in the redirect code, the monitoring device acquires information of the malicious website and registers the information on a blacklist. In addition, the monitoring device unregisters information of the malicious website that is no longer described in the redirect code in the content from the blacklist.

Abstract: An information processing apparatus includes an adding unit and an identifying unit. The adding unit adds, to data received from a communication destination device by a program to be analyzed, a tag, by which the communication destination device is identifiable. If the tag has been added to data executed by a new program when an activation of or an activation reservation for the new program is detected, the identifying unit identifies the communication destination device identified by the tag.

Abstract: A malware analysis system includes a preliminary analysis unit, a determination unit, and a designation unit. The preliminary analysis unit executes malware obtained as a candidate for an analyzing subject to obtain information related to communication transmitted from the malware. The determination unit determines whether the malware is handled as an analyzing subject based on information obtained by the preliminary analysis unit. The designation unit designates an analyzing order with respect to malware having been determined by the determination unit as an analyzing subject based on information obtained by the preliminary analysis unit.

Abstract: A command server identification device adds a tag to data received by malware upon execution of the malware, the tag capable of uniquely identifying identification information for a transmission source of the data, and tracks propagation of the data added with the tag. The command server identification device acquires a tag of data referenced by a branch instruction executed by the malware, among the tracked data. The command server identification device analyzes information on an instruction of a branch destination not executed by the malware after the branch instruction. Then, the command server identification device identifies identification information of a command server for issuing a command to the malware from the identification information of the transmission source corresponding to the acquired tag, based on the result of analysis.