Abstract: A selection apparatus includes a macro analysis unit that acquires a macro feature amount from a macro in a document file to which the macro is added, a text analysis unit that acquires a text feature amount from text in the document file, a cluster analysis unit that performs clustering using the macro feature amount and the text feature amount, and a selection unit that selects an analysis target document file based on a cluster analysis result, and is able to efficiently and accurately select the macro-added document file to be analyzed.

Abstract: An attack code detection apparatus includes a preprocessing unit that analyzes in advance a library file for learning used in an ROP (Return Oriented Programming) chain, and obtains sets including the addresses of ROP gadgets, which represent pieces of code in the library file, and increment values of the stack pointer at the time of execution of the ROP gadgets; and a detecting unit that refers to the obtaining result of the preprocessing unit, that verifies, regarding an unknown data series representing the examination target, whether or not the ROP chain is valid in which the ROP gadgets are correctly linked, and that detects whether or not the unknown data series representing the examination target is a malicious data series.

Abstract: An attack code detection device includes a learning unit configured to generate a model that learns, using a known labeled malicious document file including an ROP code, as learning data, a feature of a byte sequence being a component of a document file, and a feature of a byte sequence being a component of an ROP code, a detection unit configured to detect the ROP code included in an inspection target unknown document file, based on the model, and a malignancy determination unit configured to determine, based on a detection result, whether the inspection target unknown document file is a malicious data series that executes attack using ROP.

Abstract: A vulnerability detection device includes a vulnerability portion extracting unit that extracts a first program code corresponding to an uncorrected vulnerability portion of software, a normalization processing unit that normalizes a parameter varying depending on compilation environment, among parameters included in the extracted first program code and in a second program code of software as a target to be tested for the vulnerability portion, a similarity calculating unit that calculates a similarity of an arbitrary portion of the second program code after normalization as a comparison target to the first program code, and a determining unit that refers to vulnerability related information for a portion of the second program code in which the calculated first similarity exceeds a predetermined threshold, and that determines whether the portion of the second program code is an unknown vulnerability portion.

Abstract: A static code analysis unit specifies an implementation portion of a Java code in a cooperation mechanism that sends and receives data between an Android application implemented by the Java code and Web content implemented by a JavaScript code and specifies a method in which a return value that can be called by the JavaScript code is set in the cooperation mechanism; a code converting unit inserts, into the Java code, a call code of a simulation function in which the return value of the specified method is inserted into an argument; and a data flow analysis unit analyzes a data flow by observing, by using the argument and the return value of the simulation function and the specified method, the data that is sent and received between the Android application implemented by the Java code and the Web content implemented by the JavaScript code.

Abstract: An attack code detection device includes a learning unit configured to generate a model that learns, using a known labeled malicious document file including an ROP code, as learning data, a feature of a byte sequence being a component of a document file, and a feature of a byte sequence being a component of an ROP code, a detection unit configured to detect the ROP code included in an inspection target unknown document file, based on the model, and a malignancy determination unit configured to determine, based on a detection result, whether the inspection target unknown document file is a malicious data series that executes attack using ROP.

Abstract: A selection apparatus includes a macro analysis unit that acquires a macro feature amount from a macro in a document file to which the macro is added, a text analysis unit that acquires a text feature amount from text in the document file, a cluster analysis unit that performs clustering using the macro feature amount and the text feature amount, and a selection unit that selects an analysis target document file based on a cluster analysis result, and is able to efficiently and accurately select the macro-added document file to be analyzed.

Abstract: An attack code detection apparatus includes a preprocessing unit that analyzes in advance a library file for learning used in an ROP (Return Oriented Programming) chain, and obtains sets including the addresses of ROP gadgets, which represent pieces of code in the library file, and increment values of the stack pointer at the time of execution of the ROP gadgets; and a detecting unit that refers to the obtaining result of the preprocessing unit, that verifies, regarding an unknown data series representing the examination target, whether or not the ROP chain is valid in which the ROP gadgets are correctly linked, and that detects whether or not the unknown data series representing the examination target is a malicious data series.

Abstract: A vulnerability detection device includes a vulnerability portion extracting unit that extracts a first program code corresponding to an uncorrected vulnerability portion of software, a normalization processing unit that normalizes a parameter varying depending on compilation environment, among parameters included in the extracted first program code and in a second program code of software as a target to be tested for the vulnerability portion, a similarity calculating unit that calculates a similarity of an arbitrary portion of the second program code after normalization as a comparison target to the first program code, and a determining unit that refers to vulnerability related information for a portion of the second program code in which the calculated first similarity exceeds a predetermined threshold, and that determines whether the portion of the second program code is an unknown vulnerability portion.

Abstract: A static code analysis unit specifies an implementation portion of a Java code in a cooperation mechanism that sends and receives data between an Android application implemented by the Java code and Web content implemented by a JavaScript code and specifies a method in which a return value that can be called by the JavaScript code is set in the cooperation mechanism; a code converting unit inserts, into the Java code, a call code of a simulation function in which the return value of the specified method is inserted into an argument; and a data flow analysis unit analyzes a data flow by observing, by using the argument and the return value of the simulation function and the specified method, the data that is sent and received between the Android application implemented by the Java code and the Web content implemented by the JavaScript code.