Abstract: In an email inspection device (10), a learning unit (20) learns a relationship between a feature of each email included in a plurality of emails and a feature of a resource accompanying each email. The resource accompanying each email includes at least either one of a file attached to each email and a resource specified by a URL in a message body of each email. A determination unit (30) extracts a feature of an inspection-target email and a feature of a resource accompanying the inspection-target email, and determines whether or not the inspection-target email is a suspicious email depending on whether or not the relationship learned by the learning unit (20) exists between the extracted features.

Abstract: A fraudulent email decision device (10) is provided with a consistency analysis unit (24). The consistency analysis unit (24) identifies an intention of a subject email by, for example, a method of, with respect to a newly received incoming email as a subject email, extracting a function term, being a word expressing a reason the subject email was sent, from a body of the subject email. The consistency analysis unit (24) decides whether or not the subject email is a fraudulent email, from a relationship between another incoming email received in the past from the same sender as the sender of the subject email, and the identified intention of the subject email.

Abstract: An operation unit (120) calculates a feature quantity of an object mail which is an email to be tested. Then, the operation unit acquires, based on the feature quantity of the object mail, a status identifier of the object mail from a status definition file. Then, the operation unit selects a mail thread which the object mail belongs to, from one mail thread or more as an object thread, and adds the status identifier of the object mail to a status group of the object thread. Then, the operation unit decides whether the status group, to which the status identifier of the object mail has been added, of the object thread complies with a detection rule. When the status group of the object thread complies with the detection rule, the operation unit produces an alert.

Abstract: A correlation value calculation unit calculates a correlation value between input data input to an inspection-targeted apparatus whose internal specifications are unknown and output data for the input data from the inspection-targeted apparatus. A state transition determination unit analyzes in a time-series manner, a plurality of correlation values calculated by the correlation value calculation unit for a plurality of pieces of input data and a plurality of pieces of output data for the plurality of pieces of input data, and determines whether or not a state transition has occurred in the inspection-targeted apparatus.

Abstract: A people network detection unit (110) detects, based on public information of a target person, a people network that indicates a connection between the target person and a group of related persons. A disclosure risk calculation unit (120) calculates a disclosure risk of the target person based on the public information of the target person, and calculates a group of disclosure risks corresponding to the group of related persons based on a group of public information corresponding to the group of related persons. A connection risk determination unit (130) determines a representative value of the group of disclosure risks as a connection risk of the target person based on the group of disclosure risks corresponding to the group of related persons. A security risk calculation unit (140) calculates a security risk of the target person with respect to a cyberattack, using the disclosure risk of the target person and the connection risk of the target person.

Abstract: In an evaluation apparatus (10), a profile database (31) is a database to store profile information indicating an individual characteristic of each of a plurality of persons. A security database (32) is a database to store security information indicating a behavior characteristic of each of the plurality of persons, which may become a security incident factor. A model generation unit (22) derives a relationship between the characteristic indicated by the profile information stored in the profile database (31) and the characteristic indicated by the security information stored in the security database (32), as a model. Upon receipt of an input of information indicating a characteristic of a different person, an estimation unit (23) estimates a behavior characteristic of the different person, which may become the security incident factor, by using the model derived by the model generation unit (22).

Abstract: In an exchange-type attack simulation device (10), an e-mail reception unit (22) receives a reply e-mail to an e-mail transmitted by an e-mail transmission unit (26). A state transition unit (24) refers to correspondence information (31) indicating feature of e-mails corresponding to each of state transitions in a state transition model and thereby identifies a state transition corresponding to the reply e-mail received by the e-mail reception unit (22). An e-mail generation unit (25) generates an e-mail corresponding to the state transition identified by the state transition unit (24). The e-mail generation unit (25) makes the e-mail transmission unit (26) transmit the generated e-mail.

Abstract: A packet format inference apparatus includes a classification unit and an inference unit. The classification unit classifies, among a plurality of packets which are included in a packet data set as packet data and of which formats are unknown, relevant packets transmitted in a fixed cycle, as a packet group having a same arrival cycle. The inference unit infers a packet format for each packet group having the same arrival cycle.

Abstract: In an evaluation device (100), an attack generation unit (111) generates an attack sample. The attack sample is data for simulating an unauthorized act on a system. A comparison unit (112) compares the attack sample generated by the attack generation unit (111) and a normal state model. The normal state model is data acquired by modeling an authorized act on the system. Based on the comparison result, the comparison unit (112) generates information for generating an attack sample similar to the normal state model, and feeds back the generated information to the attack generation unit (111). A verification unit (113) checks whether the attack sample generated by the attack generation unit (111) satisfies a requirement for simulating an unauthorized act, and verifies, by using the attack sample satisfying the requirement, a detection technique implemented in a security product.

Abstract: The present invention relates to a process analysis apparatus for analyzing a process executed in an information processing unit and extracting encryption logic such as an encryption function or a decryption function used in the process.

Abstract: A test memory extracting unit 110 extracts a test memory image 191 from a memory area of a target system. A template memory extracting unit 120 extracts a template memory image 192 from a template system not infected with malware. An injected code detecting unit 130 compares the test memory image 191 with the template memory image 192, and generates an injected code list 193. An injected code testing unit 140 generates a malicious code list 195 based on the injected code list 193 and a test rule list 194. A test result output unit 150 generates a test result file 196 based on the malicious code list 195.

Abstract: The present invention relates to a cryptographic block identification apparatus which, in order to analyze encryption logic used by malware to conceal communication, identifies a cryptographic block where encryption logic is stored within a program of the malware. The cryptographic block identification apparatus includes a block candidate extraction part and a cryptographic block identification part. The block candidate extraction part analyzes an execution trace in which an execution step of malware is recorded, calculates an evaluation value representing cipher likeliness of the execution step based on whether or not an operation type that characterizes cipher likeliness of the execution step is included in the execution step, and extracts an execution step where the evaluation value exceeds a threshold L, as a block candidate which is a candidate of a cryptographic block.

Abstract: The present invention relates to a cryptographic block identification apparatus which, in order to analyze encryption logic used by malware to conceal communication, identifies a cryptographic block where encryption logic is stored within a program of the malware. The cryptographic block identification apparatus includes a block candidate extraction part and a cryptographic block identification part. The block candidate extraction part analyzes an execution trace in which an execution step of malware is recorded, calculates an evaluation value representing cipher likeliness of the execution step based on whether or not an operation type that characterizes cipher likeliness of the execution step is included in the execution step, and extracts an execution step where the evaluation value exceeds a threshold L, as a block candidate which is a candidate of a cryptographic block.

Abstract: The present invention relates to a process analysis apparatus for analyzing a process executed in an information processing unit and extracting encryption logic such as an encryption function or a decryption function used in the process.

Abstract: A necessary information extraction unit extracts, from variables used in a target program, an output variable to which output information to be output by an output function defined in an output function list is set. The necessary information extraction unit extracts, from the variables used in the target program, an encryption variable to which encrypted information encrypted by an encrypting function defined in an encryption function list is set. A protected state analysis unit refers to an assignment statement included in the target program, and extracts an encrypted state variable to which the encrypted information is assigned. A vulnerability determination unit determines whether or not the encrypted state variable and the output variable are the same variable, and outputs a program verification result based on a result of determination.

Abstract: A test memory extracting unit 110 extracts a test memory image 191 from a memory area of a target system. A template memory extracting unit 120 extracts a template memory image 192 from a template system not infected with malware. An injected code detecting unit 130 compares the test memory image 191 with the template memory image 192, and generates an injected code list 193. An injected code testing unit 140 generates a malicious code list 195 based on the injected code list 193 and a test rule list 194. A test result output unit 150 generates a test result file 196 based on the malicious code list 195.

Abstract: A necessary information extraction unit extracts, from variables used in a target program, an output variable to which output information to be output by an output function defined in an output function list is set. The necessary information extraction unit extracts, from the variables used in the target program, an encryption variable to which encrypted information encrypted by an encrypting function defined in an encryption function list is set. A protected state analysis unit refers to an assignment statement included in the target program, and extracts an encrypted state variable to which the encrypted information is assigned. A vulnerability determination unit determines whether or not the encrypted state variable and the output variable are the same variable, and outputs a program verification result based on a result of determination.

Abstract: An optical sensor device includes a plurality of optical sensor units two-dimensionally arranged, a scan driver, and a detection driver. The scan driver sets optical sensor units, in each row, in a selected state. The detection driver acquires detection signals corresponding to illuminance of incident light on the optical sensor units. Each of the optical sensor units comprises a first optical sensor including a first photoelectric conversion section blocked from light and a second optical sensor including a second photoelectric conversion section configured to change the illuminance in response to an externally applied external force. The detection driver maintains each voltage of electrodes of the first optical sensors and each voltage of electrodes of the second optical sensors in equal voltage levels to each other, and acquires a plurality of voltage signals in parallel.

Abstract: A method for heating and pasteurizing a material, comprising placing the material inside of a semi-sealed chamber at atmospheric pressure that contains an atmosphere produced by replacing air in the chamber with a gas component produced by spraying or injecting hot water droplets and steam at a temperature of at least 100° C. into the chamber which is heated to a temperature of at least 100° C. which is equal to or higher than the temperature of the sprayed hot water droplets and steam, which gas component has a humidity of at least 95% and contains no more than 1% oxygen; contacting said material to the gas component for exposing it to continual temperature variation during heating ranging from 10-50° C. inside the chamber at temperature(s) ranging from 90-180° C. for a time sufficient to heat or pasteurize it. An apparatus for performing this method.

Abstract: An optical sensor device includes a plurality of optical sensor units two-dimensionally arranged, a scan driver, and a detection driver. The scan driver sets optical sensor units, in each row, in a selected state. The detection driver acquires detection signals corresponding to illuminance of incident light on the optical sensor units. Each of the optical sensor units comprises a first optical sensor including a first photoelectric conversion section blocked from light and a second optical sensor including a second photoelectric conversion section configured to change the illuminance in response to an externally applied external force. The detection driver maintains each voltage of electrodes of the first optical sensors and each voltage of electrodes of the second optical sensors in equal voltage levels to each other, and acquires a plurality of voltage signals in parallel.