Abstract: The present invention provides a malware analysis apparatus, a malware analysis method, and a malware analysis system that, in a case where dynamic analysis and static analysis are combined to analyze malware, make it possible to analyze malware more easily compared with a case where the analysis is performed without using the configuration adopted by the present invention. The malware analysis apparatus includes an analysis section, a conversion section, and a generation section. The analysis section performs dynamic analysis and static analysis of analysis target malware. The conversion section converts results of the dynamic analysis and the static analysis into natural language, and generates explanations of the analysis results. The generation section generates information regarding a behavior of analysis target malware, the information being obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis.

Abstract: Disclosed is an information sharing system that includes a concealment processing section, an analysis section, and an information transmission section. The concealment processing section conceals information collected from any one or more of multiple organizations in accordance with the level of credibility between the organizations. The analysis section makes an analysis by using the information concealed by the concealment processing section and an analysis logic collected from any one or more of the multiple organizations. The information transmission section transmits the result of analysis by the analysis section to any one or more of the multiple organizations, and allows each organization to share the result of analysis.

Abstract: An information management system is provided with a data processing unit that receives, from an information processing apparatus corresponding to a different party, information managed by the different party, calculates a reliability level with respect to the different party, and calculates a confidence level with respect to the information based on the received information and the calculated reliability level, a countermeasure process setting unit that, based on the calculated confidence level, determines details of a countermeasure process with respect to details indicated by the information, and a reliability level updating unit that changes the reliability level based on the details of the countermeasure process, thereby increasing the possibility of effective processing based on information obtained from a different party.

Abstract: A connection destination malignancy determination system connected to the Internet through a network includes: a connection destination observation unit that observes a connection destination; a connection destination malignancy determination unit that determines a malignancy indicating the degree of maliciousness of the connection destination; and a countermeasure priority determination unit that determines a countermeasure priority indicating the degree of preferential countermeasure required based on the malignancy and an observation result of the connection destination.

Abstract: A malicious website lifespan prediction system includes a communication device that accesses a network, a storage device that stores information on malicious websites, and an arithmetic logic unit that observes predetermined events at the malicious websites, applies results of the observation to a decision rule defining a relationship between a tendency related to the predetermined event at the malicious website and a lifespan of the malicious website to predict the lifespan of the malicious website, and selects predetermined malicious websites from among the malicious websites according to the lifespan and generates a blocklist or a watchlist.

Abstract: An unauthorized access detection device that includes a control device for executing: abnormal access request detection processing in which a plurality of pieces of input/output request data for accessing a file is acquired and it is determined whether or not an access mode to the file is abnormal on the basis of patterns of the acquired plurality of pieces of input/output request data; abnormal data detection processing in which, where it is determined that the access mode to the file is abnormal, it is determined, by specifying data to be written into the file on the basis of the acquired input/output request data and specifying a trend of the specified data, whether or not the specified data is abnormal data; and suspicious process resolution processing in which, where it is determined that the specified data is abnormal data, predetermined processing related to access to the file is executed.

Abstract: In a data circulation control method, an approval server including a processor and a memory controls access to data between a provision party computer providing the data and a use party computer using data. The method includes: a purpose accomplishment status notifying step in which the use party computer notifies the approval server of a use status of the previously approved data; a use application step in which the use party computer makes application to the approval server for a use policy including protection level information related to a security measure when the data is used and a use purpose of the data; and an access control step in which the approval server controls access of the use party computer to the data of the provision party computer based on the use status of the data, the protection level information, and the use purpose of the data.

Abstract: A response support technology for minimizing the impact on jobs as much as possible and enabling job continuity and prompt response can be realized. A response support device that supports a response executed according to a situation of an incident that has occurred in a monitoring target, includes an incident evaluation unit 103 that evaluates an impact of the incident on the monitoring target and an urgency level of the response against the incident; a response evaluation unit 104 that evaluates an impact level on jobs and an effectiveness level to the incident, for the response against the incident; a priority order determination unit 105 that determines a priority order of responses based on evaluation by the incident evaluation unit and evaluation by the response evaluation unit; and a display unit 106 that displays a screen including the priority order of responses determined by the priority order determination unit.

Abstract: Attack scenario information describes each state of an information processing system to be attacked and an attack scenario including a chain of actions that can be taken in the state, an action that transitions from a first state to a second state is obtained with reference to state information, action information, and attack tactics information, a reward of the action is obtained with reference to reward information, the action information, and the attack tactics information, an expected reward of the reward of the action that transitions from the first state to the second state is obtained with reference to success probability information, the highest expected reward is set as a state value of reinforcement learning of the first state among the expected rewards of the action, and the attack scenario is generated by the reinforcement learning.

Abstract: In a network monitoring device, a CPU detects an increase point of a darknet traffic and calculates, with regard to darknet traffic corresponding to the increase point, an evaluation value indicating priority of a countermeasure against a cyberattack based on whether one or more of the following conditions are met: the darknet traffic has been detected inside a user organization; a correlation score of a darknet traffic between an observation point and the user organization is equal to or more than a threshold; a transmission source IP address is included in a blacklist; the darknet traffic is included in threat intelligence as attack information; a corresponding log is included in a honeypot; the honeypot including the log is included in the user organization; a CVSS score of a target is equal to or more than a threshold; and there is a product having vulnerability inside the user organization.

Abstract: A computer system comprises an analysis module configured to execute dynamic analysis for a sample of a malicious program, and to output an analysis result including a coupling destination to and from which the malicious program communicates; a variation detection module configured to detect variation of the coupling destination based on results of cyclic observation of the coupling destination, and to output a result of the detection; and an information sharing module configured to store information output from the analysis module and information output from the variation detection module in a form that allows sharing among a plurality of external computers.

Abstract: Disclosed is an incident scenario generation device for generating an incident scenario that indicates how an attack progresses in relation to an information system. The incident scenario generation device includes an attack parts database for storing attack parts information and a system configuration database for storing system configuration information about the information system. The incident scenario generation device generates the incident scenario according to the attack parts information stored in the attack parts database and to the system configuration information stored in the system configuration database.

Abstract: A transaction mediation device stores transaction request information indicating estimates of profit and loss obtained by the first participant through the transaction; transaction provision information indicating estimates of profit and loss incurred based on a thing that the second participant obtains through the transaction; and behavior characteristic information indicating evaluation of behavior characteristics that affect the profit and loss of a transaction counterparty, and, for each of the one or more second participants, calculates, based on the transaction request information and the behavior characteristic information, a first expected profit that the first participant obtains through the transaction with the second participant and a second expected profit that the second participant obtains through the transaction with the first participant; and calculates and outputs a gross profit incurred from the transaction based on the first expected profit and the second expected profit.

Abstract: Attack scenario information describes each state of an information processing system to be attacked and an attack scenario including a chain of actions that can be taken in the state, an action that transitions from a first state to a second state is obtained with reference to state information, action information, and attack tactics information, a reward of the action is obtained with reference to reward information, the action information, and the attack tactics information, an expected reward of the reward of the action that transitions from the first state to the second state is obtained with reference to success probability information, the highest expected reward is set as a state value of reinforcement learning of the first state among the expected rewards of the action, and the attack scenario is generated by the reinforcement learning.

Abstract: A vulnerability countermeasure device stores configuration information associating multiple computers connected via a network and software possessed by each computer, vulnerability information associating the software with information related to the vulnerability of the software, and countermeasure policy information associating the software with a countermeasure policy to be executed if there is a vulnerability in the software; calculates the computer that data will reach based on information related to a route of the data included in the data received from a used terminal; acquires software existing in the computer based on the calculated computer and configuration information; assesses whether or not there is a vulnerability in the acquired software based on the acquired software and the vulnerability information; and is provided with countermeasure unit for executing a countermeasure to a vulnerability in accordance with a countermeasure policy with respect to the software assessed to have the vulnerabili

Abstract: A vulnerability countermeasure device stores configuration information associating multiple computers connected via a network and software possessed by each computer, vulnerability information associating the software with information related to the vulnerability of the software, and countermeasure policy information associating the software with a countermeasure policy to be executed if there is a vulnerability in the software; calculates the computer that data will reach based on information related to a route of the data included in the data received from a used terminal; acquires software existing in the computer based on the calculated computer and configuration information; assesses whether or not there is a vulnerability in the acquired software based on the acquired software and the vulnerability information; and is provided with countermeasure unit for executing a countermeasure to a vulnerability in accordance with a countermeasure policy with respect to the software assessed to have the vulnerabili

Abstract: A security level of each service is calculated and visualized. The device includes a security level calculation unit and a security level visualization unit. The security level calculation unit receives information regarding security of the service from a plurality of sensors as observation information, and calculates a security level of each service based on the received observation information and a security level calculation policy. The security level visualization unit outputs the security level of each service, based on the security level calculated by the security level calculation unit and configuration information of the service. Further, the security level calculation policy has a service, a user using the service, and an observation item to be observed in the service. The security level calculation unit calculates the security level in association with the user of the service and the service, based on the security level calculation policy.

Abstract: An encrypted traffic test system is disclosed which tests whether or not traffic involving packets over a network is encrypted, the encrypted traffic test system including: a test data acquisition portion configured to receive each of the packets on the network so as to acquire test data from the received packet; an encrypted traffic test portion configured to evaluate the test data acquired by the test data acquisition portion for randomness using a random number testing scheme and, if the test data is evaluated to have randomness, to further determine that the traffic involving the packets including the test data is encrypted traffic; and a test result display portion configured to display a test result from the encrypted traffic test portion on a test result display screen.

Abstract: Provided is a system whereby information on activities obtained by way of monitoring system access to input and output devices and storage devices in a terminal as well as information on activities executed by way of a terminal and obtained by way of monitoring communications through a network are associated with processes in the terminal that generated the activities, and if the activities are predetermined activities executed by the same or related processes, the system detects that unauthorized processes are running on the terminal.

Abstract: A technique for collecting information concerning those files distributed on a file sharing network and for detecting an information leak file to take corrective measures is provided. Supervised information is generated by adding as attributes a file type, a speech-part appearance frequency of words making up a file name and a result of human-made judgment as to whether a file being inspected is the information leak file to key information collected from the file sharing network. Next, the supervised information is input to a decision tree leaning algorithm, thereby causing it to learn an information leak file judgment rule and then derive a decision tree for use in information leak file judgment. Thereafter, this decision tree is used to detect the information leak file from key information flowing on the file sharing network, followed by alert transmission and key information invalidation, thereby preventing damage expansion.