Patents by Inventor Yuhei KAWAKOYA

Yuhei KAWAKOYA has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240152611
    Abstract: A trace information determination device includes an extraction unit that extracts a feature of malware, a classification unit that performs clustering on the basis of the feature of malware extracted by the extraction unit and classifies the malware into a predetermined cluster, an attack tendency determination unit that determines a tendency of an attack of the malware on the basis of the cluster classified by the classification unit, and a validity determination unit that determines validity of trace information generated from an activity trace of the malware on the basis of a result of determination by the attack tendency determination unit.
    Type: Application
    Filed: March 16, 2021
    Publication date: May 9, 2024
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Toshinori USUI, Tomonori IKUSE, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI
  • Publication number: 20240152603
    Abstract: An activity trace extraction device executes malware to collect an analysis log including a plurality of activity traces of the malware, and executes the malware again in an environment indicating time information different from time information at the time of executing the malware to collect a time change analysis log including a plurality of activity traces of the malware. The activity trace extraction device updates the analysis log by removing, from the analysis log, the activity trace different from the activity trace of the time change analysis log among the plurality of activity traces included in the analysis log based on the analysis log and the time change analysis log. The activity trace extraction device generates trace information of the malware independent of time lapse based on the updated analysis log.
    Type: Application
    Filed: March 16, 2021
    Publication date: May 9, 2024
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Toshinori USUI, Tomonori IKUSE, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI
  • Publication number: 20240152615
    Abstract: An activity trace extraction device executes malware to collect an analysis log including a plurality of activity traces of the malware, and executes the malware again to collect an environment change analysis log including the plurality of activity traces of the malware assumed in a case where an execution environment of a system and a device used at execution of the malware and information unique to application software are changed. The activity trace extraction device updates, based on the analysis log and the environment change analysis log, the analysis log by removing, from the analysis log, an activity trace different from an activity trace of the environment change analysis log among the plurality of activity traces included in the analysis log. The activity trace extraction device generates trace information of the malware independent of the execution environment based on the analysis log updated.
    Type: Application
    Filed: March 16, 2021
    Publication date: May 9, 2024
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Toshinori USUI, Tomonori IKUSE, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI
  • Publication number: 20230418941
    Abstract: The analysis function imparting device acquires a plurality of execution traces related to a branch instruction and memory access, by inputting a test script to a script engine and causing the script engine to execute the test script. The analysis function imparting device specifies a similar sequence on the basis of the plurality of execution traces and detects a function call included in the specified sequence as a candidate of a type conversion function. The analysis function imparting device detects a variable having an input/output relationship from a variable of a candidate argument and a return value of the type conversion function among the execution traces. The analysis function imparting device executes a taint analysis on the type variable function of the variable having an input/output relationship of the type conversion function, and detects a propagation leakage function indicating a type variable function.
    Type: Application
    Filed: October 14, 2020
    Publication date: December 28, 2023
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Toshinori USUI, Tomonori IKUSE, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI
  • Publication number: 20230325477
    Abstract: The program protection device (100) includes an encoding unit (133) and an output unit (135). The encoding unit (133) encodes a program to be protected according to a specific encoding algorithm, and stores information used for decoding the encoded program in a relocation table of the encoded program. The output unit (135) outputs the program encoded by the encoding unit (133) as a protected program.
    Type: Application
    Filed: October 9, 2020
    Publication date: October 12, 2023
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI
  • Patent number: 11748476
    Abstract: A conversion device includes processing circuitry configured to receive a programmable signature as a target to be analyzed and symbolized data and/or a log as an input value, analyze the programmable signature by using a symbolic execution engine, and output a conditional branching process executed on the input value as a constraint on the input value and receive the output constraint on the input value, perform field conversion from the constraint on the input value to an output format based on a table of field name correspondence between formats, and output a static signature.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: September 5, 2023
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuhei Kawakoya, Makoto Iwamura, Jun Miyoshi
  • Publication number: 20230028595
    Abstract: An analysis function imparting device (10) includes a virtual machine analyzing unit (121) that analyzes a virtual machine of a script engine, a command set architecture analyzing unit (122) that analyzes a command set architecture that is a command system of the virtual machine, and an analysis function imparting unit (123) that performs hooking for imparting multipath execution functions to the script engine, on the basis of architecture information acquired by the analysis performed by the virtual machine analyzing unit (121) and the command set architecture analyzing unit (122).
    Type: Application
    Filed: October 11, 2019
    Publication date: January 26, 2023
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Toshinori USUI, Tomonori IKUSE, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI
  • Publication number: 20230016772
    Abstract: A calculating unit calculates a semantics set relating to an entirety of state of a recursive neural network satisfying a specification. A determining unit determines whether or not the recursive neural network that is an object of checking satisfies the specification, on the basis of the semantics set and an initial state of the recursive neural network that is the object of checking.
    Type: Application
    Filed: December 11, 2019
    Publication date: January 19, 2023
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tatsuhiro AOSHIMA, Toshinori USUI, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI
  • Publication number: 20220391505
    Abstract: A rule generation apparatus includes processing circuitry configured to enumerate rule candidates with different degrees of abstraction as candidates for a rule for detecting a malware trace using an analysis result of malware, and calculate evaluation values of the rule candidates enumerated using a predetermined evaluation function and sort a rule from among the rule candidates based on the evaluation values.
    Type: Application
    Filed: November 28, 2019
    Publication date: December 8, 2022
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuma KUROGOME, Yuhei KAWAKOYA, Makoto IWAMURA, Yuto OTSUKI, Jun MIYOSHI
  • Patent number: 11481307
    Abstract: For the purpose of reproducing a call stack accurately without restricting the range of application, a stack scanner extracts, from a stack area of a thread whose call stack is to be acquired in a memory space of an application process, possible return addresses that are addresses in a feasible region in the memory space each representing a command right after a function call command. A program analyzer analyzes a control flow representing a flow of control configured by a branch in a function that is called by the function call command right before the command represented by each of the possible return addresses and, when there is a route reaching a command currently being executed in the control flow, determines that the possible return address is a return address and, when there is not the route, determines that the possible return address is not a return address.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: October 25, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuto Otsuki, Yuhei Kawakoya, Makoto Iwamura, Takeo Hariu, Takeshi Yagi
  • Publication number: 20220283853
    Abstract: An analysis system includes processing circuitry configured to extract each running process and each thread in each process from data that records a state of a memory of an analysis object apparatus, acquire an object belonging to the process or the thread having been extracted, and specify a same object belonging to a plurality of processes or a plurality of threads among objects acquired and associate the plurality of processes or the plurality of threads to which the same object belongs.
    Type: Application
    Filed: August 7, 2019
    Publication date: September 8, 2022
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI, Yuto OTSUKI
  • Publication number: 20210390183
    Abstract: An analysis function imparting device according to the present invention includes processing circuitry configured to execute a script engine while monitoring the script engine to acquire an execution trace including an application programming interface (API) trace and a branch trace, analyze the execution trace, and detect a hook point that is a location to which a hook is applied and a code for analysis is inserted, detect, based on monitoring at the hook point, a tap point that is a memory monitoring location at which the code for analysis outputs a log, and apply a hook to the script engine to impart an analysis function to the script engine based on the hook point and the tap point.
    Type: Application
    Filed: May 21, 2019
    Publication date: December 16, 2021
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Toshinori USUI, Yuto OTSUKI, Makoto IWAMURA, Yuhei KAWAKOYA, Jun MIYOSHI
  • Patent number: 11182479
    Abstract: A call stack acquisition device reproduces, from a memory dump, a memory space of a process to which a thread as a production target of a call stack belongs. Then, the call stack acquisition device acquires execution context of the thread by acquiring, from a virtual memory space, register information of the thread, which is stored in a memory by an OS. In addition, the call stack acquisition device acquires a current stack position and a currently executed function from the acquired execution context. Thereafter, the call stack acquisition device acquires the call stack by tracing return addresses of a series of functions as callers of the currently executed function on the stack from metadata of an execution file of the process including the thread.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: November 23, 2021
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuto Otsuki, Yuhei Kawakoya, Makoto Iwamura, Takeo Hariu, Takeshi Yagi
  • Publication number: 20210342444
    Abstract: A conversion device includes processing circuitry configured to receive a programmable signature as a target to be analyzed and symbolized data and/or a log as an input value, analyze the programmable signature by using a symbolic execution engine, and output a conditional branching process executed on the input value as a constraint on the input value and receive the output constraint on the input value, perform field conversion from the constraint on the input value to an output format based on a table of field name correspondence between formats, and output a static signature.
    Type: Application
    Filed: May 20, 2019
    Publication date: November 4, 2021
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI
  • Publication number: 20200242002
    Abstract: For the purpose of reproducing a call stack accurately without restricting the range of application, a stack scanner extracts, from a stack area of a thread whose call stack is to be acquired in a memory space of an application process, possible return addresses that are addresses in a feasible region in the memory space each representing a command right after a function call command. A program analyzer analyzes a control flow representing a flow of control configured by a branch in a function that is called by the function call command right before the command represented by each of the possible return addresses and, when there is a route reaching a command currently being executed in the control flow, determines that the possible return address is a return address and, when there is not the route, determines that the possible return address is not a return address.
    Type: Application
    Filed: June 28, 2018
    Publication date: July 30, 2020
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuto OTSUKI, Yuhei KAWAKOYA, Makoto IWAMURA, Takeo HARIU, Takeshi YAGI
  • Publication number: 20200218803
    Abstract: A call stack acquisition device reproduces, from a memory dump, a memory space of a process to which a thread as a production target of a call stack belongs. Then, the call stack acquisition device acquires execution context of the thread by acquiring, from a virtual memory space, register information of the thread, which is stored in a memory by an OS. In addition, the call stack acquisition device acquires a current stack position and a currently executed function from the acquired execution context. Thereafter, the call stack acquisition device acquires the call stack by tracing return addresses of a series of functions as callers of the currently executed function on the stack from metadata of an execution file of the process including the thread.
    Type: Application
    Filed: July 2, 2018
    Publication date: July 9, 2020
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuto OTSUKI, Yuhei KAWAKOYA, Makoto IWAMURA, Takeo HARIU, Takeshi YAGI
  • Patent number: 10462159
    Abstract: A system and method are provided for detecting a botnet in a network based on traffic flow, a daisy-chained mechanism and a white-list generation mechanism. The system and method use the known malicious components in a botnet, such as IP address, domain name and URL, as the root of a daisy chain and create a network graph based on given traffic flow data such as NetFlow data, DNS cache data, DNS sinkhole data, DDoS data and Attack log data in threat sensors. The system and method iteratively detect new malicious factors by tracing that network graph. The system and method also introduce a technique to create a white list which is used in the daisy chain to reduce false positives.
    Type: Grant
    Filed: June 22, 2016
    Date of Patent: October 29, 2019
    Assignee: NTT INNOVATION INSTITUTE, INC.
    Inventors: Masayuki Inoue, Satoshi Iitsuka, Yuhei Kawakoya
  • Patent number: 10129275
    Abstract: An information processing device and method that monitor a behavior of malware (program), and generate a log which associates identification information of an invoked library function, input data to the library function, output data from the library function and a taint tag for uniquely specifying output data every time the program invokes a library function. Further, the information processing device and method refer to a taint tag set to output data from an information processing device and a log, track a dependent relationship between items of data input and output to and from libraries and specify a library function which has generated the output data from the information processing device.
    Type: Grant
    Filed: March 27, 2014
    Date of Patent: November 13, 2018
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuhei Kawakoya, Makoto Iwamura, Takeo Hariu
  • Patent number: 10097567
    Abstract: An information processing apparatus includes an adding unit and an identifying unit. The adding unit adds, to data received from a communication destination device by a program to be analyzed, a tag, by which the communication destination device is identifiable. If the tag has been added to data executed by a new program when an activation of or an activation reservation for the new program is detected, the identifying unit identifies the communication destination device identified by the tag.
    Type: Grant
    Filed: March 26, 2014
    Date of Patent: October 9, 2018
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Makoto Iwamura, Yuhei Kawakoya, Takeo Hariu
  • Publication number: 20170374084
    Abstract: A system and method are provided for detecting a botnet in a network based on traffic flow, a daisy-chained mechanism and a white-list generation mechanism. The system and method use the known malicious components in a botnet, such as IP address, domain name and URL, as the root of a daisy chain and create a network graph based on given traffic flow data such as NetFlow data, DNS cache data, DNS sinkhole data, DDoS data and Attack log data in threat sensors. The system and method iteratively detect new malicious factors by tracing that network graph. The system and method also introduce a technique to create a white list which is used in the daisy chain to reduce false positives.
    Type: Application
    Filed: June 22, 2016
    Publication date: December 28, 2017
    Inventors: Masayuki Inoue, Satoshi Iitsuka, Yuhei Kawakoya