This application is a National Stage of International Application No. PCT/JP2016/000293 filed Jan. 21, 2016, claiming priority based on Japanese Patent Application No. 2015-014873 filed Jan. 29, 2015, the contents of all of which are incorporated herein by reference in their entirety.
The present invention relates to an anti-malware device and the like that detect malware and take a countermeasure against the malware.
In recent years, a threat to security due to malicious software (hereinafter referred to as malware) that provides a computer with an unauthorized command has been a social issue. Accordingly, expectations have been raised for a technique for accurately detecting malware getting into a computer so as to eliminate such a threat to security.
As an example of a technique related to the above-mentioned technique, PTL 1 discloses a malware analysis system that receives a malware candidate sample from a firewall, and automatically generates a signature code when it is determined that the sample is malware. This system determines whether or not the malware candidate sample is malware by using various heuristic methods.
[PTL 1] Japanese Translation of PCT International Application Publication No. 2014-519113
In a general malware detection method, it is determined that software is malware, based on a feature or behavior of a binary code constituting the software (e.g., a communication procedure and a feature of a communication destination domain). Specifically, in the general malware detection method, malware is detected based only on an event by objectively observing an operation of software. For example, the malware analysis system described in PTL 1 determines that the software is malware when at least one of the following events is observed.
However, the above-mentioned events are not always generated with malicious intention, but may be generated by a provider that has distributed software, or a user that executes software, for an unmalicious valid purpose. More precisely, whether or not software is malware is determined not only by an event objectively observed with regard to an operation of the software, but also by various factors depending on an attribution of a subject that executes the software and an attribution of the software. The malware analysis system described in PTL 1 does not determine whether or not software is malware from information based on a comprehensive aspect (viewpoint) in consideration of the above-mentioned various factors. Accordingly, the malware analysis system has a problem that the determination cannot be made with high accuracy. A principal object of the present invention is to provide an anti-malware device and the like that solve the above-mentioned problem.
An anti-malware device according to one aspect of the present invention includes: a storage means for storing risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device; a subject attribution collection means for collecting the value indicating the attribution of the first information processing device from outside; an object attribution collection means for collecting the value indicating the attribution of the software from outside; and a determination means for determining that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected by the subject attribution collection means and the object attribution collection means.
As another aspect to attain the above-mentioned object, an anti-malware method according to one aspect of the present invention includes, when a storage means stores risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device: by a third information processing device, collecting the value indicating the attribution of the first information processing device from outside; collecting the value indicating the attribution of the software from outside; and determining that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected, indicating the attribution of the first information processing device and the attribution of the software.
As a further aspect to attain the above-mentioned object, an anti-malware program according to one aspect of the present invention causes a computer accessible to a storage means for storing risk information in which there are associated a value indicating an attribution of a first information processing device configured to execute software, a value indicating an attribution of the software, and a value that depends on the attributions of the first information processing device and the software and that indicates a degree of risk when the software is executed by the first information processing device, to execute: a subject attribution collection process of collecting the value indicating the attribution of the first information processing device from outside; an object attribution collection process of collecting the value indicating the attribution of the software from outside; and a determination process of determining that the software is malware when the value indicating the degree of risk satisfies a criterion, the value being obtained by comparing the risk information with the values collected by the subject attribution collection process and the object attribution collection process.
Further, the present invention may also be implemented by a computer-readable non-volatile recording medium storing the anti-malware program (computer program).
The present invention is capable of detecting malware with high accuracy.
Example embodiments of the present invention will be described in detail below with reference to the drawings.
<First Example Embodiment>
The terminal device 20 is an information processing device including a processor and a storage device (not illustrated) and is capable of executing software 200 which is externally obtained via the communication network 40. When the anti-malware device 10 determines that the software 200 is not malware, the terminal device 20 executes the software 200 in accordance with an instruction from the anti-malware device 10. The terminal device 20 displays the execution result of the software 200 on a console display unit 21. When the anti-malware device 10 determines that the software 200 is malware, the terminal device 20 does not execute the software 200. In this case, the anti-malware device 10 transfers the software 200 from the terminal device 20 to the live sandbox server device 30.
The live sandbox server device 30 is an information processing device and executes a virtual machine 31. The live sandbox server device 30 may execute a plurality of virtual machines. The virtual machine 31 stores the software 200, which has been transferred from the terminal device 20, as alleged malware 310, and executes a process for the alleged malware 310 in accordance with an instruction from the anti-malware device 10. The virtual machine 31 outputs the execution result of the alleged malware 310 to the console display unit 21 in the terminal device 20. The virtual machine 31 can receive a user's input operation via the terminal device 20 during the execution of the alleged malware 310.
The anti-malware device 10 is a device for determining whether or not the software 200 acquired by the terminal device 20 is malware, and for performing a process for taking a countermeasure against malware when it is determined that the software 200 is malware. The anti-malware device 10 includes a risk information storage unit 11, a risk information collection unit 12, a subject attribution collection unit 13, an object attribution collection unit 14, a determination unit 15, a transfer unit 16, and an internal state collection unit 17. The risk information storage unit 11 is a storage device such as an electronic memory or a magnetic disk. The risk information collection unit 12, the subject attribution collection unit 13, the object attribution collection unit 14, the determination unit 15, the transfer unit 16, and the internal state collection unit 17 may be electronic circuits, or may be implemented by a computer program and a processor that operates according to the computer program.
The risk information storage unit 11 stores a subject attribution database 110, an object attribution database 111, a subjective database 112, an objective database 113, a circumstance database 114, and trail information 115.
The subject attribution database 110 is information indicating a criterion for determining the attribution of the terminal device 20 that executes the software 200.
The subject attribution database 110 illustrated in
The object attribution database 111 illustrated in
The “development source country” represents an identifier capable of identifying a country where the object software has been developed. The “development source linguistic area” represents an identifier capable of identifying a linguistic area where the object software has been developed. The anti-malware device 10 can obtain “development source country” and “development source linguistic area” for the object software on the basis of the “hash value” that is determined by the content of character information included in a binary code, digital signature information, or the like. The object attribution database 111 illustrated in
The subjective database 112 illustrated in
The “risk index by policy violation” represents a numerical value indicating the degree of risk when an event that violates a security policy occurs in the case where the subject device executes the object software. The “risk index by policy violation” indicates that the degree of risk increases as the value increases. For example, the subjective database 112 illustrated in
In general, the security policy applied to the subject device and the degree of risk when the security policy is violated vary depending on the attribution of the subject device. For example, a low level security policy is applied to the subject device that performs information processing with a low social importance, and the degree of risk is low when the security policy is violated. On the contrary, a high level security policy is applied to the subject device that performs information processing with a high social importance, and the degree of risk is high when the security policy is violated.
The objective database 113 illustrated in
The circumstance database 114 illustrated in
The “risk index by unauthorized operation” represents a numerical value indicating a likelihood that the object software performs an unauthorized operation, such as a cyberattack, when the subject device executes the object software. For example, the circumstance database 114 illustrated in
The trail information 115 illustrated in
The risk information collection unit 12 illustrated in
In addition, the risk information collection unit 12 may collect, via the Internet, information provided by news or social media and information such as travel safety information by using a predetermined keyword as a key, and then register the collected information in the circumstance database 114. In this case, the risk information collection unit 12 may set the value of “risk index by unauthorized operation” based on a predetermined calculation criterion, or the system administrator may set the value. When the system administrator registers each database stored in the risk information storage unit 11, note that the anti-malware device 10 does not necessarily need to include the risk information collection unit 12.
When the terminal device 20 acquires the software 200, the subject attribution collection unit 13 collects, from the terminal device 20, an IP address as information indicating the attribution of the terminal device 20, and inputs the collected IP address to the determination unit 15. When a management server device that manages the attribution of the terminal device 20 is present in the anti-malware system 1, the subject attribution collection unit 13 may collect information such as the IP address indicating the attribution of the terminal device 20 from the management server device.
When the terminal device 20 acquires the software 200, the object attribution collection unit 14 collects information indicating the attribution of the software from a binary code or a source code of the software 200 stored in the terminal device 20. The object attribution collection unit 14 calculates a hash value by inputting the binary code of the software 200 to a predetermined hash function, for example. Alternatively, the object attribution collection unit 14 may acquire the IP address of the distribution source device that has distributed the software 200 from log information or the like obtained when the terminal device 20 acquires the software 200. The object attribution collection unit 14 inputs information indicating the attribution of the software 200 to the determination unit 15.
The determination unit 15 compares the IP address indicating the attribution of the terminal device 20 input from the subject attribution collection unit 13 with the subject attribution database 110 stored in the risk information storage unit 11. For example, when the IP address input from the subject attribution collection unit 13 is “IP address 1000”, the determination unit 15 recognizes the terminal device 20 as the device that is owned by “organization A” and installed in “country X”.
The determination unit 15 compares the hash value that is input from the object attribution collection unit 14 and indicates the attribution of the software 200 with the object attribution database 111 stored in the risk information storage unit 11. For example, when the hash value input from the object attribution collection unit 14 is “0005”, the determination unit 15 recognizes the software 200 as the software that is developed in the linguistic area of “language w1” in “country W”.
For example, when the determination unit 15 recognizes the terminal device 20 as the device that is owned by “organization A” and installed in “country X”, the determination unit 15 refers to the subjective database 112, applies “security policy AX” to the terminal device 20, and recognizes that the “risk index by policy violation” is “70”. When the analysis of the software 200 reveals that an event not complying with “security policy AX” occurs when the terminal device 20 executes the software 200, the determination unit 15 sets the risk index for the execution of the software 200 by the terminal device 20 to “70”.
The determination unit 15 compares the result of analyzing the software 200 with the objective database 113. When it turns out that the event registered in the objective database 113 occurs when the terminal device 20 executes the software 200, the determination unit 15 adds the value of “risk index during occurrence of event” relating to the event to the risk index when the terminal device 20 executes the software 200.
The determination unit 15 compares the values respectively indicating the attribution of the terminal device 20 and the attribution of the software 200 with the circumstance database 114. As illustrated in
The determination unit 15 determines whether or not the risk index when the terminal device 20 executes the software 200 satisfies a determination criterion 150, the risk index being calculated by comparing the value indicating the attribution of the terminal device 20 and the value indicating the attribution of the software 200 with each database stored in the risk information storage unit 11. The determination criterion 150 is information indicating a criterion for the determination unit 15 to determine the software 200 to be malware, and is, for example, a threshold relating to the risk index when the subject device executes the object software. In the case where the risk index satisfies the determination criterion 150 when the terminal device 20 executes the software 200, the determination unit 15 determines the software 200 to be malware, and inputs the determination result to each of the transfer unit 16 and the internal state collection unit 17.
When the determination unit 15 determines that the software 200 is malware, the transfer unit 16 transfers the software 200 to the virtual machine 31 in the live sandbox server device 30, and stores the software 200 as the alleged malware 310 in the virtual machine 31.
After the virtual machine 31 stores the alleged malware 310, the internal state collection unit 17 collects the snapshot of the virtual machine 31 at the time before the alleged malware 310 is executed, and stores the collected snapshot as the trail information 115 in the risk information storage unit 11.
The internal state collection unit 17 extracts the alleged malware 310 as a sample from the trail information 115. The internal state collection unit 17 conducts a static analysis on the sample, and stores the analysis result as the objective database 113 in the risk information storage unit 11. After the virtual machine 31 starts execution of the alleged malware 310, the internal state collection unit 17 collects information indicating the operation of the alleged malware 310, and stores the collected information as the objective database 113 in the risk information storage unit 11. The information indicating the operation of the alleged malware 310 is at least one of the IP address of a communication destination device, the communication frequency, the argument of a system call, and the frequency of system calls, for example. The internal state collection unit 17 may set the value of “risk index during occurrence of event” in the objective database 113 on the basis of a predetermined calculation criterion, or the system administrator may set the value.
Next, the operation (processing) of the anti-malware system 1 according to this example embodiment will be described in detail with reference to the flowchart of
The terminal device 20 acquires the software 200 via the communication network 40 (step S101). The subject attribution collection unit 13 collects a value indicating the attribution of the terminal device 20, and inputs the collected value to the determination unit 15 (step S102). The object attribution collection unit 14 collects a value indicating the attribution of the software 200, and inputs the collected value to the determination unit 15 (step S103). The determination unit 15 acquires, from the risk information storage unit 11, the value indicating the degree of risk when the terminal device 20 executes the software 200 (step S104).
The determination unit 15 determines whether or not the acquired value indicating the degree of risk satisfies the determination criterion 150 (step S105). When the value indicating the degree of risk does not satisfy the determination criterion 150 (No in step S106), the terminal device 20 starts execution of the software 200 (step S107), and the entire process is terminated.
When the value indicating the degree of risk satisfies the determination criterion 150 (Yes in step S106), the transfer unit 16 transfers the software 200 as the alleged malware 310 to the virtual machine 31 (step S108). The internal state collection unit 17 stores the snapshot of the virtual machine 31 as the trail information 115 in the risk information storage unit 11 (step S109). The virtual machine 31 starts execution of the alleged malware 310 (step S110), and the entire process is terminated.
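The following is an added worked example, not code from the patent, of the determination described for the determination unit 15 above and of steps S102 to S108 of the flowchart: the subject attribution (an IP address) and the object attribution (a hash of the binary code) are resolved against the subject attribution database 110 and object attribution database 111, the risk indices from the subjective database 112, objective database 113 and circumstance database 114 are summed, and the sum is compared with the determination criterion 150. Every database entry, IP address, event name, binary and the threshold of 90 is a constructed sample value; the use of SHA-256 as the “predetermined hash function” and of simple addition to combine the indices are assumptions, since the patent names neither.

```python
"""Risk-index determination in the style of the anti-malware device 10.
Added illustration; all table contents are constructed sample values."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample binary standing in for the software 200 (not real malware).
SAMPLE_BINARY = b"\x7fELF constructed sample binary for the example"
SAMPLE_HASH = hashlib.sha256(SAMPLE_BINARY).hexdigest()  # assumed hash function

# Subject attribution database 110: IP address -> (organization, country).
SUBJECT_ATTRIBUTION_DB: Dict[str, Tuple[str, str]] = {
    "IP address 1000": ("organization A", "country X"),
    "IP address 2000": ("organization B", "country Y"),
}
# Object attribution database 111: hash value -> (development source country,
# development source linguistic area).
OBJECT_ATTRIBUTION_DB: Dict[str, Tuple[str, str]] = {
    SAMPLE_HASH: ("country W", "language w1"),
}
# Subjective database 112: (organization, country) ->
# (security policy, risk index by policy violation).
SUBJECTIVE_DB: Dict[Tuple[str, str], Tuple[str, int]] = {
    ("organization A", "country X"): ("security policy AX", 70),
    ("organization B", "country Y"): ("security policy BY", 20),
}
# Objective database 113: observed event -> risk index during occurrence of event.
OBJECTIVE_DB: Dict[str, int] = {
    "connects to unregistered external host": 15,
    "modifies system startup entries": 25,
}
# Circumstance database 114: (subject country, development source country) ->
# risk index by unauthorized operation.
CIRCUMSTANCE_DB: Dict[Tuple[str, str], int] = {
    ("country X", "country W"): 10,
}
# Determination criterion 150, modelled as a threshold on the summed risk index.
DETERMINATION_CRITERION = 90


@dataclass
class Determination:
    subject: Optional[Tuple[str, str]]   # (organization, country) or None if unknown
    obj: Optional[Tuple[str, str]]       # (dev country, linguistic area) or None
    components: Dict[str, int]           # each contributing risk index, for audit
    risk_index: int
    is_malware: bool
    action: str                          # step S107 or S108 of the flowchart


def collect_subject_attribution(ip_address: str) -> Optional[Tuple[str, str]]:
    """Subject attribution collection unit 13 (step S102)."""
    return SUBJECT_ATTRIBUTION_DB.get(ip_address)


def collect_object_attribution(binary: bytes) -> Optional[Tuple[str, str]]:
    """Object attribution collection unit 14 (step S103): hash, then look up."""
    return OBJECT_ATTRIBUTION_DB.get(hashlib.sha256(binary).hexdigest())


def determine(ip_address: str, binary: bytes, observed_events: List[str],
              violates_policy: bool) -> Determination:
    """Determination unit 15 (steps S104 to S106). `observed_events` and
    `violates_policy` stand for the result of analysing the software."""
    subject = collect_subject_attribution(ip_address)
    obj = collect_object_attribution(binary)
    components: Dict[str, int] = {}

    # Subjective database: policy-violation index depends on the subject device.
    if subject is not None and violates_policy:
        policy, index = SUBJECTIVE_DB.get(subject, ("no policy registered", 0))
        components["policy violation (%s)" % policy] = index

    # Objective database: one index per registered event that was observed.
    for event in observed_events:
        if event in OBJECTIVE_DB:
            components["event: " + event] = OBJECTIVE_DB[event]

    # Circumstance database: index depends on both attributions together.
    if subject is not None and obj is not None:
        components["circumstance"] = CIRCUMSTANCE_DB.get((subject[1], obj[0]), 0)

    risk_index = sum(components.values())
    is_malware = risk_index >= DETERMINATION_CRITERION
    action = ("isolate in live sandbox (S108)" if is_malware
              else "execute on terminal device (S107)")
    return Determination(subject, obj, components, risk_index, is_malware, action)


if __name__ == "__main__":
    events = ["connects to unregistered external host",
              "modifies system startup entries"]
    for ip in ("IP address 1000", "IP address 2000"):
        d = determine(ip, SAMPLE_BINARY, events, violates_policy=True)
        print(ip, d.components, d.risk_index, d.action)
```

Running the example with the same binary and the same observed events for the two sample terminals gives a risk index of 120 for the device of “organization A” in “country X” (isolated in the sandbox) and 60 for the device of “organization B” in “country Y” (executed normally), which is the point of the method: the verdict depends on the attribution of the subject device and of the software, not only on the observed events. An unknown IP address or an unregistered hash contributes no subjective or circumstance index, so such software is judged on its observed events alone; a deployment would want to log that case, since it means the databases are incomplete.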
The anti-malware system 1 according to this example embodiment can detect malware with high accuracy. This is because the determination unit 15 determines whether or not the software 200 is malware on the basis of the value indicating the degree of risk obtained by comparing the value indicating the attribution of the terminal device 20 that is collected by the subject attribution collection unit 13 and the value indicating the attribution of the software 200 that is collected by the object attribution collection unit 14 with each database stored in the risk information storage unit 11.
Advantageous effects of the anti-malware system 1 according to this example embodiment will be described in detail below. In the general malware detection method, malware is detected based only on an event objectively observed with regard to the operation of the object software. However, the event determined to be malware is not always generated with a malicious intention, but may be generated by the provider that has distributed the object software or the user that executes the object software, for an unmalicious valid purpose. More precisely, whether or not the object software is malware is determined not only by an event objectively observed with regard to the operation of the object software, but also by various factors depending on the attribution of the subject device and the attribution of the object software. Accordingly, it is difficult for the general malware detection method to detect malware with high accuracy.
On the other hand, in the anti-malware device 10 according to this example embodiment, the risk information storage unit 11 stores a database in which the value indicating the attribution of the subject device, the value indicating the attribution of the object software, and the value that depends on the attribution of the subject device and the attribution of the object software and that indicates the degree of risk when the object software is executed by the subject device are associated with each other. The subject attribution collection unit 13 collects the value indicating the attribution of the subject device, and the object attribution collection unit 14 collects the value indicating the attribution of the object software. Further, the determination unit 15 determines whether or not the object software is malware, based on the value indicating the degree of risk obtained by comparing the collected values indicating the attribution of the subject device and the attribution of the object software with the database stored in the risk information storage unit 11. Accordingly, the anti-malware device 10 according to this example embodiment can detect malware with high accuracy by making a determination using information based on the comprehensive aspect (viewpoint) as described above.
Further, when the object software, which is malware, is executed by the subject device, there is a possibility that a problem occurs, such as classified information being leaked from the subject device by an unauthorized operation of the object software, until it is detected that the object software is malware. On the other hand, in the anti-malware device 10 according to this example embodiment, when the determination unit 15 determines that the software 200 is malware, the transfer unit 16 transfers the software 200 from the terminal device 20 to the virtual machine 31 in the live sandbox server device 30, and stores the software as the alleged malware 310. According to the instruction from the transfer unit 16, the terminal device 20 does not execute the software 200 and the virtual machine 31 executes the alleged malware 310. In other words, the anti-malware device 10 isolates the software 200 that is suspected to be malware in the live sandbox server device 30 in advance as the alleged malware 310. Thus, the anti-malware device 10 according to this example embodiment can prevent the above-mentioned problem from occurring.
In many cases, malware is deleted after the malware has achieved the object by performing an unauthorized operation. In this case, the malware cannot be analyzed by reproducing the operation of the malware. On the other hand, in the anti-malware device 10 according to this example embodiment, the internal state collection unit 17 collects the snapshot of the virtual machine 31 and stores the snapshot into the risk information storage unit 11 as the trail information 115 before the virtual machine 31 executes the alleged malware 310. Accordingly, the anti-malware device 10 can analyze malware by extracting a sample of malware from the trail information 115, even after the malware itself is deleted.
Further, since the anti-malware device 10 according to this example embodiment includes the risk information collection unit 12, each database stored in the risk information storage unit 11 can be efficiently constructed.
Note that the subject attribution collection unit 13, the object attribution collection unit 14, and the determination unit 15 may be built in the terminal device 20. In this case, the determination unit 15 accesses the risk information storage unit 11 via the communication network 40. Further, the transfer unit 16 and the internal state collection unit 17 may be built in the terminal device 20 and the live sandbox server device 30, respectively.
The anti-malware system 1 may include a server device that operates in a real machine environment, instead of the live sandbox server device 30. In this case, the internal state collection unit 17 collects log information of the server device that operates in the real machine environment and information stored in a memory, a disk, or the like included in the server device, instead of collecting the snapshot of the virtual machine 31.
<Second Example Embodiment>
The anti-malware device 50 according to this example embodiment includes a storage unit 51, a subject attribution collection unit 53, an object attribution collection unit 54, and a determination unit 55.
The storage unit 51 stores risk information 510. The risk information 510 is information in which there are associated the value indicating the attribution of an information processing device 60 that executes software 600, the value indicating the attribution of the software 600, and the value that depends on the attribution of the information processing device 60 and the attribution of the software 600 and that indicates the degree of risk when the software 600 is executed by the information processing device 60.
The subject attribution collection unit 53 collects the value indicating the attribution of the information processing device 60 from the outside.
The object attribution collection unit 54 collects the value indicating the attribution of the software 600 from the outside.
The determination unit 55 determines that the software 600 is malware when the value indicating the degree of risk satisfies the criterion, the value being obtained by comparing the risk information 510 with the values collected by the subject attribution collection unit 53 and the object attribution collection unit 54.
The anti-malware device 50 according to this example embodiment can detect malware with high accuracy. This is because the determination unit 55 determines whether or not the software 600 is malware on the basis of the value indicating the degree of risk obtained by comparing the value indicating the attribution of the information processing device 60 that is collected by the subject attribution collection unit 53 and the value indicating the attribution of the software 600 that is collected by the object attribution collection unit 54 with the risk information 510 stored in the storage unit 51.
<Hardware Configuration Example>
In the example embodiments described above, the parts illustrated in
The information processing device 900 illustrated in
The information processing device 900 is a general computer in which the above-mentioned components are connected via the bus 906.
The present invention described above with reference to example embodiments supplies a computer program capable of implementing the following functions to the information processing device 900 illustrated in
In the above-mentioned case, a general procedure can be currently employed as a method for supplying the computer program into the hardware. Examples of the procedure include a method of installing the computer program in the device via various recording media 907 such as a CD-ROM, and a method of downloading the computer program from the outside via a communication line such as the Internet. In such a case, it can be understood that the present invention is configured by a code that constitutes the computer program, or by the recording medium 907 storing the code.
While the invention has been particularly shown and described with reference to example embodiments thereof, the invention is not limited to these embodiments. It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the claims.
This application is based upon and claims the benefit of priority from Japanese patent application No. 2015-014873, filed on Jan. 29, 2015, the disclosure of which is incorporated herein in its entirety by reference.
Number | Date | Country | Kind |
---|---|---|---|
2015-014873 | Jan 2015 | JP | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2016/000293 | 1/21/2016 | WO | 00 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2016/121348 | 8/4/2016 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
8418251 | Satish | Apr 2013 | B1 |
8959624 | Gray | Feb 2015 | B2 |
9069957 | Tuvell | Jun 2015 | B2 |
20110145926 | Dalcher et al. | Jun 2011 | A1 |
20130347094 | Bettini | Dec 2013 | A1 |
20140082729 | Shim et al. | Mar 2014 | A1 |
20140096241 | Li | Apr 2014 | A1 |
20150040246 | Yuen | Feb 2015 | A1 |
20150101050 | Nielson | Apr 2015 | A1 |
20150207812 | Back | Jul 2015 | A1 |
20150350249 | Reno | Dec 2015 | A1 |
20160006766 | Joo | Jan 2016 | A1 |
20160173446 | Nantel | Jun 2016 | A1 |
Number | Date | Country |
---|---|---|
2012-221216 | Nov 2012 | JP |
2013-514594 | Apr 2013 | JP |
2014-063490 | Apr 2014 | JP |
2014-519113 | Aug 2014 | JP |
Entry |
---|
International Search Report of PCT/JP2016/000293 dated Apr. 26, 2016. |
Number | Date | Country | |
---|---|---|---|
20180004939 A1 | Jan 2018 | US |