Advanced search results
Showing results for the following conditions:
Full text: "sandbox"
Showing results 1-20 of 151
  • Katsunari YOSHIOKA, Tsutomu MATSUMOTO
    IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
    2010, Vol. E93.A, No. 1, pp. 210-218
    Published: 2010/01/01
    Released: 2010/01/01
    Journal, restricted access
    Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, is shown.
  • Katsunari Yoshioka, Yoshihiko Hosobuchi, Tatsunori Orii, Tsutomu Matsumoto
    Information and Media Technologies
    2011, Vol. 6, No. 2, pp. 633-648
    Published: 2011
    Released: 2011/06/15
    Journal, free access
    The use of public Malware Sandbox Analysis Systems (public MSASs) which receive online submissions of possibly malicious files or URLs from an arbitrary user, analyze their behavior by executing or visiting them in a testing environment (i.e., a sandbox), and send analysis reports back to the user, has increased in popularity. Consequently, anti-analysis techniques have also evolved from known technologies like anti-virtualization and anti-debugging to the detection of specific sandboxes by checking their unique characteristics such as the product ID of their OS and the usage of a certain Dynamic Link Library (DLL) used in a particular sandbox. In this paper, we point out yet another important characteristic of the sandboxes, namely, their IP addresses. In public MSASs, the sandbox is often connected to the Internet in order to properly observe malware behavior, as modern malware communicates with remote hosts in the Internet for various reasons, such as receiving command and control (C&C) messages and files for updates. We explain and demonstrate that the IP address of an Internet-connected sandbox can be easily disclosed by an attacker who submits a decoy sample dedicated to this purpose. The disclosed address can then be shared among attackers, blacklisted, and used against the analysis system, for example, to conceal potential malicious behavior of malware. We call the method Network-based Sandbox Detection by Decoy Injection (NSDI). We conducted case studies with 15 representative existing public MSASs, which were selected from 33 online malware analysis systems with careful screening processes, and confirmed that a hidden behavior of the malware samples was successfully concealed from all of the 15 analysis systems by NSDI. In addition, we found out the risk that a background analysis activity behind these systems can also be revealed by NSDI if the samples are shared among the systems without careful considerations. Moreover, about three months after our first case study it was reported that a real-world NSDI was conducted against several public MSASs.
  • Katsunari Yoshioka, Yoshihiko Hosobuchi, Tatsunori Orii, Tsutomu Matsumoto
    Journal of Information Processing
    2011, Vol. 19, pp. 153-168
    Published: 2011
    Released: 2011/03/09
    Journal, free access
    The use of public Malware Sandbox Analysis Systems (public MSASs) which receive online submissions of possibly malicious files or URLs from an arbitrary user, analyze their behavior by executing or visiting them in a testing environment (i.e., a sandbox), and send analysis reports back to the user, has increased in popularity. Consequently, anti-analysis techniques have also evolved from known technologies like anti-virtualization and anti-debugging to the detection of specific sandboxes by checking their unique characteristics such as the product ID of their OS and the usage of a certain Dynamic Link Library (DLL) used in a particular sandbox. In this paper, we point out yet another important characteristic of the sandboxes, namely, their IP addresses. In public MSASs, the sandbox is often connected to the Internet in order to properly observe malware behavior, as modern malware communicates with remote hosts in the Internet for various reasons, such as receiving command and control (C&C) messages and files for updates. We explain and demonstrate that the IP address of an Internet-connected sandbox can be easily disclosed by an attacker who submits a decoy sample dedicated to this purpose. The disclosed address can then be shared among attackers, blacklisted, and used against the analysis system, for example, to conceal potential malicious behavior of malware. We call the method Network-based Sandbox Detection by Decoy Injection (NSDI). We conducted case studies with 15 representative existing public MSASs, which were selected from 33 online malware analysis systems with careful screening processes, and confirmed that a hidden behavior of the malware samples was successfully concealed from all of the 15 analysis systems by NSDI. In addition, we found out the risk that a background analysis activity behind these systems can also be revealed by NSDI if the samples are shared among the systems without careful considerations. Moreover, about three months after our first case study it was reported that a real-world NSDI was conducted against several public MSASs.
  • 久保田 恭守, 北形 元, 木下 哲男
    電気関係学会東北支部連合大会講演論文集
    2016, Vol. 2016, 1A15
    Published: 2016
    Released: 2017/10/05
    Proceedings / abstracts, free access
  • Takahiro Kasama, Katsunari Yoshioka, Tsutomu Matsumoto, Masaya Yamagata, Masashi Eto, Daisuke Inoue, Koji Nakao
    Information and Media Technologies
    2012, Vol. 7, No. 4, pp. 1577-1587
    Published: 2012
    Released: 2012/12/15
    Journal, free access
    Recent malware communicates with remote hosts in the Internet for receiving C&C commands, updating itself, etc., and its behaviors can be diverse depending on the behaviors of the remote hosts. Thus, when analyzing such malware by sandbox analysis, it is important to focus not only on the behaviors of a malware sample itself but also on those of the remote servers that are controlled by attackers. A simple solution to achieve this is to observe the live sample in an Internet-connected sandbox for a long period of time. However, since we do not know when these servers will send meaningful responses, we need to keep the sample being executed in the sandbox, which is indeed a costly operation. Also, leaving the live malware in the Internet-connected sandbox increases the risk that its attacks spill out of the sandbox and induce secondary infections. In this paper, we propose a novel sandbox analysis method using a dummy client, an automatically generated lightweight script to interact with the remote servers instead of the malware sample itself. In the proposed method, at first we execute a malware sample in the sandbox that is connected to the real Internet and an Internet Emulator. Secondly, we inspect the traffic observed in the sandbox and filter out high-risk communications. The rest of the traffic data is then used by the dummy client to interact with the remote servers instead of the sample itself and effectively collect the responses from the servers. The collected server responses are then fed back to the Internet Emulator in the sandbox and used for improving the observability of malware sandbox analysis. In the experiment with malware samples captured in the wild, we indeed observed a considerable number of changes in the responses from the remote servers that were obtained by our dummy client. Also, in comparison with the simple Internet-connected sandbox, the proposed sandbox could improve the observability of malware sandbox analysis.
  • Takahiro Kasama, Katsunari Yoshioka, Tsutomu Matsumoto, Masaya Yamagata, Masashi Eto, Daisuke Inoue, Koji Nakao
    Journal of Information Processing
    2012, Vol. 20, No. 4, pp. 835-845
    Published: 2012
    Released: 2012/10/15
    Journal, free access
    Recent malware communicates with remote hosts in the Internet for receiving C&C commands, updating itself, etc., and its behaviors can be diverse depending on the behaviors of the remote hosts. Thus, when analyzing such malware by sandbox analysis, it is important to focus not only on the behaviors of a malware sample itself but also on those of the remote servers that are controlled by attackers. A simple solution to achieve this is to observe the live sample in an Internet-connected sandbox for a long period of time. However, since we do not know when these servers will send meaningful responses, we need to keep the sample being executed in the sandbox, which is indeed a costly operation. Also, leaving the live malware in the Internet-connected sandbox increases the risk that its attacks spill out of the sandbox and induce secondary infections. In this paper, we propose a novel sandbox analysis method using a dummy client, an automatically generated lightweight script to interact with the remote servers instead of the malware sample itself. In the proposed method, at first we execute a malware sample in the sandbox that is connected to the real Internet and an Internet Emulator. Secondly, we inspect the traffic observed in the sandbox and filter out high-risk communications. The rest of the traffic data is then used by the dummy client to interact with the remote servers instead of the sample itself and effectively collect the responses from the servers. The collected server responses are then fed back to the Internet Emulator in the sandbox and used for improving the observability of malware sandbox analysis. In the experiment with malware samples captured in the wild, we indeed observed a considerable number of changes in the responses from the remote servers that were obtained by our dummy client. Also, in comparison with the simple Internet-connected sandbox, the proposed sandbox could improve the observability of malware sandbox analysis.
  • Bo SUN, Akinori FUJINO, Tatsuya MORI, Tao BAN, Takeshi TAKAHASHI, Daisuke INOUE
    IEICE Transactions on Information and Systems
    2018, Vol. E101.D, No. 11, pp. 2622-2632
    Published: 2018/11/01
    Released: 2018/11/01
    Journal, free access
    Analyzing a malware sample requires much more time and cost than creating it. To understand the behavior of a given malware sample, security analysts often make use of API call logs collected by dynamic malware analysis tools such as a sandbox. As the amount of the log generated for a malware sample could become tremendously large, inspecting the log requires a time-consuming effort. Meanwhile, antivirus vendors usually publish malware analysis reports (vendor reports) on their websites. These malware analysis reports are the results of careful analysis done by security experts. The problem is that even though there are such analyzed examples for malware samples, associating the vendor reports with the sandbox logs is difficult. This makes security analysts unable to retrieve useful information described in vendor reports. To address this issue, we developed a system called AMAR-Generator that aims to automate the generation of malware analysis reports based on sandbox logs by making use of existing vendor reports. Aiming at a convenient assistant tool for security analysts, our system employs techniques including template matching, API behavior mapping, and a malicious behavior database to produce concise human-readable reports that describe the malicious behaviors of malware programs. Through the performance evaluation, we first demonstrate that AMAR-Generator can generate human-readable reports that can be used by a security analyst as the first step of the malware analysis. We also demonstrate that AMAR-Generator can identify the malicious behaviors that are conducted by malware from the sandbox logs; the detection rates are up to 96.74%, 100%, and 74.87% on the sandbox logs collected in 2013, 2014, and 2015, respectively. We also present that it can detect malicious behaviors from unknown types of sandbox logs.
  • 山本 真也, 田川 卓哉, 濵口 孝司, 越島 一郎, 橋本 芳宏
    自動制御連合講演会講演論文集
    2016, Vol. 59, FrA2-4
    Published: 2016
    Released: 2017/02/01
    Proceedings / abstracts, free access
    Control system controllers do not take into account the assumption that malicious operations may be given from an upper layer by an attacker or the like. In this study, targeting control systems to which model predictive control, which has a dynamic model of the plant, is applied, we propose a Sandbox for control systems that detects, at the local controller layer, operations that could cause unsafe conditions.
  • Mitsuaki AKIYAMA, Takeshi YAGI, Youki KADOBAYASHI, Takeo HARIU, Suguru YAMAGUCHI
    IEICE Transactions on Information and Systems
    2015, Vol. E98.D, No. 4, pp. 775-787
    Published: 2015
    Released: 2015/04/01
    Journal, free access
    We investigated client honeypots for detecting and circumstantially analyzing drive-by download attacks. A client honeypot requires both improved inspection performance and in-depth analysis for inspecting and discovering malicious websites. However, OS overhead in recent client honeypot operation cannot be ignored when improving honeypot multiplication performance. We propose a client honeypot system that is a combination of multi-OS and multi-process honeypot approaches, and we implemented this system to evaluate its performance. The process sandbox mechanism, a security measure for our multi-process approach, provides a virtually isolated environment for each web browser. It prevents system alteration from a compromised browser process by I/O redirection of file/registry access. To solve the inconsistency problem of the file/registry view caused by I/O redirection, our process sandbox mechanism enables the web browser and corresponding plug-ins to share a virtual system view. Therefore, it enables multiple processes to be run simultaneously without interference between processes on a single OS. In a field trial, we confirmed that the use of our multi-process approach was three or more times faster than that of a single process, and our multi-OS approach linearly improved system performance according to the number of honeypot instances. In addition, our long-term investigation indicated that 72.3% of exploitations target browser-helper processes. If a honeypot restricts all process creation events, it cannot identify an exploitation targeting a browser-helper process. In contrast, our process sandbox mechanism permits the creation of browser-helper processes, so it can identify these types of exploitations without resulting in false negatives. Thus, our proposed system with these multiplication approaches improves performance efficiency and enables in-depth analysis on high interaction systems.
  • Hisashi TANIYAMA, Hiroyuki WATANABE
    STRUCTURAL ENGINEERING / EARTHQUAKE ENGINEERING
    2002, Vol. 19, No. 2, pp. 209s-219s
    Published: 2002
    Released: 2003/06/27
    Journal, free access
    We performed sandbox tests and numerical analysis of the tests to investigate the deformation of the sand by reverse faulting. Test results can be simulated generally well by FEM using elasto-plastic solid elements and joint elements, if the stress-strain relation of the sand is adequately modeled. We applied our numerical model to a prototypic real-scale sandy alluvium model. The analyses of 30 m, 50 m and 75 m deep alluvium suggested that the failure surface propagates through the alluvium if the vertical bedrock fault displacement reaches 3-7% of the depth of the alluvium. It is unlikely that the shear failure propagates through 100 m deep alluvium.
  • 青木 謙二, 川畑圭一郎, 黒木 亘, 園田 誠, 廿日出 勇
    学術情報処理研究
    2018, Vol. 22, No. 1, pp. 64-70
    Published: 2018/09/19
    Released: 2018/09/10
    Journal, free access
    In recent years, universities, which hold a large amount of confidential information, have become easy targets of targeted cyber attacks, and the social impact when information is leaked is also large. Under these circumstances, in order to protect important information from attacks on individuals such as targeted attack e-mails, each member of the organization needs to have correct knowledge and respond correctly. Therefore, to make known what targeted attack e-mails look like and to enable members to take appropriate action when attacked, we conducted a targeted attack e-mail drill for all members of our university. In the drill, we first notified members of cautions about targeted attack e-mails and how to deal with them, and a few days later, without prior notice, we sent a simulated targeted attack e-mail for training to everyone at once. The e-mail contained several suspicious points from which it could be judged to be a targeted attack e-mail. A disguised link was written in the e-mail, and clicking it was regarded as falling victim to a targeted attack e-mail; the number of such cases was counted. In counting, we took into account trial connections made by a Sandbox and excluded this effect. As a result, about 14% of all members clicked the link. In this paper, we report on the implementation method, the counting method, and the results.
  • Takahiro KASAMA, Katsunari YOSHIOKA, Daisuke INOUE, Tsutomu MATSUMOTO
    IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
    2013, Vol. E96.A, No. 1, pp. 225-232
    Published: 2013/01/01
    Released: 2013/01/01
    Journal, restricted access
    As the number of new malware has increased explosively, traditional malware detection approaches based on pattern matching have been less effective. Therefore, it is important to develop a detection method which relies not on signatures but on characteristic behaviors of malware. Recently, malware authors have been embedding functions for countermeasures against malware analyses and detections into malware. Accordingly, modern malware often changes its runtime behaviors in each execution to tolerate malware analyses and detections. For example, when malware copies itself on a file system, it can randomly determine its file name to avoid detection. Another example is that when malware tries to connect to its command and control server, it randomly chooses a domain name from a hard-coded domain name list to avoid being blocked by a static blacklist of malicious domain names. We assume that such evasive behaviors are unnecessary for benign software. Therefore the behaviors can be clues to distinguish malware from benign software. In this paper, we propose a novel behavior-based malware detection method which focuses attention on such characteristics. Our proposed method conducts dynamic analysis on an executable file multiple times in the same sandbox environment so as to obtain plural lists of API call sequences and plural traffic logs, and then compares the lists and the logs to find the difference between the multiple executions. In the experiments with 5,697 malware samples and 819 benign software samples, we can detect about 70% of malware samples and the false positive rate is about 1%. In addition, we can detect about 50% of malware samples which were not detected by each Anti-Virus Software engine. Therefore we confirm the possibility that the proposed method may be able to improve the accuracy of malware detection when utilized in combination with other existing methods.
  • Thamali GUNARATNA, Saki AKIMOTO, Takayuki SUZUKI
    土木学会論文集B3(海洋開発)
    2018, Vol. 74, No. 2, pp. I_737-I_742
    Published: 2018
    Released: 2018/09/12
    Journal, restricted access
    In this study, laboratory experiments are conducted in a two-dimensional flume with a 1-m-long sandbox in the middle of a slope. Using fluorescent sand tracers and core sample methods, the spatial and temporal variation in the mixing depths in the surf zone are investigated. The core samples are collected from the sand bed where the wave breaking and impinging are observed. The mixing depth is defined as the fluorescent intrusion depth from the bed profile at the time of core sampling with a cut-off value of 10 tracers. In the case of sediment accumulation, the mixing depth is measured from the initial bed profile. Moreover, each case of the experiments is simulated by a numerical model, Large Eddy Simulation (LES), to compare the mixing depths with the velocity field of horizontal bottom eddies. The simulation results of the surface elevations and velocity fields are verified using the measured data. The experiment results indicate that the spatial variation of the mixing depths shows different trends depending on the wave breaking style. Moreover, the mixing depth variations are compared with the simulated results of the bottom horizontal eddies. The results indicate that the plunging breaker type of sediment mixing pattern in space within the wave breaking zone correlates with the spatial distribution of the maximum bottom horizontal eddies.
  • 山田 泰広
    地質学雑誌
    2006, Vol. 112, Supplement, pp. S153-S159
    Published: 2006
    Released: 2007/06/06
    Journal, free access
    Scaled analog model experiments (hereafter abbreviated as model experiments) are an excellent method for examining the geometry of geological structures and their formation processes. To scale down the natural process of geological structure formation and reproduce a physically equivalent phenomenon in the laboratory, sizes and physical properties must be changed according to a theory called the scaling law. When the rock deformation behavior of the upper crust is approximated by brittle failure, the scaling law requires the experimental material to be a dry granular material (such as sand or glass beads). In this mini-school, after outlining the scaling law that underlies the experiments and the physical properties of the experimental materials, we carry out an actual model experiment using dry sand and observe the modeled formation process of an accretionary prism.
  • 井上 大介
    映像情報メディア学会誌
    2015, Vol. 69, No. 4, pp. 317-321
    Published: 2015
    Released: 2017/06/03
    Journal, free access
  • 高下 裕章, 山田 泰広, 大出 晃弘, 山口 飛鳥, 芦 寿一郎
    日本地質学会学術大会講演要旨
    2017, Vol. 2017, R8-P-6
    Published: 2017
    Released: 2018/03/30
    Proceedings / abstracts, free access
    Due to Typhoon No. 18, part of the annual meeting program was cancelled; in response, a special session was held, and this presentation was given within that special session.
  • Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow
    Journal of Information Processing
    2016, Vol. 24, No. 3, pp. 522-533
    Published: 2016
    Released: 2016/05/15
    Journal, free access
    We analyze the increasing threats against IoT devices. We show that Telnet-based attacks that target IoT devices have rocketed since 2014. Based on this observation, we propose an IoT honeypot and sandbox, which attracts and analyzes Telnet-based attacks against various IoT devices running on different CPU architectures such as ARM, MIPS, and PPC. By analyzing the observation results of our honeypot and captured malware samples, we show that there are currently at least 5 distinct DDoS malware families targeting Telnet-enabled IoT devices and one of the families has quickly evolved to target more devices with as many as 9 different CPU architectures.
  • Daiki Hirakawa, Yoshihisa Miyata
    Japanese Geotechnical Society Special Publication
    2016, Vol. 2, No. 64, pp. 2164-2169
    Published: 2016/01/31
    Released: 2016/01/29
    Journal, free access
    In pavement structures, the short fiber reinforcing technique is expected to be an effective method for improving the stability of the subbase or subgrade layers against traffic load. In this paper, the compaction behavior of short fiber reinforced soil is discussed based on the results of laboratory compaction tests. As a result of roller compaction tests, it was confirmed that the value of dry density stably increases with an increase in the number of roller passes even if the initial value of dry density at spreading was lower. At 8 passes of roller compaction, the value of realized dry density around the optimum water content became higher than the maximum dry density obtained from the Proctor test. These results show that the current compaction control method for the subbase of pavement structures can also be applied to short fiber reinforced soil.
  • Mitsuaki AKIYAMA, Makoto IWAMURA, Yuhei KAWAKOYA, Kazufumi AOKI, Mitsutaka ITOH
    IEICE Transactions on Communications
    2010, Vol. E93.B, No. 5, pp. 1131-1139
    Published: 2010/05/01
    Released: 2010/05/01
    Journal, restricted access
    Nowadays, the number of web-browser targeted attacks that lead users to adversaries' web sites and exploit web browser vulnerabilities is increasing, and a clarification of their methods and countermeasures is urgently needed. In this paper, we introduce the design and implementation of a new client honeypot for drive-by-download attacks that has the capacity to detect and investigate a variety of malicious web sites. On the basis of the problems of existing client honeypots, we enumerate the requirements of a client honeypot: 1) detection accuracy and variety, 2) collection variety, 3) performance efficiency, and 4) safety and stability. We improve our system with regard to these requirements. The key features of our developed system are stepwise detection focusing on exploit phases, multiple crawler processing, tracking of malware distribution networks, and malware infection prevention. Our evaluation of our developed system in a laboratory experiment and field experiment indicated that its detection variety and crawling performance are higher than those of existing client honeypots. In addition, our system is able to collect information for countermeasures and is secure and stable for continuous operation. We conclude that our system can investigate malicious web sites comprehensively and support countermeasures.
  • Yuhei Kawakoya, Eitaro Shioji, Yuto Otsuki, Makoto Iwamura, Jun Miyoshi
    Journal of Information Processing
    2018, Vol. 26, pp. 673-686
    Published: 2018
    Released: 2018/09/15
    Journal, free access
    Understanding how application programming interfaces (APIs) are used in a program plays an important role in malware analysis. This, however, has resulted in an endless battle between malware authors and malware analysts around the development of API [de]obfuscation techniques over the last few decades. Our goal in this paper is to show the limit of existing API de-obfuscation techniques. To do that, we first analyzed existing API [de]obfuscation techniques and clarified that an attack vector commonly exists in these techniques; then, we present Stealth Loader, which is a program loader to bypass all existing API de-obfuscation techniques. The core idea of Stealth Loader is to load a dynamic link library (DLL) and resolve its dependency without leaving any traces in memory to be detected. We demonstrated the effectiveness of Stealth Loader by analyzing a set of Windows executables and malware protected with Stealth Loader using major dynamic and static analysis tools. The results indicate that among other obfuscation tools, only Stealth Loader is able to successfully bypass all analysis tools.