Recent malware communicate with remote hosts in the Internet for receiving C&C commands and updating themselves, etc., and their behaviors can be diverse depending on the behaviors of the remote hosts. Thus, when analyzing these malware by analysis, it is important not only to focus behaviors of a malware sample itself but also those of the remote servers that are controlled by attackers. A simple solution to achieve this is to observe the live sample by an Internet-connected for a long period of time. However, since we do not know when these servers will send meaningful responses, we need to keep the sample being executed in the , which is indeed a costly operation. Also, leaving the live malware in the Internet-connected increases the risk that its attacks spill out of the and induce secondary infections. In this paper, we propose a novel analysis method using a dummy client, an automatically generated lightweight script to interact with the remote servers instead of the malware sample itself. In the proposed method, at first we execute a malware sample in the that is connected to the real Internet and Internet Emulator. Secondly, we inspect the traffic observed in the and filter out high-risk communications. The rest of the traffic data is then used by the dummy client to interact with the remote servers instead of the sample itself and effectively collects the responses from the servers. The collected server responses are then fed back to the Internet Emulator in the and will be used for improving observability of malware analysis. In the experiment with malware samples captured in the wild, we indeed observed a considerable number of changes in the responses from the remote servers that were obtained by our dummy client. Also, in comparison with the simple Internet-connected , the proposed could improve observability of malware analysis.

抄録全体を表示

Recent malware communicate with remote hosts in the Internet for receiving C&C commands and updating themselves, etc., and their behaviors can be diverse depending on the behaviors of the remote hosts. Thus, when analyzing these malware by analysis, it is important not only to focus behaviors of a malware sample itself but also those of the remote servers that are controlled by attackers. A simple solution to achieve this is to observe the live sample by an Internet-connected for a long period of time. However, since we do not know when these servers will send meaningful responses, we need to keep the sample being executed in the , which is indeed a costly operation. Also, leaving the live malware in the Internet-connected increases the risk that its attacks spill out of the and induce secondary infections. In this paper, we propose a novel analysis method using a dummy client, an automatically generated lightweight script to interact with the remote servers instead of the malware sample itself. In the proposed method, at first we execute a malware sample in the that is connected to the real Internet and Internet Emulator. Secondly, we inspect the traffic observed in the and filter out high-risk communications. The rest of the traffic data is then used by the dummy client to interact with the remote servers instead of the sample itself and effectively collects the responses from the servers. The collected server responses are then fed back to the Internet Emulator in the and will be used for improving observability of malware analysis. In the experiment with malware samples captured in the wild, we indeed observed a considerable number of changes in the responses from the remote servers that were obtained by our dummy client. Also, in comparison with the simple Internet-connected , the proposed could improve observability of malware analysis.

抄録全体を表示

Malware analysis, in which a malware sample is actually executed in a testing environment (i.e. ) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated . Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the . Additionally, a brief comparison with two existing analysis systems, Norman and CWSandbox, are shown.

抄録全体を表示

制御系コントローラは、上位のレイヤから攻撃者などにより悪意のある操作が与えられるという仮定を考慮していない。本研究では、プラントの動的モデルが存在するモデル予測制御が適用されている制御系を対象とし、ローカルコントローラのレイヤで不安全を引き起こし得る操作を検知する制御系用

の提案を行う。

抄録全体を表示

The use of public Malware Analysis Systems (public MSASs) which receive online submissions of possibly malicious files or URLs from an arbitrary user, analyze their behavior by executing or visiting them by a testing environment (i.e., a ), and send analysis reports back to the user, has increased in popularity. Consequently, anti-analysis techniques have also evolved from known technologies like anti-virtualization and anti-debugging to the detection of specific sandboxes by checking their unique characteristics such as a product ID of their OS and a usage of certain Dynamic Link Library (DLL) used in a particular . In this paper, we point out yet another important characteristic of the sandboxes, namely, their IP addresses. In public MSASs, the is often connected to the Internetin order to properly observe malware behavior as modern malware communicate with remote hosts in the Internet for various reasons, such as receiving command and control (C&C) messages and files for updates. We explain and demonstrate that the IP address of an Internet-connected can be easily disclosed by an attacker who submits a decoy sample dedicated to this purpose. The disclosed address can then be shared among attackers, blacklisted, and used against the analysis system, for example, to conceal potential malicious behavior of malware. We call the method Network-based Detection by Decoy Injection (NSDI). We conducted case studies with 15 representative existing public MSASs, which were selected from 33 online malware analysis systems with careful screening processes, and confirmed that a hidden behavior of the malware samples was successfully concealed from all of the 15 analysis systems by NSDI. In addition, we found out the risk that a background analysis activity behind these systems can also be revealed by NSDI if the samples are shared among the systems without careful considerations. Moreover, about three months after our first case study it was reported that a real-world NSDI was conducted against several public MSASs.

抄録全体を表示

The use of public Malware Analysis Systems (public MSASs) which receive online submissions of possibly malicious files or URLs from an arbitrary user, analyze their behavior by executing or visiting them by a testing environment (i.e., a ), and send analysis reports back to the user, has increased in popularity. Consequently, anti-analysis techniques have also evolved from known technologies like anti-virtualization and anti-debugging to the detection of specific sandboxes by checking their unique characteristics such as a product ID of their OS and a usage of certain Dynamic Link Library (DLL) used in a particular . In this paper, we point out yet another important characteristic of the sandboxes, namely, their IP addresses. In public MSASs, the is often connected to the Internetin order to properly observe malware behavior as modern malware communicate with remote hosts in the Internet for various reasons, such as receiving command and control (C&C) messages and files for updates. We explain and demonstrate that the IP address of an Internet-connected can be easily disclosed by an attacker who submits a decoy sample dedicated to this purpose. The disclosed address can then be shared among attackers, blacklisted, and used against the analysis system, for example, to conceal potential malicious behavior of malware. We call the method Network-based Detection by Decoy Injection (NSDI). We conducted case studies with 15 representative existing public MSASs, which were selected from 33 online malware analysis systems with careful screening processes, and confirmed that a hidden behavior of the malware samples was successfully concealed from all of the 15 analysis systems by NSDI. In addition, we found out the risk that a background analysis activity behind these systems can also be revealed by NSDI if the samples are shared among the systems without careful considerations. Moreover, about three months after our first case study it was reported that a real-world NSDI was conducted against several public MSASs.

抄録全体を表示

Analyzing a malware sample requires much more time and cost than creating it. To understand the behavior of a given malware sample, security analysts often make use of API call logs collected by the dynamic malware analysis tools such as a

. As the amount of the log generated for a malware sample could become tremendously large, inspecting the log requires a time-consuming effort. Meanwhile, antivirus vendors usually publish malware analysis reports (vendor reports) on their websites. These malware analysis reports are the results of careful analysis done by security experts. The problem is that even though there are such analyzed examples for malware samples, associating the vendor reports with the logs is difficult. This makes security analysts not able to retrieve useful information described in vendor reports. To address this issue, we developed a system called AMAR-Generator that aims to automate the generation of malware analysis reports based on logs by making use of existing vendor reports. Aiming at a convenient assistant tool for security analysts, our system employs techniques including template matching, API behavior mapping, and malicious behavior database to produce concise human-readable reports that describe the malicious behaviors of malware programs. Through the performance evaluation, we first demonstrate that AMAR-Generator can generate human-readable reports that can be used by a security analyst as the first step of the malware analysis. We also demonstrate that AMAR-Generator can identify the malicious behaviors that are conducted by malware from the logs; the detection rates are up to 96.74%, 100%, and 74.87% on the logs collected in 2013, 2014, and 2015, respectively. We also present that it can detect malicious behaviors from unknown types of logs.

抄録全体を表示

近年，多くの機密情報を保有する大学は，標的型サイバー攻撃のターゲットになりやすく，情報が漏洩した際の社会的インパクトも大きい．このような状況の中，標的型攻撃メールなどの個人に対する攻撃から重要な情報を守るためには，構成員一人一人が正しい知識を持ち，正しく対処する必要がある．そこで，標的型攻撃メールがどのようなものかを周知し，攻撃を受けた場合に適切な行動をとれるようになるために，本学の全構成員を対象とした標的型攻撃メール訓練を行った．訓練は，事前に標的型攻撃メールへの注意喚起と対処法を通知し，その数日後，事前通知なしに訓練用の疑似標的型攻撃メールを一斉に送った．メールには，標的型攻撃メールと判断できる疑わしい点をいくつか含ませた．メール内に偽装したリンクを記述し，これをクリックした場合を標的型攻撃メールの被害にあったとみなし，その数を集計した．集計の際には，

による試行接続を考慮し，この影響を除外した．その結果，リンクをクリックした者は全体の約14%であった．本論文では，実施方法および集計方法，集計結果について報告する．

抄録全体を表示

We performed tests and numerical analysis of the tests to investigated the deformation of the sand by reverse faulting. Test results can be simulated generally well by FEM using elasto-plastic solid elements and joint elements, if the stress-strain relation of the sand is adequately modeled. We applied our numerical model to prototypic real scale sandy alluvium model. The analyses of 30m, 50m and 75m deep alluvium suggested that the failure surface propagates through the alluvium if the vertical bedrock fault displacement reaches 3-7% of the depth of the alluvium. It is unlikely that the shear failure propagates through 100m deep alluvium.

抄録全体を表示

Malware has been recognized as one of the major security threats in the Internet. Previous researches have mainly focused on malware's internal activity in a system. However, it is crucial that the malware analysis extracts a malware's external activity toward the network to correlate with a security incident. We propose a novel way to analyze malware: focus closely on the malware's external (i.e., network) activity. A malware sample is executed on a that consists of a real machine as victim and a virtual Internet environment. Since this environment is totally isolated from the real Internet, the execution of the sample causes no further unwanted propagation. The is configurable so as to extract specific activity of malware, such as scan behaviors. We implement a fully automated malware analysis system with the , which enables us to carry out the large-scale malware analysis. We present concrete analysis results that are gained by using the proposed system.

抄録全体を表示

We investigated client honeypots for detecting and circumstantially analyzing drive-by download attacks. A client honeypot requires both improved inspection performance and in-depth analysis for inspecting and discovering malicious websites. However, OS overhead in recent client honeypot operation cannot be ignored when improving honeypot multiplication performance. We propose a client honeypot system that is a combination of multi-OS and multi-process honeypot approaches, and we implemented this system to evaluate its performance. The process mechanism, a security measure for our multi-process approach, provides a virtually isolated environment for each web browser. It prevents system alteration from a compromised browser process by I/O redirection of file/registry access. To solve the inconsistency problem of file/registry view by I/O redirection, our process mechanism enables the web browser and corresponding plug-ins to share a virtual system view. Therefore, it enables multiple processes to be run simultaneously without interference behavior of processes on a single OS. In a field trial, we confirmed that the use of our multi-process approach was three or more times faster than that of a single process, and our multi-OS approach linearly improved system performance according to the number of honeypot instances. In addition, our long-term investigation indicated that 72.3% of exploitations target browser-helper processes. If a honeypot restricts all process creation events, it cannot identify an exploitation targeting a browser-helper process. In contrast, our process mechanism permits the creation of browser-helper processes, so it can identify these types of exploitations without resulting in false negatives. Thus, our proposed system with these multiplication approaches improves performance efficiency and enables in-depth analysis on high interaction systems.

抄録全体を表示

 In this study, laboratory experiments are conducted in a two-dimensional flume with a 1-m-long in the middle of a slope. Using fluorescent sand tracers and core sample methods, the spatial and temporal variation in the mixing depths in the surf zone are investigated. The core samples are collected from the sand bed where the wave breaking and impinging are observed. The mixing depth is defined as the fluorescent intrusion depth from the bed profile at the time of core sampling with a cut-off value of 10 tracers. In the case of sediment accumulation, the mixing depth is measured from the initial bed profile. Moreover, each case of the experiments is simulated by a numerical model, Large Eddy Simulation (LES), to compare the mixing depths with the velocity field of horizontal bottom eddies. The simulation results of the surface elevations and velocity fields are verified using the measured data. The experiment results indicate that the spatial variation of the mixing depths show different trends depending on the wave breaking style. Moreover, the mixing depth variations are compared with the simulated results of the bottom horizontal eddies. The results indicate that the plunging breaker type of sediment mixing pattern in space within the wave breaking zone correlates with the spatial distribution of the maximum bottom horizontal eddies.

抄録全体を表示

Exploiting vulnerabilities of remote systems is one of the fundamental behaviors of malware that determines their potential hazards. Understanding what kind of propagation tactics each malware uses is essential in incident response because such information directly links with countermeasures such as writing a signature for IDS. Although recently malware analysis has been studied intensively, little work is done on securely observing the vulnerability exploitation by malware. In this paper, we propose a novel analysis method for securely observing malware's vulnerability exploitation in a totally isolated environment. In our , we prepare two victim hosts. We first execute the sample malware on one of these hosts and then let it attack the other host which is running multiple vulnerable services. As a simple realization of the proposed method, we have implemented a using Nepenthes, a low-interaction honeypot, as the second victim. Because Nepenthes can emulate a variety of vulnerable services, we can efficiently observe the propagation of sample malware. In the experiments, among 382 samples whose scan capabilities are confirmed, 381 samples successfully started exploiting vulnerabilities of the second victim. This indicates the certain level of feasibility of the proposed method.

抄録全体を表示

As the number of new malware has increased explosively, traditional malware detection approaches based on pattern matching have been less effective. Therefore, it is important to develop a detection method which relies on not signatures but characteristic behaviors of malware. Recently, malware authors have been embedding functions for countermeasure against malware analyses and detections into malware. Accordingly, modern malware often changes their runtime behaviors in each execution to tolerate against malware analyses and detections. For example, when malware copies itself on a file system, it can randomly determine its file name for avoiding the detections. Another example is that when malware tries to connect its command and control server, it randomly chooses a domain name from a hard-coded domain name list to avoid being blocked by a static blacklist of malicious domain names. We assume that such evasive behaviors are unnecessary for benign software. Therefore the behaviors can be the clues to distinguish malware from benign software. In this paper, we propose a novel behavior-based malware detection method which focuses attention on such characteristics. Our proposed method conducts dynamic analysis on an executable file multiple times in same environment so as to obtain plural lists of API call sequences and plural traffic logs, and then compares the lists and the logs to find the difference between the multiple executions. In the experiments with 5,697 malware samples and 819 benign software samples, we can detect about 70% malware samples and the false positive rate is about 1%. In addition, we can detect about 50% malware samples which were not detected by each Anti-Virus Software engine. Therefore we confirm the possibility the proposed method may be able to improve the accuracy of malware detection utilizing in combination with other existing methods.

抄録全体を表示

We analyze the increasing threats against IoT devices. We show that Telnet-based attacks that target IoT devices have rocketed since 2014. Based on this observation, we propose an IoT honeypot and , which attracts and analyzes Telnet-based attacks against various IoT devices running on different CPU architectures such as ARM, MIPS, and PPC. By analyzing the observation results of our honeypot and captured malware samples, we show that there are currently at least 5 distinct DDoS malware families targeting Telnet-enabled IoT devices and one of the families has quickly evolved to target more devices with as many as 9 different CPU architectures.

抄録全体を表示

Nowadays, the number of web-browser targeted attacks that lead users to adversaries' web sites and exploit web browser vulnerabilities is increasing, and a clarification of their methods and countermeasures is urgently needed. In this paper, we introduce the design and implementation of a new client honeypot for drive-by-download attacks that has the capacity to detect and investigate a variety of malicious web sites. On the basis of the problems of existing client honeypots, we enumerate the requirements of a client honeypot: 1) detection accuracy and variety, 2) collection variety, 3) performance efficiency, and 4) safety and stability. We improve our system with regard to these requirements. The key features of our developed system are stepwise detection focusing on exploit phases, multiple crawler processing, tracking of malware distribution networks, and malware infection prevention. Our evaluation of our developed system in a laboratory experiment and field experiment indicated that its detection variety and crawling performance are higher than those of existing client honeypots. In addition, our system is able to collect information for countermeasures and is secure and stable for continuous operation. We conclude that our system can investigate malicious web sites comprehensively and support countermeasures.

抄録全体を表示

スケールアナログモデル実験（以下モデル実験と略）は，地質構造の形態やその形成過程を検討するための優れた手法である．自然現象である地質構造形成過程を縮小して，それと物理学的に等価な現象を実験室で再現するためには，相似律と呼ばれる理論に基づいてサイズや物性を変更する必要がある．上部地殻の岩石変形挙動を脆性破壊で近似した場合，相似律によると実験材料を乾燥粒状体（砂やガラスビーズなど）にする必要がある．今回のミニスクールでは，実験理論である相似律と実験材料の物性に関して概略を説明した後，実際に乾燥砂を使ったモデル実験を行って，モデル化した付加体形成過程を観察する．

抄録全体を表示

In pavement structure, short fiber reinforcing technique is hoped as an effective method for improving the stability of the subbase or subgrade layers against traffic load. In this paper, compaction behavior of short fiber reinforced is discussed by the results of laboratory compaction tests. As the results of roller compaction tests, it was confirmed that the value of dry density stably increases with an increase in the number of roller passing even if initial value of dry density at spreading was lower. At 8 passing of roller compaction, the value of realized dry density around the optimum water content become higher than the maximum dry density obtained from the Proctor test. This results shows that the current compaction control method for the subbase of pavement structure can also be applied to short fiber reinforced soil.

抄録全体を表示