JP5912074B2 - Program analysis system and method - Google Patents

Description

  The present invention relates to a program analysis system and method, and is particularly suitable for application to a program analysis system for analyzing the behavior of a computer program.

  In recent years, malicious malicious programs (hereinafter referred to as malware) such as computer viruses, spyware, and bot programs that cause threats such as information leakage and unauthorized access have become a social problem.

  The number of malware is increasing year by year. As a result, it is becoming difficult for conventional signature type anti-virus software to sufficiently combat new types of malware. As a means for solving this problem, a dynamic analysis technique for detecting malware by executing a program in a sandbox and analyzing the behavior has attracted attention. According to this technology, since detection is performed without using a signature, it is possible to cope with a new type of malware that cannot be handled by the signature type.

  Patent Document 1 discloses a technique for detecting and removing a new type of malware by finding a suspicious program from a computer, transmitting it as a sample to a test server, and performing dynamic analysis using a sample analyzer. According to this technique, it is possible to perform dynamic analysis of suspicious programs in a plurality of computers by one server.

JP 2010-198054 A

  However, Patent Document 1 does not mention an analysis / detection method for malware executed only on a specific type of execution environment. For example, some document file-type malware called PDF (Portable Document Format) files exploit exploitation file vulnerabilities only when they are read from a specific version of a PDF executable file. There is. In order to analyze such malware, it is necessary to use a sample analyzer having a plurality of versions of execution environments, but it is inefficient to try all versions of the execution environments one after another.

  The present invention has been made in consideration of the above points, and proposes a program analysis system and method capable of efficiently analyzing a malicious program (malware) that reveals illegal activities only in a specific version of an execution environment. It is something to try.

  In order to solve such a problem, the present invention is a program analysis system for analyzing whether or not a sample is a malicious program that reveals illegal activities on the execution environment of a version having a specific vulnerability, A plurality of sample analyzers for analyzing the samples in different versions of the execution environment and analysis priorities for the respective vulnerabilities are determined, and one or more versions to be preferentially analyzed are selected based on the determination results And an analysis management device that requests the sample analyzer having the selected version of the execution environment to analyze the sample.

  Further, in the present invention, there is provided a program analysis method in a program analysis system for analyzing whether or not a sample is a malicious program that reveals an unauthorized activity on a version of the execution environment having a specific vulnerability. The system includes a plurality of sample analyzers that analyze the sample in different versions of execution environments, and an analysis management device that requests the sample analyzer to analyze the sample. A first step of determining an analysis priority for each vulnerability, and a second step in which the analysis management device selects one or more versions to be preferentially analyzed based on the determination result; A third step in which the analysis management device requests the sample analysis device having the execution environment of the selected version to analyze the sample. Was to so that.

  As a result, according to the program analysis system and the program analysis method of the present invention, the sample is analyzed in the sample analyzer corresponding to the version to be preferentially analyzed. Compared with the conventional analysis methods that will continue, it is possible to analyze the specimen more efficiently.

  According to the present invention, it is possible to realize a program analysis system and method capable of efficiently analyzing a malicious program that reveals an unauthorized activity only in a specific version of the execution environment.

It is a block diagram which shows the whole structure of the program analysis system by this Embodiment. It is a block diagram which shows schematic structure of an analysis management apparatus. It is a conceptual diagram which shows notionally the structure of a sample database. It is a conceptual diagram which shows notionally the structure of an analysis priority vulnerability determination parameter database. It is a conceptual diagram which shows notionally the structure of a vulnerability information database. It is a conceptual diagram which shows notionally the structure of a usage frequency information database. It is a conceptual diagram which shows notionally the structure of an analysis priority vulnerability database. It is a conceptual diagram which shows notionally the structure of an analysis system database. It is a conceptual diagram which shows notionally the structure of an analysis environment determination parameter database. It is a block diagram which shows the logic structure of an analysis management apparatus. It is a flowchart which shows the process sequence of an analysis priority vulnerability determination process. It is a flowchart which shows the process sequence of an analysis environment determination process.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

  In the following, a system for analyzing a document file named PDF (Portable Document Formant) will be mainly described.

  The PDF file is PDF. It is a file that displays a document by being read in an execution environment called EXE. The PDF file type malware created by the attacker is a specific version of PDF. When read on EXE, fraudulent activity is started using the vulnerability of the execution environment.

  PDF. EXE has various vulnerabilities depending on the version. Vulnerabilities used by malware and PDF. Malware can start fraud only when the vulnerabilities that EXE has match. Therefore, to check whether a certain PDF file is malware, various versions of PDF. It is necessary to read on EXE.

  The system taken up in the present embodiment is a PDF. PDF that loads malware based on information about the frequency of EXE and the frequency of vulnerabilities targeted by attackers. By determining the EXE version and reading order, efficient analysis is realized.

(1) Configuration of Program Analysis System According to this Embodiment In FIG. 1, reference numeral 1 denotes a program analysis system according to this embodiment as a whole. The program analysis system 1 includes one or a plurality of information processing apparatuses 3, an analysis management apparatus 4, a plurality of sample analysis apparatuses 5, and a vulnerability information site 6. Between the information processing device 3, the analysis management device 4 and the vulnerability information site 6 is from a WAN (World Area Network), a LAN (Local Area Network), or a public network such as a mobile phone or a PHS (Personal Handyphone System). The analysis management device 4 and the sample analysis device 5 are connected to each other via the configured first communication network 7, and are similarly configured from a WAN, LAN, or a public network such as a mobile phone or PHS. They are connected to each other via the second communication network 8.

  The information processing apparatus 3 is a computer belonging to an organization network 2 such as an in-company network, for example, and includes a personal computer and various servers. In the information processing apparatus 3, the file (which is a PDF file in the present embodiment, hereinafter referred to as a sample) FL is analyzed and managed by the analysis management apparatus 4 at some opportunity such as execution of a new program or reception of an attached file. Send to. In addition, the information processing device 3 periodically transmits the types of applications and operating systems used in the information processing device 3 to the analysis management device 4 as usage frequency information UEI.

  The analysis management device 4 is a device that issues an analysis request to the sample analyzer 55 for the sample FL transmitted from the information processing device 3. The analysis management device 4 sends a sample analysis request ARQ to the sample analysis device 5 in consideration of the vulnerabilities often used for attacks and the type of environment used in the information processing device 3 belonging to the organization network 2. By publishing, efficient analysis is realized.

  The sample analyzer 5 analyzes whether the sample FL is malware according to the analysis request ARQ from the analysis management device 4. The analysis result is returned to the analysis management apparatus 4 as the analysis result ARS. Various sample analysis environments are prepared for each sample analyzer 5, and the usable environments differ for each sample analyzer 5. Therefore, the analysis management device 4 determines an appropriate sample analysis device 5 as a sample analysis device for analyzing the sample FL based on the type of the sample FL, the vulnerability information VI described later, and the usage frequency information UEI. The analysis request ARQ for the sample FL is issued to the sample analysis apparatus 5 that has been processed.

  Vulnerability information site 6 is an external organization (Web site) that provides vulnerability information VI, which is information related to application and system vulnerabilities. The analysis management device 4 acquires the vulnerability information VI from the vulnerability information site 6 and uses it when determining the sample analysis device 5 that performs the analysis of the sample FL.

  FIG. 2 shows a hardware configuration of the analysis management device 4. As is apparent from FIG. 2, the analysis management device 4 includes an information processing device main body 10 and an input / output device 11.

  The information processing apparatus main body 10 includes a CPU 21, a memory 22, an external storage device 23, and an interface 24 that are connected to each other via a bus 20.

The CPU 21 is an arithmetic device for executing various processes, and the memory 22 is a storage medium including data in which a set of instructions executed by the CPU 21 is described as a program. A sample reception program 30, a vulnerability information acquisition program 31, a usage frequency information acquisition program 32, an analysis priority vulnerability determination program 33, and an analysis environment determination program 34, which will be described later, are also stored and held in the memory 22. These programs stored in the memory 22 by CPU21 executes and performs various processes as described later as a whole analysis management apparatus 4.

  The external storage device 23 includes a storage medium such as a hard disk drive (HDD). A specimen database 40, an analysis priority vulnerability determination parameter database 41, a vulnerability information database 42, a use frequency information database 43, an analysis priority vulnerability database 44, an analysis system database 45, and an analysis environment determination parameter database 46 described later are stored in this external storage. It is stored and held in the device 23.

  The interface 24 is a communication device for connecting the analysis management device 4 to the first and second communication networks 7 and 8, and is composed of a communication device such as a LAN card, for example.

  Further, the input / output device 11 is a device for an administrator to input data to the analysis management device 4 and to output data in the analysis management device 4. A keyboard and a mouse are applied as input units in the input / output device 11, and a display is applied as an output unit in the input / output device 11.

(2) Program Analysis Method According to this Embodiment Next, a program analysis method according to this embodiment executed in the program analysis system 1 will be described.

  In the present embodiment, the analysis management apparatus 4 selects one or more versions of the execution environment to be preferentially analyzed, and analyzes the sample only for the sample analysis apparatus 5 having the selected version of the execution environment. One of the features is that the requested function is installed.

  As means for realizing such a function, as shown in FIG. 2, in the memory 22 of the analysis management apparatus 4, the sample reception program 30, vulnerability information acquisition program 31, usage frequency information acquisition program 32, analysis priority vulnerability A determination program 33 and an analysis environment determination program 34 are stored, and in the external storage device 23 of the analysis management device 4, a specimen database 40, an analysis priority vulnerability determination parameter database 41, a vulnerability information database 42, a use frequency information database 43, An analysis priority vulnerability database 44, an analysis system database 45, and an analysis environment determination parameter database 46 are stored.

  The sample reception program 30 is a program that receives the sample FL transmitted from the information processing apparatus 3, and the vulnerability information acquisition program 31 receives the vulnerability information VI (FIG. 1) from the vulnerability information site 6 (FIG. 1). It is a program to acquire. The usage frequency information acquisition program 32 is a program that receives the usage frequency information UEI (FIG. 1) transmitted from the information processing device 3, and the analysis priority vulnerability determination program 33 determines which vulnerability is associated with a specific execution environment. It is a program that decides whether analysis should be prioritized from an environment with sexuality. Further, the analysis environment determination program 34 determines on which execution environment of which sample analyzer 5 the sample FL is to be analyzed, transmits the analysis request ARQ (FIG. 1), and receives the analysis result ARS (FIG. 1). It is a program that performs.

  On the other hand, the sample database 40 is a database used for managing the analysis status of each sample FL transmitted from the information processing apparatus 3, and as shown in FIG. 3, an ID column 40A and an analysis acceptance time column 40B. , A sample name column 40C, a sample data column 40D, an execution environment column 40E, an analysis request list column 40F, and a determination result column 40G. In FIG. 3, one record (row) corresponds to one sample FL transmitted from any one of the information processing apparatuses 3.

  The ID column 40A stores an identifier (ID) assigned to each record, and the analysis acceptance time column 40B stores the time when the analysis management apparatus 4 receives the corresponding sample FL. The sample name column 40C stores the name of the corresponding sample FL, and the sample data column 40D stores the data of the corresponding sample FL.

  Furthermore, the execution environment column 40E stores the execution environment in which the corresponding sample FL is executed, and the analysis request list column 40F includes the identifier (device ID) of the sample analyzer 5 that requested the analysis of the corresponding sample FL and An execution environment used in the sample analyzer 5 is stored. The determination result column 40G stores the analysis status of the corresponding sample FL. Note that the analysis status of the sample FL means that the sample analysis device 5 has not been requested to analyze the sample FL yet, or the sample analysis device 5 has been requested to analyze the sample FL, but the analysis result has not yet been obtained. There are “waiting for analysis”, “malware” meaning that the analysis result that the specimen FL is malware, “non-malware” meaning that the analysis result that the specimen FL is not malware, and the like.

  Therefore, in the case of FIG. 3, three types of specimen FL are registered in the specimen database 40. For example, the specimen FL “A.pdf” is received at “2012/01/01 11:01:00”. "Device B" having the data contents "90fddd23a9 ...", the execution environment "PDF.exe", the execution environment "PDF.exe-1.6", and the execution environment "PDF.exe-1.2" The sample analysis apparatus 5 is requested to perform analysis, and it is indicated that the sample analysis apparatus 5 is currently in the “waiting for analysis” state.

  The analysis priority vulnerability determination parameter database 41 is a database used for managing parameters used when determining the priority for each vulnerability (hereinafter referred to as analysis priority) when analyzing the vulnerability. As shown in FIG. 4, it consists of an ID column 41A, a detection acceleration weighting parameter column 41B, and a damage minimization weighting parameter column 41C. In FIG. 4, one record (row) corresponds to one combination of a detection speed-up weighting parameter and a damage minimization weighting parameter.

  The ID column 41A stores an identifier (ID) assigned to each record, and the detection acceleration weighting parameter column 41B stores analysis processing for a version execution environment having a frequently exploited vulnerability. A parameter for determining the priority (hereinafter referred to as a detection acceleration weighting parameter) is stored. The larger the value of this detection acceleration weighting parameter is, the more priority is given to the execution environment of the version having the vulnerability that is currently being abused frequently.

  The damage minimum weight parameter column 41C stores a parameter (hereinafter referred to as a damage minimum weight parameter) that determines the priority of analysis processing for a frequently used version execution environment. As the value of the damage minimum weighting parameter is larger, the analysis is prioritized from the execution environment of the version frequently used in the organization network 2.

  The detection acceleration weighting parameter and the minimum damage weighting parameter are set by the administrator of the analysis management device 4 in the range of “0.0” to “1.0” so that the total value of these two parameters becomes “1.0”. The

  For example, in the case of FIG. 4, it is shown that the detection acceleration weighting parameter is set to “0.2” and the damage minimization weighting parameter 41C is set to “0.8”.

  The vulnerability information database 42 is a database used for managing the frequency of exploitation of the vulnerability and the version of the execution environment having the vulnerability. As shown in FIG. 5, the ID column 42A, the vulnerability name column 42B, It consists of an execution environment type column 42C, an abuse frequency column 42D, and a vulnerable execution environment version column 42E. In FIG. 5, one record (row) corresponds to one vulnerability.

  The ID column 42A stores an identifier (ID) given to each record, and the vulnerability name column 42B gives the corresponding vulnerability acquired from the vulnerability information site 6 (FIG. 1). Stores the name. The execution environment type column 42C stores the type of execution environment having the corresponding vulnerability, and the abuse frequency column 42D stores the frequency at which the corresponding vulnerability is abused. The abuse frequency is a relative value of the frequency of exploitation of the vulnerability compared to other vulnerabilities, and the total value of the exploitation frequencies of all vulnerabilities is “1.0”. Further, the vulnerable execution environment version column 42E stores the version of the execution environment having the corresponding vulnerability.

  Therefore, in the case of FIG. 5, four types of vulnerabilities are registered in the vulnerability information database 42. For example, a vulnerability named “PDF-V1” is “1.0.1.0” in the execution environment “PDF.exe”. ”,“ 1.1 ”and“ 1.2 ”, and the abuse frequency is“ 0.05 ”.

  The usage frequency information database 43 is a database used by the information processing apparatus 3 in the organization network 2 to manage the usage frequency of each version of each execution environment. As shown in FIG. , An execution environment type column 43B, an execution environment version column 43C, and a use frequency column 43D. In FIG. 6, one record (row) corresponds to one version.

  The ID column 43A stores an identifier (ID) assigned to each record, and the execution environment type column 43B stores the type of execution environment (PDF in the present embodiment) corresponding to the sample FL. Is done. Each version of the corresponding execution environment used in the organization network 2 is stored in the execution environment version column 43C, and the ratio that the corresponding version is used in the organization network 2 is stored in the usage frequency column 43D. (Ratio of the version being used over all versions) is stored. The total value of the usage frequencies of all the records in the usage frequency information database 43 is “1.0”.

Accordingly, in the case of FIG. 6, nine types of execution environments and combinations of versions are registered in the usage frequency information database 43. For example, an execution environment called “PDF.exe” with an ID of “1” is registered. The usage frequency of the execution environment version “1.1” of the execution environment “PDF.exe” with the ID “0.01” and the ID “2” assigned to the version “1.0” is “0.04” and “3”. It can be seen that the frequency of use of the execution environment version “1.2” of the execution environment “PDF.exe” to which the ID is assigned is “0.1”.

  The analysis priority vulnerability database 44 is a database used for managing the analysis priority of each vulnerability. As shown in FIG. 7, the analysis priority vulnerability database 44 includes an ID column 44A, a vulnerability name column 44B, and an analysis priority column 44C. Composed. In FIG. 7, one record (row) corresponds to one vulnerability.

  The ID column 44A stores an identifier (ID) assigned to each record, and the vulnerability name column 44B is used in the organization network 2 acquired from the vulnerability information site 6 (FIG. 1). Stores the name assigned to the vulnerability in the execution environment. The analysis priority column 44C stores the priority for analyzing the corresponding vulnerability (analysis priority). A larger value of this analysis priority means that the corresponding vulnerability analysis needs to be prioritized.

Therefore, in the case of FIG. 7, the analysis priority vulnerability database 44 has four types of vulnerability analysis priority registered, and the vulnerability “PDF-V1” with the ID “1” is analyzed. Vulnerability of “PDF-V2” with IDs of “0.13” and “2” has priority of “PDF-V3” with ID of “0.26” and “3” of analysis priority Indicates that the vulnerability of “PDF-V4” with the analysis priority of “0.52” and the ID of “4” has the analysis priority of “0.33”.

  The analysis system database 45 is a database used for managing the execution environment and version of each sample analyzer 5, and includes an ID column 45A, a sample analyzer column 45B, an execution environment type column 45C, and an execution environment version column 45D. Consists of

  The ID column 45A stores an identifier (ID) assigned to each record, and the sample analyzer column 45B stores the name of the corresponding sample analyzer 5. The execution environment type column 45C stores the execution environment of the corresponding sample analyzer 5, and the execution environment version column 45D stores the version of the execution environment in the corresponding sample analyzer 5. In the present embodiment, one or more versions exist for each sample analyzer 5.

  Accordingly, in the case of FIG. 8, four sample analyzers 5 are registered in the analysis system database 45, the execution environment of the sample analyzer 5 called “apparatus A” is “PDF.exe”, and the version is “1.0”. The execution environment of the sample analyzer 5 named “1.1” and “apparatus B” is “PDF.exe”, and the execution environment of the sample analyzer 5 whose versions are “1.2”, “1.6”, and “apparatus C” is “PDF. It is indicated that the execution environment of the sample analyzer 5 with “exe” having the versions “1.0” and “1.3” and “device D” is “PDF.exe” and the versions “1.4” and “1.5”.

Therefore, for example, when the sample FL is analyzed in the environment of the version “1.6”, the analysis regarding the vulnerability “PDF-V3” and the vulnerability “PDF-V4” is completed from FIG. For this reason, the total value of the abuse frequency of the specimen FL is calculated as shown in the following equation from FIG.

In addition, the versions where all the vulnerabilities are either “PDF-V3” and / or “PDF-V4” are “1.5”, “1.6”, “1.7” and “1.8” from FIG. . “1.4” is excluded because it has the vulnerability of “PDF-V2”. For this reason, the total value of use frequency becomes following Formula.

  The analysis environment determination parameter database 46 is a database used for managing an abuse frequency coverage rate threshold and a usage frequency coverage threshold, which will be described later, set in advance by an administrator. As shown in FIG. , An abuse frequency coverage threshold field 46B and a usage frequency coverage threshold field 46C. In FIG. 8, one record (row) corresponds to one combination of an abuse frequency coverage threshold and a usage frequency coverage threshold described later.

  The ID column 46A stores an identifier (ID) assigned to each record, and the abuse frequency coverage threshold value column 46B stores the threshold value of the total abuse frequency described above with reference to FIG. (Referred to as frequency coverage threshold). The usage frequency coverage threshold field 46C stores the threshold value of the total usage frequency described above with reference to FIG. 6 (hereinafter referred to as the usage frequency coverage threshold).

  Therefore, in the case of FIG. 9, it is shown that the abuse frequency coverage threshold is set to “0.8” and the usage frequency coverage threshold is set to “0.8”.

  The logical configuration of the analysis management device 4 is shown in FIG. As is clear from FIG. 10, the analysis management apparatus 4 includes a sample receiving unit 50, a vulnerability information acquisition unit 51, a usage frequency information acquisition unit 52, an analysis priority vulnerability determination unit 53, and an analysis environment determination unit 54. Is done.

  The sample receiving unit 50 is a function embodied by the CPU 21 executing the sample receiving program 30, receives the sample FL transmitted from the information processing apparatus 3, and receives the received sample FL and various types of information related to the sample FL. Is registered in the specimen database 40.

  The vulnerability information acquisition unit 51 is a function embodied by the CPU 21 executing the vulnerability information acquisition program 31, and acquires the vulnerability information VI (FIG. 1) from the vulnerability information site 6 (FIG. 1). The acquired vulnerability information is registered in the vulnerability information database 42.

  The usage frequency information acquisition unit 52 is a function that is realized by the CPU 21 executing the usage frequency information acquisition program 32. The usage frequency information acquisition unit 52 receives the usage frequency information UEI (FIG. 1) from the information processing device 3 and receives the usage frequency. Information UEI is registered in the usage frequency information database 43.

  The analysis priority vulnerability determination unit 53 is a function realized by the CPU 21 executing the analysis priority vulnerability determination program 33, and includes an analysis priority vulnerability determination parameter database 41, a vulnerability information database 42, and a usage frequency information database. 43 and the analysis priority vulnerability database 44 are used to determine which vulnerability is to be preferentially analyzed for a specific execution environment.

  The analysis environment determination unit 54 is a function that is realized when the CPU 21 executes the analysis environment determination program 34. The sample database 40, the vulnerability information database 42, the analysis priority vulnerability database 44, the analysis system database 45, and the analysis This is a function for determining which version of the execution environment of which sample analyzer 5 is to analyze the sample FL based on the environment determination parameter database 46. Further, the analysis environment determination unit 54 transmits an analysis request ARQ (FIG. 1) to the sample analyzer 5 based on the determination and receives an analysis result ARS (FIG. 1).

(3) Various Processes Related to Program Analysis Method According to this Embodiment Next, specific processing contents of various processes executed in the analysis management apparatus 4 in relation to the program analysis method according to this embodiment will be described. In the following description, the processing entities of various processes are the function units (sample receiving unit 50, vulnerability information acquiring unit 51, usage frequency information acquiring unit 52, analysis priority vulnerability determining unit 53, or analysis environment determining unit shown in FIG. 54), in practice, the programs that the CPU 21 corresponds to (the sample reception program 30, the vulnerability information acquisition program 31, the usage frequency information acquisition program 32, the analysis priority vulnerability determination program 33, and the analysis environment determination program 34). It goes without saying that the processing is executed based on the above.

(3-1) Specimen Reception Processing When the sample FL is transmitted from the information processing apparatus 3, the sample reception unit 50 of the analysis management apparatus 4 starts the sample reception process, and first receives the sample FL.

  Subsequently, the sample receiving unit 50 registers the analysis acceptance time, sample name, sample data, and execution environment of the sample FL in the sample database 40. At this time, the sample receiving unit 50 determines the execution environment of the sample FL from the extension of the sample name. For example, if the extension of the sample name is “.pdf”, the execution environment is determined as “PDF.exe”, and if the extension is “.xls”, the execution environment is determined as “EXCEL.exe”. When the extension is “.doc”, the execution environment is determined to be “WORD.exe”. Note that the sample receiving unit 50 may determine the execution environment by analyzing the data of the sample FL.

  Then, the sample receiving unit 50 thereafter ends this sample receiving process.

(3-2) Vulnerability information acquisition processing The vulnerability information acquisition unit 51 of the analysis management device 4 executes vulnerability information acquisition processing periodically (for example, every 24 hours). Each is accessed, the vulnerability information VI related to the sample FL to be analyzed is acquired from these vulnerability information sites 6, and the acquired vulnerability information is registered in the vulnerability information database 42. The format of the vulnerability information VI is not particularly defined in the present invention, but a text file, an HTML (Hyper Text Markup Language) file, or an XML (Extensible) file that describes the vulnerability identifier and frequency of occurrence of each execution environment. Markup Language) file and so on.

  Subsequently, the vulnerability information acquisition unit 51 calculates the exploitation frequency of the vulnerability corresponding to the record for each record (row) in the vulnerability information database 42, and the abuse frequency of each record based on the calculation result. The abuse frequency stored in the column 42D (FIG. 5) is updated.

  The vulnerability information acquisition unit 51 thereafter ends this vulnerability information acquisition process.

(3-3) Usage Frequency Information Acquisition Processing The usage frequency information acquisition unit 52 of the analysis management device 4 executes the usage frequency information acquisition processing periodically (for example, every 24 hours). Usage frequency information UEI (FIG. 1) is acquired from the processing device 3. The format of the usage frequency information UEI is not particularly defined in the present invention, but is intended for a text file, an HTML file, an XML file, or the like in which the identifier of the version of the execution environment used by the information processing apparatus 3 is described.

  Subsequently, the usage frequency information acquisition unit 52 registers the usage frequency information UEI acquired in step SP20 in the usage frequency information database 43, and thereafter ends this usage frequency information acquisition process.

(3-4) Analysis Prioritized Vulnerability Determination Processing FIG. 11 shows a processing procedure of analysis prioritized vulnerability determination processing executed by the analysis prioritized vulnerability determination unit 53 (FIG. 10) of the analysis management device 4. The analysis priority vulnerability determination unit 53 calculates the analysis priority of each vulnerability according to the processing procedure shown in FIG. 11, and registers the calculated analysis priority in the analysis priority vulnerability database 44 (FIG. 7).

  In practice, the analysis priority vulnerability determination unit 53 starts the analysis priority vulnerability determination process at the timing when the vulnerability information database 42 or the usage frequency information database 43 is updated. First, the analysis priority vulnerability database 44 is referred to. Then, one vulnerability whose analysis priority is not calculated is selected (SP1).

Subsequently, the analysis priority vulnerability determination unit 53 refers to the vulnerability information database 42 and the usage frequency information database 43, and selects the vulnerability selected in step SP1 of the execution environment targeted at that time (hereinafter referred to as the selected vulnerability). The cumulative frequency of use of the version having the function is called (SP2). For example, if the selected vulnerability is “PDF-V1” in FIG. 6, this selected vulnerability refers to the vulnerability information database 42, and the execution environment “1.0”, “1.1” and “PDF.exe” It turns out that the version "1.2" is targeted. Further, referring to the usage frequency information database 43, the usage frequencies of the versions “1.0”, “1.1”, and “1.2” of the execution environment “PDF.exe” are “0.01”, “0.04”, and “0.1”, respectively. It turns out that it is. Therefore, the cumulative usage frequency of this selected vulnerability ("PDF-V1") is
Thus, it is possible to calculate “0.15” by adding these “0.01”, “0.04”, and “0.1”.

Next, the analysis priority vulnerability determination unit 53 calculates the analysis priority of the selected vulnerability based on the vulnerability information database 42, the analysis environment determination parameter database 46, and the cumulative use frequency of the selected vulnerability calculated in step SP2. (SP3). Specifically, the analysis priority vulnerability determination unit 53 sets the abuse frequency of the selected vulnerability to F1, the cumulative use frequency of the selected vulnerability to F2, the value of the detection acceleration weighting parameter described above with reference to FIG. Assuming that the weighting parameter value is P2,
Based on the above, the analysis priority AP of the selected vulnerability is calculated.

For example, in the examples of FIGS. 5 to 8, when the selected vulnerability is “PDF-V1”, the analysis priority AP of the selected vulnerability is an abuse frequency F1 of “0.05” (see FIG. 5 ), and the detection speed is increased. The weighting parameter value P1 is “0.2” (FIG. 4 ), the cumulative usage frequency F2 of the selected vulnerability is “0.15” as described above with respect to the equation (3), and the damage minimization weighting parameter value P2 is “0.8” (FIG. 4 ). 4 ) Since
It can be calculated as follows. Similarly, when the selected vulnerability is “PDF-V2”, the analysis priority AP is “0.26”, and when the selected vulnerability is “PDF-V3”, the analysis priority AP is “0.52”. Is “PDF-V4”, the analysis priority AP can be calculated as “0.33”, respectively.

  Then, the analysis priority vulnerability determination unit 53 overwrites the analysis priority of the selected vulnerability calculated in this way on the analysis priority AP of the record corresponding to the selected vulnerability in the analysis priority vulnerability database 44. The analysis priority vulnerability database 44 is updated.

  Thereafter, the analysis priority vulnerability determination unit 53 determines whether or not the analysis priority has been calculated for all the vulnerabilities (SP4), and if a negative result is obtained, returns to step SP1. Then, the analysis priority vulnerability determination unit 53 repeats the processing of step SP1 to step SP4 while sequentially switching the vulnerability selected in step SP1 to other unprocessed vulnerabilities.

  The analysis priority vulnerability determination unit 53 eventually calculates the analysis priority AP for all the vulnerabilities registered in the analysis priority vulnerability database 44, and finishes updating the analysis priority vulnerability database 44 based on the calculation result. If an affirmative result is obtained in step SP4, the analysis priority vulnerability determination process is terminated.

(3-5) Analysis Environment Determination Process FIG. 12 shows a processing procedure of the analysis environment determination process executed by the analysis environment determination unit 54 (FIG. 10) of the analysis management device 4. The analysis environment determination unit 54 determines the sample analyzer 5 that requests the analysis of the sample FL to be analyzed in accordance with the processing procedure shown in FIG. 12, and requests the determined sample analyzer 5 to analyze the sample FL.

  In practice, the analysis environment determination unit 54 of the analysis management device 4 starts the analysis environment determination process at the timing when the sample FL whose determination result is “waiting for analysis” is registered in the sample database 40 (FIG. 3). First, the sample FL registered at that time is selected from the samples FL registered in the sample database 40 (SP10). For example, in the case of the example of FIGS. 3 to 9, in this step SP10, a sample “A.pdf” in which “waiting for analysis” is stored in the determination result column 40G (FIG. 3) of the sample database 40 (FIG. 3). Will be selected.

  Subsequently, the analysis environment determination unit 54 selects a vulnerability that is not “selected” and has the highest analysis priority from the vulnerabilities that the execution environment of the sample FL selected in step SP10 may have. Select (SP11). As for “selected”, step SP15 will be described later. In the case of the examples in FIGS. 3 to 9, referring to the analysis priority vulnerability database 44 (FIG. 7), the vulnerability having the highest analysis priority is “PDF-V3”. V3 "will be selected.

  Next, the analysis environment determination unit 54 selects one version from all versions of the execution environment having the vulnerability selected in step SP11 (hereinafter referred to as “selected vulnerability”) (SP12). For example, in the example of FIGS. 3 to 9, if the selected vulnerability is “PDF-V3”, the version of the execution environment having the selected vulnerability is referred to by referring to the vulnerability information database 42 (FIG. 5). It can be seen that they are “1.4”, “1.5” and “1.6”. Therefore, the analysis environment determination unit 54 selects one version from “1.4”, “1.5”, and “1.6” in step SP12.

  Thereafter, the analysis environment determination unit 54 calculates a cumulative value of analysis priorities of vulnerabilities of the version selected in step SP12 (SP13).

  For example, in the example of FIGS. 3 to 9, if the version selected in step SP12 is “1.4”, referring to the vulnerability information database 42 (FIG. 5), the version “1.4” is “PDF- It can be seen that it has two vulnerabilities: “V2” and “PDF-V3”. Therefore, in this case, the analysis environment determination unit 54 analyzes the analysis priority of the vulnerability “PDF-V2” and the analysis priority of the vulnerability “PDF-V3” with the analysis priority vulnerability database 44 (FIG. 7). ), And the vulnerability analysis priority of “PDF-V2” and the vulnerability analysis priority of “PDF-V3” are added together to analyze the vulnerability of version “1.4”. Calculate the cumulative priority. The analysis priority of the vulnerability “PDF-V2” is “0.26” and the analysis priority of the vulnerability “PDF-V3” is “0.52”. The cumulative value of analysis priority is “0.78”.

  If the version selected in step SP12 is “1.5”, referring to the vulnerability information database 42, it can be seen that the version “1.5” has only the vulnerability “PDF-V3”. Therefore, in this case, the analysis environment determination unit 54 reads the analysis priority of the vulnerability “PDF-V3” from the analysis priority vulnerability database 44, and sets the read analysis priority to the analysis priority of the version “1.5”. The cumulative value of

  Furthermore, when the version selected in step SP12 is “1.6”, referring to the vulnerability information database 42, the version “1.6” has two vulnerabilities “PDF-V3” and “PDF-V4”. I understand that. Therefore, in this case, the analysis environment determination unit 54 reads out the analysis priority of the vulnerability “PDF-V3” and the analysis priority of the vulnerability “PDF-V4” from the analysis priority vulnerability database 44. By adding the analysis priority of the vulnerability “PDF-V3” and the vulnerability analysis priority “PDF-V4”, the cumulative analysis priority of the vulnerability “1.6” Calculate the value. The analysis priority of the vulnerability “PDF-V3” is “0.52” and the analysis priority of the vulnerability “PDF-V4” is “0.33”. The cumulative value of analysis priority is “0.85”.

  Subsequently, the analysis environment determination unit 54 determines whether or not the processing of step SP13 has been completed for all versions having the selected vulnerability (SP14). If the analysis environment determination unit 54 obtains a negative result in this determination, the analysis environment determination unit 54 returns to step SP12, and thereafter performs the processing of step SP12 to step SP14 while sequentially switching the version selected in step SP12 to the corresponding unprocessed version. repeat.

  When the analysis environment determination unit 54 finally obtains an affirmative result in step SP14 by completing the calculation of the cumulative analysis priority for all versions having the selected vulnerability, the selection calculated by the processing in steps SP12 to SP14 is performed. Among all versions with vulnerabilities, the version with the highest cumulative analysis priority is determined as the version to be analyzed (version to be analyzed with priority), and the vulnerability corresponding to the determined version is “Selected” (SP15).

  For example, in the example of FIGS. 3 to 9, the versions having the selected vulnerability as described above are “1.4”, “1.5”, and “1.6”, and the cumulative analysis priority values of these versions are “0.72”, respectively. ”,“ 0.52 ”, and“ 0.85 ”, the version“ 1.6 ”is determined as the version to be analyzed in this step SP15. In addition, the vulnerabilities corresponding to the version “1.6” are “PDF-V3” and “PDF-V4” when the vulnerability information database 42 is referred to. Therefore, the analysis environment determination unit 54 selects these vulnerabilities as “selection”. Done ".

  Next, the analysis environment determination unit 54 calculates the total value of the abuse frequency and the total value of the usage frequency for the vulnerabilities that are “selected” in step SP15 (SP16). For example, in the examples of FIGS. 3 to 9, referring to the vulnerability information database 42 (FIG. 5), the exploitation frequency of the vulnerability “PDF-V3” that is “selected” in step SP15 is “0.6”. Since the exploitation frequency of the vulnerability “PDF-V4” is “0.25”, the total abuse frequency is calculated as “0.85”. Further, referring to the vulnerability information database 42, the execution environment versions of the vulnerability “PDF-V3” are “1.4”, “1.5”, and “1.6”, and the execution environment version of the vulnerability “PDF-V4” is “1.6”, “1.7” and “1.8”. However, since the version “1.4” also has the vulnerability “RDF-V2”, it is necessary to calculate the total value of the usage frequency by excluding the usage frequency of the version “1.4”. Therefore, for the total value of the usage frequency in this case, referring to the usage frequency information database 43 (FIG. 6), the usage frequencies of the versions “1.5” to “1.8” are “0.3”, “0.05”, “0.2”. And “0.1”, it is calculated as “0.65” by adding them together.

  Thereafter, the analysis environment determination unit 54 determines that the sum of the abuse frequencies calculated in step SP16 is larger than the abuse frequency coverage threshold registered in the analysis environment determination parameter database 46 (FIG. 9), and step SP16. It is determined whether or not the total value of the usage frequencies calculated in step S1 is larger than the usage frequency coverage threshold value registered in the analysis environment determination parameter database 46 (SP17).

  When the analysis environment determination unit 54 obtains a negative result in this determination, the analysis environment determination unit 54 returns to step SP11, and then selects the vulnerability selected in step SP11 as the vulnerability with the highest analysis priority among the vulnerabilities that are not “selected”. The processing of step SP11 to step SP17 is repeated while sequentially switching to the sex.

  When the analysis environment determination unit 54 eventually obtains a positive result for any of the vulnerabilities in step SP17, the analysis environment determination unit 54 refers to the analysis system database 45 (FIG. 8) and analyzes the version for each version. 5 is selected (SP18). At this time, when there are a plurality of sample analysis devices 5 having the same execution environment version, the analysis environment determination unit 54 performs the analysis in parallel so that the sample analysis device 5 has as little overlap as possible. Select.

  For example, in the example of FIGS. 3 to 9, since the total value of the usage frequencies for the version “1.6” determined in step SP15 as described above is “0.65”, a negative result is obtained in step SP17. Return to SP11. In this case, in step SP11, the vulnerability “PDF-V2” is selected. Then, the cumulative values of the analysis priorities for the versions “1.2”, “1.3”, and “1.4” having this vulnerability are calculated as “0.39”, “0.26”, and “0.26”, respectively, in step SP13. Accordingly, in step SP15, the version “1.2” is determined as the second version to be analyzed, and the vulnerabilities “PDF-V1” and “PDF-V2” are each “selected”.

  In step SP16, the total value of abuse frequency and the total value of usage frequency for the versions that have been analyzed so far ("1.6" and "1.2") are both calculated as "1.0". As a result, in step SP17 A positive result will be obtained. Thus, the analysis environment determination unit 54 analyzes the sample analysis apparatus 5 that analyzes the version “1.6” and the version “1.2” determined as the analysis target versions as described above in step SP18. A selection is made with reference to the system database 45. In the case of the present embodiment, the sample analyzer 5 having the execution environment of version “1.6” is only “apparatus B”, and the sample analyzer 5 having the execution environment of version “1.2” is also only “apparatus B”. Therefore, the sample analyzer 5 called “device B” is selected as the sample analyzer 5 that analyzes these two versions.

  Next, the analysis environment determination unit 54 selects the analysis request ARQ (FIG. 1) for each version that has been determined as the analysis target in step SP15 so far, in order from the version with the highest analysis priority, in the corresponding sample selected in step SP19. The data is sequentially transmitted to the analysis device 5. The analysis environment determination unit 54 thereafter displays the ID of the sample analyzer 5 that issued the analysis request at this time and the version requested to be analyzed by the sample analyzer 5 in the analysis request list field 40F of the sample database 40 (FIG. 3). (SP19). The analysis request ARQ includes information regarding the data and version of the sample FL.

  For example, in the example of FIGS. 3 to 9, the versions selected in step SP15 are “1.6” and “1.2”, and the sample analyzer 5 selected for each version in step SP18 is “apparatus B”. . In addition, in the version “1.6” and the version “1.2”, the version “1.6” has higher analysis priority. Therefore, the analysis of the version “1.6” and the version “1.2” is called “device B”. The sample analyzer 5 is sequentially requested. Further, the analysis environment determination unit 54 thereafter requests the sample analysis device 5 named “device B” to analyze the version “1.6” and the version “1.2” in the corresponding analysis request list column 40F of the sample database 40. Stores information to that effect.

  Subsequently, the analysis environment determination unit 54 waits for a response (analysis result ARS (FIG. 1)) from each sample analyzer 5 that requested the analysis in step SP19 (SP20), and eventually analyzes from all the sample analyzers 5 When the result ARS is received, the analysis result ARS is stored in the corresponding determination result column 40G of the specimen database 40, and the analysis result ARS is transmitted to the corresponding information processing apparatus 3, and then the analysis environment determination process is terminated. .

(4) Effects of the present embodiment According to the program analysis system 1 of the present embodiment described above, the sample is analyzed in the sample analyzer 5 corresponding to the version to be preferentially analyzed. Compared with the conventional analysis method that sequentially tests the execution environment, the sample can be analyzed efficiently. In this way, it is possible to efficiently analyze a malicious program (malware) that reveals an unauthorized activity only on a specific version of the execution environment.

(5) Other Embodiments In the above-described embodiment, the analysis request ARQ for each version determined as the analysis target in step SP19 of the analysis environment determination process described above with reference to FIG. From the above, it has been described that the analysis results ARS are sequentially transmitted to the corresponding sample analyzer 5 and then waiting for the analysis result ARS from these sample analyzers 5 in the following step SP20. However, the present invention is not limited to this. For example, in step SP19, only one analysis request ARQ for the version with the highest priority is transmitted, and after receiving the analysis result ARS in the subsequent step SP20, the process returns to step SP19 for the version with the next highest priority. Repeatedly sending the analysis request ARQ to the corresponding sample analyzer 5 You may make it. At this time, when the content of the analysis result ARS is “malware” (when the analysis result that the sample is malware is obtained), the sample analysis device 5 corresponding to the version with the next highest priority. The sample analysis request may be stopped. By doing so, it is possible to omit the issuance of an extra analysis request ARQ and further improve the analysis efficiency of the sample as the entire program analysis system 1.

  In the above-described embodiment, the case where the execution environment is “PDF.EXE” has been described. However, the present invention is not limited to this, and the execution environment is not limited to “PDF.EXE”. Can also be applied. The present invention can be similarly applied to an analysis system having a plurality of execution environments.

  Furthermore, in the above-described embodiment, the case where the analysis management apparatus 4 actively acquires the vulnerability information VI from the vulnerability information site 6 has been described. However, the present invention is not limited to this. A person may periodically provide vulnerability information VI.

  The present invention can be applied to a program analysis system that can perform an efficient analysis of a malicious program that reveals an unauthorized activity only in a specific version of the execution environment.

  DESCRIPTION OF SYMBOLS 1 ... Program analysis system, 3 ... Information processing apparatus, 4 ... Analysis management apparatus, 5 ... Sample analysis apparatus, 6 ... Information site, 21 ... CPU, 30 ... Sample reception program, 31 ... Vulnerability Sex information acquisition program, 32... Usage frequency information acquisition program, 33... Analysis priority vulnerability determination program, 34 .. analysis environment determination program, 40 .. specimen database, 41 .. analysis priority vulnerability determination parameter database, 42 …… Vulnerability information database, 43 …… Usage frequency information database, 44 …… Analysis priority vulnerability database, 45 …… Analysis system database, 46 …… Analysis environment determination parameter database, 50 …… Sample receiver, 51 …… Vulnerability information acquisition unit, 52 …… Use frequency information acquisition unit, 53 …… Analysis priority vulnerability determination unit, 54 …… Analysis ring Determining unit.

Claims (14)

A program analysis system that analyzes whether or not a sample is a malicious program that reveals illegal activities on an execution environment with a specific vulnerability,
A plurality of sample analyzers for analyzing the samples in different versions of execution environments;
The analysis priority for each vulnerability is determined, one or more versions to be preferentially analyzed are selected based on the determination result, and the sample is analyzed with respect to the sample analyzer having the execution environment of the selected version A program analysis system comprising: an analysis management device that requests analysis of the program. The analysis management device includes:
For each vulnerability, the exploitation frequency, which is the relative frequency of exploitation of the vulnerability compared to other vulnerabilities, and the ratio that the version is used for all versions for each version of the execution environment The program analysis system according to claim 1, wherein a certain usage frequency is calculated, and the analysis priority for each vulnerability is determined based on the calculated abuse frequency and the usage frequency. The analysis management device includes:
Holding vulnerability information representing the version of the execution environment having the vulnerability for each vulnerability,
Based on the analysis priority for each vulnerability and the vulnerability information, the cumulative value of the analysis priority for each version of the execution environment is calculated, and the cumulative value of the analysis priority for each calculated version is calculated. The program analysis system according to claim 1, wherein a version to be preferentially analyzed is selected based on. The analysis management device includes:
Holding a pre-set weighting parameter that determines which of the abuse frequency and the usage frequency is important;
The program analysis system according to claim 2, wherein the analysis priority for each vulnerability is determined based on the abuse frequency, the use frequency, and the weighting parameter. The analysis management device includes:
For each version of the execution environment, calculate a usage frequency that is a relative value of the frequency with which the version is used as seen from all versions,
In order from the version in which the cumulative value of the analysis priority is large, the version to which the total value of the usage frequency exceeds a preset first threshold is selected as a version to be preferentially analyzed,
4. The analysis of the sample is requested from the sample analysis apparatus having an execution environment of the version in order from the version with the highest cumulative value of the analysis priority among the selected versions. The program analysis system described in 1. The analysis management device includes:
For each of the vulnerabilities, calculate the abuse frequency, which is a relative value of the frequency of exploitation of the vulnerability as seen from the entire vulnerability,
In order from the version with the largest cumulative value of the analysis priority, the version that the total value of the abuse frequency exceeds a preset second threshold is selected as a version to be preferentially analyzed,
4. The analysis of the sample is requested from the sample analysis apparatus having an execution environment of the version in order from the version with the highest cumulative value of the analysis priority among the selected versions. The program analysis system described in 1. The analysis management device includes:
If an analysis result is received from any of the sample analyzers that the sample is a malicious program that reveals illegal activities on the execution environment of a specific vulnerability version, The program analysis system according to claim 1, wherein an analysis request to the sample analyzer is stopped. A program analysis method in a program analysis system for analyzing whether or not a sample is a malicious program that reveals illegal activities on an execution environment of a version having a specific vulnerability,
The analysis system includes:
A plurality of sample analyzers for analyzing the samples in different versions of execution environments;
An analysis management device that requests the sample analyzer to analyze the sample;
A first step in which the analysis management device determines an analysis priority for each vulnerability;
A second step in which the analysis management device selects one or more versions to be preferentially analyzed based on the determination result;
The analysis management apparatus comprises a third step of requesting the sample analysis apparatus having the selected version of the execution environment to analyze the sample. The analysis management device, in the first step,
For each vulnerability, the exploitation frequency, which is the relative frequency of exploitation of the vulnerability compared to other vulnerabilities, and the ratio that the version is used for all versions for each version of the execution environment The program analysis method according to claim 8, wherein a certain usage frequency is calculated, and the analysis priority for each vulnerability is determined based on the calculated abuse frequency and the usage frequency. The analysis management device includes:
Holding vulnerability information representing the version of the execution environment having the vulnerability for each vulnerability,
In the second step,
Based on the analysis priority for each vulnerability and the vulnerability information, the cumulative value of the analysis priority for each version of the execution environment is calculated, and the cumulative value of the analysis priority for each calculated version is calculated. The program analysis method according to claim 9, wherein a version to be preferentially analyzed is selected based on the selection. The analysis management device includes:
Holding a pre-set weighting parameter that determines which of the abuse frequency and the usage frequency is important;
In the first step,
The program analysis method according to claim 9, wherein the analysis priority for each vulnerability is determined based on the abuse frequency, the use frequency, and the weighting parameter. The analysis management device includes:
In the first step, for each version of the execution environment, a usage frequency that is a relative value of a frequency with which the version is used as seen from all versions is calculated,
In the second step, in order from the version with the largest accumulated analysis priority value, the version to which the total value of the usage frequency exceeds the preset first threshold is determined as the version to be preferentially analyzed. Selected,
In the third step, the analysis of the sample is requested to the sample analyzer having the execution environment of the version in order from the version with the largest cumulative value of the analysis priority among the selected versions. The program analysis method according to claim 10. The analysis management device includes:
In the first step, for each of the vulnerabilities, an exploitation frequency that is a relative value of the frequency of exploitation of the vulnerability as viewed from the entire vulnerability is calculated.
In the second step, in order from the version with the largest accumulated analysis priority value, the version to which the total value of the abuse frequency exceeds a preset second threshold is the version to be preferentially analyzed. Selected,
In the third step, the analysis of the sample is requested to the sample analyzer having the execution environment of the version in order from the version with the largest cumulative value of the analysis priority among the selected versions. The program analysis method according to claim 10. The analysis management device includes:
In the third step, when an analysis result is received from any one of the sample analyzers that the sample is a malicious program that reveals an unauthorized activity on a version of the execution environment having a specific vulnerability The program analysis method according to claim 8, wherein the request for analysis of the sample to the sample analyzer is stopped.