Process analysis apparatus, process analysis method, and process analysis for determining input/output relation of a block of execution trace to detect potential malware
First Claim
1. A process analysis apparatus comprising processing circuitry to:
- acquire an execution trace of a process to be analyzed;
- extract, from the execution trace, a block that is a program element indicating a loop structure;
- extract, from the block, block information including input information and output information including a value written in a storage area, wherein the extracted input information is determined to satisfy conditions of being defined prior to execution of the block, and being read prior to overwriting during execution of the block;
- generate characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information;
- analyze the input/output relation of the block, using the characteristic determination information to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and
- when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyze the block to perform at least one of: detecting malware within the process, and processing encryption logic from the block to identify information compromised by the malware within the process.
1 Assignment
0 Petitions
Abstract
The present invention relates to a process analysis apparatus for analyzing a process executed in an information processing unit and extracting encryption logic such as an encryption function or a decryption function used in the process. The process analysis apparatus is provided with an execution trace acquisition section to acquire an execution trace of a process to be analyzed; a block extraction section to extract, from the execution trace, a block that is a processing unit indicating a loop structure; a block information extraction section to extract, from the block, block information including input information and output information; and a block information analysis section to generate characteristic determination information for determining a characteristic of an input/output relation of the block, using the input information or the output information of the block information, analyzing the input/output relation of the block, using the characteristic determination information, and determining the block which indicates a characteristic of an input/output relation of an encryption function or a decryption function, as the encryption logic.
7 Claims
1. (Reproduced in full under First Claim above.) Dependent claims: 2, 3, 4.
5. A process analysis apparatus comprising processing circuitry to:
acquire an execution trace of a process to be analyzed; extract, from the execution trace, a block that is a program element indicating a loop structure; extract, from the block, block information including input information and output information including a value written in a storage area; generate characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information; analyze the input/output relation of the block, using the characteristic determination information to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyze the block to perform at least one of: detecting malware within the process, and processing encryption logic from the block to identify information compromised by the malware within the process, wherein the processing circuitry determines a printable character-string rate which is a rate of printable character strings in one of the input information and the output information of the block information; calculates, as the characteristic determination information, a difference between a first printable character-string rate of the input information and a second printable character-string rate of the output information, which have been determined by the character-string rate determination section; and when the difference is at or above a predetermined threshold, determines the block to be encryption logic.
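The following is an added illustration of the analysis described in claims 1 and 5; it is not code from the patent or its assignee. It assumes a simplified execution trace made of byte-granular memory read/write events and a loop block given as an index range into that trace (both constructed here). The input information is derived exactly as claim 1 states it, as addresses read inside the block before the block overwrites them, the output information is the last value written per address, and the block is classified by the difference between the printable character-string rates of the two sets, as in claim 5. Two constructed loops are traced: a byte-wise XOR loop, which the heuristic flags, and a plain upper-casing copy loop, which it does not.

```python
from dataclasses import dataclass

# Printable ASCII range used for the "printable character-string rate";
# the patent does not fix a definition, so this is an assumption.
PRINTABLE = range(0x20, 0x7F)


@dataclass(frozen=True)
class Event:
    """One entry of a constructed execution trace (hypothetical format)."""
    kind: str   # "r" for a memory read, "w" for a memory write
    addr: int   # byte address
    value: int  # byte value read or written


def extract_block_io(trace, block_start, block_end):
    """Block information per claim 1.

    Input information: addresses read inside the block *before* the block
    writes them, so their value was defined prior to the block.
    Output information: the last value the block wrote to each address.
    """
    inputs, outputs, written = {}, {}, set()
    for ev in trace[block_start:block_end]:
        if ev.kind == "r":
            if ev.addr not in written and ev.addr not in inputs:
                inputs[ev.addr] = ev.value
        elif ev.kind == "w":
            written.add(ev.addr)
            outputs[ev.addr] = ev.value
    return inputs, outputs


def printable_rate(values):
    """Fraction of byte values that are printable ASCII (0.0 for no data)."""
    values = list(values)
    if not values:
        return 0.0
    return sum(1 for v in values if v in PRINTABLE) / len(values)


def analyze(trace, block_start, block_end, threshold=0.5):
    """Claim 5 heuristic: (is_encryption_logic, rate difference).

    The threshold is a constructed value; the claim only says 'predetermined'.
    """
    inputs, outputs = extract_block_io(trace, block_start, block_end)
    diff = abs(printable_rate(inputs.values()) - printable_rate(outputs.values()))
    return diff >= threshold, diff


def simulate_xor_loop(plaintext, key, src=0x1000, dst=0x2000, keyaddr=0x3000, ctr=0x4000):
    """Constructed trace of a loop that XORs plaintext with a repeating key.

    Writes before the block define the inputs; inside the block a loop counter
    at `ctr` is written *then* read, so it must not count as input.
    """
    trace = [Event("w", src + i, b) for i, b in enumerate(plaintext)]
    trace += [Event("w", keyaddr + i, b) for i, b in enumerate(key)]
    block_start = len(trace)
    for i, b in enumerate(plaintext):
        k = key[i % len(key)]
        trace.append(Event("w", ctr, i))                    # scratch: defined in block
        trace.append(Event("r", ctr, i))                    # read after write -> not input
        trace.append(Event("r", src + i, b))                # plaintext byte -> input
        trace.append(Event("r", keyaddr + i % len(key), k)) # key byte -> input
        trace.append(Event("w", dst + i, b ^ k))            # ciphertext byte -> output
    return trace, block_start, len(trace)


def simulate_upper_loop(text, src=0x1000, dst=0x2000):
    """Constructed trace of a benign loop: copy bytes while upper-casing ASCII."""
    trace = [Event("w", src + i, b) for i, b in enumerate(text)]
    block_start = len(trace)
    for i, b in enumerate(text):
        trace.append(Event("r", src + i, b))
        trace.append(Event("w", dst + i, b - 0x20 if 0x61 <= b <= 0x7A else b))
    return trace, block_start, len(trace)


if __name__ == "__main__":
    # Key bytes >= 0x80 push every ciphertext byte outside printable ASCII.
    for name, args in (("xor", simulate_xor_loop(b"Hello, World!!", b"\x9f\xa3\xe1")),
                       ("upper", simulate_upper_loop(b"Hello, World!!"))):
        flagged, diff = analyze(*args)
        print(f"{name}: encryption logic={flagged} (rate difference {diff:.3f})")
```

The read-before-overwrite rule is what keeps loop-local scratch state (the counter above) out of the input set, so the rate is computed over the data the block actually consumed from its caller. Note also that the heuristic is one-sided by design: it only reacts when printability changes across the block, so compressed or already-binary inputs will not produce a large difference.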
6. A process analysis method of a process analysis apparatus to analyze a process to be analyzed and determine encryption logic, the process analysis method comprising:
acquiring an execution trace of the process to be analyzed; extracting, from the execution trace, a block that is a program element indicating a loop structure; extracting, from the block, block information including input information and output information including a value written in a storage area, wherein the extracted input information is determined to satisfy conditions of being defined prior to execution of the block, and being read prior to overwriting during execution of the block; generating characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information; analyzing the input/output relation of the block, using the characteristic determination information to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyzing the block to perform at least one of: detecting malware within the process, and processing encryption logic from the block to identify information compromised by the malware within the process.
7. A non-transitory computer readable medium including a process analysis program causing a computer to:
acquire an execution trace of a process to be analyzed; extract, from the execution trace, a block that is a program element indicating a loop structure; extract, from the block, block information including input information and output information including a value written in a storage area, wherein the extracted input information is determined to satisfy conditions of being defined prior to execution of the block, and being read prior to overwriting during execution of the block; generate characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information; analyze the input/output relation of the block, using the characteristic determination information, to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyze the block to perform at least one of: detecting malware within the process, and processing encryption logic from the block to identify information compromised by the malware within the process.