Process analysis apparatus, process analysis method, and process analysis for determining input/output relation of a block of execution trace to detect potential malware

US 10,325,094 B2
Filed: 08/28/2014
Issued: 06/18/2019
Est. Priority Date: 08/28/2014
Status: Active Grant

First Claim

Patent Images

1. A process analysis apparatus comprising processing circuitry to:

acquire an execution trace of a process to be analyzed;

extract, from the execution trace, a block that is a program element indicating a loop structure;

extract, from the block, block information including input information and output information including a value written in a storage area, wherein the extracted input information is determined to satisfy conditions ofbeing defined prior to execution of the block, andbeing read prior to overwriting during execution of the block;

generate characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information;

analyze the input/output relation of the block, using the characteristic determination information to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and

when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyze the block to perform at least one of;

detecting malware within the process, andprocessing encryption logic from the block to identify information compromised by the malware within the process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a process analysis apparatus for analyzing a process executed in an information processing unit and extracting encryption logic such as an encryption function or a decryption function used in the process. The process analysis apparatus is provided with an execution trace acquisition section to acquire an execution trace of a process to be analyzed; a block extraction section to extract, from the execution trace, a block that is a processing unit indicating a loop structure; a block information extraction section to extract, from the block, block information including input information and output information; and a block information analysis section to generate characteristic determination information for determining a characteristic of an input/output relation of the block, using the input information or the output information of the block information, analyzing the input/output relation of the block, using the characteristic determination information, and determining the block which indicates a characteristic of an input/output relation of an encryption function or a decryption function, as the encryption logic.

Citations

7 Claims

1. A process analysis apparatus comprising processing circuitry to:
- acquire an execution trace of a process to be analyzed;
  
  extract, from the execution trace, a block that is a program element indicating a loop structure;
  
  extract, from the block, block information including input information and output information including a value written in a storage area, wherein the extracted input information is determined to satisfy conditions ofbeing defined prior to execution of the block, andbeing read prior to overwriting during execution of the block;
  
  generate characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information;
  
  analyze the input/output relation of the block, using the characteristic determination information to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and
  
  when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyze the block to perform at least one of;
  
  detecting malware within the process, andprocessing encryption logic from the block to identify information compromised by the malware within the process.
- View Dependent Claims (2, 3, 4)
- - 2. The process analysis apparatus of claim 1, wherein the processing circuitry:
    - decodes the output information of the block information;
      
      generates, as the characteristic determination information, a decoding result obtained by decoding the output information of the block information; and
      
      determines the block which has the output information that matches the decoding result, as encryption logic.
  - 3. The process analysis apparatus of claim 1, wherein the processing circuitry:
    - decompresses the output information of the block information;
      
      generates, as the characteristic determination information, a decoding result obtained by decompressing the output information of the block information by the data decompression section; and
      
      determines the bock which has the output information that matches the decoding result, as the encryption logic.
  - 4. The process analysis apparatus of claim 1, wherein the processing circuitry:
    - inputs the output information of the block information to another block, and execute a process of the another block,generates, as the characteristic determination information, an execution result obtained by executing the process of the another block, anddetermines a block which has the input information that matches the execution result, as the encryption logic.

5. A process analysis apparatus comprising processing circuitry to:
- acquire an execution trace of a process to be analyzed;
  
  extract, from the execution trace, a block that is a program element indicating a loop structure;
  
  extract, from the block, block information including input information and output information including a value written in a storage area;
  
  generate characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information;
  
  analyze the input/output relation of the block, using the characteristic determination information to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and
  
  when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyze the block to perform at least one of;
  
  detecting malware within the process, andprocessing encryption logic from the block to identify information compromised by the malware within the process,wherein the processing circuitry determines a printable character-string rate which is a rate of printable character strings in one of the input information and the output information of the block information;
  
  calculates, as the characteristic determination information, a difference between a first printable character-string rate of the input information and a second printable character-string rate of the output information, which have been determined by the character-string rate determination section; and
  
  when the difference is at or above a predetermined threshold, determines the block to be encryption logic.

6. A process analysis method of a process analysis apparatus to analyze a process to be analyzed and determine encryption logic, the process analysis method comprising:
- acquiring an execution trace of the process to be analyzed;
  
  extracting, from the execution trace, a block that is a program element indicating a loop structure;
  
  extracting, from the block, block information including input information and output information including a value written in a storage area, wherein the extracted input information is determined to satisfy conditions ofbeing defined prior to execution of the block, andbeing read prior to overwriting during execution of the block;
  
  generating characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information;
  
  analyzing the input/output relation of the block, using the characteristic determination information to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and
  
  when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyzing the block to perform at least one of;
  
  detecting malware within the process, andprocessing encryption logic from the block to identify information compromised by the malware within the process.

7. A non-transitory computer readable medium including a process analysis program causing a computer to:
- acquire an execution trace of a process to be analyzed;
  
  extract, from the execution trace, a block that is a program element indicating a loop structure;
  
  extract, from the block, block information including input information and output information including a value written in a storage area, wherein the extracted input information is determined to satisfy conditions ofbeing defined prior to execution of the block, andbeing read prior to overwriting during execution of the block;
  
  generate characteristic determination information for determining a characteristic of an input/output relation of the block, using one of the input information and the output information of the block information,analyze the input/output relation of the block, using the characteristic determination information, to determine whether the characteristic of the input/output relation of the block is one of an encryption function and a decryption function; and
  
  when the characteristic of the input/output relation of the block is determined to be one of an encryption function and a decryption function, further analyze the block to perform at least one of;
  
  detecting malware within the process, andprocessing encryption logic from the block to identify information compromised by the malware within the process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitsubishi Electric Corporation
Original Assignee
Mitsubishi Electric Corporation
Inventors
Yamamoto, Takumi, Sakurai, Shoji, Kawauchi, Kiyoto
Primary Examiner(s)
Avery, Jeremiah L

Application Number

US15/500,476
Publication Number

US 20170337378A1
Time in Patent Office

1,755 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

Process analysis apparatus, process analysis method, and process analysis for determining input/output relation of a block of execution trace to detect potential malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Process analysis apparatus, process analysis method, and process analysis for determining input/output relation of a block of execution trace to detect potential malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links