Attack observation apparatus and attack observation method

US 10,491,628 B2
Filed: 09/17/2014
Issued: 11/26/2019
Est. Priority Date: 09/17/2014
Status: Active Grant

First Claim

Patent Images

1. An attack observation apparatus being an environment where malware is run and an attack of the malware is observed, the attack observation apparatus comprising:

a computer processor; and

a memory storing instructions which, when executed by the processor, performs a processing including,using a low-interactive simulation environment to simulate a terminal executing a response to communication coming from the malware;

accumulating, in a terminal state transition scenario storage, a terminal state transition scenario indicating a scenario of a state transition of the terminal;

generating an instruction for changing a state of the simulated terminal, in accordance with the terminal state transition scenario accumulated in the terminal state transition scenario storage;

changing the state of the simulated terminal, in accordance with the generated instruction;

monitoring an execution state of the low-interactive simulation environment with respect to the communication coming from the malware;

switching from the use of the low-interactive simulation environment to a high-interactive simulation environment to simulate the terminal executing a response to the communication coming from the malware depending on the execution state of the low-interactive simulation environment, the high-interactive simulation environment being implemented by using a virtual machine to simulate the terminal; and

accumulating, in a communication restoring data accumulation storage, restoring data necessary for restoring a communication state of the simulated terminal,wherein the communication state of the simulated terminal is restored by using the restoring data accumulated in the communication restoring data accumulation storage when the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to an attack observation apparatus being a simulation environment where a malicious program such as malware created by an attacker is run, the simulation environment being built for observing the behavior and attack scheme of the malicious program.

The attack observation apparatus includes a low-interactive simulation environment to execute on a terminal a predetermined response to communication coming from the malware, a high-interactive simulation environment to execute a response to the communication coming from the malware with using a virtual machine which simulates the terminal, and a communication management part to monitor an execution state of the low-interactive simulation environment with respect to the communication coming from the malware and switch the communication coming from the malware to the high-interactive simulation environment depending on the execution state of the low-interactive simulation environment.

Citations

9 Claims

1. An attack observation apparatus being an environment where malware is run and an attack of the malware is observed, the attack observation apparatus comprising:
- a computer processor; and
  
  a memory storing instructions which, when executed by the processor, performs a processing including,using a low-interactive simulation environment to simulate a terminal executing a response to communication coming from the malware;
  
  accumulating, in a terminal state transition scenario storage, a terminal state transition scenario indicating a scenario of a state transition of the terminal;
  
  generating an instruction for changing a state of the simulated terminal, in accordance with the terminal state transition scenario accumulated in the terminal state transition scenario storage;
  
  changing the state of the simulated terminal, in accordance with the generated instruction;
  
  monitoring an execution state of the low-interactive simulation environment with respect to the communication coming from the malware;
  
  switching from the use of the low-interactive simulation environment to a high-interactive simulation environment to simulate the terminal executing a response to the communication coming from the malware depending on the execution state of the low-interactive simulation environment, the high-interactive simulation environment being implemented by using a virtual machine to simulate the terminal; and
  
  accumulating, in a communication restoring data accumulation storage, restoring data necessary for restoring a communication state of the simulated terminal,wherein the communication state of the simulated terminal is restored by using the restoring data accumulated in the communication restoring data accumulation storage when the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The attack observation apparatus according to claim 1,wherein the low-interactive simulation environment transmits a switching request for switching the simulation environment which simulates the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment, depending on the execution state of the low-interactive simulation environment, andwherein the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed in response to the switching request transmitted from the low-interactive simulation environment.
  - 3. The attack observation apparatus according to claim 1, the process further comprising storing, in an execution state management storage, execution state data indicating the execution state of the low-interactive simulation environment and an execution state of the high-interactive simulation environment,wherein the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed based on an execution state indicated by the execution state data stored in the execution state management storage.
  - 4. The attack observation apparatus according to claim 1, the process further comprising accumulating, in an execution command accumulation storage, a command for executing the terminal state transition scenario on the high-interactive simulation environment,wherein the instruction is generated by using the command accumulated in the execution command accumulation part.
  - 5. The attack observation apparatus according to claim 1, the process further comprising relaying communication coming from the simulated terminal to another terminal simulated by the attack observation apparatus.
  - 6. The attack observation apparatus according to claim 1, the process further comprising storing, in an ARP cache setting storage, an ARP cache as a setting of a spoofed response to an ARP (Address Resolution Protocol) request,wherein the ARP cache stored in the ARP cache setting storage is transmitted to the virtual machine of the high-interactive simulation environment.
  - 7. The attack observation apparatus according to claim 1, the process further comprisingproducing, from the low-interactive simulation environment, communication restoring application layer data in which a communication state of an application layer of the terminal has been restored, andtransferring the communication restoring application layer data to the virtual machine of the high-interactive simulation environment.
  - 8. The attack observation apparatus according to claim 1, wherein the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed depending on a detection result of an intrusion detection system which detects intrusion of the malware.

9. An attack observation method of an attack observation apparatus being an environment where malware is run and an attack of the malware is observed, the attack observation method comprising:
- using a low-interactive simulation environment to simulate a terminal executing a response to communication coming from the malware;
  
  generating an instruction for changing a state of the terminal, in accordance with a terminal state transition scenario indicating a scenario of a state transition of the terminal;
  
  changing the state of the simulated terminal, in accordance with the instruction;
  
  monitoring an execution state of the low-interactive simulation environment with respect to the communication coming from the malware;
  
  switching from the use of the low-interactive simulation environment to a high-interactive simulation environment to simulate the terminal executing a response to the communication coming from the malware depending on the execution state of the low-interactive simulation environment, the high-interactive simulation environment being implemented by using a virtual machine to simulate the terminal; and
  
  accumulating, in a communication restoring data accumulation storage, restoring data necessary for restoring a communication state of the simulated terminal,wherein the communication state of the simulated terminal is restored by using the restoring data accumulated in the communication restoring data accumulation storage when the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitsubishi Electric Corporation
Original Assignee
Mitsubishi Electric Corporation
Inventors
Kawauchi, Kiyoto, Sakurai, Shoji
Primary Examiner(s)
Lewis, Lisa C
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US15/509,299
Publication Number

US 20170302683A1
Time in Patent Office

1,896 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Attack observation apparatus and attack observation method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Attack observation apparatus and attack observation method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links