Attack observation apparatus and attack observation method
First Claim
1. An attack observation apparatus being an environment where malware is run and an attack of the malware is observed, the attack observation apparatus comprising:
a computer processor; and
a memory storing instructions which, when executed by the processor, performs a processing including, using a low-interactive simulation environment to simulate a terminal executing a response to communication coming from the malware;
accumulating, in a terminal state transition scenario storage, a terminal state transition scenario indicating a scenario of a state transition of the terminal;
generating an instruction for changing a state of the simulated terminal, in accordance with the terminal state transition scenario accumulated in the terminal state transition scenario storage;
changing the state of the simulated terminal, in accordance with the generated instruction;
monitoring an execution state of the low-interactive simulation environment with respect to the communication coming from the malware;
switching from the use of the low-interactive simulation environment to a high-interactive simulation environment to simulate the terminal executing a response to the communication coming from the malware depending on the execution state of the low-interactive simulation environment, the high-interactive simulation environment being implemented by using a virtual machine to simulate the terminal; and
accumulating, in a communication restoring data accumulation storage, restoring data necessary for restoring a communication state of the simulated terminal, wherein the communication state of the simulated terminal is restored by using the restoring data accumulated in the communication restoring data accumulation storage when the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed.
Abstract
The present invention relates to an attack observation apparatus being a simulation environment where a malicious program such as malware created by an attacker is run, the simulation environment being built for observing the behavior and attack scheme of the malicious program.
The attack observation apparatus includes a low-interactive simulation environment to execute on a terminal a predetermined response to communication coming from the malware, a high-interactive simulation environment to execute a response to the communication coming from the malware using a virtual machine which simulates the terminal, and a communication management part to monitor an execution state of the low-interactive simulation environment with respect to the communication coming from the malware and switch the communication coming from the malware to the high-interactive simulation environment depending on the execution state of the low-interactive simulation environment.
9 Claims
9. An attack observation method of an attack observation apparatus being an environment where malware is run and an attack of the malware is observed, the attack observation method comprising:
using a low-interactive simulation environment to simulate a terminal executing a response to communication coming from the malware;
generating an instruction for changing a state of the terminal, in accordance with a terminal state transition scenario indicating a scenario of a state transition of the terminal;
changing the state of the simulated terminal, in accordance with the instruction;
monitoring an execution state of the low-interactive simulation environment with respect to the communication coming from the malware;
switching from the use of the low-interactive simulation environment to a high-interactive simulation environment to simulate the terminal executing a response to the communication coming from the malware depending on the execution state of the low-interactive simulation environment, the high-interactive simulation environment being implemented by using a virtual machine to simulate the terminal; and
accumulating, in a communication restoring data accumulation storage, restoring data necessary for restoring a communication state of the simulated terminal, wherein the communication state of the simulated terminal is restored by using the restoring data accumulated in the communication restoring data accumulation storage when the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed.
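The low-to-high switch with a restored communication state that the abstract and claims 1 and 9 describe, as an added Python sketch that is not the patent's own code: the canned responder stands in for the low-interactive environment, a plain class stands in for the virtual machine, and SCENARIO, RestoreData, LowInteractiveSim, HighInteractiveSim and CommunicationManager are hypothetical names.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical terminal state transition scenario: the states the simulated
# terminal is instructed to move through while the malware talks to it.
SCENARIO: List[str] = ["booted", "logged_in", "idle"]

@dataclass
class RestoreData:
    """Communication restoring data: what the VM needs to rebuild the connection."""
    transcript: List[str] = field(default_factory=list)  # messages handled so far
    terminal_state: str = SCENARIO[0]

class LowInteractiveSim:
    """Canned responder that only knows a small fixed command set."""
    KNOWN = {"HELO": "250 OK", "LOGIN": "230 logged in", "PWD": "257 /home"}
    def respond(self, msg: str) -> Optional[str]:
        # None is the execution state "cannot handle this", which the manager watches.
        return self.KNOWN.get(msg.partition(" ")[0])

class HighInteractiveSim:
    """Stand-in for the VM-backed terminal (hypothetical, not a real VM)."""
    def __init__(self) -> None:
        self.state, self.history = SCENARIO[0], []
    def restore(self, data: RestoreData) -> None:
        self.state = data.terminal_state
        self.history = list(data.transcript)  # replay the earlier exchange into the VM
    def respond(self, msg: str) -> str:
        self.history.append(msg)
        return f"vm:{self.state}:{msg}"

class CommunicationManager:
    """Monitors the low-interactive environment; switches to the VM with state restored."""
    def __init__(self) -> None:
        self.low, self.high = LowInteractiveSim(), None
        self.restore, self._steps = RestoreData(), iter(SCENARIO[1:])
    def advance_scenario(self) -> str:
        # Generate the instruction that changes the terminal state per the scenario.
        self.restore.terminal_state = next(self._steps, self.restore.terminal_state)
        return self.restore.terminal_state
    def handle(self, msg: str) -> str:
        if self.high is None:
            reply = self.low.respond(msg)
            if reply is not None:
                self.restore.transcript.append(msg)
                return reply
            # Low-interactive environment cannot continue: switch to the VM and
            # rebuild its communication state from the accumulated restoring data.
            self.high = HighInteractiveSim()
            self.high.restore(self.restore)
        return self.high.respond(msg)
```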