
Attack observation apparatus and attack observation method

  • US 10,491,628 B2
  • Filed: 09/17/2014
  • Issued: 11/26/2019
  • Est. Priority Date: 09/17/2014
  • Status: Active Grant
First Claim

1. An attack observation apparatus being an environment where malware is run and an attack of the malware is observed, the attack observation apparatus comprising:

  • a computer processor; and

    a memory storing instructions which, when executed by the processor, performs a processing including, using a low-interactive simulation environment to simulate a terminal executing a response to communication coming from the malware;

    accumulating, in a terminal state transition scenario storage, a terminal state transition scenario indicating a scenario of a state transition of the terminal;

    generating an instruction for changing a state of the simulated terminal, in accordance with the terminal state transition scenario accumulated in the terminal state transition scenario storage;

    changing the state of the simulated terminal, in accordance with the generated instruction;

    monitoring an execution state of the low-interactive simulation environment with respect to the communication coming from the malware;

    switching from the use of the low-interactive simulation environment to a high-interactive simulation environment to simulate the terminal executing a response to the communication coming from the malware depending on the execution state of the low-interactive simulation environment, the high-interactive simulation environment being implemented by using a virtual machine to simulate the terminal; and

    accumulating, in a communication restoring data accumulation storage, restoring data necessary for restoring a communication state of the simulated terminal, wherein the communication state of the simulated terminal is restored by using the restoring data accumulated in the communication restoring data accumulation storage when the switching of the simulation environment simulating the terminal executing the response to the communication coming from the malware from the low-interactive simulation environment to the high-interactive simulation environment is performed.
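The handover recited in the claim, modelled as an added Python example that is not taken from the patent: a scripted low-interactive responder follows a state transition scenario, accumulates restoring data, and a monitor switches to a high-interactive stand-in that is first restored from that data. All class names, message strings and the rule "switch when the script has no answer" are assumptions, and the scenario is simplified to request-driven transitions.

```python
# Added illustration; all names are hypothetical and nothing here comes from the patent.
from dataclasses import dataclass, field

# Constructed scenario: (state, request) -> (response, next state)
SCENARIO = {
    ("LISTEN", "HELLO"): ("220 ready", "GREETED"),
    ("GREETED", "AUTH guest"): ("230 logged in", "AUTHED"),
}

@dataclass
class LowInteraction:
    """Scripted responder that follows the state transition scenario."""
    state: str = "LISTEN"
    restoring_data: list = field(default_factory=list)  # accumulated exchanges

    def handle(self, request):
        step = SCENARIO.get((self.state, request))
        if step is None:
            return None  # execution state: the script cannot answer
        response, self.state = step
        self.restoring_data.append((request, response))
        return response

@dataclass
class HighInteraction:
    """Stand-in for a VM-backed terminal; here it only tracks the session."""
    history: list = field(default_factory=list)

    def restore(self, restoring_data):
        # Replay the earlier exchange so the session resumes where it stopped.
        self.history = list(restoring_data)

    def handle(self, request):
        self.history.append((request, "vm-response"))
        return "vm-response"

class Observer:
    """Monitors the low-interactive side and switches once it cannot respond."""
    def __init__(self):
        self.low, self.high, self.active = LowInteraction(), HighInteraction(), "low"

    def handle(self, request):
        if self.active == "low":
            response = self.low.handle(request)
            if response is not None:
                return response
            self.high.restore(self.low.restoring_data)  # carry the state over
            self.active = "high"
        return self.high.handle(request)

def run(requests):
    obs = Observer()
    return [obs.handle(r) for r in requests], obs
```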
