A Study of a Malware Infection Detection Method Based on Automatic Whitelist/Blacklist Generation Using Graylists (A detection method of malware infections based on "graylists") [in Japanese]

Abstract

(Translated from the Japanese abstract.) With the spread of the Internet in recent years the online population has grown, and with it the cyber-attack techniques that constitute crime on the network have become more sophisticated, making intrusions such as malware increasingly hard to prevent. Attention has therefore turned to techniques that detect a malware infection as early as possible, so that the actual damage of an intrusion is kept to a minimum. One common countermeasure, a blacklist of the malicious websites (C&C servers) that malware contacts, has difficulty keeping up with the frequent changes of C&C servers. To address this, this study proposes a method that can automatically expand whitelists and blacklists: destinations are sorted into a whitelist, a blacklist, or a graylist (neither of the two) on the basis of a malignancy score computed by analysing the network access logs; additional authentication, in a form that is difficult for a program such as malware to pass, is then performed, and each graylist entry is moved to the whitelist or the blacklist. Compared with the conventional approach that relies only on a blacklist prepared in advance, this method is expected to improve the malware infection detection rate.

As the network population has been increasing in recent years, cyber-attack techniques, which are criminal offences on the network, have become more refined, and preventing threats such as malware infection is becoming more difficult. In order to minimize the damage, various methods of detecting malware at the earliest opportunity have been developed. However, those methods are based on blacklists of malicious Web sites (C&C servers) and therefore have difficulty following the frequent changes of C&C servers. In order to overcome this difficulty, we propose a new method of automatically generating blacklists and whitelists as follows: first, calculating malignancy scores by analyzing the access logs of the network; second, based on those scores, assigning destination URLs to blacklists, whitelists, and "graylists" that are included in neither list; after that, performing additional authentication that a program such as malware cannot pass but a human can, and assigning the graylisted destinations to the blacklist or whitelist based on the outcome of the authentication. This method is expected to improve the detection capability for malware infection compared with conventional methods that depend only on blacklists.
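The three steps in the abstract (score destinations from access logs, triage them into white/black/gray lists, then resolve the graylist with an authentication step that a human can pass but a program cannot) are easy to follow as a small pipeline. The Python below is an added illustration, not the paper's own code: the log format, the malignancy heuristic (few distinct clients, non-browser User-Agent, regularly spaced "beaconing" requests), the thresholds and the challenge callback are all assumptions chosen to make the flow concrete, and the log lines are constructed.

```python
"""Graylist-based whitelist/blacklist generation (illustrative, not the paper's code).

Assumptions: a 4-field access-log line, a simple malignancy heuristic and
fixed thresholds. The "additional authentication" is modelled as a callback
that returns True when a human completed the challenge for that destination.
"""
from collections import defaultdict
from statistics import pstdev
from typing import Callable, Dict, Iterable, Set

# Constructed access-log lines: "<epoch> <client_ip> <dest_host> <user_agent>"
SAMPLE_LOG = """\
1000 10.0.0.5 update.example-vendor.test Mozilla/5.0
1010 10.0.0.5 cdn.example-news.test Mozilla/5.0
1003 10.0.0.7 cdn.example-news.test Mozilla/5.0
1000 10.0.0.9 beacon.example-bad.test WinHTTP/1.0
1060 10.0.0.9 beacon.example-bad.test WinHTTP/1.0
1120 10.0.0.9 beacon.example-bad.test WinHTTP/1.0
1180 10.0.0.9 beacon.example-bad.test WinHTTP/1.0
1005 10.0.0.5 files.example-unknown.test curl/7.0
1400 10.0.0.5 files.example-unknown.test curl/7.0
1200 10.0.0.8 cdn.example-news.test Mozilla/5.0
"""

BROWSER_UA_PREFIXES = ("Mozilla/",)
WHITE_MAX, BLACK_MIN = 0.2, 0.8   # assumed thresholds for the triage step


def parse_log(text: str):
    """Yield (timestamp, client, host, user_agent) from the constructed log format."""
    for line in text.splitlines():
        ts, client, host, ua = line.split(maxsplit=3)
        yield int(ts), client, host, ua


def malignancy(text: str) -> Dict[str, float]:
    """Step 1: score each destination host in [0, 1]; higher is more suspicious.

    Assumed heuristic: +0.4 if only one client ever contacts the host,
    up to +0.3 for non-browser User-Agents, +0.3 for evenly spaced requests.
    """
    clients, times = defaultdict(set), defaultdict(list)
    non_browser, total = defaultdict(int), defaultdict(int)
    for ts, client, host, ua in parse_log(text):
        clients[host].add(client)
        times[host].append(ts)
        total[host] += 1
        if not ua.startswith(BROWSER_UA_PREFIXES):
            non_browser[host] += 1
    scores = {}
    for host in total:
        s = 0.4 if len(clients[host]) == 1 else 0.0
        s += 0.3 * non_browser[host] / total[host]
        ts = sorted(times[host])
        if len(ts) >= 3:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if pstdev(gaps) < 0.1 * (sum(gaps) / len(gaps)):  # near-constant interval
                s += 0.3
        scores[host] = round(min(s, 1.0), 2)
    return scores


def triage(scores: Dict[str, float]) -> Dict[str, Set[str]]:
    """Step 2: split hosts into whitelist, blacklist and graylist by score."""
    lists = {"white": set(), "black": set(), "gray": set()}
    for host, s in scores.items():
        key = "white" if s <= WHITE_MAX else "black" if s >= BLACK_MIN else "gray"
        lists[key].add(host)
    return lists


def resolve_graylist(lists: Dict[str, Set[str]],
                     challenge: Callable[[str], bool]) -> Dict[str, Set[str]]:
    """Step 3: move every graylisted host to white (challenge passed by a human)
    or black (nobody passed it), so the lists grow without manual curation."""
    for host in sorted(lists["gray"]):
        lists["white" if challenge(host) else "black"].add(host)
    lists["gray"].clear()
    return lists


def infected_clients(text: str, blacklist: Iterable[str]) -> list:
    """Detection: clients that contacted a blacklisted destination."""
    black = set(blacklist)
    return sorted({c for _, c, host, _ in parse_log(text) if host in black})


if __name__ == "__main__":
    scores = malignancy(SAMPLE_LOG)
    lists = triage(scores)
    # Constructed challenge outcomes standing in for the human authentication step.
    outcome = {"update.example-vendor.test": True, "files.example-unknown.test": False}
    resolved = resolve_graylist(lists, lambda h: outcome.get(h, False))
    print(scores, resolved, infected_clients(SAMPLE_LOG, resolved["black"]))
```

In this constructed run the news CDN lands on the whitelist (many clients, browser UA), the beaconing host on the blacklist, and the two single-client hosts on the graylist; after the challenge step the vendor update host is whitelisted and the unconfirmed file host is blacklisted, which is what lets the second client be flagged as infected.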

Journal

  • IPSJ SIG technical reports

    IPSJ SIG technical reports 2014-SPT-10(16), 1-7, 2014-06-26

    Information Processing Society of Japan (IPSJ)

Codes

  • NII Article ID (NAID)
    110009804703
  • NII NACSIS-CAT ID (NCID)
    AA12628305
  • Text Lang
    JPN
  • Article Type
    Technical Report
  • Data Source
    NII-ELS IPSJ