Abstract:
A detection device (10) identifies candidate bots using flow data. The detection device (10) uses the flow data to count the number of candidate bots communicating with each server and determines that a server communicating with a predetermined number or more of candidate bots is a malicious server. The detection device (10) then detects a candidate bot communicating with the malicious server as a malicious bot.
Abstract:
A detection device (100) generates an event sequence from events acquired for each identifier that distinguishes among terminals in a monitoring target network, or among pieces of malware, taking into account the order in which the events occur. The detection device (100) retrieves events that commonly occur in event sequences belonging to the same cluster, where clusters contain event sequences whose similarity is at a predetermined level or higher, and extracts a representative event sequence as a detection event sequence based on the relationship between events that have high occurrence rates in similar common event sequences. The detection device (100) detects a malware-infected terminal in the monitoring target network based on whether the event sequence generated from communication in the monitoring target network matches the extracted detection event sequence.
Abstract:
A flow information analysis apparatus (10) receives flow information containing a header sample, determines whether the header sample of the flow information matches any of a set of templates that are based on tunneling protocols, and, when it determines that the header sample matches one of the templates, extracts information on the header of the IP packet from the header sample on the basis of the matched template. Further, when it determines that the header sample does not match any of the templates, the flow information analysis apparatus (10) extracts information on the header of the IP packet from the header sample on the basis of the result of a search through the header sample for a byte sequence that matches search data in which a value set in a specific field of the tunnel header and a value set in a specific field of the IP packet are combined.
Abstract:
A malicious communication pattern extraction device (10) includes a statistical value calculation unit (132) that calculates a statistical value for the appearance frequency of each of a plurality of communication patterns, each pattern being a combination of a field and a value, from a traffic log (31) obtained from traffic caused by malware and a traffic log (21) obtained from traffic in a predetermined communication environment; a malicious list candidate extraction unit (134) that, for each communication pattern, compares its appearance frequency in the traffic log (21) with its appearance frequency in the traffic log (31) based on the statistical value calculated by the statistical value calculation unit (132), and extracts the communication pattern as a malicious communication pattern when the difference between the two appearance frequencies is equal to or greater than a predetermined threshold; and a threshold setting unit (135) that sets the threshold so that the erroneous detection rate, that is, the probability of erroneously detecting the traffic caused by malware, is equal to or less than a certain value, while the detection rate, that is, the probability of detecting the traffic caused by malware, is equal to or greater than a certain value.
Abstract:
A search apparatus (10) extracts fingerprints, which are combinations of first communication data corresponding to requests and second communication data corresponding to the responses to those requests, from the communication data of known malware, independently of protocol. The search apparatus (10) assigns the fingerprints degrees of priority corresponding to the degrees of maliciousness of the malware. The search apparatus (10) selects search-target sending-out destinations from among the sending-out destinations. The search apparatus (10) generates probes based on the first communication data of the fingerprints and signatures based on the payloads of the second communication data of the fingerprints. The search apparatus (10) sends the probes to the search-target sending-out destinations in order of their degrees of priority. The search apparatus (10) determines whether the sending-out destinations are malicious based on the responses and the signatures.
Abstract:
A classification apparatus (10) acquires a communication log including a plurality of pieces of traffic data and extracts different types of feature values from those pieces of traffic data. Subsequently, the classification apparatus (10) classifies the traffic data on a per-IP-address basis using the extracted feature values of each type, and uses the plurality of classification results to count the number of times a pattern having the same combination of classification results appears.
Abstract:
A blacklist generating device (300) acquires a malicious communication log (301a) and a normal communication log (301b). A malicious communication profile extracting function (305) calculates statistics on the communication patterns included in the malicious communication log (301a) and outputs each communication pattern satisfying a certain condition to a potential blacklist (305a). A normal communication profile extracting function (306) calculates statistics on the communication patterns included in the normal communication log (301b) and outputs each communication pattern satisfying a certain condition to a whitelist (306a). A blacklist creating function (307) searches the potential blacklist (305a) for values that also appear on the whitelist (306a), excludes each coincident communication pattern from the potential blacklist (305a), and creates a blacklist (307a).
Abstract:
There is provided an analysis rule adjustment device that adjusts an analysis rule used in a communication log analysis performed to detect malicious communication through a network. The analysis rule adjustment device includes a log acquisition unit, a log analysis unit, and a first analysis unit. The log acquisition unit acquires a communication log from the network to be defended and a communication log generated by malware. The log analysis unit analyzes the communication logs acquired by the log acquisition unit on the basis of a predetermined analysis rule and a tuning condition. The first analysis unit analyzes the analysis result produced by the log analysis unit and calculates a recommended tuning value that is used in adjusting the predetermined analysis rule and that satisfies the tuning condition.
Abstract:
A generation apparatus (10) aggregates a plurality of traffic data for each predetermined target. Further, the generation apparatus (10) samples the traffic data of each target for which the number of aggregated traffic data exceeds a threshold. Further, the generation apparatus (10) generates a feature vector representing the features of the aggregated traffic data for each target that is not sampled, and generates a feature vector representing the features of the sampled traffic data for each target for which sampling is performed.