Bo SUN
National Institute of Information and Communications Technology, Waseda University
Akinori FUJINO
Waseda University
Tatsuya MORI
Waseda University, RIKEN
Tao BAN
National Institute of Information and Communications Technology
Takeshi TAKAHASHI
National Institute of Information and Communications Technology
Daisuke INOUE
National Institute of Information and Communications Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Bo SUN, Akinori FUJINO, Tatsuya MORI, Tao BAN, Takeshi TAKAHASHI, Daisuke INOUE, "Automatically Generating Malware Analysis Reports Using Sandbox Logs" in IEICE TRANSACTIONS on Information,
vol. E101-D, no. 11, pp. 2622-2632, November 2018, doi: 10.1587/transinf.2017ICP0011.
Abstract: Analyzing a malware sample requires much more time and cost than creating it. To understand the behavior of a given malware sample, security analysts often make use of API call logs collected by the dynamic malware analysis tools such as a sandbox. As the amount of the log generated for a malware sample could become tremendously large, inspecting the log requires a time-consuming effort. Meanwhile, antivirus vendors usually publish malware analysis reports (vendor reports) on their websites. These malware analysis reports are the results of careful analysis done by security experts. The problem is that even though there are such analyzed examples for malware samples, associating the vendor reports with the sandbox logs is difficult. This makes security analysts not able to retrieve useful information described in vendor reports. To address this issue, we developed a system called AMAR-Generator that aims to automate the generation of malware analysis reports based on sandbox logs by making use of existing vendor reports. Aiming at a convenient assistant tool for security analysts, our system employs techniques including template matching, API behavior mapping, and malicious behavior database to produce concise human-readable reports that describe the malicious behaviors of malware programs. Through the performance evaluation, we first demonstrate that AMAR-Generator can generate human-readable reports that can be used by a security analyst as the first step of the malware analysis. We also demonstrate that AMAR-Generator can identify the malicious behaviors that are conducted by malware from the sandbox logs; the detection rates are up to 96.74%, 100%, and 74.87% on the sandbox logs collected in 2013, 2014, and 2015, respectively. We also present that it can detect malicious behaviors from unknown types of sandbox logs.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2017ICP0011/_p
@ARTICLE{e101-d_11_2622,
author={Bo SUN and Akinori FUJINO and Tatsuya MORI and Tao BAN and Takeshi TAKAHASHI and Daisuke INOUE},
journal={IEICE TRANSACTIONS on Information},
title={Automatically Generating Malware Analysis Reports Using Sandbox Logs},
year={2018},
volume={E101-D},
number={11},
pages={2622-2632},
abstract={Analyzing a malware sample requires much more time and cost than creating it. To understand the behavior of a given malware sample, security analysts often make use of API call logs collected by the dynamic malware analysis tools such as a sandbox. As the amount of the log generated for a malware sample could become tremendously large, inspecting the log requires a time-consuming effort. Meanwhile, antivirus vendors usually publish malware analysis reports (vendor reports) on their websites. These malware analysis reports are the results of careful analysis done by security experts. The problem is that even though there are such analyzed examples for malware samples, associating the vendor reports with the sandbox logs is difficult. This makes security analysts not able to retrieve useful information described in vendor reports. To address this issue, we developed a system called AMAR-Generator that aims to automate the generation of malware analysis reports based on sandbox logs by making use of existing vendor reports. Aiming at a convenient assistant tool for security analysts, our system employs techniques including template matching, API behavior mapping, and malicious behavior database to produce concise human-readable reports that describe the malicious behaviors of malware programs. Through the performance evaluation, we first demonstrate that AMAR-Generator can generate human-readable reports that can be used by a security analyst as the first step of the malware analysis. We also demonstrate that AMAR-Generator can identify the malicious behaviors that are conducted by malware from the sandbox logs; the detection rates are up to 96.74%, 100%, and 74.87% on the sandbox logs collected in 2013, 2014, and 2015, respectively. We also present that it can detect malicious behaviors from unknown types of sandbox logs.},
keywords={},
doi={10.1587/transinf.2017ICP0011},
ISSN={1745-1361},
month={November}
}
TY - JOUR
TI - Automatically Generating Malware Analysis Reports Using Sandbox Logs
T2 - IEICE TRANSACTIONS on Information
SP - 2622
EP - 2632
AU - Bo SUN
AU - Akinori FUJINO
AU - Tatsuya MORI
AU - Tao BAN
AU - Takeshi TAKAHASHI
AU - Daisuke INOUE
PY - 2018
DO - 10.1587/transinf.2017ICP0011
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E101-D
IS - 11
JA - IEICE TRANSACTIONS on Information
Y1 - November 2018
AB - Analyzing a malware sample requires much more time and cost than creating it. To understand the behavior of a given malware sample, security analysts often make use of API call logs collected by the dynamic malware analysis tools such as a sandbox. As the amount of the log generated for a malware sample could become tremendously large, inspecting the log requires a time-consuming effort. Meanwhile, antivirus vendors usually publish malware analysis reports (vendor reports) on their websites. These malware analysis reports are the results of careful analysis done by security experts. The problem is that even though there are such analyzed examples for malware samples, associating the vendor reports with the sandbox logs is difficult. This makes security analysts not able to retrieve useful information described in vendor reports. To address this issue, we developed a system called AMAR-Generator that aims to automate the generation of malware analysis reports based on sandbox logs by making use of existing vendor reports. Aiming at a convenient assistant tool for security analysts, our system employs techniques including template matching, API behavior mapping, and malicious behavior database to produce concise human-readable reports that describe the malicious behaviors of malware programs. Through the performance evaluation, we first demonstrate that AMAR-Generator can generate human-readable reports that can be used by a security analyst as the first step of the malware analysis. We also demonstrate that AMAR-Generator can identify the malicious behaviors that are conducted by malware from the sandbox logs; the detection rates are up to 96.74%, 100%, and 74.87% on the sandbox logs collected in 2013, 2014, and 2015, respectively. We also present that it can detect malicious behaviors from unknown types of sandbox logs.
ER -