ntt r&d’s anti-malware technologiesokaweb.ec.kyushu-u.ac.jp/cs/2015-0121/materials/16...
TRANSCRIPT
Copyright©2015 NTT corp. All Rights Reserved.
NTT R&D’s anti-malware technologies
Jan. 21, 2015
NTT Secure Platform Laboratories
Takeo HARIU
2Copyright©2015 NTT corp. All Rights Reserved.
Malware Threats
Malware causes most of cyber attacks
Major infection routes are web browsing, URL links in email
messages, attachment files, etc.
McAfee Labs Threats Report Nov. 2014
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-
2014.pdf?cid=BHP032
constant emergence ofnew malware
Infection by
web
browsing
Infection
by clicking
web link
Users
others
http://...URL link
http://...Email
Exploiting
/ infectionWeb browsing
3Copyright©2015 NTT corp. All Rights Reserved.
Internet
Malware
・悪性サイトURL
・攻撃元・攻撃コード・マルウェア検体・悪性アプリ等の時系列データ
Reputation /
Profiling
Web client type
honeypot
Web server type
honeypot
Android crawler
NTT R&D’s Anti-malware Technologies
Time series data of
・Malicious web sites
・Sources of attacks
・Exploiting codes
・Malware files
・Malware communications
NTT R&D
attack sensors
Malware dynamic
analysis
Malware
files
Malware
analysis
result
Collected
data
Intelligence Database
RELIEF
Detect/gather the latest attacks using “honeypot” sensors
Analyze gathered data such as malware samples
Construct an intelligence database of threat information
Implement countermeasures such as access filtering
4Copyright©2015 NTT corp. All Rights Reserved.
Internet
Malware
・悪性サイトURL
・攻撃元・攻撃コード・マルウェア検体・悪性アプリ等の時系列データ
Reputation /
Profiling
Web client type
honeypot
Web server type
honeypot
Android crawler
NTT R&D’s Anti-malware Technologies
Time series data of
・Malicious web sites
・Sources of attacks
・Exploiting codes
・Malware files
・Malware communications
NTT R&D
attack sensors
Malware dynamic
analysis
Malware
files
Malware
analysis
result
Collected
data
Intelligence Database
RELIEF
Detect/gather the latest attacks using “honeypot” sensors
Analyze gathered data such as malware samples
Construct an intelligence database of threat information
Implement countermeasures such as access filtering
5Copyright©2015 NTT corp. All Rights Reserved.
Malicious site
Exploiting code
Web Client Type Honeypot
A decoy web crawler which detects attacks to web browser vulnerabilities
Crawls web sites, finds malicious web sites with exploiting codes or malware files,
specifies attacks, and collects malware files
Highly parallelized OSes and browsers make it possible to crawl many web sites
Crawling
Malware
downloading
Web space in the Internet
Web client type honeypots
OS (virtual machine) Web browser (process)
6Copyright©2015 NTT corp. All Rights Reserved.
Internet
Malware
・悪性サイトURL
・攻撃元・攻撃コード・マルウェア検体・悪性アプリ等の時系列データ
Reputation /
Profiling
Web client type
honeypot
Web server type
honeypot
Android crawler
NTT R&D’s Anti-malware Technologies
Time series data of
・Malicious web sites
・Sources of attacks
・Exploiting codes
・Malware files
・Malware communications
NTT R&D
attack sensors
Malware dynamic
analysis
Malware
files
Malware
analysis
result
Collected
data
Intelligence Database
RELIEF
Detect/gather the latest attacks using “honeypot” sensors
Analyze gathered data such as malware samples
Construct an intelligence database of threat information
Implement countermeasures such as access filtering
7Copyright©2015 NTT corp. All Rights Reserved.
Malware Dynamic Analysis
Some malware acts communicating with attacker’s C&C servers, so malware dynamic
analysis in Internet environment is important
Analyze malware behavior safely by using Fake Internet
Extract malware-related hosts information such as attacker’s C&C servers, malware
distribution sites
Benign sites
Malicious sites
malware
Fake Internet
Fake Internet
generates fake
responses
Malware
honeypot
Analysis environment
Internet
Controls communications
with benign users
×
8Copyright©2015 NTT corp. All Rights Reserved.
Internet
Malware
・悪性サイトURL
・攻撃元・攻撃コード・マルウェア検体・悪性アプリ等の時系列データ
Reputation /
Profiling
Web client type
honeypot
Web server type
honeypot
Android crawler
NTT R&D’s Anti-malware Technologies
Time series data of
・Malicious web sites
・Sources of attacks
・Exploiting codes
・Malware files
・Malware communications
NTT R&D
attack sensors
Malware dynamic
analysis
Malware
files
Malware
analysis
result
Collected
data
Intelligence Database
RELIEF
Detect/gather the latest attacks using “honeypot” sensors
Analyze gathered data such as malware samples
Construct an intelligence database of threat information
Implement countermeasures such as access filtering
9Copyright©2015 NTT corp. All Rights Reserved.
Security Intelligence DB “RELIEF”
Analyze collected time-series data taking with various viewpoint such
as nations, vulnerabilities
Apply to countermeasures such as blocking malicious communications
by using blacklists, alerting infected users or falsified web
administrators
Internet
Security
intelligence DB
“RELIEF”
Honeypots
Analysis
Malware
Blocking malicious communications
Cooperation with SIEM
Network monitoring
Administrator Falsified site
Operator
Usage scenes
10Copyright©2015 NTT corp. All Rights Reserved.
Thank you!