Presentation 2011-07-26
A visualization method of Windows OS malware using SOM
Ruo ANDO,
Abstract(in Japanese) (See Japanese page)
Abstract (in English) As commodity operating systems have accumulated compound functions and utilities, malware behavior has become complicated. In security incident analysis, we need to identify the malware without detailed information about its structure and parameters. SOM (self-organizing map) is an unsupervised learning algorithm, and it makes it possible to analyze the malware without expensive preprocessing. In this paper we propose an interdomain communication protocol for the XEN virtual machine involving an emit instruction. DomainU can convey information to the hypervisor through the virtual CPU context at an arbitrary point in the Windows kernel by generating a hypercall. In the experiment, a security incident log of a virtualized Windows OS is transferred to the hypervisor, where the log is visualized by a self organization map. We show the result of classifying both the dynamic and the static log of malware.
Keyword(in Japanese) (See Japanese page)
Keyword (in English) Self organization map / analyzing malware / virtualization / static log / behavior log
Paper # NC2011-40
Date of Issue

Conference Information
Committee NC
Conference Date 2011/7/18 (1 day)
Place (in Japanese) (See Japanese page)
Place (in English)
Topics (in Japanese) (See Japanese page)
Topics (in English)
Chair
Vice Chair
Secretary
Assistant

Paper Information
Registration To Neurocomputing (NC)
Language JPN
Title (in Japanese) (See Japanese page)
Sub Title (in Japanese) (See Japanese page)
Title (in English) A visualization method of Windows OS malware using SOM
Sub Title (in English)
Keyword(1) Self organization map
Keyword(2) analyzing malware
Keyword(3) virtualization
Keyword(4) static log
Keyword(5) behavior log
1st Author's Name Ruo ANDO
1st Author's Affiliation National Institute of Information and Communications Technology, Information Security Research Center
Date 2011-07-26
Paper # NC2011-40
Volume (vol) vol.111
Number (no) 157
Page pp.-
#Pages 6