Improving a Cyber-Attack Detection System to Adapt to Changes in Exploit Kits
Full text
(2) pre-DL Exploit Kit Exploit Kit. Exploit. malware-DL Expolit. 2. pre-DL. 2.1. malware-DL [1]. DbD. 1. Exploit Kit 5. Nuclear Exploit Kit. DbD 1. 1 DbD 1 Exploit Kit. DbD. Redirect. pre-Exploit pre-Exploit. 1 (2). (1) Redirect (3) (4) Exploit. pre-DL (3)pre-Exploit. Exploit. (5)pre-DL h**j.c**r.pw suffix. pre-Exploit Exploit. UserAgent. Exploit. pre-Exploit (5). 2. 2 DbD. pre-DL Downloader. Downloader. - 25 -. 2 (3) HTML iframe Web Internet Explorer suffix html. Javascript HTML UserAgent HTML.
(3) Javascript. JRE. Exploit Exploit Kit. Java (4) CVE-2013-2423 Exploit JRE Web JRE. JRE (4) JRE Exploit (3). JRE. 2014. Exploit Kit. UserAgent suffix jar. 2.3. Exploit (5) Windows. (5) Zbot. JRE UserAgent. Exploit Kit. Exploit Kit Exploit Kit 2014 JRE. JRE. Adobe Flash Player JRE. JRE JRE suffix UserAgent. Exploit Kit Exploit Kit. Nuclear Exploit Kit Java. Exploit Kit. 6 pre-Exploit pre-DL Exploit Kit. DbD. 3 3.1 2.1. 2.2. Exploit Kit pre-Exploit. Tokyo SOC. [2][3] DbD. 2013 JRE. 90% 2014 DbD 65% Adobe Flash Player DbD 2013 10% 2014 34% Cisco 2014 Midyear Security Report [4] FlashPack Angler, Fiesta, RIG. - 26 -. pre-DL. 3 malware-DL Kit 2 Exploit Kit. 2014. 8. 9. Redirect Exploit.
(4) DbD DbD. (5) 69. Redirect. URL. RIG. Exploit Kit. malware-DL Exploit Kit. Redirect. 3.2. Redirect. Redirect. DbD pre-Exploit. Windigo. Redirect 8 47 Exploit Kit Redirect. [5] B) 2014. r**k.ru 9. 1. 5. 4. 2 A) 2014. 8. TrendMicro 4 RIG. FlashPack Exploit Kit [6] DbD URL 2. 4. (2) Redirect (3) pre-Exploit / Exploit (3) RIG Exploit Kit Redirect r**k.ru DbD 9. 5. 2 FlashPack. 2. (3) (4) Redirect (5) pre-Exploit / Exploit (5) FlashPack Exploit Kit 5 NullHole. 2014. 9. 5. (2) Redirect pre-Exploit / Exploit Redirect URL (3) NullHole Exploit Kit. 3. Redirect. 3 RIG. 3. (3) (4) 2014. 8. Redirect. pre-Exploit DbD. 2. Exploit Kit. - 27 -. (3) 4.
(5) pre-Exploit. pre-DL. Redirect Redirect. URL. Exploit Kit 4. 3.3. malware-DL 4. malware-DL 4 Kit malware-DL. (3) {base64} Web Web. URL. Exploit. DbD URL. malware-DL. Redirect Web. Redirect. pre-DL. Web. malware-DL Downloader. Redirect Web. DbD. Web. malware-DL. 4 4.1. Redirect. Redirect 5 Redirect 1 2. Proxy Web. DbD DbD DbD. (i) 302. DbD DbD (ii) Movable Type URL (iii). DbD Flash. DbD (iv) Wordpress Internet Explorer. - 28 -.
(6) DbD. DbD (A). (v). pcap DbD. pcap HTTP. 4.2. Proxy. Exploit (A). Redirect Exploit Kit pre-Exploit. pre-Exploit, Exploit, pre-DL pre-DL Exploit. Proxy 283. Exploit Kit. 5.2. DbD. 3 JRE 7. 3. Exploit. Exploit Kit. (a) RIG, Fiesta, Angler, FlashPack. 2011 2013 2013 2014. (b) Nuclear, Neutrino, Magnitude. 5 D3M Datasets. 55.2% 80% 95.2% 2015. 2012. 1 D3M. 5.1 D3M(Drive-by Download Marionette) Datasets 2015. Data 2. by. Datasets 2014 [7] 2015 Angler Exploit Kit. A) Web (Marionette) DbD B) Marionette. URL Angler Exploit Kit. URL. Proxy. (Botnet Watcher) C&C. pcap 2. - 29 -. 3 Exploit.
(7) 0byte. 6.2. byte. Redirect 24. Exploit 1. 80%. Exploit. Exploit 6. 5. Exploit Internet Explorer DbD. Exploit 6 Redirect. 6. 5. D3M Datasets. Exploit 6. Redirect Exploit Redirect. 6.1 2015. 4. 7. 7 30. Redirect. 2015 6 1 5 4,915 10. Redirect. 6. Redirect. 30 Proxy 0.018%. 1 Redirect. 0.011% [7]. 8. Redirect Exploit Exploit. Redirect. Redirect. Exploit Redirect. Exploit Exploit. - 30 -.
(8) Exploit. [1] , Drive-by Download. JRE. ,. , , MWS. 9 Exploit Kit Exploit Redirect. Redirect Exploit Exploit. Redirect. 2013
[2] 2013 TokyoSoc, https://www-935.ibm.com/services/multimedia/tokyo-soc-report2013-h2-jp.pdf
[3] 2014 TokyoSoc, https://www-304.ibm.com/connections/blogs/tokyo-soc/resource/PDF/tokyo_soc_report2014_h1.pdf
[4] Cisco 2014 Midyear Security Report, http://www.cisco.com/web/offers/lp/midyear-security-report/index.html
[5] Olivier Bilodeau, Operation Windigo, http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
[6] Walter Liu, "Website Add-on Targets Japanese Users, Leads To Exploit Kit", http://blog.trendmicro.com/trendlabs-security-intelligence/website-add-on-targets-japanese-users-leads-to-exploit-kit/
[7] , , ,. Redirect , JRE. MWS2014 Exploit malware-DL. malware-DL Downloader Exploit Kit Downloader C&C. - 31 -.