{"created":"2023-06-20T15:09:03.432350+00:00","id":4943,"links":{},"metadata":{"_buckets":{"deposit":"364b15f7-475f-404a-aa0b-a5041a88e333"},"_deposit":{"created_by":17,"id":"4943","owners":[17],"pid":{"revision_id":0,"type":"depid","value":"4943"},"status":"published"},"_oai":{"id":"oai:ynu.repo.nii.ac.jp:00004943","sets":["500:503"]},"author_link":["22780"],
"item_7_alternative_title_21":{"attribute_name":"その他のタイトル","attribute_value_mlt":[{"subitem_alternative_title":"マルウェアの回避挙動を利用した動的解析に関する研究","subitem_alternative_title_language":"ja"}]},"item_7_biblio_info_8":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicIssueDates":{"bibliographicIssueDate":"2014-03-26","bibliographicIssueDateType":"Issued"}}]},"item_7_date_granted_66":{"attribute_name":"学位授与年月日","attribute_value_mlt":[{"subitem_dategranted":"2014-03-26"}]},"item_7_degree_grantor_64":{"attribute_name":"学位授与機関","attribute_value_mlt":[{"subitem_degreegrantor":[{"subitem_degreegrantor_name":"横浜国立大学"}],"subitem_degreegrantor_identifier":[{"subitem_degreegrantor_identifier_name":"12701","subitem_degreegrantor_identifier_scheme":"kakenhi"}]}]},"item_7_degree_name_63":{"attribute_name":"学位名","attribute_value_mlt":[{"subitem_degreename":"博士(工学)"}]},
"item_7_description_5":{"attribute_name":"抄録","attribute_value_mlt":[{"subitem_description":"Internet security threats utilizing highly functional malicious programs called malware are recently on the rise, and extensive research efforts have been made to counter them. With this explosive increase of malware, it is becoming nearly impossible to manually analyze all its forms by reverse engineering. An effective countermeasure for this problem, malware sandbox analysis, in which a malware sample is executed in a testing environment (a sandbox) to observe its behaviors, has been widely studied. Malware authors have responded by making their work more sophisticated to evade this analysis. One example is a type of malware called a bot, which changes its behaviors in accordance with the behaviors of remote servers with which it interacts, such as Command and Control (C&C) servers and malware download servers. Since a bot does not work unless it meets the conditions for activation, it is difficult to analyze it sufficiently with traditional sandbox analysis. Another example is a type of malware that stops or changes its behaviors when it detects a sandbox environment by checking Internet connectivity, the existence of a virtual machine, etc. Sandbox analysis thus faces a serious problem in dealing with this evasive malware. This dissertation first describes techniques performed by malware and malware authors for evading analysis and detection, and categorizes evasion techniques against sandbox analysis into two approaches: making comprehension of malware behaviors more difficult and detecting sandboxes. Then this study indicates a direction on how to develop a countermeasure technique against evasive malware without being evaded by an attacker: leveraging differences between malware and benign software that come from malware's mechanism for evading the analysis/detection mechanism; that is, when proposing a new analysis method, the method of detecting malware that evades the analysis method should be considered. Consequently, the attackers can be given fewer choices. Chapter 4 proposes a novel sandbox analysis method that realizes better observability and efficiency against malware using techniques to make comprehension of malware behaviors more difficult. The method focuses on a function of malware that changes its behaviors in accordance with the behaviors of remote servers with which it interacts, such as C&C and malware download servers, and analyzes the server behaviors and corresponding malware behaviors. Experiments with samples captured in the wild confirm that the method can observe more variety in their behaviors. Chapter 5 clarifies targeted sandbox detection vulnerability in public malware sandbox analysis systems (public MSASs) for pursuing better observability. First, properties of sandbox information for the decoy injection attack, in which an attacker detects the sandbox based on its sandbox information disclosed by submitting a decoy sample, are defined: stability, uniqueness, and stealthiness of collection. Then, 16 different kinds of characteristic information of the sandbox for its detection are analyzed in terms of those properties. Experiments with real public MSASs in operation confirm the broad applicability of the decoy injection attack as well as the need for comprehensive countermeasures. Chapter 6 proposes a novel behavior-based malware-detection method using sandbox-evasive behaviors. Malware authors have been embedding functions that act as countermeasures against malware analysis and detection and that often change runtime behaviors in each execution. The proposed method focuses on such characteristics. It conducts dynamic analysis on an executable file multiple times in the same sandbox environment to obtain multiple logs of API calls and traffic, and then compares them to find the differences between the multiple executions. Experiments with malware samples captured in the wild and benign software samples confirm the effectiveness of the method.","subitem_description_type":"Abstract"}]},
"item_7_dissertation_number_67":{"attribute_name":"学位授与番号","attribute_value_mlt":[{"subitem_dissertationnumber":"甲第1636号"}]},"item_7_subject_24":{"attribute_name":"国立国会図書館分類","attribute_value_mlt":[{"subitem_subject":"UT51","subitem_subject_scheme":"NDLC"}]},"item_access_right":{"attribute_name":"アクセス権","attribute_value_mlt":[{"subitem_access_right":"open access","subitem_access_right_uri":"http://purl.org/coar/access_right/c_abf2"}]},"item_creator":{"attribute_name":"著者","attribute_type":"creator","attribute_value_mlt":[{"creatorAffiliations":[{"affiliationNames":[{"affiliationName":"Graduate School of Environment and Information Sciences, Yokohama National University"}]}],"creatorAlternatives":[{"creatorAlternativeLang":"ja-Kana"},{"creatorAlternativeLang":"en"}],"creatorNames":[{"creatorName":"笠間, 貴弘","creatorNameLang":"ja"}],"nameIdentifiers":[{"nameIdentifier":"22780","nameIdentifierScheme":"WEKO"}]}]},
"item_files":{"attribute_name":"ファイル情報","attribute_type":"file","attribute_value_mlt":[{"accessrole":"open_date","date":[{"dateType":"Available","dateValue":"2016-09-16"}],"displaytype":"detail","filename":"kasama_takahiro-thesis.pdf","filesize":[{"value":"4.1 MB"}],"format":"application/pdf","licensetype":"license_note","mimetype":"application/pdf","url":{"label":"kasama_takahiro-thesis.pdf","objectType":"fulltext","url":"https://ynu.repo.nii.ac.jp/record/4943/files/kasama_takahiro-thesis.pdf"},"version_id":"5da2f43c-496b-4ed7-aee3-66284cf9e73c"},{"accessrole":"open_date","date":[{"dateType":"Available","dateValue":"2016-09-16"}],"displaytype":"detail","filename":"kasama_takahiro-review.pdf","filesize":[{"value":"246.4 kB"}],"format":"application/pdf","licensetype":"license_note","mimetype":"application/pdf","url":{"label":"kasama_takahiro-review.pdf","objectType":"other","url":"https://ynu.repo.nii.ac.jp/record/4943/files/kasama_takahiro-review.pdf"},"version_id":"037579df-ef36-41d0-af20-8bdc0e23a992"}]},
"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"eng"}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourcetype":"doctoral thesis","resourceuri":"http://purl.org/coar/resource_type/c_db06"}]},"item_title":"A Study on Malware Analysis Leveraging Sandbox Evasive Behaviors","item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"A Study on Malware Analysis Leveraging Sandbox Evasive Behaviors","subitem_title_language":"en"}]},"item_type_id":"7","owner":"17","path":["503"],"pubdate":{"attribute_name":"PubDate","attribute_value":"2014-05-30"},"publish_date":"2014-05-30","publish_status":"0","recid":"4943","relation_version_is_last":true,"title":["A Study on Malware Analysis Leveraging Sandbox Evasive Behaviors"],"weko_creator_id":"17","weko_shared_id":-1},"updated":"2024-06-06T02:32:54.507823+00:00"}