API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis
https://ipsj.ixsq.nii.ac.jp/records/195418
| Field | Value |
|---|---|
| License | Copyright (c) 2019 by the Information Processing Society of Japan |
| Access | Open access |
| Item type | Journal(1) |
| Publication date | 2019-03-15 |
| Title (en) | API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis |
| Language | eng |
| Keywords (subject scheme: Other) | [Regular Paper] Malware, Taint Analysis, Anti-analysis, Evasion, Windows API |
| Resource type | journal article (http://purl.org/coar/resource_type/c_6501) |
| Authors | Yuhei Kawakoya, Eitaro Shioji, Makoto Iwamura, Jun Miyoshi |
| Author affiliation | NTT Secure Platform Laboratories (all four authors) |
| Abstract (description type: Other) | We propose a design and implementation for an Application Programming Interface (API) monitoring system called API Chaser, which is resistant to evasion-type anti-analysis techniques, e.g., stolen code and code injection. The core technique in API Chaser is code tainting, which enables us to identify precisely the execution of monitored instructions by propagating three types of taint tags added to the code of API, malware, and benign executables, respectively. Additionally, we introduce taint-based control transfer interception, a technique to capture precisely the API calls invoked from evasive malware. We evaluate API Chaser on several real-world and synthetic malware samples to demonstrate the accuracy of our API hooking technique. We also perform a large-scale malware experiment by analyzing 8,897 malware samples to show the practical capability of API Chaser. These experimental results show that 701 out of 8,897 malware samples employ hook evasion techniques to hide specific API calls, while 344 samples use target evasion techniques to hide the source of API calls. Note: This is a preprint of an article intended for publication in the Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.27 (2019) (online), DOI http://dx.doi.org/10.2197/ipsjjip.27.297 |
| Bibliographic record ID (NCID) | AN00116647 |
| Bibliographic information | IPSJ Journal (情報処理学会論文誌), Vol. 60, No. 3, published 2019-03-15 |
| ISSN | 1882-7764 |