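@comment{ Kawaguchi et al., IPSJ Journal (情報処理学会論文誌) 57(3), 2016, on detecting
  targeted-attack lateral movement from multi-host suspicious-activity graphs.
  Cleanup of the repository export: each author was listed twice (Japanese script, then
  a romanised form with surname and given name reversed), so the entry rendered ten
  authors; the romanised names are kept in an ignored field so only five print.
  The abstract was stored in `note`, which standard styles print in full, and is moved
  to `abstract`. `issue` is a biblatex-only field; the issue number belongs in `number`.
  Non-ASCII text requires a UTF-8-aware backend (biblatex+Biber, or upBibTeX). }
@article{oai:ipsj.ixsq.nii.ac.jp:00158145,
  author           = {川口, 信隆 and 築地原, 護 and 井手口, 恒太 and 谷川, 嘉伸 and 冨村, 英勤},
  author-romanized = {Kawaguchi, Nobutaka and Tsuichihara, Mamoru and Ideguchi, Kota and Tanigawa, Yoshinobu and Tomimura, Hideyuki},
  title            = {不審活動の端末間伝搬に着目した標的型攻撃検知方式},
  journal          = {情報処理学会論文誌},
  volume           = {57},
  number           = {3},
  pages            = {1022--1039},
  month            = mar,
  year             = {2016},
  keywords         = {targeted attack, Advanced Persistent Threat, lateral movement, intrusion detection},
  abstract         = {標的型攻撃は,情報窃取や資産破壊を目的に企業や国家機関などの特定組織のネットワークを執拗に狙う攻撃の総称である.近年の標的型攻撃の高度化にともない個々の端末やプロセスを分析する手法では攻撃の検知が難しくなりつつある.そこで,我々は攻撃に用いられる個々の要素を深く分析するのではなく,多くの標的型攻撃で発生する活動である拡散活動に着目する.拡散活動は,攻撃者が最終目的となる資産にたどり着くために複数の端末を渡り歩く活動である.我々は,複数端末で行われる様々な種類の不審活動を分析し,攻撃者の拡散経路をグラフ構造として抽出することで拡散活動を検知する方式を考案した.そして,ある組織の同一部署に属する30台の端末の2カ月間にわたる活動ログを用いて方式の評価実験を行った.その結果,提案方式は標的型攻撃を模擬した攻撃シナリオに対して検知率97%を達成するとともに,既存方式と比べて誤検知頻度を10分の1まで削減できることが明らかになった.加えて,提案方式はプロセスやファイルシステムにいっさい痕跡を残さない高度な攻撃に対しても70%以上の検知率を実現することを確認した. As Advanced Persistent Threats, which persistently target specific organization networks with the aim of stealing their information, destroying their assets, or disrupting their operations, have been more prevalent and sophisticated than ever before, it becomes further difficult to detect the attacks by solely analyzing each process or host. Instead of deeply analyzing each element that may be a part of an attack, we focus on an activity called lateral movement in which the attackers move from one host to another, looking for assets they want to access and manipulate. We designed and developed a scheme which detects the lateral movement by analyzing various types of suspicious activities over multiple hosts and extracting how an attacker moves in the network as a graph structure. Through evaluation experiments with activity logs from 30 hosts in the same organization's department network for two months and three types of attack scenarios, we found that the proposed scheme detects simulated targeted attacks at a rate of higher than 97%, while suppressing the false positives to about 10% of an existing work. In addition, we confirmed that the proposed scheme can detect sophisticated attacks, which do not leave any taints in processes and file systems and can evade the exiting work, at a rate of higher than 70%.},
}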