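@techreport{oai:ipsj.ixsq.nii.ac.jp:00178519,
  author        = {Shimakawa, Takahiro and Sato, Makoto and Kuyama, Masahiro and Sasaki, Ryoichi},
  title         = {標的型攻撃に対する侵害範囲特定ツールの開発と評価},
  institution   = {{Information Processing Society of Japan}},
  number        = {34},
  year          = {2017},
  month         = feb,
  langid        = {japanese},
  abstract      = {近年,特定の企業や組織を攻撃対象とする標的型攻撃が社会的な問題となっている.標的型攻撃は,段階的に攻撃を進めていく過程がある.中でも攻撃の核心部となるのは,初期段階で乗っ取った攻撃基盤をベースに,次々と端末を乗っ取りながら侵害範囲を拡大していく内部侵入 ・ 調査段階である.そのため,不正プログラムの感染を検知された端末から不正プログラムを調査 ・ 駆除するのみでは,被害範囲の想定ができず攻撃の対処を誤ってしまう可能性がある.そこで本稿では,内部侵入 ・ 調査段階に焦点をあて,複数の端末のプロセスログを解析 ・ 突合することで侵害範囲を特定する手法を提案する.また,提案手法を実現するプロトタイプのプログラムを開発し,攻撃者による侵害範囲の拡大を模擬した評価実験を行った.その結果,侵害範囲を約 120 秒で特定することができた.これにより,被害範囲の想定や優先して調査すべき端末の特定が可能であり,事故対応から事業の復旧までの時間を短縮できると考えられる., In recent years, targeted attacks aiming at specific companies and organizations have become a social problem. Targeted attacks have a process of gradually advancing attacks. Especially, the core part of the attack is the internal invasion / investigation stage which will expand the range of infringement while taking over the terminal one after another based on the attack base taken over at the initial stage. Therefore, it is impossible to assume the scope of damage only by investigating and removing malicious program from terminals detected infection by a malicious program. As a result, there is a possibility of erroneously coping with the attack. In this paper, we propose a method to identify the range of infringement by analyzing and matching process logs of multiple terminals focusing on the internal invasion / investigation stage. We developed a prototype program that realizes the proposed method and conducted an evaluation experiment simulating expansion the range of infringement by an attacker. As a result of experiments, it was possible to identify the range of infringement in about 120 seconds. Thus, it is possible to assume the range of damage and identify terminals to be investigated preferentially, and it is considered that the time from accident response to restoration of business can be shortened.},
  author-ja     = {島川, 貴裕 and 佐藤, 信 and 久山, 真宏 and 佐々木, 良一},
  internal-note = {Cleanup of a repository export. author: the export listed each of the four authors twice (Japanese form, then a romanized form written as Given, Family, which BibTeX would parse with the given name as surname); the romanized names are kept in author in Family, Given order and the Japanese forms are preserved in the ignored field author-ja. institution: required for techreport and absent in the export; inferred from the repository host in the citation key (ipsj.ixsq.nii.ac.jp) -- confirm against the original report. number: the export used issue, which standard techreport styles do not read. abstract: the export placed the bilingual abstract in note, which standard styles print verbatim in the reference list. month: bare macro feb instead of the quoted string Feb.},
}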