{"metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00207945","sets":["1164:3925:10120:10391"]},"path":["10391"],"owner":"44499","recid":"207945","title":["Linuxゲスト向けCuckoo Sandboxへのファイル保存機能の実現"],"pubdate":{"attribute_name":"公開日","attribute_value":"2020-11-18"},"_buckets":{"deposit":"70aa9d5c-af9e-43f9-99ff-3acdef091805"},"_deposit":{"id":"207945","pid":{"type":"depid","value":"207945","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"Linuxゲスト向けCuckoo Sandboxへのファイル保存機能の実現","author_link":["520074","520076","520077","520078","520075","520079"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"Linuxゲスト向けCuckoo Sandboxへのファイル保存機能の実現"},{"subitem_title":"Implementation of file saving mechanism for Linux guests of Cuckoo Sandbox","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"CSEC一般講演5","subitem_subject_scheme":"Other"}]},"item_type_id":"4","publish_date":"2020-11-18","item_4_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"立命館大学"},{"subitem_text_value":"立命館大学"},{"subitem_text_value":"立命館大学"}]},"item_4_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Ritsumeikan University","subitem_text_language":"en"},{"subitem_text_value":"Ritsumeikan University","subitem_text_language":"en"},{"subitem_text_value":"Ritsumeikan University","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing 
file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/207945/files/IPSJ-CSEC20091019.pdf","label":"IPSJ-CSEC20091019.pdf"},"date":[{"dateType":"Available","dateValue":"2022-11-18"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-CSEC20091019.pdf","filesize":[{"value":"1.5 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"fc251b08-48e2-461d-b804-05af0ba3c3e5","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2020 by the Information Processing Society of Japan"}]},"item_4_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"原田, 隆成"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"鄭, 俊俊"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"毛利, 公一"}],"nameIdentifiers":[{}]}]},"item_4_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Ryusei, Harada","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Junjun, Zheng","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Koichi, Mouri","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_4_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AA11235941","subitem_source_identifier_type":"NCID"}]},"item_4_textarea_12":{"attribute_name":"Notice","attribute_value_mlt":[{"subitem_textarea_value":"SIG Technical Reports are nonrefereed and hence may later appear in any journals, conferences, symposia, 
etc."}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_18gh","resourcetype":"technical report"}]},"item_4_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"2188-8655","subitem_source_identifier_type":"ISSN"}]},"item_4_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"マルウェアの動的解析において,マルウェアによってダウンロードされたり書き込まれたファイル,および削除されたファイルを取得することで一連の攻撃の流れを解析することができるようになる.攻撃対象としては,Windows だけでなく,Linux を標的としたマルウェアも重要であるが,Linux マルウェアの動的解析システムにおいて,十分な解析能力を有し,かつファイルの保存機能を備えたものは存在しない.そこで我々は,広く使われているオープンソースの動的解析システムである Cuckoo Sandbox の Linux ゲストに対し,既に実装されているカーネル空間でのシステムコールトレースを拡張する形で新たにファイル保存機能を実装した.これにより,Linuxマルウェアがダウンロードや書き込みを行ったファイル,永続化のために書き換えられた設定ファイル,攻撃の証拠隠滅のために削除されたファイルを取得できることを確認した.また,HiddenWasp を用いた動作検証により実際のマルウェア解析における提案手法の有効性についても確認した.","subitem_description_type":"Other"}]},"item_4_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"In the dynamic analysis of malware, it is possible to analyze a series of attacks by obtaining the files that are downloaded, written or deleted by the malware. Like Windows, Linux has also become a common attack target of malware, so the analysis of Linux malware is important. However, the existing dynamic analysis systems for Linux malware lack sufficient analysis capability and, in particular, a file saving function. Therefore, in this paper, we have implemented a new file saving mechanism for Linux guests of Cuckoo Sandbox, which is a widely used open-source dynamic analysis system, by extending the already-implemented system call trace in the kernel space. We confirmed that it is possible to obtain the files that were downloaded or written by Linux malware, the configuration files that were modified for persistence, and the files that were deleted to destroy evidence of the attack. 
In addition, the effectiveness of the proposed approach in actual malware analysis was validated through operational verification with HiddenWasp.","subitem_description_type":"Other"}]},"item_4_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"8","bibliographic_titles":[{"bibliographic_title":"研究報告コンピュータセキュリティ(CSEC)"}],"bibliographicPageStart":"1","bibliographicIssueDates":{"bibliographicIssueDate":"2020-11-18","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"19","bibliographicVolumeNumber":"2020-CSEC-91"}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"id":207945,"updated":"2025-01-19T18:59:40.862147+00:00","links":{},"created":"2025-01-19T01:09:32.972056+00:00"}