{"created":"2025-01-19T01:35:21.780983+00:00","updated":"2025-01-19T09:59:15.260406+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00233783","sets":["1164:6389:11481:11634"]},"path":["11634"],"owner":"44499","recid":"233783","title":["ハニーポットとマルウェア動的解析とC&Cサーバの監視の融合によるIoTボットネット活動分析の高度化"],"pubdate":{"attribute_name":"公開日","attribute_value":"2024-03-14"},"_buckets":{"deposit":"c570c96f-5017-487f-8ae1-409eb09006c7"},"_deposit":{"id":"233783","pid":{"type":"depid","value":"233783","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"ハニーポットとマルウェア動的解析とC&Cサーバの監視の融合によるIoTボットネット活動分析の高度化","author_link":["635721","635722","635724","635720","635723","635719","635718","635717"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"ハニーポットとマルウェア動的解析とC&Cサーバの監視の融合によるIoTボットネット活動分析の高度化"},{"subitem_title":"Enhanced Analysis of IoT Botnet Activity by Fusing Honeypots, Malware Dynamic Analysis, and C&C Observation","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"ICSS(2)","subitem_subject_scheme":"Other"}]},"item_type_id":"4","publish_date":"2024-03-14","item_4_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"横浜国立大学 大学院環境情報学府"},{"subitem_text_value":"横浜国立大学 先端科学高等研究院"},{"subitem_text_value":"横浜国立大学 先端科学高等研究院／大学院環境情報研究院"},{"subitem_text_value":"横浜国立大学 先端科学高等研究院／大学院環境情報研究院"}]},"item_4_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Graduate School of Environment and Information Sciences, Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Institute of Advanced Sciences, Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Institute of Advanced Sciences / Faculty of Environment and Information Sciences, Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Institute of Advanced Sciences / Faculty of Environment and Information Sciences, Yokohama National University","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/233783/files/IPSJ-SPT24054012.pdf","label":"IPSJ-SPT24054012.pdf"},"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-SPT24054012.pdf","filesize":[{"value":"984.4 kB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_login","version_id":"d38b550b-fbf7-40f9-a2bc-eddcf0289e9e","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2024 by the Institute of Electronics, Information and Communication Engineers This SIG report is only available to those in membership of the SIG."}]},"item_4_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"遠藤, 祐輝"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"田辺, 瑠偉"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"吉岡, 克成"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"松本, 勉"}],"nameIdentifiers":[{}]}]},"item_4_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Yuki, Endo","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Rui, Tanabe","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Katsunari, Yoshioka","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Tsutomu, Matsumoto","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_4_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AA12628305","subitem_source_identifier_type":"NCID"}]},"item_4_textarea_12":{"attribute_name":"Notice","attribute_value_mlt":[{"subitem_textarea_value":"SIG Technical Reports are nonrefereed and hence may later appear in any journals, conferences, symposia, etc."}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_18gh","resourcetype":"technical report"}]},"item_4_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"2188-8671","subitem_source_identifier_type":"ISSN"}]},"item_4_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"DDoS 攻撃などのサイバー攻撃を行う IoT ボットネットが大きな脅威となっており，その活動実態の把握が喫緊の課題となっている．我々は先行研究において，ハニーポットとマルウェア動的解析と疑似ボットスクリプトから得られた観測結果を組み合わせることで攻撃インフラのグルーピングを行い，IoT ボットネットの攻撃活動の実態を明らかにした．本研究では，脆弱ホスト群に侵入しボット化するための専用の攻撃ホストであるローダに着目し，これをグルーピングの新たな要素に加えるとともに，これまでグルーピングの要素として用いていた C&C サーバ情報に関して，実際に攻撃コマンドを送ってきたホスト群に限定することで，攻撃インフラのより正確なグルーピングを行う．さらに，疑似ボットスクリプトを用いて観測した攻撃コマンドを解析環境内で動作するボット検体にフィードバックすることでこれらの検体に実装されている DoS 攻撃機能の調査を行い，グルーピング結果と突合することで IoT ボットネットが有する DoS 攻撃機能の実態を明らかにする．2022 年 5 月から 2023 年 4 月までの間にインターネット上に設置したハニーポットと疑似ボットスクリプトの観測結果を用いて 1,815 個の攻撃グループを特定した．多数の攻撃グループを特定したものの，活発に活動するグループは限られており，送信した攻撃コマンド数の上位 10 グループは全体の 67.7% に当たる攻撃コマンドを送っていた．攻撃コマンド数が多かった上位 10 グループが用いる 2,673 検体を動的解析し，解析環境に DoS 攻撃コマンドをフィードバックしたところ，1,534 検体から DoS 攻撃を観測した．また，これらのマルウェア検体に感染した機器から構成される IoT ボットネットは，複数種類の DoS 攻撃機能を有している可能性があることがわかった．","subitem_description_type":"Other"}]},"item_4_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"IoT botnets that conduct cyber-attacks, such as DDoS attacks, have become a major threat, and understanding their actual activities is an urgent issue. In our previous study, we grouped attack infrastructures by combining observations obtained from honeypots, malware dynamic analysis, and pseudo-bot scripts (i.e., milker), and we clarified the actual attack activities of IoT botnets. In this study, we focus on loaders, which are dedicated attack hosts for compromising vulnerable hosts, and add them as a new grouping element. Furthermore, by feeding back the attack commands observed using pseudo-bot scripts to malware dynamic analysis environments, we investigate DoS attack functions implemented in IoT malware samples. We identified 1,815 attack groups using the observation results of honeypots and pseudo-bot scripts set up on the Internet between May 2022 and April 2023. 2,673 samples used by the top 10 groups with the most attack commands were analyzed dynamically. By feeding the DoS attack commands to the malware samples running in the analysis environment, DoS attacks were observed from 1,534 samples. We also find that IoT botnets may have multiple DoS attack functions, including those not implem-en1te-d in the original Mirai source code.","subitem_description_type":"Other"}]},"item_4_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"6","bibliographic_titles":[{"bibliographic_title":"研究報告セキュリティ心理学とトラスト（SPT）"}],"bibliographicPageStart":"1","bibliographicIssueDates":{"bibliographicIssueDate":"2024-03-14","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"12","bibliographicVolumeNumber":"2024-SPT-54"}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"id":233783,"links":{}}