{"created":"2025-01-19T01:45:21.485648+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00240901","sets":["6164:6165:6462:11854"]},"path":["11854"],"owner":"11","recid":"240901","title":["Linuxファイルレスマルウェア検知手法に対するeBPFを用いた回避手法の提案とその対策"],"pubdate":{"attribute_name":"PubDate","attribute_value":"2024-10-15"},"_buckets":{"deposit":"8c9cdc5d-bf29-45cf-b3ab-ea7ee4a135eb"},"_deposit":{"id":"240901","pid":{"type":"depid","value":"240901","revision_id":0},"owners":[11],"status":"published","created_by":11},"item_title":"Linuxファイルレスマルウェア検知手法に対するeBPFを用いた回避手法の提案とその対策","author_link":["662086","662087","662088","662089"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"Linuxファイルレスマルウェア検知手法に対するeBPFを用いた回避手法の提案とその対策","subitem_title_language":"ja"},{"subitem_title":"Proposal of eBPF-based Evasion Methods Against Detection of Linux Fileless Malware and Their Countermeasures","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"eBPF,ファイルレスマルウェア,Linux,検知回避","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2024-10-15","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"金沢大学"},{"subitem_text_value":"金沢大学"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Kanazawa University","subitem_text_language":"en"},{"subitem_text_value":"Kanazawa University","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing 
file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/240901/files/IPSJ-CSS2024155.pdf","label":"IPSJ-CSS2024155.pdf"},"date":[{"dateType":"Available","dateValue":"2026-10-15"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-CSS2024155.pdf","filesize":[{"value":"362.1 kB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"c2e35e5c-6bb6-4848-b36c-9fe5e4e01be3","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2024 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"高林, 裕太"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"満保, 雅浩"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Yuta, Takabayashi","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Masahiro, Mambo","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference 
paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"ファイルレスマルウェアはメモリ上にペイロードを配置するため,検知やフォレンジックが困難である.近年ではLinuxをターゲットとした検体も確認されており,その対策として複数の検知手法が考案されている.しかし,こうした検知手法は感染端末に用意されたコマンドやファイルに依存しており,それらが改ざんされた場合を考慮していない.たとえばLinuxに存在するeBPFという技術を悪用することで,システムコールやネットワークパケットの改ざんが可能である.そこで本論文では,現在考案されているLinuxファイルレスマルウェアの検知手法に対して,eBPFを用いた検知回避手法を提案し,実装を通してその実現性を示す.さらに,提案した検知回避手法に対する防御策についても考察を行い,既存の検知手法の堅牢性を向上させる手法を示す.","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"It is difficult to detect and analyze fileless malware because its payload resides in memory. Recently, samples of fileless malware have been found on Linux and several detection methods have been proposed to detect them. However, these detection methods rely on commands and files provided on the infected computer and do not consider potential tampering with them. For example, system calls and network packets can be tampered with by using \"eBPF\", a technology available on Linux. In this paper, we propose eBPF-based evasion methods against existing detection methods for Linux fileless malware, and show their feasibility through implementation. In addition, we also discuss countermeasures against the proposed evasion methods and improve the robustness of the existing detection methods.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"1163","bibliographic_titles":[{"bibliographic_title":"コンピュータセキュリティシンポジウム2024論文集"}],"bibliographicPageStart":"1156","bibliographicIssueDates":{"bibliographicIssueDate":"2024-10-15","bibliographicIssueDateType":"Issued"}}]},"relation_version_is_last":true,"weko_creator_id":"11"},"links":{},"id":240901,"updated":"2025-03-06T05:56:00.956886+00:00"}