{"updated":"2025-03-06T06:12:21.210200+00:00","links":{},"id":240999,"created":"2025-01-19T01:45:30.707976+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00240999","sets":["6164:6165:6462:11854"]},"path":["11854"],"owner":"11","recid":"240999","title":["ファイル操作ログの取得による永続化マルウェアの追跡手法"],"pubdate":{"attribute_name":"PubDate","attribute_value":"2024-10-15"},"_buckets":{"deposit":"b5019bc8-192b-4850-8f3a-9b612f091c53"},"_deposit":{"id":"240999","pid":{"type":"depid","value":"240999","revision_id":0},"owners":[11],"status":"published","created_by":11},"item_title":"ファイル操作ログの取得による永続化マルウェアの追跡手法","author_link":["662742","662743","662744","662745","662746","662747","662748","662749","662750","662751"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"ファイル操作ログの取得による永続化マルウェアの追跡手法","subitem_title_language":"ja"},{"subitem_title":"Tracking Method for Persistent Malware by Capturing File Operation Logs","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"マルウェア，永続化，スタートアップフォルダ，プロセス追跡","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2024-10-15","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"立命館大学"},{"subitem_text_value":"日本電気株式会社"},{"subitem_text_value":"日本電気株式会社"},{"subitem_text_value":"日本電気株式会社"},{"subitem_text_value":"立命館大学"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Ritsumeikan University","subitem_text_language":"en"},{"subitem_text_value":"NEC Corporation","subitem_text_language":"en"},{"subitem_text_value":"NEC Corporation","subitem_text_language":"en"},{"subitem_text_value":"NEC Corporation","subitem_text_language":"en"},{"subitem_text_value":"Ritsumeikan University","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/240999/files/IPSJ-CSS2024253.pdf","label":"IPSJ-CSS2024253.pdf"},"date":[{"dateType":"Available","dateValue":"2026-10-15"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-CSS2024253.pdf","filesize":[{"value":"892.7 kB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"8110cc87-ff48-4cbf-ac9b-3cdcc6060f51","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2024 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"荒木, 辰哉"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"高橋, 佑典"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"木津, 由也"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"細見, 格"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"毛利, 公一"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Tatsuya, Araki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Yusuke, Takahashi","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Yoshiya, Kizu","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Itaru, Hosomi","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Koich, Mouri","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"マルウェアが引き起こすインシデントへの対応では，マルウェアの影響範囲を明らかにするために，自動化されたログ解析ツールを用いて端末に残されたログ同士を関連付けながら解析することが多い．既存のログ解析ツールでは，一般的にマルウェアの影響範囲をプロセス間の親子関係で不審なプロセスのプロセス生成の流れを遡ることができる．しかし，手口が高度化したマルウェアの中にはOSの自動実行機能を悪用するものが存在し，再起動によりプロセス間の親子関係が途切れてしまう．既存のログ解析ツールは自動実行機能によるプロセス生成の流れを追跡する機能を持たないため，解析者がある程度手作業で探る必要があり，困難で手間がかかる作業が求められる．本論文では自動実行機能の中でも，指定のフォルダに対しファイルを配置するだけで利用できるスタートアップフォルダに焦点を当て，プロセスのファイル操作ログを用いることで自動実行機能に登録したプロセスから再起動後に生成されたプロセスを自動で追跡する手法について述べる．これによって，スタートアップフォルダによるプロセス生成の流れを容易に追跡可能にした．","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"In the event of malware incidents, automated log analysis tools are employed to ascertain the impact of the malware in question by analyzing system logs. Most tools employ a method of tracing the creation flow of suspicious processes, utilizing parent-child relationships. However, some malware exploits the operating system's auto-execution function, thereby breaking these relationships by restarting processes. The current tools cannot trace this flow, necessitating manual, time-consuming analysis. This paper focuses on the startup folder, which allows process tracking by placing files in a specific folder. We propose a method to automatically track processes created after a restart using file operation logs, thereby simplifying the process tracking in the startup folder.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"1895","bibliographic_titles":[{"bibliographic_title":"コンピュータセキュリティシンポジウム2024論文集"}],"bibliographicPageStart":"1888","bibliographicIssueDates":{"bibliographicIssueDate":"2024-10-15","bibliographicIssueDateType":"Issued"}}]},"relation_version_is_last":true,"weko_creator_id":"11"}}