{"updated":"2025-01-22T01:02:49.290604+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00066486","sets":["581:582:5904"]},"path":["5904"],"owner":"11","recid":"66486","title":["Yataglass:攻撃の擬似実行による攻撃メッセージの振舞いの解析"],"pubdate":{"attribute_name":"公開日","attribute_value":"2009-09-15"},"_buckets":{"deposit":"6ffd98d2-8a01-4e4e-971d-4db76dc2bac7"},"_deposit":{"id":"66486","pid":{"type":"depid","value":"66486","revision_id":0},"owners":[11],"status":"published","created_by":11},"item_title":"Yataglass:攻撃の擬似実行による攻撃メッセージの振舞いの解析","author_link":["0","0"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"Yataglass:攻撃の擬似実行による攻撃メッセージの振舞いの解析"},{"subitem_title":"Yataglass: Network-level Attack Behavior Analysis with Emulated Execution","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"一般論文","subitem_subject_scheme":"Other"}]},"item_type_id":"2","publish_date":"2009-09-15","item_2_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"慶應義塾大学理工学部情報工学科"},{"subitem_text_value":"慶應義塾大学理工学部情報工学科/科学技術振興機構CREST"}]},"item_2_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Department of Information and Computer Science, Faculty of Science and Technology, Keio University","subitem_text_language":"en"},{"subitem_text_value":"Department of Information and Computer Science, Faculty of Science and Technology, Keio University / CREST, Japan Science and Technology Agency","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing 
file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/66486/files/IPSJ-JNL5009037.pdf"},"date":[{"dateType":"Available","dateValue":"2011-09-15"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-JNL5009037.pdf","filesize":[{"value":"228.6 kB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"8"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"d4457ccd-5f80-4251-98c4-58e05c68d801","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2009 by the Information Processing Society of Japan"}]},"item_2_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"嶋村, 誠"},{"creatorName":"河野, 健二"}],"nameIdentifiers":[{}]}]},"item_2_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Makoto, Shimamura","creatorNameLang":"en"},{"creatorName":"Kenji, Kono","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_2_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AN00116647","subitem_source_identifier_type":"NCID"}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_6501","resourcetype":"journal 
article"}]},"item_2_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"1882-7764","subitem_source_identifier_type":"ISSN"}]},"item_2_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"バッファオーバフロー攻撃に代表されるリモートコードインジェクション攻撃が大きな問題となっている.このような攻撃を検知するため,近年ではメッセージ中に機械語命令列に相当するバイト列が含まれているかどうかを検査するネットワーク侵入検知システム(NIDS)が提案されている.しかし,これらのシステムでは検知した攻撃コードが実際にサーバ上でどのように振る舞うかは分からない.このため,NIDSが攻撃を検知すると,管理者は適切な対策をとるため,人手で攻撃コードの振舞いを調査しなければならない.本論文では攻撃メッセージを解析し,攻撃コードの振舞いを抽出するシステムであるYataglassを提案する.Yataglassでは,NIDSが検知したメッセージを機械語命令列と見なして擬似的に実行し,攻撃が成功したときに実行されるシステムコール列を抽出する.実際にIntel x86アーキテクチャのLinuxおよびWindowsに対する攻撃メッセージを対象としたYataglassのプロトタイプを作成し,実験を行った.実験の結果,Sambaを対象とする攻撃メッセージや,Metasploit Frameworkから生成された攻撃メッセージが実行するシステムコールを抽出することができた.","subitem_description_type":"Other"}]},"item_2_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Remote code injection attacks such as buffer-overflow attacks are still one of the most serious attacks on computer systems. Current researchers focus on network intrusion detection systems (NIDSs) to detect anomalous byte sequences such as machine instructions in network messages. However, such systems do not analyze behaviors of detected attacks and thus the administrator must find damage on her server when her NIDS detects an attack. In this paper, we propose a network message analyzer called Yataglass which executes attack code in an emulated environment. Yataglass treats the byte stream of a detected message as machine instructions and analyzes them to reveal behaviors of the attack code (i.e., which system calls the attack issues). 
Experimental results show that Yataglass successfully generated a list of system calls issued by a real attack message for a Samba server and polymorphic attacks generated by the Metasploit Framework.","subitem_description_type":"Other"}]},"item_2_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"2381","bibliographic_titles":[{"bibliographic_title":"情報処理学会論文誌"}],"bibliographicPageStart":"2371","bibliographicIssueDates":{"bibliographicIssueDate":"2009-09-15","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"9","bibliographicVolumeNumber":"50"}]},"relation_version_is_last":true,"weko_creator_id":"11"},"created":"2025-01-18T23:27:14.166986+00:00","id":66486,"links":{}}