Partial Outsourcing of Malware Dynamic Analysis Without Disclosing File Contents
Authors: Keisuke Hamajima, Daisuke Kotani, Y. Okabe
Published in: 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), 2023-06-01
DOI: https://doi.org/10.1109/COMPSAC57700.2023.00098
Dynamic analysis is one of the methods to analyze malware. However, if the file to be analyzed contains confidential information, disclosing it to the analyst outside the organization is undesirable. Previous works proposed classifying malware while preserving privacy or outsourcing dynamic analysis, but it is challenging to outsource dynamic analysis without disclosing file contents. The proposed method builds the Local Environment for users and the Remote Environment for analysts outside the organization. We proposed partial outsourcing, which opens a file in the Local Environment, reproduces its behavior in the Remote Environment, and conducts dynamic analysis based on this information. The Local Environment hooks an API call and retrieves information on the function name and arguments. Then, the Local Environment sends the information to the Remote Environment to reproduce file behavior. Our method could reproduce most operations on files and registries but could not reproduce some operations on files.