As malware, including that used in targeted attacks, becomes more sophisticated, Managed Detection and Response (MDR), which extends conventional network-level security monitoring and response, and Endpoint Detection and Response (EDR), which monitors threats at the host level, are gaining attention. NTT SPL is engaged in the following R&D efforts to support these technologies.
(1) Malware behavior and function analysis technologies: R&D of dynamic analysis technologies that let malware run in an isolated environment (sandbox) so that its behavior can be observed, and R&D of static analysis technologies that analyze malware binaries (machine code instructions) to identify malware functions.
(2) Malware indicator analysis technologies: R&D of forensic technologies that analyze memory dumps and disk information from devices after an incident, reconstruct malware behavior during the incident, and identify the resulting damage.
(3) Technologies that extract characteristic malware behaviors and indicators: R&D of technologies that apply machine learning and graph matching to the results produced by the above technologies, compare and integrate them with analysis of normal programs and externally gathered security intelligence, extract the malware's characteristic behaviors and indicators, and automatically generate Indicators of Compromise (IOCs, the signatures that MDR and EDR use for malware detection).
Using these technologies, NTT SPL is realizing advanced MDR/EDR services that generate and distribute custom IOCs tailored to protecting customers' networks and systems, and that prevent diverse attacks, including Advanced Persistent Threat (APT) attacks.
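The contrast step in (3), comparing sandbox-observed behaviors of malware against those of normal programs to keep only the distinctive ones as IOC candidates, is illustrated below with an added example. This is not NTT SPL's code; the behavior records, thresholds and rule format are constructed for illustration, and the records are deliberately simple (one tuple per observed behavior) so the selection logic is visible.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

Behaviour = Tuple[str, str]  # (behaviour type, observed value)

# Constructed sandbox records: each run is the set of behaviours observed for
# one sample. Values are hypothetical (RFC 5737 documentation addresses).
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"
MALWARE_RUNS: List[Set[Behaviour]] = [
    {("api", "CreateFileW"), ("api", "CreateRemoteThread"), ("api", "WriteProcessMemory"),
     ("net", "203.0.113.7:4444"), ("reg", RUN_KEY)},
    {("api", "CreateFileW"), ("api", "CreateRemoteThread"), ("net", "203.0.113.7:4444"),
     ("reg", RUN_KEY), ("file", "C:\\Users\\Public\\a.tmp")},
    {("api", "CreateFileW"), ("api", "WriteProcessMemory"), ("net", "203.0.113.7:4444")},
]
BENIGN_RUNS: List[Set[Behaviour]] = [
    {("api", "CreateFileW"), ("api", "RegOpenKeyExW")},
    # A legitimate debugger also writes into other processes' memory.
    {("api", "CreateFileW"), ("api", "WriteProcessMemory"), ("api", "ReadProcessMemory")},
    {("api", "CreateFileW"), ("net", "198.51.100.10:443")},
]


def behaviour_prevalence(runs: List[Set[Behaviour]]) -> Dict[Behaviour, float]:
    """Fraction of runs in which each behaviour was observed."""
    counts: Counter = Counter()
    for run in runs:
        counts.update(run)
    return {b: c / len(runs) for b, c in counts.items()}


def extract_indicators(malware_runs: List[Set[Behaviour]], benign_runs: List[Set[Behaviour]],
                       min_malware: float = 0.5, max_benign: float = 0.0) -> List[Behaviour]:
    """Keep behaviours common across malware runs but absent from normal programs.

    Behaviours shared with benign software (file creation, memory writes by a
    debugger) are rejected so they do not become false-positive signatures.
    """
    mal = behaviour_prevalence(malware_runs)
    ben = behaviour_prevalence(benign_runs)
    return sorted(b for b, p in mal.items() if p >= min_malware and ben.get(b, 0.0) <= max_benign)


def to_ioc_rules(indicators: List[Behaviour]) -> Dict[str, List[str]]:
    """Group surviving indicators into a simple IOC document keyed by type."""
    rules: Dict[str, List[str]] = {}
    for kind, value in indicators:
        rules.setdefault(kind, []).append(value)
    return rules


if __name__ == "__main__":
    print(to_ioc_rules(extract_indicators(MALWARE_RUNS, BENIGN_RUNS)))
```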
Malware analysis technologies for MDR/EDR enhancement
- Yuhei Kawakoya, Makoto Iwamura, Eitaro Shioji, and Takeo Hariu: "API Chaser: Anti-analysis Resistant Malware Analyzer", The 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
- Yuhei Kawakoya, Eitaro Shioji, Yuto Otsuki, Makoto Iwamura, and Takeshi Yada: "Stealth Loader: Trace-free Program Loading for API Obfuscation", The 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
- Toshinori Usui, Tomonori Ikuse, Makoto Iwamura, and Takeshi Yada: "POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity", The 23rd ACM Conference on Computer and Communications Security (CCS) Poster Session
- Makoto Iwamura, Mitsutaka Itoh, and Yoichi Muraoka: "Towards Efficient Analysis for Malware in the Wild", 2011 IEEE International Conference on Communications (ICC)