anti Malware engineering WorkShop 2015 (MWS 2015)


MWS 2015

October 21 (Wed) - 23 (Fri), 2015
Nagasaki Brick Hall, Nagasaki, Japan
Nagasaki Shimbun Culture Hall, Nagasaki, Japan

Photo story of MWS 2015

Nagasaki Brick Hall
Nagasaki Shimbun Culture Hall

Award Ceremony

MWS2015 Best Paper Award:
ROPGuard Bypass Prevention Method using Last Branch Recording Facilities,
Mitsunobu Tarao (Kanagawa Institute of Technology) and Takeshi Okamoto (Kanagawa Institute of Technology).
MWS2015 Best Student Paper Award:
A Large-scale Analysis of Cloned Android Apps,
Yuta Ishii (Waseda University), Takuya Watanabe (Waseda University), Mitsuaki Akiyama (NTT Secure Platform Laboratories) and Tatsuya Mori (Waseda University).

Award | Team Name | Total Score (Rank) | Technical Score (Rank) | Presentation Score (Rank)
MWS Cup 2015 First Place Winner | JINKAI-SENJUTSU Black Team | 74 (1) | 55 (1) | 19 (8)
MWS Cup 2015 Second Place Winner | Security SANKA | 67 (2) | 47 (2) | 20 (5)
MWS Cup 2015 Third Place Winner | urandom | 64 (3) | 43 (3) | 21 (1)
MWS Cup 2015 Planning Board Chair Special Prize JINKAI-SENJUTSU Black Team
Kazumi Ishibuchi (HIRT, Hitachi, Ltd.)

MWS Cup 2015

Briefing from a MWS Planning Board member, before the technical session.
Just after the beginning of the technical session.
Introduction from a MWS Planning Board member during the technical session.
Commentary to the Challenges from the authors (1).
Commentary to the Challenges from the authors (2).
Commentary to the Challenges from the authors (3).
Just before the end of the technical session.
Presentation session.
Evaluation of presentations.

MWS 2015 Manuscripts and Slides

  • Symbols
    • "*" : presenter
    • "**" : student presenter

1A3: Drive-by Download Attack (session chair: Makoto Iwamura)

1A3-1: Drive-by Download Detection Method based on Network Traffic Correlation

1A3-2: A method of preventing the malicious redirections of Web sites by transitions of HTTP communications and URL attribute information

1A3-3: The assessment of the effectiveness of cyber attack detection system for enterprise use

1A3-4: Improving Cyber Attack Detection System To Adopt The Changing Of Exploit Kit

1F4: Android (session chair: Ayumu Kubota)

1F4-1: Studies on Risk Level Evaluation Schemes using APK Metadata

1F4-2: A Large-scale Analysis of Cloned Android Apps

1F4-3: An empirical study of Android APK distribution sites using headless browser with navigation scripting

2A1: Drive-by Download Attack and Illegal Communication (session chair: Yasuyuki Tanaka)

2A1-1: Detection of suspicious redirection using HTTP request sequence

2A1-2: Detecting obfuscated malicious JavaScript based on information-theoretic measures and novelty detection

2A1-3: A study for effectiveness of User-Agent for malware communication traffic detection

2A1-4: Automatic Generation of URL Regular Expression for Detecting Malicious Traffic

2A3: Log Analysis (session chair: Nobutaka Kawaguchi)

2A3-1: Characterizing Network Behavior of Malware: Toward Detecting New Malware Families with Network Monitoring

2A3-2: Detecting RAT Activity in Proxy Server Logs with Machine Learning

2A3-3: Method for detecting Malware based on clustering of time series information of infection behavior

2A3-4: Darknet Traffic Analysis by Focusing on Variations in Dominant Traffic

2A4: Dynamic Analysis (session chair: Yoshiaki Shiraishi)

2A4-1: Malware Communication Analysis using Dynamic Binary Instrumentation in Heterogeneous Analysis Environments for Stealthiness

2A4-2: Correlating Experts' Malware Analysis Reports and Dynamic Malware Analysis Logs

2A4-3: Configuration study of the sandbox for the function improvement of environment-dependent malware analyzing system

2A4-4: A Note of Malware Detections in non-Windows using a Sandbox

3A1: Endpoint (session chair: Junichi Murakami)

3A1-1: Data Acquisition for Malware Analysis on Windows 7 x64

3A1-2: Implementation of System Call Tracer for Windows 10 x64

3A1-3: ROPGuard Bypass Prevention Method using Last Branch Recording Facilities

3A1-4: Memory Access Control using Virtual Machine Monitor for Process Information Hiding

3A2: Targeted Attack (1) (session chair: Nobuyuki Kanaya)

3A2-1: Detection of Advanced Persistent Threat based on Cascade of Suspicious Activities over Multiple Internal Hosts

3A2-2: Evaluation of Detection Method of Targeted Malware Displaying a Decoy Document

3A2-3: Long-term Effectiveness of File Structure Inspection to Detect Malicious Document Files

3A2-4: A study on malware characteristics and its effects observed in targeted attacks

3A3: Targeted Attack (2), SECCON (session chair: Takahiro Matsuki)

3A3-1: Analysis result of doc, pdf, zip file malware and its consideration

3A3-2: Web Mining System for Security Incidents Analysis

3A3-3: Early Detective Method of Remote Access Trojan by Host Base

3A4: Malware Distribution and Malicious Contents (session chair: Takahiro Kasama)

3A4-1: Trend analysis using spatio-temporal geographical information of the Malware distribution

3A4-2: Analysis of spam mail containing malicious attachments using SpamTrap

3A4-3: Analysis of Similarities among Malicious Contents Generated by Exploit Kit

3E4: Traffic Observation (session chair: Tatsuya Mori)

3E4-1: A Study of Port-Based Dynamic Darknet Monitoring

3E4-2: An approach for controlling IRCbot's activity using IPS

3E4-3: Method of Connecting System Call Trace Log and Packet Capture Data to Analyze Malware

3E4-4: Overview of Research Data Set "Behavior Observable System 2015"

3E4-5: Development of Adaptive Event-Monitoring System for DDoS Attacks

Contact us

If you have any questions, please contact: csecreg at

Published: 0:15 2015/06/02 Last Update: 0:15 2015/06/02

MWS 2015 Datasets provided by


Telecom-ISAC Japan

NICTER Darknet Dataset




FFRI Dataset

FFRI, Inc.


NTT Communications Corporation


Hitachi Incident Response Team









