anti Malware engineering WorkShop 2018 (MWS2018)

MWS 2018

October 22 (Mon) -- 25 (Thu), 2018

Hotel Metropolitan Nagano, Nagano, Japan

MWS 2018 was held with CSS 2018.

Photo story of MWS2018 / MWS Cup 2018

Venue (Hotel Metropolitan Nagano)

Award Ceremony

	MWS2018 Best Paper Award: "Automatic Enhancement of Script Engines by Appending Behavior Analysis Capabilities" Toshinori Usui (NTT Secure Platform Laboratories) Yuto Otsuki (NTT Secure Platform Laboratories) Yuhei Kawakoya (NTT Secure Platform Laboratories) Makoto Iwamura (NTT Secure Platform Laboratories) Jun Miyoshi (NTT Secure Platform Laboratories)
	MWS2018 Student Paper Award: "Detecting Unseen Malicious Macros with Anomary Detection" Hiroya Miura (National Defense Academy of Japan) Mamoru Mimura (National Defense Academy of Japan) Hidema Tanaka (National Defense Academy of Japan)
	MWS2018 Best Practical Research Award: "Long-Term Observation of RIG Exploit Kit by User Environment Observation and Robust Attack Detection against Time Change" Ichiro Shimada (KOZO KEIKAKU ENGINEERING Inc.) Toshifumi Oota (KOZO KEIKAKU ENGINEERING Inc.) Akira Yamada (KDDI Research, Inc.)
	MWS Cup 2018 First Place Winner: Team UN Total Score: 60.6 Preliminary Challenge Score : 19.2 (3rd place/16 teams) On-site Challenge Score : 41.4 (1st place/16 teams)
	MWS Cup 2018 Second Place Winner: Team GOTO Love Total Score: 56.2 Preliminary Challenge Score : 17.1 (11th place/16 teams) On-site Challenge Score : 39.1 (2nd place/16 teams)
	MWS Cup 2018 Third Place Winner: Security SANKA Total Score: 52.4 Preliminary Challenge Score : 18.4 (5th place/16 teams) On-site Challenge Score : 34.0 (3rd place/16 teams)
	MWS Cup 2018 Preliminary Challenge Winner: m1z0r3 Preliminary Challenge Score : 21.0 (/25)
	MWS Cup 2018 On-site Challenge Winner: Team UN On-site Challenge Score : 41.4 (/75) Challenge 1 Score : 13.0 Challenge 2 Score : 22.0 Challenge 3 Score : 6.4

MWS Cup 2018

	Competitors in the technical session.
	Commentary on the Challenges in the technical session.
	group photo 1.
	group photo 2.

MWS 2018 Research Presentations

Symbols
- * : presenter
- ** : student presenter

1B5: Dataset (session chair: Kazuhiro Ono)

1B5-1: Overview of Research Data Set "Behavior Observable System 2018"

* Masato Terada (Hitachi Ltd.)
Takayuki Sato (Hitachi Ltd.)
Sho Aoki (Hitachi Ltd.)
Satoshi Kamekawa (Trend Micro Incorporated.)
Tsutomu Shimizu (Trend Micro Incorporated.)
Yu Tsuda (National Research and Development Agency)

1B5-2: (Japanese version only)

1B5-3: A Consideration on Dataset for Evaluation of Network-Based Intrusion Detection System

* Hisashi Takahara (University of NIIGATA PREFECTURE)

2C1: Malicious Domain Name (session chair: Masayuki Okada)

2C1-1: Generative Model of Combosquatting Domain Names and Evaluation

* Hirokuni Kitahara (IBM Research - Tokyo)
Yuji Watanabe (IBM Research - Tokyo)

2C1-2: (Japanese version only)

2C1-3: (Japanese version only)

2C1-4: (Japanese version only)

2C2: Machine Learning (1) (session chair: Masatsugu Ichino)

2C2-1: (Japanese version only)

2C2-2: (Japanese version only)

2C2-3: (Japanese version only)

2C2-4: (Japanese version only)

2C3: Utilization of Natural Language Processing (session chair: Yuki Ashino)

2C3-1: Extracting Frequent ASCII Strings to Detect Unseen Malware

** Ryo Ito (National Defense Academy of Japan)
Mamoru Mimura (National Defense Academy of Japan)
Hidema Tanaka (National Defense Academy of Japan)

2C3-2: Detecting Unseen Malicious Macros with Anomary Detection

** Hiroya Miura (National Defense Academy of Japan)
Mamoru Mimura (National Defense Academy of Japan)
Hidema Tanaka (National Defense Academy of Japan)

2C3-3: An Investigation of Static Feature Space for Malware Detection

** Yutaka Takesue (Osaka Electro-Communication University, Faculty of Information and Communication Engineering)
Kazuhiro Takeuchi (Osaka Electro-Communication University, Faculty of Information and Communication Engineering)

2C3-4: Identification of Malware Variants Using fastText

** Ryota Iwamoto (Graduate School of Science and Engineering, Saitama University)
Jun Ohkubo (Graduate School of Science and Engineering, Saitama University)

2C3-5: Clustering Security Blog Posts Using Guided-Topic Model for Threat Analysis

** Tatsuya Nagai (Graduate School of Engineering, Kobe University)
Tomohiro Inui (Graduate School of Engineering, Kobe University)
Makoto Takita (Graduate School of Engineering, Kobe University)
Keisuke Furumoto (National Institute of Information and Communications Technology)
Yoshiaki Shiraishi (Graduate School of Engineering, Kobe University)
Yasuhiro Takano (Graduate School of Engineering, Kobe University)
Masami Mohri (Faculty of Engineering, Gifu University)
Masakatu Morii (Graduate School of Engineering, Kobe University)

2C4: Detection Avoidance and Misdetection (session chair: You Nakatsuru)

2C4-1: Survey of False-Positive by Antivirus Software and Proposal of the Countermeasures

* Kazuki Iwamoto (SecureBrain Corporation)

2C4-2: Evaluation of Security Appliance against Customized Malware

* Rui Tanabe (Institute of Advanced Sciences, Yokohama National University)
Wataru Ueno (Graduate School of Environment and Information Sciences, Yokohama National University)
Katsunari Yoshioka (Graduate School of Environment and Information Sciences, Yokohama National University / Institute of Advanced Sciences, Yokohama National University)
Tsutomu Matsumoto (Graduate School of Environment and Information Sciences, Yokohama National University / Institute of Advanced Sciences, Yokohama National University)
Takamichi Saito (Meiji University)
Takahiro Kasama (National Institute of Information and Communications Technology)
Daisuke Inoue (National Institute of Information and Communications Technology)

2C4-3: (Japanese version only)

2C4-4: Mitigaton of Fileless-Malware in Linux

** Kousei Tanaka (Tokyo Denki University)
Taiichi Saito (Tokyo Denki University)

3C1: Darknet and DDoS Attack (session chair: Daisuke Makita)

3C1-1: An Analysis of Network Scanning Activity Based on Destination Address Order and Payload

* Yasuhiro Nakamura (Computer Science, National Defense Academy)
Keita Kajikawa (Graduate School of Science and Engineering, National Defense Academy)
Yuki Ashino (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Ayaka Samejima (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Kazushi Sugyo (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Yukiko Yano (Cyber Security Factory, National Security Solution Division, NEC Corporation)

3C1-2: An Extraction Method for Collaborative Scanning Host Groups Using Number of Destination Changes

** Keita Kajikawa (Graduate School of Science and Engineering, National Defense Academy)
Yasuhiro Nakamura (Computer Science, National Defense Academy)
Yuki Ashino (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Reika Samejima (Cyber Security Factory, National Security Solution Division, NEC Corporation)
K Sugyo (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Yukiko Yaho (Cyber Security Factory, National Security Solution Division, NEC Corporation)

3C1-3: Discovering Multi-Vector DDoS Attack by Correlation Analysis of Darknet Backscatter and Honeypot Logs

* Natsuru Yamamura (National Police Academy / NTT Secure Platform Laboratories)
Kazunori Kamiya (NTT Secure Platform Laboratories)
Hiroshi Kurakami (NTT Secure Platform Laboratories)

3C1-4: DDoS Attack Participation Countermeasure Method Considering User's Behavior History

* Nao Takaoka (Kansai University Graduate School)
Takashi Kobayashi (Kansai University)

3C2: Surface Analysis and Program Analysis (session chair: Kazuki Iwamoto)

3C2-1: Analysis on the Usage of the RDTSC Instruction by Malware

* Yoshihiro Oyama (University of Tsukuba )

3C2-2: IOC Conversion with Symbolic Execution

* Yuhei Kawakoya (NTT)
Makoto Iwamura (NTT)
Jun Miyoshi (NTT)
Tatsuya Mori (Waseda University)

3C2-3: Automatic Extraction of Conditions for Bypassing Malware Anti-Analysis Techniques by Using Symbolic Execution

* Yuji Kubo (Institute of Information Security / National Police Agency of Japan)
Takao Okubo (Institute of Information Security)

3C2-4: Automation: Detection Method for Data Sets with Concept Drift and Scale-Free Properties

* Kenji Aiko (LINE Corporation)

3C3: Attack Detection (session chair: Eiji Takimoto)

3C3-1: (Japanese version only)

3C3-2: Experience of System Anomaly Detection by Levelaging Log Message Format Structure

* Masayoshi Mizutani (Cookpad Inc.)

3C3-3: A Method to Detect Indiscriminate Spam Emails Focusing on Similarity of Messages Body and Attachments

* Toru Fujishiro (Canon IT Solutions Inc.)
Ryoto Miura (Canon IT Solutions Inc.)
Takafumi Harada (Canon IT Solutions Inc.)

3C3-4: (Japanese version only)

3B4: Dynamic Analysis (session chair: Akira Orita)

3B4-1: Analysis Method of Malicious JavaScript That Tampers Web Contents in MITB Attack

* Kazuki Takada (Graduate School of Environment and Information Sciences, Yokohama National University / SecureBrain Corporation)
Hideki Matsumoto (SecureBrain Corporation)
Michio Kunimoto (SecureBrain Corporation)
Katsunari Yoshioka (Graduate School of Environment and Information Sciences, Yokohama National University / Institute of Advanced Sciences, Yokohama National University)
Tsutomu Matsumoto (Graduate School of Environment and Information Sciences, Yokohama National University / Institute of Advanced Sciences, Yokohama National University)

3B4-2: Automatic Enhancement of Script Engines by Appending Behavior Analysis Capabilities

* Toshinori Usui (NTT Secure Platform Laboratories)
Yuto Otsuki (NTT Secure Platform Laboratories)
Yuhei Kawakoya (NTT Secure Platform Laboratories)
Makoto Iwamura (NTT Secure Platform Laboratories)
Jun Miyoshi (NTT Secure Platform Laboratories)

3B4-3: A Survey on Malware That Log Can not be Acquired in Dynamic Analysis

** Kota Morimoto (Ritsumeikan University)
Junjun Zheng (Ritsumeikan University)
Shoichi Saito (Nagoya Institute of Technology)
Eiji Takimoto (Ritsumeikan University)
Koichi Mouri (Ritsumeikan University)

3B4-4: Malware Classification Using the Call Log of an API for Dynamic Function Address Resolution

** Yuto Maeda (University of Tsukuba)
Yoshihiro Oyama (University of Tsukuba)

3C4: Traffic Data Analysis (session chair: Takashi Koide)

3C4-1: (Japanese version only)

3C4-2: The Detection Method for C&C Communication Using SSL/TLS Based on Characteristics of Malware Communication

* Seigo Terada (PFU Limited.)
Takashi Kobayashi (PFU Limited.)
Keiji Michine (PFU Limited.)
Koichi Yamashita (PFU Limited.)

3C4-3: Communication Protocol Analysis of the Cutwail Spam Delivery Service

* Ichiro Asomura (Mizuho Financial Group)
Yasuhiro Takeda (Mizuho Financial Group)

4C1: Drive-by-download Attack (session chair: Hiroki Hada)

4C1-1: Analysis on Relevance of Communication Data during Drive-by-Download Attack

** Masashi Takada (Graduate School of Sustinability Science, Tottori University)
Kenichi Takahashi (Graduate School of Engineering, Tottori University / Tottori University Cross-informatics Research Center)
Takao Kawamura (Graduate School of Engineering, Tottori University / Tottori University Cross-informatics Research Center)
Kazunori Sugahara (Graduate School of Engineering, Tottori University / Tottori University Cross-informatics Research Center)

4C1-2: Detecting Malicious Websites from Direct-IP Web Accesses

** Yuta Nakagawa (Graduate School of Environment and Information Sciences, Yokohama National University)
Wataru Ueno (Graduate School of Environment and Information Sciences, Yokohama National University)
Rui Tanabe (Institute of Advanced Sciences, Yokohama National University)
Akira Fujita (Institute of Advanced Sciences, Yokohama National University)
Katsunari Yoshioka (Institute of Advanced Sciences, Yokohama National University / Graduate School of Environment and Information Sciences, Yokohama National University)
Tsutomu Matsumoto (Institute of Advanced Sciences, Yokohama National University / Graduate School of Environment and Information Sciences, Yokohama National University)

4C1-3: A Study on Detection of Malicious JavaScript Based on Source Code Similarity

* Takeshi Misu (SecureBrain Corporation)
Kazuo Makishima (SecureBrain Corporation)
Kazuki Iwamoto (SecureBrain Corporation)

4C1-4: Long-Term Observation of RIG Exploit Kit by User Environment Observation and Robust Attack Detection against Time Change

Ichiro Shimada (KOZO KEIKAKU ENGINEERING Inc.)
* Toshifumi Oota (KOZO KEIKAKU ENGINEERING Inc.)
Akira Yamada (KDDI Research, Inc.)

4D1: Attack Analysis (session chair: Yoshiaki Shiraishi)

4D1-1: Data Modeling and Normalization for Active Monitoring of Cyber Attacks

* Nobuyuki Kanaya (National Institute of Information and Communications Technology)
Yu Tsuda (National Institute of Information and Communications Technology)
Takashi Tomine (National Institute of Information and Communications Technology)
Yuuki Takano (National Institute of Information and Communications Technology)
Daisuke Inoue (National Institute of Information and Communications Technology)

4D1-2: Improvement of Network Forensic Method for Promptly Analyzing the Extent of Damage after Targeted Attacks

* Yuki Unno (FUJITSU LABORATORIES LTD.)
Masanobu Morinaga (FUJITSU LABORATORIES LTD.)
Takanori Oikawa (FUJITSU LABORATORIES LTD.)
Kazuyoshi Furukawa (FUJITSU LABORATORIES LTD.)
Nobuyuki Kanaya (FUJITSU LABORATORIES LTD. / National Institute of Information and Communications Technology)
Yu Tsuda (National Institute of Information and Communications Technology)
Takashi Tomine (National Institute of Information and Communications Technology)
Daisuke Inoue (National Institute of Information and Communications Technology)
Satoru Torii (FUJITSU LABORATORIES LTD.)
Tetsuya Izu (FUJITSU LABORATORIES LTD.)

4D1-3: On Automation and Orchestration of an Initial Computer Security Incident Response Using Centralized Incident Tracking System

* Motoyuki Ohmori (Tottori University)
Masayuki Higashino (Tottori University)
Toshiya Kawato (Tottori University)
Naoki Miyata (Tottori University)
Kenichi Takahashi (Tottori University)
Takao Kawamura (Tottori University)

4D1-4: Analyze of Dynamic Analysis Log for Estimating Object of Malware Infection Activity

** Yuuki Mori (The University of Electro-Communications)
Ryoji Kanai (FFRI Inc.)
Hiroshi Yoshiura (The University of Electro-Communications)
Masatsugu Ichino (The University of Electro-Communications)

4C2: Machine Learning (2) (session chair: Hajime Shimada)

4C2-1: Compiler Classification from a Code Fragment

* Yuhei Otsubo (National Police Agency / Institute of Information Security)
Akira Otsuka (Institute of Information Security)
Mamoru Mimura (National Defense Academy / Institute of Information Security)
Takeshi Sakaki (University of Tokyo)
Hiroshi Ukegawa (National Police Agency)
Yoshihiro Iwata (National Police Agency)

4C2-2: Malware Detection Method Using a Weighted Sum Model Based on API Call Patterns, Elapsed Time and System Load between API Calls

** Junko Sato (Graduate School of Informatics, Tokyo University of Information Sciences)
Masaki Hanada (Department of Information Sciences, Tokyo University of Information Sciences)
Kazumasa Omote (Graduate School of Systems and Information Engineering, University of Tsukuba)
Yoichi Murakami (Department of Information Sciences, Tokyo University of Information Sciences)
Hideo Suzuki (Department of Information Sciences, Tokyo University of Information Sciences)
Eiji Nunohiro (Department of Information Sciences, Tokyo University of Information Sciences)
Akira Orita (Hitachi Systems, Ltd. Cyber Security Research Center)
Tatsuya Sekiguchi (Hitachi Systems, Ltd. Cyber Security Research Center)

4C2-3: A Design Method for Zero-Day Malicious Email Detection Using Email Header Information Analysis (EHIA) and Deep-Learning Approach

** Sanouphab Phomkeona (Graduate School of Information Science and Electrical Engineering, Kyushu University)
Koji Okamura (Research Institute for Information Technology, Kyushu University)

4C2-4: (Japanese version only)

4D2: Cyber Attack (session chair: Takashi Matsunaka)

4D2-1: A Study of Static Character of Internet Sensors for Cyber Attacks

* Yuki Ashino (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Ayaka Samejima (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Kazushi Sugyo (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Yukiko Yano (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Yasuhiro Nakamura (Computer Science, National Defense Academy)

4D2-2: A Study of Attacker's Image Based on Classification of Programs Presumed Cyber Attack Used Packet Data Observed Long Term

* Ayaka Samejima (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Yuki Ashino (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Kazushi Sugyo (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Yukiko Yano (Cyber Security Factory, National Security Solution Division, NEC Corporation)
Yasuhiro Nakamura (Computer Science, National Defense Academy)

4D2-3: Assessment of National Capabilities Using the Modified 'Cybersecurity Capacity Maturity Model'

* Shigeo Mori (Institute of Information Security)
Atsuhiro Goto (Institute of Information Security)

4D2-4: Proposal of Cyber Attack and Defense Exercise System CyExec Composed of Ecosystem

* Shinichi Toyoda (Advanced Institute of Industrial Technology)
Ryotaro Nakata (Showa Women's University)
Kumi Hasegawa (Advanced Institute of Industrial Technology)
Sanggyu Shin (Advanced Institute of Industrial Technology)
Yoichi Seto (Advanced Institute of Industrial Technology)

MWS 2018

Photo story of MWS2018 / MWS Cup 2018

Venue (Hotel Metropolitan Nagano)

Award Ceremony

MWS Cup 2018

MWS 2018 Research Presentations

1B5: Dataset (session chair: Kazuhiro Ono)

1B5-1: Overview of Research Data Set "Behavior Observable System 2018"

1B5-2: (Japanese version only)

1B5-3: A Consideration on Dataset for Evaluation of Network-Based Intrusion Detection System

2C1: Malicious Domain Name (session chair: Masayuki Okada)

2C1-1: Generative Model of Combosquatting Domain Names and Evaluation

2C1-2: (Japanese version only)

2C1-3: (Japanese version only)

2C1-4: (Japanese version only)

2C2: Machine Learning (1) (session chair: Masatsugu Ichino)

2C2-1: (Japanese version only)

2C2-2: (Japanese version only)

2C2-3: (Japanese version only)

2C2-4: (Japanese version only)

2C3: Utilization of Natural Language Processing (session chair: Yuki Ashino)

2C3-1: Extracting Frequent ASCII Strings to Detect Unseen Malware

2C3-2: Detecting Unseen Malicious Macros with Anomary Detection

2C3-3: An Investigation of Static Feature Space for Malware Detection

2C3-4: Identification of Malware Variants Using fastText

2C3-5: Clustering Security Blog Posts Using Guided-Topic Model for Threat Analysis

2C4: Detection Avoidance and Misdetection (session chair: You Nakatsuru)

2C4-1: Survey of False-Positive by Antivirus Software and Proposal of the Countermeasures

2C4-2: Evaluation of Security Appliance against Customized Malware

2C4-3: (Japanese version only)

2C4-4: Mitigaton of Fileless-Malware in Linux

3C1: Darknet and DDoS Attack (session chair: Daisuke Makita)

3C1-1: An Analysis of Network Scanning Activity Based on Destination Address Order and Payload

3C1-2: An Extraction Method for Collaborative Scanning Host Groups Using Number of Destination Changes

3C1-3: Discovering Multi-Vector DDoS Attack by Correlation Analysis of Darknet Backscatter and Honeypot Logs

3C1-4: DDoS Attack Participation Countermeasure Method Considering User's Behavior History

3C2: Surface Analysis and Program Analysis (session chair: Kazuki Iwamoto)

3C2-1: Analysis on the Usage of the RDTSC Instruction by Malware

3C2-2: IOC Conversion with Symbolic Execution

3C2-3: Automatic Extraction of Conditions for Bypassing Malware Anti-Analysis Techniques by Using Symbolic Execution

3C2-4: Automation: Detection Method for Data Sets with Concept Drift and Scale-Free Properties

3C3: Attack Detection (session chair: Eiji Takimoto)

3C3-1: (Japanese version only)

3C3-2: Experience of System Anomaly Detection by Levelaging Log Message Format Structure

3C3-3: A Method to Detect Indiscriminate Spam Emails Focusing on Similarity of Messages Body and Attachments

3C3-4: (Japanese version only)

3B4: Dynamic Analysis (session chair: Akira Orita)

3B4-1: Analysis Method of Malicious JavaScript That Tampers Web Contents in MITB Attack

3B4-2: Automatic Enhancement of Script Engines by Appending Behavior Analysis Capabilities

3B4-3: A Survey on Malware That Log Can not be Acquired in Dynamic Analysis

3B4-4: Malware Classification Using the Call Log of an API for Dynamic Function Address Resolution

3C4: Traffic Data Analysis (session chair: Takashi Koide)

3C4-1: (Japanese version only)

3C4-2: The Detection Method for C&C Communication Using SSL/TLS Based on Characteristics of Malware Communication

3C4-3: Communication Protocol Analysis of the Cutwail Spam Delivery Service

4C1: Drive-by-download Attack (session chair: Hiroki Hada)

4C1-1: Analysis on Relevance of Communication Data during Drive-by-Download Attack

4C1-2: Detecting Malicious Websites from Direct-IP Web Accesses

4C1-3: A Study on Detection of Malicious JavaScript Based on Source Code Similarity

4C1-4: Long-Term Observation of RIG Exploit Kit by User Environment Observation and Robust Attack Detection against Time Change

4D1: Attack Analysis (session chair: Yoshiaki Shiraishi)

4D1-1: Data Modeling and Normalization for Active Monitoring of Cyber Attacks

4D1-2: Improvement of Network Forensic Method for Promptly Analyzing the Extent of Damage after Targeted Attacks

4D1-3: On Automation and Orchestration of an Initial Computer Security Incident Response Using Centralized Incident Tracking System

4D1-4: Analyze of Dynamic Analysis Log for Estimating Object of Malware Infection Activity

4C2: Machine Learning (2) (session chair: Hajime Shimada)

4C2-1: Compiler Classification from a Code Fragment

4C2-2: Malware Detection Method Using a Weighted Sum Model Based on API Call Patterns, Elapsed Time and System Load between API Calls

4C2-3: A Design Method for Zero-Day Malicious Email Detection Using Email Header Information Analysis (EHIA) and Deep-Learning Approach

4C2-4: (Japanese version only)

4D2: Cyber Attack (session chair: Takashi Matsunaka)

4D2-1: A Study of Static Character of Internet Sensors for Cyber Attacks

4D2-2: A Study of Attacker's Image Based on Classification of Programs Presumed Cyber Attack Used Packet Data Observed Long Term

4D2-3: Assessment of National Capabilities Using the Modified 'Cybersecurity Capacity Maturity Model'

4D2-4: Proposal of Cyber Attack and Defense Exercise System CyExec Composed of Ecosystem

Sponsors