MWS2010

OKAYAMA CONVENTION CENTER, Okayama, Japan
October 19 - 21, 2010

These manuscripts are published as received from the authors, without review or editing. Posting a manuscript to MWS2010 does not prevent its future submission to any journal or conference with proceedings.

Award ceremony
MWS 2010 Best Paper Award
Development and evaluation of obfuscated JavaScript code analysis system using dynamic analysis
Masaki Kamizono, Masata Nishida and Yuji Hoshizawa
MWS 2010 Best Student Paper Award
Improvement of Emulation-based Shellcode Detection
Takayoshi Fujii, Katsunari Yoshioka, Junji Shikata and Tsutomu Matsumoto
MWS Cup 2010 Award Winner
Human-wave tactics Team of Tokai University and Chuo University
Masayuki Ohrui, Kazuya Kuwabara, Hiroaki Kikuchi, Shingo Andou, Takahiro Matsuki, Masato Terada and Masashi Fujiwara
MWS Cup 2010 Award Winner with Technical Component
IIJ Survival Game Club
Hiroshi Suzuki, Masahiko Kato and Takahiro Haruyama
MWS Cup 2010 Award Winner with Artistic Component
Team GOTO Love
Kazuhiro Toba, Yusuke Katayama, Yuta Takada, Daiki Chiba and Tatsuya Mori
1A1: Captured Data (1) - Session chair: Koji Nakao (Telecom-ISAC Japan / KDDI)
Datasets for Anti-Malware Research - MWS 2010 Datasets -
Mitsuhiro Hatada, You Nakatsuru, Mitsuaki Akiyama and Shinsuke Miwa

There has been a lot of research on countermeasures against the complex threats posed by malware. MWS 2008 and MWS 2009 were held in order to evaluate proposals objectively and to share research achievements using CCC DATAset 2008 and CCC DATAset 2009. This paper presents an overview of the MWS 2010 Datasets for MWS 2010: CCC DATAset 2010, MARS, and D3M 2010.

[ Manuscript (PDF) | Slide (PDF) ]
Malware Analysis by PrismMap Visualization
Hirokazu Kaneko, Yuu Arai and Matsuki Takahiro

In recent years, cyber attacks have become one of the biggest threats to our network infrastructure. The increasing number of unknown malware samples can be considered one of the threatening factors. It is becoming very important to understand the aspects of these attacks occurring globally, and to be able to present them in understandable ways. This report shows the conducted research: visualization and geographic statistics of the cyber attacks retrieved from the anti Malware engineering WorkShop (MWS) dataset. We have successfully identified instinctive tendencies of those attacks from chronological and geographic visualization using prism maps. This research will also include the consideration of the similarities of known.

[ Manuscript (PDF) | Slide (PDF) ]
Visualization and Analysis of Multi-Host Traffic
Yoshiyuki Seino and Hideki Koike

To find malware infections, we developed an analysis tool that visualizes hosts and network traffic. This tool displays an animation of traffic patterns that are color-coded according to host and network. The system is composed of two modules. One plots the third and fourth octets on two-dimensional maps. The other displays octet changes in four frames. When we analyzed a honeynet log, we could easily find three malware scans that came from two hosts at the same time.

[ Manuscript (PDF) ]
Consideration concerning malware distribution origin Internet Protocol address evaluation by CCC DATAset 2010
Toshiaki Sudoh

A user infected with malware is led to the malware distribution origin before noticing it, through various techniques such as sites where access and injection were performed and links in spam mail. As malware distribution origins, various Internet services are used: not only sites constructed for exclusive use but also free hosting services, online storage, etc. Moreover, many overseas providers and hosting companies allow the services they provide to be used for malware distribution, fraud, spam transmission, etc. In this paper, the Internet Protocol addresses of attack origins are analyzed using the attack source data of CCC DATAset 2010, and their malignancy evaluation and its use are examined.

[ Manuscript (PDF) ]

1A2: Captured Data (2) - Session chair: Mitsuhiro Hatada (NTT Communications Corporation)
A study of malware countermeasures based on a temporal comparison of observations from two honeypot networks of different sizes
Tadaaki Nagao, Hiroshi Suzuki, Masahiko Katoh and Mamoru Saito

In this paper, we compare two observational data sets of malware infection activities, one of which is the CCC DATAset 2010 Attack Source Data from Cyber Clean Center's wide honeypot network and the other from IIJ's locally installed honeypot network. We study and discuss the differences observed between them based on a temporal comparison, and moreover, we also discuss countermeasures against infection activities.

[ Manuscript (PDF) | Slide (PDF) ]
Analyzing geo-specific bot based on malware transfer records
Akira Kanai

Bots threaten Internet users' security with malicious behaviors. New varieties of botware appear every day. Since those bots conceal their existence and activities, it is difficult to defend against them. In this paper, malware traffic logs captured by honeypots in Japan over three years were analyzed, focusing especially on nations. As a result, it was discovered that the amount of malware transport is correlated with the local time of where the transport nodes reside. In addition, it was shown that the number of transport nodes has been continuously increasing in North America and Europe since late 2009.

[ Manuscript (PDF) ]
Activities of Cyber Clean Center
Satoru Noritake (Telecom-ISAC Japan)

About Malware samples of MWS 2010 Datasets
You Nakatsuru (Japan Computer Emergency Response Team Coordination Center), Mitsuaki Akiyama (NTT Information Sharing Platform Laboratories)



2A1: Malware samples (1) - Session chair: Toshiaki Kokado (IPA)
Address independent breakpoint using extended memory function
Shinta Nakayama, Kazufumi Aoki, Yuhei Kawakoya, Makoto Iwamura and Mitsutaka Itoh

In recent years, a lot of malware has appeared, and improvements in the efficiency of malware behavior analysis are needed. API tracing is an effective technique for understanding the outline of malware. However, API tracing techniques that raise an interrupt on access to a specific address are evaded by the anti-debugging technique called "stolen bytes". "Stolen bytes" is a technique that copies all or part of an API function to memory and uses the copy. In this paper, we propose a breakpoint technique based on extending the virtual machine's memory, which propagates a breakpoint when the address at which it was set is copied. We evaluated the proposed technique with the CCC DATAset 2010 malware samples.

[ Manuscript (PDF) ]
Analyzing CCC DATASet 2010 using User Support System against Malware
Nobutaka Kawaguchi, Takayuki Yoda, Tatsunoshin Kawaguchi, Masato Terada, Toshihiko Kasagi, Yuji Hoshizawa, Masashi Eto, Daisuke Inoue and Koji Nakao

With the increasing number of new malware species, traditional malware detection approaches relying on signature files are becoming less effective, since it is quite difficult for anti-virus vendors to keep up with the frequent appearance of new malware species. In this situation, we are developing a system called the Anti-malware User Support System, which detects malware files using dynamic analysis and removes them from user PCs. This system first finds suspicious files on a user PC by means of a client agent. Then, the suspicious files are sent to and analyzed by a malware analysis system. Finally, the system removes detected malware files from the user PC by automatically generating, sending and executing custom-made removal tools. In this paper, we analyze malware files in the CCC DATAset 2010 using the proposed system and show the results.

[ Manuscript (PDF) ]
Tracing Malware by Virtual Machine Monitor
Yuto Otsuki and Koichi Mouri

Recent malware applies obfuscation and debugger detection so as not to be analyzed by disassemblers and debuggers. We are developing "Alkanet", a virtual machine monitor for malware analysis. Alkanet monitors the behavior of malware by hooking system calls. In addition, Alkanet can obtain detailed information about Windows by referring to internal objects managed in the memory region of Windows. In this paper, we describe the structure of Alkanet and malware analyses performed with Alkanet.

[ Manuscript (PDF) ]

2A3: Malware samples (2) - Session chair: Takashi Manabe (JPCERT/CC)
Development and evaluation of obfuscated JavaScript code analysis system using dynamic analysis
Masaki Kamizono, Masata Nishida and Yuji Hoshizawa

Recently, obfuscated JavaScript has been used to direct users to hostile web sites that distribute and install malware files. Many of the malware files that get downloaded also contain obfuscated JavaScript that attacks application vulnerabilities. Adobe Reader is one of the applications that has been targeted by several 0-day vulnerability attacks. To better understand these attacks, we have developed a system that dynamically emulates and analyzes obfuscated JavaScript.

[ Manuscript (PDF) | Slide (PDF) ]
Study and evaluation on classification of malware based on automatic execution set-up
Kohei Nasaka, Takahiro Sakai, Takumi Yamamoto, Keisuke Takemori and Masakatsu Nishigaki

Today's malware, such as bots, is remotely controlled by commands sent through the Internet from an attacker. This means that such malware has to keep itself alive on the PC so that it can await future commands from the attacker. In other words, for almost all malware, intrusion into the operating system directory and registering itself in the auto-run list are key functions that it must be equipped with. This motivated us to study a malware detection scheme based on behavior with respect to automatic execution set-up; however, due to the vast diversity of malware, it has been difficult to find all malware with one scheme only. Hence it is important to categorize all varieties of malware in some appropriate manner, and to use a suitable detection scheme for each category of malware. That is, enumerating every possible detection scheme is necessary for coping with today's malware. Therefore, in this paper, as the first step toward this goal, we try to categorize malware based on behavior with respect to automatic execution set-up. Then, we evaluate the validity of the proposed classification using CCC DATAset 2010.

[ Manuscript (PDF) | Slide (PDF) ]
Improvement of Emulation-based Shellcode Detection
Takayoshi Fujii, Katsunari Yoshioka, Junji Shikata and Tsutomu Matsumoto

Several dynamic shellcode detection methods, in which network traffic is examined by executing it as machine code on a lightweight emulator to analyze its behavior, have been proposed as countermeasures against remote exploits. These previous methods, however, focus on detecting only polymorphic shellcode, which decrypts its encrypted payload upon execution, and therefore require in practice parallel use with an alternative method that detects non-polymorphic shellcode. Although a number of static detection methods for non-polymorphic shellcode have also been proposed, it is said that they have limitations in detecting shellcode crafted with a series of obfuscation techniques. In this report, we propose a novel dynamic detection method that is able to detect not only polymorphic shellcode but also obfuscated non-polymorphic shellcode. Since the proposed method combines both static and dynamic detection, its efficiency can also be improved compared with a previous method that examines all traffic data by dynamic detection.

[ Manuscript (PDF) | Slide (PDF) ]

2A4: Malware samples (3)・MARS - Session chair: Kenichi Hanamura (IPA)
Investigation about Malware Execution Time in Dynamic Analysis
Kazufumi Aoki, Yuhei Kawakoya, Makoto Iwamura and Mitsutaka Itoh

Since there is a lot of malware in the wild, dynamic analysis, which executes malware to obtain its behavior, is one of the most useful approaches to analyzing its behavior efficiently. In dynamic analysis, however, we can only obtain the behavior performed during the analysis time frame, so it is necessary to execute the malware for a sufficient time frame to obtain its activities well. In this paper, we investigate the relationship between the volume of executed malware code and the analysis time frame on the CCC DATAset 2010 and the D3M 2010, using open and closed dynamic analysis systems, and we consider the analysis time frame to set in malware dynamic analysis.

[ Manuscript (PDF) ]
An automated integration and analysis of access log using mechanized reasoning
Ruo Ando, Youki Kadobayashi, Shinsuke Miwa and Yoichi Shinoda

With the rapid advance of monitoring and filtering technology, malware analysis needs to synthesize a variety of access logs and extract information to detect security incidents. In this paper we present an automated integration and analysis of access logs using mechanized reasoning. In the proposed system, we resolve several kinds of access log into a uniform clausal representation. Then, an automated deduction system generates unit conflicts to detect malware behavior. We apply our system to the MARS dataset to evaluate numerical outputs. We also compare the results of two kinds of resolution: binary and hyper-resolution.

[ Manuscript (PDF) ]

3F1: D3M - Session chair: You Miyake (KDDI Corporation)
Study of Malicious Web Site Activities and their Relational Analysis Based on Domain Information
Yoshiro Fukushima, Yoshiaki Hori and Kouichi Sakurai

The threat of web-based malware, which leads users to attackers' sites from infected legitimate Web sites and exploits users' Web browsers, is increasing. It is important to investigate the malicious activities of web-based malware and clarify attackers' methodology in order to tackle it. In this paper, we investigate malicious Web sites' activities and analyze the relationships between them based on domain information such as DNS records and whois information. Our results reveal attackers' methods of deploying malicious Web sites and find that they use specific registrars.

[ Manuscript (PDF) ]
Analysis of the malicious redirecting for detection
Takeaki Terada, Tadanobu Furukawa, Yoshiki Higashikado and Satoru Torii

By focusing on the transitions between accessed Web pages, we clarified the features of the access history of Drive-by-Download attacks. We analyzed the situations in which access was maliciously redirected to a host, using the attack communication data (D3M 2010) collected by the client honeypot (Marionette). Moreover, we derived distinction logic using decision-tree learning. The logic shows that consideration of Web access transitions is effective for the detection of URLs (potential URLs) that lead to the download of a malicious file. These analysis results are very important for settling on measures to reduce malware damage beforehand.

[ Manuscript (PDF) ]
Classification of Drive-by-Download attacks based on a sequence of paths used in the attacks
Kazuya Kuwabara, Shingo Andou, Masashi Fujiwara, Hiroaki Kikuchi, Masato Terada and Shinki Cyou

This paper analyzes the D3M 2010 Dataset, captured packets used in Drive-by-Download attacks, in order to investigate features of the communications and the transitions of states. Based on the analysis of the observed behavior of all the data, we propose a method for classifying attacks by the sequence of paths used by the attacks.

[ Manuscript (PDF) ]
Detecting malware by learning character strings in executable files
Kazuhiro Tobe, Tatsuya Mori, Daiki Chiba, Akihiro Shimoda and Shigeki Goto

This paper develops a simple and efficient technique that can detect malware without having knowledge about the structure of malware executable files or the existence of packing. The key idea is to make use of the character strings included in executable files and construct a statistical feature vector for each file. We then apply a supervised machine learning method. Through the analysis of 1,511 benign and 1,449 malware files, we validate that our proposed method can achieve fast and accurate malware detection.

[ Manuscript (PDF) | Slide (PDF) ]

3F2: Access Log - Session chair: Hiroshi Suzuki (IIJ)
Towards Extracting and Visualizing Malware Distribution Operations Based on Network Traffic Logs
Kazuaki Morihisa, Masato Jingu, Shinya Kanda, Gregory Blanc and Youki Kadobayashi

Malware is downloaded not only from physical devices like USB memory but also from the Internet. In this research, we focus on the IP addresses contained in the attack communications of the CCC DATAset 2010. Through several hosts' traffic logs, we were able to follow the same given IP address and guess that it is related to malware download sites. In order to verify this hypothesis, we attempted to extract and visualize such IP address relationships. By combining IP addresses with information on the ASes they belong to, we were able to cluster the malware download hosts and make observations about their relationships.

[ Manuscript (PDF) ]
A study of an arrangement of malware that considers distance on the network
Yoshiki Higashikado, Takeaki Terada and Satoru Torii

For measures to reduce damage by bots, it is thought to be very important to understand the distance from each bot to the sites from which the control communication and the malware controlled by the attacker's decisions are downloaded. In this paper, when the attack communication data of CCC DATAset 2010 was analyzed, attention was paid to the parameters concerning distance on the network (TTL, RTT), and the arrangement on the network was considered in view of the role of each malware sample in the botnet.

[ Manuscript (PDF) ]
Revaluation of Technique to Detect C&C Server of Botnet Using CCC DATAset 2010
Nobuhiro Nakamura, Takaaki Nagumo, Tathuya Tanaka, Hajime Mihara and Ryoichi Sasaki

Recently, the damage caused by botnets has been increasing. There is a problem that other bot PCs can be produced even if one bot PC is identified and removed. Therefore, we proposed the Multi Stage Trace Back system. We also developed a second-stage trace back method, which consists of a black list and Quantification Method No. 2, with CCC DATAset 2009. As a result, we found that the developed second-stage trace back method could be useful. This paper reports the results of evaluating Quantification Method No. 2 with CCC DATAset 2010 instead of CCC DATAset 2009.

[ Manuscript (PDF) ]
Evolution of Botnet Coordinated Patterns from CCC DATAset
Masayuki Ohrui, Hiroaki Kikuchi, Masato Terada and Nur Rohman Rosyidy

This paper aims to apply the data mining techniques Apriori and PrefixSpan to detect the features and evolution of coordinated attacks using the captured packet data and the download logs of the CCC DATAset 2008-2010, focusing on the behavior of malware over the past three years.

[ Manuscript (PDF) ]

MWS Cup - Session chair: Youki Kadobayashi (Nara Advanced Institute of Science and Technology)


Challengers
  • "Sokai Security!" / IT Keys
  • IIJ Survival Game Club
  • Malware Walker Neo
  • Ritsumeikan University SSL
  • Team GOTO Love
  • I am good at Tennis, but ...
  • Human-wave tactics Team of Tokai University and Chuo University
  • Tokyo Denki University ISL
Technical Component (80 minutes)
Artistic Component (3 minutes per team)
  • "Sokai Security!" / IT Keys
  • IIJ Survival Game Club
  • Malware Walker Neo
  • Ritsumeikan University SSL
  • Team GOTO Love
  • I am good at Tennis, but ...
  • Human-wave tactics Team of Tokai University and Chuo University
  • Tokyo Denki University ISL
Reviewers
Venue
Remarks of "Data Analysis of MWS Cup 2011"
Mitsuaki Akiyama (NTT Information Sharing Platform Laboratories)