Title :
Proposal of a Method for Identifying the Infection Route for Targeted Attacks Based on Malware Behavior in a Network
Author :
Makoto Sato;Akihiko Sugimoto;Naoki Hayashi;Yoshiaki Isobe;Ryoichi Sasaki
Author_Institution :
Grad. Sch. of Adv. Sci. &
Abstract :
A targeted attack can affect every terminal in a network. Therefore, in order to deal with such an attack properly, it is necessary to analyze the event information of each terminal in the network, as well as all event information within each terminal. We have been studying a dynamic diagnostic method based on malware behavior in a network. We herein propose a malware detection method that works by dynamically converting collected process logs into CybOX and analyzing the converted data. In the present paper, we focus on the observables of the penetration/exploration phase of targeted attacks. We propose a method for identifying the route of infection by analyzing the process of the detected malware together with the communication attempt associated with that process. We confirmed that the source process of the infection on the initially infected terminal can be found by analyzing the behavior of the malware on a secondarily infected terminal.
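The route-identification step described in the abstract (walk from the detected process on the secondarily infected terminal to the communication attempt that delivered it, then to the peer process on the initially infected terminal) can be illustrated with the following script. This is an added example, not the authors' implementation: the observables are plain dictionaries carrying the fields a CybOX Process / Network Connection object would carry (pid, parent pid, image name, timestamp, local and remote endpoints) rather than the real CybOX XML schema, and the hosts 10.0.0.10 / 10.0.0.20, the process names and all log records are constructed for the illustration.

```python
"""Trace an infection route from a process detected on a secondarily infected
host back to the originating process on the initially infected host.

Added illustration, not the paper's code. Observables are simplified dicts
modelled on CybOX Process and Network Connection fields; the real CybOX
schema is not reproduced. Every record below is constructed."""
from collections import defaultdict

# Constructed observables for two hypothetical hosts:
#   A = 10.0.0.10 (initially infected), B = 10.0.0.20 (secondarily infected).
# "process" = process creation, "connect" = outbound TCP connection made by a
# process, "accept" = inbound TCP connection accepted by a process.
OBSERVABLES = [
    {"host": "10.0.0.10", "type": "process", "t": 10, "pid": 300, "ppid": 200, "image": "outlook.exe"},
    {"host": "10.0.0.10", "type": "process", "t": 50, "pid": 310, "ppid": 300, "image": "invoice.exe"},
    {"host": "10.0.0.10", "type": "connect", "t": 100, "pid": 310,
     "local": ("10.0.0.10", 49712), "remote": ("10.0.0.20", 445)},
    {"host": "10.0.0.20", "type": "process", "t": 5, "pid": 500, "ppid": 4, "image": "services.exe"},
    {"host": "10.0.0.20", "type": "process", "t": 6, "pid": 610, "ppid": 500, "image": "svchost.exe"},
    {"host": "10.0.0.20", "type": "accept", "t": 100, "pid": 610,
     "local": ("10.0.0.20", 445), "remote": ("10.0.0.10", 49712)},
    {"host": "10.0.0.20", "type": "process", "t": 102, "pid": 720, "ppid": 610, "image": "update.exe"},
]


def index_by_host(observables):
    """Group observables per terminal, since each terminal's log is analyzed separately."""
    by_host = defaultdict(list)
    for o in observables:
        by_host[o["host"]].append(o)
    return by_host


def ancestry(events, pid):
    """Process chain [pid, parent, grandparent, ...] on one host, built from the
    process-creation observables; stops when no creation record for the parent exists."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def inbound_connection_for(events, chain):
    """Most recent inbound connection accepted by the detected process or one of
    its ancestors before the detected process was created: the communication
    attempt associated with the infection."""
    created_at = chain[0]["t"]
    pids = {p["pid"] for p in chain}
    candidates = [e for e in events
                  if e["type"] == "accept" and e["pid"] in pids and e["t"] <= created_at]
    return max(candidates, key=lambda e: e["t"]) if candidates else None


def trace_infection_route(observables, victim_host, victim_pid):
    """Identify the source host and source process for the detected victim process."""
    by_host = index_by_host(observables)
    victim_chain = ancestry(by_host[victim_host], victim_pid)
    result = {"victim_chain": [p["image"] for p in victim_chain], "via": None,
              "source_host": None, "source_process": None, "source_chain": []}
    inbound = inbound_connection_for(by_host[victim_host], victim_chain)
    if inbound is None:
        return result  # no delivering connection observed; route cannot be established
    src_ip = inbound["remote"][0]
    # Peer side: the outbound connection on the source host whose local endpoint
    # is the remote endpoint the victim saw, and vice versa.
    outbound = next((e for e in by_host[src_ip]
                     if e["type"] == "connect"
                     and e["local"] == inbound["remote"]
                     and e["remote"] == inbound["local"]), None)
    source_chain = ancestry(by_host[src_ip], outbound["pid"]) if outbound else []
    result.update({
        "via": {"accepted_by": inbound["pid"], "from": inbound["remote"]},
        "source_host": src_ip,
        "source_process": source_chain[0]["image"] if source_chain else None,
        "source_chain": [p["image"] for p in source_chain],
    })
    return result


if __name__ == "__main__":
    # update.exe (pid 720) on host B is the detected malware.
    print(trace_infection_route(OBSERVABLES, "10.0.0.20", 720))
```

The endpoint pairing (local/remote swapped between the two hosts) is what ties the two terminals' logs together; without the process-to-connection association on both sides, a network capture alone would show the connection but not which process on the initial terminal originated it.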
Keywords :
"Malware","Ports (Computers)","IP networks","Organizations","Trademarks","Monitoring","Electronic mail"
Conference_Title :
Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec), 2015 Fourth International Conference on
DOI :
10.1109/CyberSec.2015.17