Makoto Iwamura’s research while affiliated with NTT DATA Corporation and other places

What is this page?


This page lists works of an author who doesn't have a ResearchGate profile or hasn't added the works to their profile yet. It is automatically generated from public (personal) data to further our legitimate goal of comprehensive and accurate scientific recordkeeping. If you are this author and want this page removed, please let us know.

Publications (24)


Xunpack: Cross-Architecture Unpacking for Linux IoT Malware
  • Conference Paper

October 2023

·

17 Reads

·

Shu Akabane

·

Makoto Iwamura

·

Takeshi Okamoto


Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers

January 2021

·

22 Reads

·

2 Citations

Digital Threats Research and Practice

Script languages are designed to be easy-to-use and require low learning costs. These features provide attackers options to choose a script language for developing their malicious scripts. This diversity of choice in the attacker side unexpectedly imposes a significant cost on the preparation for analysis tools in the defense side. That is, we have to prepare for multiple script languages to analyze malicious scripts written in them. We call this unbalanced cost for script languages asymmetry problem . To solve this problem, we propose a method for automatically detecting the hook and tap points in a script engine binary that is essential for building a script Application Programming Interface (API) tracer. Our method allows us to reduce the cost of reverse engineering of a script engine binary, which is the largest portion of the development of a script API tracer, and build a script API tracer for a script language with minimum manual intervention. This advantage results in solving the asymmetry problem. The experimental results showed that our method generated the script API tracers for the three script languages popular among attackers (Visual Basic for Applications (VBA), Microsoft Visual Basic Scripting Edition (VBScript), and PowerShell). The results also demonstrated that these script API tracers successfully analyzed real-world malicious scripts.


ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets

July 2020

·

207 Reads

·

4 Citations

IEICE Transactions on Information and Systems

Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generate false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.



My script engines know what you did in the dark: converting engines into script API tracers

December 2019

·

27 Reads

·

3 Citations

Malicious scripts have been crucial attack vectors in recent attacks such as malware spam (malspam) and fileless malware. Since malicious scripts are generally obfuscated, statically analyzing them is difficult due to reflections. Therefore, dynamic analysis, which is not affected by obfuscation, is used for malicious script analysis. However, despite its wide adoption, some problems remain unsolved. Current designs of script analysis tools do not fulfill the following three requirements important for malicious script analysis. (1) Universally applicable to various script languages, (2) capable of outputting analysis logs that can precisely recover the behavior of malicious scripts, and (3) applicable to proprietary script engines. In this paper, we propose a method for automatically generating script API tracer by analyzing the target script engine binaries. The method mine the knowledge of script engine internals that are required to append behavior analysis capability. This enables the addition of analysis functionalities to arbitrary script engines and generation of script API tracers that can fulfill the above requirements. Experimental results showed that we can apply this method for building malicious script analysis tools.


EIGER: automated IOC generation for accurate and interpretable endpoint malware detection

December 2019

·

247 Reads

·

26 Citations

A malware signature including behavioral artifacts, namely Indicator of Compromise (IOC) plays an important role in security operations, such as endpoint detection and incident response. While building IOC enables us to detect malware efficiently and perform the incident analysis in a timely manner, it has not been fully-automated yet. To address this issue, there are two lines of promising approaches: regular expression-based signature generation and machine learning. However, each approach has a limitation in accuracy or interpretability, respectively. In this paper, we propose EIGER, a method to generate interpretable, and yet accurate IOCs from given malware traces. The key idea of EIGER is enumerate-then-optimize. That is, we enumerate representations of potential artifacts as candidates of IOCs. Then, we optimize the combination of these candidates to maximize the two essential properties, i.e., accuracy and interpretability, towards the generation of reliable IOCs. Through the experiment using 162K of malware samples collected over the five months, we evaluated the accuracy of EIGER-generated IOCs. We achieved a high True Positive Rate (TPR) of 91.98% and a very low False Positive Rate (FPR) of 0.97%. Interestingly, EIGER achieved FPR of less than 1% even when we use completely different dataset. Furthermore, we evaluated the interpretability of the IOCs generated by EIGER through a user study, in which we recruited 15 of professional security analysts working at a security operation center. The results allow us to conclude that our IOCs are as interpretable as manually-generated ones. These results demonstrate that EIGER is practical and deployable to the real-world security operations.


Toward the Analysis of Distributed Code Injection in Post-mortem Forensics

July 2019

·

90 Reads

·

4 Citations

Lecture Notes in Computer Science

Distributed code injection is a new type of malicious code injection technique. It makes existing forensics techniques for injected code detection infeasible by splitting a malicious code into several code snippets, injecting them into multiple running processes, and executing them in each process spaces. In spite of the impact of it on practical forensics fields, there was no discussion on countermeasures against this threat. In this paper, we present a memory forensics method for finding all code snippets distributively injected into multiple processes to defeat distributed code injection attacks. Our method is designed on the following observation for distributed code injection attacks. Even though malicious code is split and distributed in multiple processes, the split code snippets have to synchronize each other at runtime to maintain the order of the execution of the original malicious code. We exploit this characteristic of distributed code injection attacks with our method. The experimental results showed that our method successfully found all distributed code snippets and assisted to reconstruct the original code from them. We believe that we are the first to present a countermeasure against distributed code injection attacks. We also believe that our method is able to improve the efficiency of forensics especially for a host compromised with distributed code injection attacks.



Fig. 2 Taint-based control transfer interception.
Fig. 3 Taint-based control transfer interception against anti-analysis.
Fig. 4 Analysis process for API Chaser.
Fig. 5 Code taint propagation example.
Fig. 6 Taint tag format.

+2

API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis
  • Article
  • Full-text available

March 2019

·

120 Reads

·

13 Citations

Journal of Information Processing

We propose a design and implementation for an Application Programming Interface (API) monitoring system called API Chaser, which is resistant to evasion-type anti-analysis techniques, e.g., stolen code and code injection. The core technique in API Chaser is code tainting, which enables us to identify precisely the execution of monitored instructions by propagating three types of taint tags added to the codes of API, malware, and benign executables, respectively. Additionally, we introduce taint-based control transfer interception, which is a technique to capture precisely API calls invoked from evasive malware. We evaluate API Chaser based on several real-world and synthetic malware to demonstrate the accuracy of our API hooking technique. We also perform a large-scale malware experiment by analyzing 8, 897 malware samples to show the practical capability of API Chaser. These experimental results show that 701 out of 8, 897 malware samples employ hook evasion techniques to hide specific API calls, while 344 malware ones use target evasion techniques to hide the source of API calls.

Download

Citations (22)


... To improve the defense and countermeasures against cyberattacks, we are developing the following technologies in response to the sophistication of cyberattacks: advanced technology for detecting malware in endpoint devices; advanced technology for determining malicious domains; and technology to counter attacks that exploit the psychological weaknesses of users. We are also developing the following technologies in response to increasing number of cyberattacks: technology for improving operational efficiency and labor-saving technology for security operations [2]. ...

Reference:

R&D on Security Contributing to Creation of New Value
The Forefront of Cyberattack Countermeasures Focusing on Traces of Attacks
  • Citing Article
  • April 2020

NTT Technical Review

... When the data flow reaches to a sink point, simulator knows it. Most of works in this area could be divided into three categories: Static taint analysis, Dynamic taint analysis, and Hybrid taint analysis [15][16][17]. As stated in [11], dynamic taint analyses propagate taints when applications are running. ...

Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis Frameworks
  • Citing Conference Paper
  • October 2022

... Macros can also be treated as Visual Basic scripts. With this respect, Usui et al. [36,37] proposed to trace API calls in scripting languages. Their work aims to be universally suitable for a plethora of scripting languages, including Visual Basic. ...

Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers
  • Citing Article
  • January 2021

Digital Threats Research and Practice

... Researchers train a convolutional neural network (CNN) or reccurent neural network (RNN) respectively based on the customized dataset consists of benign samples and crafted gadget chains [31][32][33]. ROPminer [34] statically detects ROP chains by learning the orders of ROP components and the byte patterns of each component. The authors build a HMM (Hidden Markov Model) model based on exhaustively collecting feasible ROP gadgets in the target libraries. ...

ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets
  • Citing Article
  • July 2020

IEICE Transactions on Information and Systems

... The manual process of verifying false positives can be a daunting exercise; therefore, ML algorithms must achieve high performance and minimize false positives. The validation of false positives can also be incorporated into ML algorithms, as emphasized by Otsuki et al. [55]. ...

EIGER: automated IOC generation for accurate and interpretable endpoint malware detection
  • Citing Conference Paper
  • December 2019

... Macros can also be treated as Visual Basic scripts. With this respect, Usui et al. [36,37] proposed to trace API calls in scripting languages. Their work aims to be universally suitable for a plethora of scripting languages, including Visual Basic. ...

My script engines know what you did in the dark: converting engines into script API tracers
  • Citing Conference Paper
  • December 2019

... The frequent appearance of intrusive advertisements also serves as an indicator of a malware infection. Moreover, there may be an unexplained disk space expansion, resulting in a significant loss of storage capacity [47]. Additionally, certain types of malware grant unauthorized access to the attacker, enabling them to download secondary B Mohammed Nasereddin mnasereddin@iitis.pl ...

Toward the Analysis of Distributed Code Injection in Post-mortem Forensics
  • Citing Chapter
  • July 2019

Lecture Notes in Computer Science

... Selain itu, terdapat penelitian yang dilakukan oleh (Kanemoto et al., 2019) di mana mereka menggunakan metode shellcode emulation yang berlandaskan kepada nilai akurasi dan performa. Mereka bertujuan untuk mendapatkan model yang dapat mengidentifikasi pemberitahuan yang penting yang dapat memberikan informasi mengenai adanya gangguan keamanan pada sistem secara otomatis. ...

Detecting Successful Attacks from IDS Alerts Based On Emulation of Remote Shellcodes
  • Citing Conference Paper
  • July 2019

... Yuhei et al. [23], [24] proposed a code tainting techniquesbased analyzer, API Chaser, to identify the execution of monitored instructions. API Chaser gave different taint tags to the API, benign, and malware samples. ...

API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis

Journal of Information Processing

... Call site monitoring BinUnpack [7], SOK [8], Scylla [9], Eureka [10], RePEc [11], PinDemonium [12], Arancino [13], Arg Prediction [14] Position monitoring API Chaser [15], QuietRIATT [16], Secure unpack [17], Taint-assisted [18] Hybrid monitoring API-Xray [4], RePEconstruct [19] Call site monitoring: Figure 2 depicts that the deobfuscation techniques for API call site monitoring follow two steps: (1) Instruction scanning (I in Figure 2), which runs PE files to find possible API call sites in memory, including indirect calls, direct calls, or indirect jumps. (2) Address association (II in Figure 2), which correlates the destination address of a possible call site with the exported API address of the loaded dynamic link library. ...

Taint-assisted IAT Reconstruction against Position Obfuscation

Journal of Information Processing