US 12,282,550 B2
Rule generating device and rule generating program
Yuma Kurogome, Musashino (JP); Yuhei Kawakoya, Musashino (JP); Makoto Iwamura, Musashino (JP); Yuto Otsuki, Musashino (JP); and Jun Miyoshi, Musashino (JP)
Assigned to NIPPON TELEGRAPH AND TELEPHONE CORPORATION, Tokyo (JP)
Appl. No. 17/774,478
Filed by NIPPON TELEGRAPH AND TELEPHONE CORPORATION, Tokyo (JP)
PCT Filed Nov. 28, 2019, PCT No. PCT/JP2019/046682
§ 371(c)(1), (2) Date May 5, 2022,
PCT Pub. No. WO2021/106172, PCT Pub. Date Jun. 3, 2021.
Prior Publication US 2022/0391505 A1, Dec. 8, 2022
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/56 (2013.01) [G06F 2221/034 (2013.01)] 14 Claims
1. A rule generation apparatus comprising:
processing circuitry configured to:
enumerate each of a plurality of rule candidates with different degrees of abstraction as candidates for a rule for detecting a malware trace using an analysis result of malware, wherein the different degrees of abstraction include a lowest degree of abstraction, an intermediate degree of abstraction that is greater than the lowest degree of abstraction, and a highest degree of abstraction that is greater than the intermediate degree of abstraction;
calculate evaluation values of the rule candidates enumerated using a predetermined evaluation function and sort a rule from among the rule candidates based on the evaluation values;
impart information of the malware included in the analysis result to the rule sorted and output the information;
divide malware traces included in the analysis result of the malware into a plurality of clusters based on a degree of similarity of the malware traces; and
generate a regular expression of each of the plurality of rule candidates with the different degrees of abstraction for each of the plurality of clusters.
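The claimed pipeline as a constructed Python sketch, added here and not the patent's own implementation: traces are clustered by string similarity, three regex candidates of increasing abstraction are generated per cluster, an assumed evaluation function (recall on known malware traces minus false-positive rate on benign traces) ranks them, and the selected rule is output together with the ids of the samples whose analysis produced it. The sample ids, traces, similarity measure, threshold and evaluation function are all assumptions.

```python
import os
import re
from difflib import SequenceMatcher

MALWARE = [("sample-A", r"C:\Users\alice\AppData\Roaming\svchost32.exe"),  # constructed; ids are placeholders
           ("sample-B", r"C:\Users\bob\AppData\Roaming\svchost32.exe"),
           ("sample-C", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
           ("sample-D", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update_7f")]
HELD_OUT = [r"C:\Users\dave\AppData\Roaming\svchost32.exe", r"D:\Work\svchost32.exe",  # constructed
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update_9c"]
BENIGN = [r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Teams.exe",  # constructed
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r"C:\Program Files\Mozilla Firefox\updater.exe"]

def cluster(traces, threshold=0.7):
    """Greedy clustering by string similarity (assumed measure: difflib ratio to the cluster seed)."""
    clusters = []
    for item in traces:
        home = next((c for c in clusters
                     if SequenceMatcher(None, c[0][1], item[1]).ratio() >= threshold), None)
        if home is None:
            clusters.append(home := [])  # open a new cluster seeded by this trace
        home.append(item)
    return clusters

def candidates(members):
    """Regex candidates for one cluster at the lowest, intermediate and highest abstraction."""
    toks = [m.split("\\") for m in members]
    out = [("lowest", "(?:" + "|".join(map(re.escape, members)) + ")")]  # exact alternation
    if len({len(t) for t in toks}) == 1:  # same depth: wildcard only the components that vary
        out.append(("intermediate", r"\\".join(
            re.escape(c[0]) if len(set(c)) == 1 else r"[^\\]+" for c in zip(*toks))))
    last = [t[-1] for t in toks]  # highest: ignore the location, keep the final component's shared prefix
    prefix = re.escape(os.path.commonprefix(last))
    out.append(("highest", r".*\\" + prefix + ("" if len(set(last)) == 1 else ".*")))
    return out

def evaluate(rx):
    """Assumed evaluation function: recall on known malware traces minus FP rate on benign ones."""
    rate = lambda xs: sum(re.fullmatch(rx, x) is not None for x in xs) / len(xs)
    return rate([t for _, t in MALWARE] + HELD_OUT) - rate(BENIGN)

def generate_rules(traces=MALWARE):
    """One selected rule per cluster (ties go to the less abstract candidate), tagged with its samples."""
    rules = []
    for members in cluster(traces):
        lvl, rx = max(candidates([t for _, t in members]), key=lambda c: evaluate(c[1]))
        rules.append({"level": lvl, "regex": rx, "score": round(evaluate(rx), 3),
                      "samples": sorted({s for s, _ in members})})
    return rules
```

On the constructed data the dropped-file cluster selects the highest abstraction (it also catches the held-out copies in other directories with no benign hits), while the Run-key cluster falls back to the literal rule because both generalised candidates match a legitimate updater.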