Authors
Koji Nakao, Katsunari Yoshioka, Daisuke Inoue, Masashi Eto
Publication date
2007
Journal
The 2nd Joint Workshop on Information Security (JWIS07)
Pages
267-279
Description
The recent epidemic of highly organized and sophisticated malware increases the need for countermeasure technologies. Various research activities have focused on statistical analysis of network events collected by globally deployed network sensors (macroscopic observation). Meanwhile, other activities perform direct, detailed malware analysis, such as code analysis and sandbox analysis (microscopic observation). Because these two kinds of activity have so far been carried out without reference to each other, this paper proposes a novel analysis concept based on multi-layer observation. In the proposed concept, macroscopic observations "in the wild" are correlated with detailed microscopic observations "in the lab" in order to identify, with greater accuracy, which observed attacks are caused by which malware. The two observations are performed separately on three layers, namely the scan layer, the exploit code layer, and the malware layer, which correspond to the fundamental propagation steps of malware. In each layer, the results of the two observations are correlated so as to identify frequently observed malware behaviors in terms of the scan-exploit code-malware chain.
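The abstract describes the correlation concept only in outline. The following toy is an added illustration, not code from the paper or its authors: it groups constructed sensor events "in the wild" by source host into a scan-exploit code-malware chain, matches each chain layer by layer against constructed sandbox profiles "in the lab", and counts how often a sample is seen with its complete chain. Sample names, exploit signatures, hashes, ports and addresses are all hypothetical.

```python
"""Toy correlation of 'in the wild' sensor events with 'in the lab' sandbox
profiles across the three layers named in the abstract (scan, exploit code,
malware). All profiles and events below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

LAYERS = ("scan", "exploit", "malware")


@dataclass(frozen=True)
class LabProfile:
    """Microscopic observation: what one sample did when run in a sandbox."""
    name: str
    scan_ports: frozenset      # scan layer: ports the sample probed
    exploit_sig: str           # exploit code layer: signature of the exploit it sent
    payload_hash: str          # malware layer: hash of the binary it transferred


@dataclass(frozen=True)
class SensorEvent:
    """Macroscopic observation: one network-sensor event, tagged by layer."""
    src: str
    layer: str                 # one of LAYERS
    value: str                 # port, exploit signature, or payload hash


def build_chains(events):
    """Group wild events by source host into a scan -> exploit -> malware chain."""
    chains = {}
    for ev in events:
        if ev.layer not in LAYERS:
            raise ValueError(f"unknown layer {ev.layer!r}")
        chain = chains.setdefault(ev.src, {layer: set() for layer in LAYERS})
        chain[ev.layer].add(ev.value)
    return chains


def match_layers(chain, profile):
    """Return the layers on which a wild chain agrees with a lab profile."""
    matched = []
    if chain["scan"] & {str(p) for p in profile.scan_ports}:
        matched.append("scan")
    if profile.exploit_sig in chain["exploit"]:
        matched.append("exploit")
    if profile.payload_hash in chain["malware"]:
        matched.append("malware")
    return matched


def correlate(events, profiles):
    """Per source host, pick the lab profile that matches on the most layers.
    Returns {src: (profile_name, matched_layers)} or {src: None} if nothing matches.
    On a tie the profile listed first wins."""
    results = {}
    for src, chain in build_chains(events).items():
        best = None
        for profile in profiles:
            matched = match_layers(chain, profile)
            if matched and (best is None or len(matched) > len(best[1])):
                best = (profile.name, matched)
        results[src] = best
    return results


def full_chain_counts(results):
    """How often each sample was observed with its complete scan-exploit-malware chain."""
    return Counter(name for name, layers in filter(None, results.values())
                   if len(layers) == len(LAYERS))


# Constructed lab profiles (hypothetical names, signatures and hashes).
PROFILES = [
    LabProfile("sample-A", frozenset({445}), "EXP-SMB-1", "hashA"),
    LabProfile("sample-B", frozenset({135, 445}), "EXP-RPC-2", "hashB"),
]

# Constructed sensor events (hypothetical addresses).
EVENTS = [
    SensorEvent("10.0.0.1", "scan", "445"),
    SensorEvent("10.0.0.1", "exploit", "EXP-SMB-1"),
    SensorEvent("10.0.0.1", "malware", "hashA"),
    SensorEvent("10.0.0.2", "scan", "135"),
    SensorEvent("10.0.0.2", "scan", "445"),
    SensorEvent("10.0.0.2", "exploit", "EXP-RPC-2"),
    SensorEvent("10.0.0.3", "scan", "22"),
]

if __name__ == "__main__":
    hits = correlate(EVENTS, PROFILES)
    for src, hit in hits.items():
        print(src, hit)
    print(dict(full_chain_counts(hits)))
```

The partial match for 10.0.0.2 (scan and exploit layers only) is the interesting case in practice: a host that scans and sends a known exploit but never delivers the expected payload either failed to infect the sensor or is running a variant with a different binary, which is exactly what the per-layer comparison is meant to surface.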