In the information systems of companies, government organizations, and the like, the need for security measures against so-called cyber terrorism is increasing. When taking such measures, it is preferable to consider the intention or purpose of an attacker who is attempting to do harm to the information system, and to take measures that defeat that intention or purpose.
Security monitoring, which is one such security measure, makes use of various techniques. Examples include the Intrusion Detection System (IDS) and Security Information and Event Management (SIEM).
PTL 1 describes a system or the like for protecting a computer from malware. The system described in PTL 1 protects a computer from malware in advance by collecting local machine events and aggregating knowledge bases from an anti-malware service and from another event detection system.
PTL 2 describes a method for monitoring the behavior of suspicious malware during installation of a file, in which a plurality of activities executed on a computer system within a predetermined time frame are treated as suspicious.
PTL 3 describes a system or the like for malware detection. The system or the like described in PTL 3 receives an assembly language sequence from a binary file, identifies an instruction sequence from the assembly language sequence, and classifies the instruction sequence by a knowledge base of an expert system.
PTL 4 describes an analysis system that estimates an input path of unauthorized software for an execution device that executes software.