Dynamic analysis runs an analysis-target executable file, such as malware, in an analysis environment and observes how it behaves. One form of dynamic analysis is network behavior analysis-type dynamic analysis, which monitors the packets that the malware sends to the outside (Patent Literature 1).
Network behavior analysis-type dynamic analysis yields information such as the communication destination, port number, protocol and payload of the malware's traffic. In some cases, information that is important for understanding the malware's behavior is observed in the payload portion. When, for example, information such as a machine name, user information or the contents of confidential files appears in the payload portion, it is possible to determine that the malware sends confidential information of the infected terminal to the outside.
However, most recent malware obfuscates its communication data by encryption or compression. In that case, the contents of the data being sent cannot be learned from the payload portion of a packet that network behavior analysis-type dynamic analysis can observe, and the malware's behavior therefore cannot be understood.
In such a case, the contents of the data being sent can instead be identified by statically analyzing the executable file of the malware. In this method, an analyzer manually disassembles the executable file and grasps the malware's behavior by interpreting its instructions. However, static analysis of malware is very costly and is not suitable for analyzing a large number of executable files.
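The payload inspection described above, and its limit once the payload is obfuscated, as an added example that is not part of the original document. The host markers, the sample payloads, the entropy threshold and the `toy_obfuscate` stand-in are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed identifiers of the analysis terminal (assumptions for this example).
HOST_MARKERS = [b"ANALYSIS-PC01", b"sandbox_user"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values close to 8 suggest encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_payload(payload: bytes, threshold: float = 6.0) -> dict:
    """Look for host identifiers; otherwise flag high-entropy payloads as opaque."""
    markers = [m.decode() for m in HOST_MARKERS if m in payload]
    entropy = shannon_entropy(payload)
    if markers:
        verdict = "leaks-host-info"
    elif len(payload) >= 64 and entropy >= threshold:
        verdict = "opaque"  # contents cannot be read from the packet alone
    else:
        verdict = "no-finding"
    return {"verdict": verdict, "markers": markers, "entropy": round(entropy, 2)}

def toy_obfuscate(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for obfuscation: XOR with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample payloads (not captured traffic).
KEY = b"constructed-key"
PLAINTEXT = (b"POST /gate HTTP/1.1\r\nHost: host.example.invalid\r\n\r\n"
             b"machine=ANALYSIS-PC01&user=sandbox_user&file="
             + b"quarterly report draft; " * 12)
OBFUSCATED = toy_obfuscate(PLAINTEXT, KEY)
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("plaintext", PLAINTEXT), ("obfuscated", OBFUSCATED), ("benign", BENIGN)]:
        print(name, classify_payload(p))
```

The same data yields "leaks-host-info" in the clear but only "opaque" after obfuscation, which is the gap the passage describes: the packet shows that something was sent, not what.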