In recent years, a security threat has arisen from programs (for example, various software programs such as malware) that execute malicious processes in the operating environments of various kinds of information processing devices (for example, computers, communication devices and the like). To deal with this threat, malware analysis has been carried out, for example, in organizations such as a SOC (Security Operation Center) or a CSIRT (Computer Security Incident Response Team).
Malware analysis tasks may include sampling a record of system calls, network accesses and the like by executing the malware in an environment for analysis. Such an environment for analysis is expected not to hinder the original operation of the malware while the record is sampled, and to reduce various security threats (for example, illegitimate access and the like) to environments other than the environment for analysis. Hereafter, the environment for analysis may be referred to as a “protected environment”, and an environment in which an information processing device or the like actually operates may be referred to as a “real operating environment”.
In many cases, the protected environment is built as a virtual machine on one of various virtualization platforms. The protected environment is not the real operating environment itself; accordingly, in many cases, the protected environment has features that differ from those of the real operating environment. Some malware detects the difference between the protected environment and the real operating environment from such a feature of the protected environment and, on detecting it, conceals its original operation.
Technologies relating to the analysis of a malicious program such as the above-described malware are disclosed, for example, in the Patent Literature described below. Patent Literature 1 (PTL 1) discloses a technology for evaluating the operation of an executable program by use of a protected execution environment (sandbox environment). The technology disclosed in PTL 1 selects either a sandbox environment or a standard environment as the operating environment in which to run a program, on the basis of the result of analyzing the program in real time.
Patent Literature 2 (PTL 2) discloses a technology which builds execution environments for executing the malware to be analyzed, on the basis of the computer environments requested by users, and analyzes the malware by selecting, among the built execution environments, the one that most closely resembles a user's computer environment.
Patent Literature 3 (PTL 3) discloses a technology which collects the information needed to build an operating environment for the malware by analyzing the shell code that installs the malware, and then runs the malware in the built operating environment in order to analyze its operation.
Patent Literature 4 (PTL 4) discloses a technology which builds a malware execution environment for executing malware together with a virtual network environment that creates virtual communication data according to the protocol of the communication performed by the malware, and transmits and receives that virtual communication data. This technology analyzes the operation of malware which checks for network connectivity, by executing the malware in the malware execution environment and returning the virtual communication data to the communication process performed by the malware.
Patent Literature 5 (PTL 5) discloses a technology which analyzes the operation of malware by using a log of the malware's execution on a malware execution terminal placed in an isolated environment together with a log of the malware's communication with a dummy server.
Patent Literature 6 (PTL 6) discloses a technology for determining whether or not a program is malware by setting a breakpoint in the program and analyzing the program's operation at that breakpoint.
Further, in relation to the management of resources in virtual machines, Patent Literature 7 (PTL 7) discloses a technology which, in a virtual machine system using a plurality of physical resources, controls the placement of virtual machines such that the surplus amounts of those resources comply with a specific policy (surplus policy).