
Method for Estimating Unjust Communication Causes Using Network Packets Associated with Process Information

Proceeding: The International Conference on Information Security and Cyber Forensics (InfoSec)

Publication Date:

Authors : ; ;

Page : 44-49

Keywords : WFP; Windows; Kernel driver; Forensics; Logging;


Abstract

The number of attacks based on advanced persistent threats (APTs), which are sets of stealthy and continuous computer hacking processes, has been increasing around the world. To cope with such attacks, management systems that store and analyse log information in order to identify unjust (illegitimate) network packet communications have come into use for threat detection, in equipment that provides functions such as security information and event management (SIEM). However, while such a system can identify the personal computers (PCs) engaging in unjust communication, it is often very difficult to determine which process the malware used to make the PC engage in that communication in the first place. To address this issue, the authors propose a dedicated method for storing process startup and closing log data together with the modules each process loads, so that network packets can be associated with the process that sent them. They also report on communication trials conducted in a Windows operating system (OS) environment. In addition, they report on a newly developed driver program called Onmitsu that implements the functions of the proposed method, and on its application to an example. Based on the results of the application evaluation, it was confirmed that the program could effectively achieve the desired objectives. In this paper, the proposed method, the developed program, the applied results, and the evaluation results are described.
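The correlation step the abstract describes (a SIEM can name the PC, but the process behind a connection has to be recovered from process start/stop and module-load records kept on the host) can be illustrated with the following added example. It is not code from the paper or from the Onmitsu driver, whose log format the page does not give; the two line-oriented log formats, the field names and every sample line are constructed for illustration. The example attributes each connection record to the process that was alive under that PID at that instant, which matters because Windows reuses PIDs: matching on PID alone would credit a connection made after a process exited to the wrong image. It also lists only the modules the process had loaded by the time of the connection.

```python
"""Attribute connection records to the process alive under that PID at that time.

Constructed example: the START/LOAD/STOP process log and the CONNECT network
log below are invented formats, not the Onmitsu driver's output.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed process-lifecycle log: "<time> <event> key=value ...".
# Note that PID 4120 is reused after svchost.exe exits at t=110.0.
PROCESS_LOG = r"""
100.0 START pid=4120 image=C:\Windows\System32\svchost.exe
101.5 LOAD  pid=4120 module=C:\Windows\System32\winhttp.dll
110.0 STOP  pid=4120
112.0 START pid=4120 image=C:\Users\alice\AppData\Local\Temp\update.exe
113.0 LOAD  pid=4120 module=C:\Users\alice\AppData\Local\Temp\crypt.dll
"""

# Constructed connection log, e.g. what a packet filter would record per flow.
# The middle record falls between the STOP and the next START of PID 4120.
NETWORK_LOG = r"""
105.0 CONNECT pid=4120 dst=203.0.113.10:443
111.0 CONNECT pid=4120 dst=192.0.2.55:25
115.0 CONNECT pid=4120 dst=198.51.100.7:8080
"""

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class ProcessLifetime:
    pid: int
    image: str
    start: float
    end: Optional[float] = None              # None: still running at end of log
    modules: list = field(default_factory=list)  # (load_time, path) pairs

    def alive_at(self, t: float) -> bool:
        return self.start <= t and (self.end is None or t < self.end)

    def modules_loaded_by(self, t: float) -> list:
        return [path for when, path in self.modules if when <= t]


def _parse_line(line: str):
    ts, event, rest = line.split(maxsplit=2)
    return float(ts), event, dict(_KV.findall(rest))


def parse_process_log(text: str) -> list:
    """Build one ProcessLifetime per START record, closing it at its STOP."""
    lifetimes, live = [], {}           # live: pid -> lifetime currently running
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = _parse_line(line)
        pid = int(kv["pid"])
        if event == "START":
            if pid in live:            # missed STOP: close the old lifetime here
                live[pid].end = ts
            proc = ProcessLifetime(pid=pid, image=kv["image"], start=ts)
            lifetimes.append(proc)
            live[pid] = proc
        elif event == "LOAD" and pid in live:
            live[pid].modules.append((ts, kv["module"]))
        elif event == "STOP" and pid in live:
            live.pop(pid).end = ts
    return lifetimes


def attribute_connections(process_log: str, network_log: str) -> list:
    """For each CONNECT record, find the lifetime alive under that PID at that time."""
    lifetimes = parse_process_log(process_log)
    results = []
    for line in network_log.splitlines():
        if not line.strip():
            continue
        ts, _event, kv = _parse_line(line)
        pid = int(kv["pid"])
        owner = next((p for p in lifetimes if p.pid == pid and p.alive_at(ts)), None)
        results.append({
            "time": ts,
            "pid": pid,
            "dst": kv["dst"],
            "image": owner.image if owner else None,     # None: no live process
            "modules": owner.modules_loaded_by(ts) if owner else [],
        })
    return results


if __name__ == "__main__":
    for r in attribute_connections(PROCESS_LOG, NETWORK_LOG):
        print(f"{r['time']:>6} pid={r['pid']} {r['dst']:<20} -> {r['image']} {r['modules']}")
```

The first connection resolves to svchost.exe with winhttp.dll loaded, the last to update.exe with crypt.dll, and the connection at t=111.0 is left unattributed rather than guessed, since no process held PID 4120 at that moment; a gap like that usually means the lifecycle log is incomplete and is worth flagging on its own.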

Last modified: 2014-10-08 00:37:08