MALWARE ANALYSIS DEVICE, MALWARE ANALYSIS METHOD, AND STORAGE MEDIUM HAVING MALWARE ANALYSIS PROGRAM CONTAINED THEREIN

摘要

In order to analyze, efficiently and with high precision, the similarity in operation between software that is being examined and a known malware, this malware analysis device 40 is equipped with: an abstraction unit 41 for generating first abstraction information 410 obtained by abstracting first operation information 440 which indicates the result of an operation of sample software; an abstraction information storage unit 45 for storing second abstraction information 450 obtained by abstracting second operation information which indicates one or more operation results obtained for each piece of software that has been compared with the sample; a calculation unit 42 for calculating the similarity between the first abstraction information 410 and the second abstraction information 450; and a specifying unit 43 for specifying the compared software for which the similarity satisfies a criteria.