Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
Abstract
Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. a sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threat of rapidly growing malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection; otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts running vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to decide whether they may be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks were successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, is shown.
- 2010-01-01
Authors
- MATSUMOTO Tsutomu (Yokohama National University)
- YOSHIOKA Katsunari (Yokohama National University)
- Matsumoto Tsutomu (Yokohama National Univ. Yokohama‐shi Jpn)
Related papers
- E2-A New 128-Bit Block Cipher(Special Section on Cryptography and Information Security)
- Digitally Signed Document Sanitizing Scheme with Disclosure Condition Control(Application)(Cryptography and Information Security)
- On the security of Feistel Ciphers with SPN Round Function against Differential, Linear, and Truncated Differential Cryptanalysis(Special Section on Cryptography and Information Security)
- Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
- Invited talk: nicter: An Incident Analysis System for the Global Internet using Correlation between Network Monitoring and Malware Analysis
- Fine-Grain Feature Extraction from Malware's Scan Behavior Based on Spectrum Analysis
- Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation
- Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities
- Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring
- FOREWORD (Special Section on Cryptography and Information Security)
- Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems
- Information-Flow-Based Access Control for Web Browsers
- Effectiveness of Outline Measures of Strength against Differential and Linear Cryptanalysis (Special Section on Cryptography and Information Security)
- Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
- Catching the Behavioral Differences between Multiple Executions for Malware Detection
- FOREWORD