Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
Abstract
Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. a sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threat of the exploding volume of malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection; otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, is shown.
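As an added illustration, not the paper's implementation, the following constructed Python simulation shows the multi-pass loop described above: each pass runs the sample against a simulated Internet in which only connections authorized in earlier passes reach real hosts, the containment policy admits only HTTP, IRC and DNS, and the loop stops when a pass reveals no new outbound connections. The scan threshold, the port-to-protocol table and the sample's staged behaviour are assumptions made for the example.

```python
"""Constructed simulation of multi-pass sandbox analysis with a containment policy."""
from collections import Counter

# Assumed policy: only these application protocols may leave the sandbox.
AUTHORIZED = {("tcp", 80): "http", ("tcp", 6667): "irc", ("udp", 53): "dns"}
# Assumed heuristic: this many hosts hit on one port in a pass is treated as an IP scan.
SCAN_THRESHOLD = 5


def classify(conns):
    """Split observed outbound connections into (authorized, contained) sets.

    conns: set of (proto, dst_ip, dst_port). A burst of connections to many
    hosts on one port is contained even when that port is an authorized protocol.
    """
    per_port = Counter((proto, port) for proto, _, port in conns)
    authorized, contained = set(), set()
    for conn in conns:
        proto, _, port = conn
        is_scan = per_port[(proto, port)] >= SCAN_THRESHOLD
        if (proto, port) in AUTHORIZED and not is_scan:
            authorized.add(conn)
        else:
            contained.add(conn)
    return authorized, contained


def multi_pass(run_sample, max_passes=10):
    """Run passes until no new connections appear; return (passes, seen, allowed)."""
    allowed, seen, passes = set(), set(), 0
    while passes < max_passes:
        passes += 1
        observed = run_sample(allowed)      # one sandbox run under the current policy
        if not observed - seen:             # nothing new: analysis converged
            break
        seen |= observed
        newly_authorized, _ = classify(observed)
        allowed |= newly_authorized         # next pass may reach these real hosts
    return passes, seen, allowed


def fake_sample(allowed):
    """Constructed sample: each stage only appears once the previous one reached the Internet."""
    dns = ("udp", "10.0.0.53", 53)                      # resolver inside the sandbox
    c2 = ("tcp", "203.0.113.5", 80)                     # HTTP C2, documentation address
    scan = {("tcp", f"198.51.100.{i}", 445) for i in range(1, 21)}
    observed = {dns}
    if dns in allowed:
        observed.add(c2)
    if c2 in allowed:
        observed |= scan                                # SMB scan: must stay contained
    return observed
```

Running `multi_pass(fake_sample)` takes four passes: DNS is authorized after pass 1, the HTTP C2 after pass 2, the scan in pass 3 is contained, and pass 4 observes nothing new.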