Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
スポンサーリンク
概要
- 論文の詳細を見る
Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, are shown.
論文 | ランダム
- ウェーブレット変換を用いた南極域衛星画像のテクスチャ解析
- ウェーブレット変換を用いた南極域衛星画像のテクスチャ解析
- ウェーブレット変換を用いた南極域衛星画像のテクスチャ解析
- A-HIGHERS - The System to Produce the High Spatial Resolution Sea Surface Temperature Maps of the Western North Pacific Using the AVHRR/NOAA
- Structural Model of Molecular Cloud Complexes: Mass, Size, and External Pressure