Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
スポンサーリンク
概要
- 論文の詳細を見る
Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, are shown.
論文 | ランダム
- P-2-3 リスザルの主観的輪郭の知覚(2)(日本動物心理学会第56回大会発表要旨)
- PB25 リスザルの主観的輪郭の知覚(1)(日本動物心理学会第55回大会発表要旨)
- リン酸は光合成にどのような影響を与えるか--炭酸固定関連酵素との関わり,細胞内濃度,欠乏の影響などに注目(今日の話題)
- リスザルとヒトにおける因果性の知覚(因果知覚に関する研究の新たな展開-ヒトと動物の比較-,第24回大会 シンポジウム1)
- ヒト乳頭腫ウイルスの基礎と最新の知見