Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
Abstract
Recent malware communicates with remote hosts on the Internet to receive C&C commands, update itself, and so on, and its behavior can vary depending on the behavior of those remote hosts. Thus, when analyzing such malware in a sandbox, it is important to observe not only the behavior of the malware sample itself but also that of the remote servers controlled by the attackers (the herders). A simple way to achieve this is to run the live sample in an Internet-connected sandbox for a long period of time. However, since we do not know when these servers will send meaningful responses, the sample must be kept running in the sandbox, which is a costly operation. Moreover, leaving live malware in an Internet-connected sandbox increases the risk that its attacks spill out of the sandbox and cause secondary infections. In this paper, we propose a novel sandbox analysis method using a dummy client: an automatically generated lightweight script that interacts with the remote servers in place of the malware sample itself. In the proposed method, we first execute a malware sample in a sandbox that is connected to both the real Internet and an Internet emulator. Second, we inspect the traffic observed in the sandbox and filter out high-risk communications. The remaining traffic is then used by the dummy client to interact with the remote servers instead of the sample itself and to collect the servers' responses efficiently. The collected server responses are fed back into the Internet emulator in the sandbox and used to improve the observability of malware sandbox analysis. In experiments with malware samples captured in the wild, we observed a considerable number of changes in the responses that our dummy client obtained from the remote servers. Also, compared with a simple Internet-connected sandbox, the proposed sandbox improved the observability of malware sandbox analysis.
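The four stages of the abstract (capture, risk filtering, dummy-client replay, feedback of the collected responses into the emulator) as an added illustrative Python example. This is not the authors' code: the risk heuristics, hostnames, request payloads and the `FakeServer` stand-in for the herder's servers are all constructed for the example, and the paper does not state which criteria its own filter uses. The transport is injected so the replay runs offline; a real dummy client would open sockets from a host on which no sample is executing.

```python
"""Dummy-client replay pipeline (illustrative example, not the paper's implementation)."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Flow:
    dst: str        # destination host the sample contacted
    port: int
    request: bytes  # first request the sample sent on that connection


# Assumed risk rules for this example: never replay traffic that is itself an attack.
ATTACK_PORTS = {25, 135, 139, 445, 1433}          # mail relay / lateral-movement services
ATTACK_MARKERS = (b"\x90" * 16, b"MAIL FROM:")     # NOP sled, SMTP relay attempt


def is_high_risk(flow: Flow, fanout: dict) -> bool:
    """True if replaying this flow from outside the sandbox could harm a third party."""
    if flow.port in ATTACK_PORTS:
        return True
    if any(marker in flow.request for marker in ATTACK_MARKERS):
        return True
    # Scanning: the same payload sent to three or more hosts on the same port.
    return fanout.get((flow.port, flow.request), 0) >= 3


def build_dummy_client(flows):
    """Generate the replay plan: unique, low-risk (dst, port, request) triples."""
    fanout = {}
    for f in flows:
        key = (f.port, f.request)
        fanout[key] = fanout.get(key, 0) + 1
    seen, plan = set(), []
    for f in flows:
        if f in seen or is_high_risk(f, fanout):
            continue
        seen.add(f)
        plan.append(f)
    return plan


def replay(plan, transport):
    """Dummy client: send each planned request through transport(dst, port, request) -> bytes."""
    return {f: transport(f.dst, f.port, f.request) for f in plan}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()[:16]


def changed_responses(prev, cur):
    """Flows whose server response differs from the previous replay round."""
    return [f for f in cur if f in prev and digest(prev[f]) != digest(cur[f])]


def emulator_table(responses):
    """Feedback for the Internet emulator: (dst, port, request) -> latest real response."""
    return {(f.dst, f.port, f.request): r for f, r in responses.items()}


# Constructed capture from one sandbox run (not real traffic).
BEACON = b"GET /gate.php?id=bot1 HTTP/1.1\r\nHost: cnc.example.test\r\n\r\n"
CAPTURED = [
    Flow("cnc.example.test", 80, BEACON),
    Flow("cnc.example.test", 80, BEACON),                                          # repeated beacon
    Flow("update.example.test", 80, b"GET /bin/latest HTTP/1.1\r\nHost: update.example.test\r\n\r\n"),
    Flow("mx.example.test", 25, b"EHLO bot\r\nMAIL FROM:<a@b.test>\r\n"),          # spam relay
    Flow("10.0.0.9", 8080, b"POST /cgi HTTP/1.0\r\n\r\n" + b"\x90" * 32),           # exploit attempt
] + [Flow(f"10.0.0.{i}", 8080, b"GET / HTTP/1.0\r\n\r\n") for i in (1, 2, 3)]      # scan


class FakeServer:
    """Constructed stand-in for the herder's servers: the C&C command changes in epoch 2."""
    def __init__(self):
        self.epoch = 1

    def __call__(self, dst, port, request):
        if dst == "cnc.example.test":
            cmd = b"SLEEP 3600" if self.epoch == 1 else b"DOWNLOAD /bin/latest"
            return b"HTTP/1.1 200 OK\r\n\r\n" + cmd
        return b"HTTP/1.1 200 OK\r\n\r\nMZ"   # update payload, unchanged across rounds


def run_two_rounds():
    """Replay the plan twice and report what the herder changed between rounds."""
    plan = build_dummy_client(CAPTURED)
    server = FakeServer()
    first = replay(plan, server)
    server.epoch = 2
    second = replay(plan, server)
    return plan, changed_responses(first, second), emulator_table(second)


if __name__ == "__main__":
    plan, changed, table = run_two_rounds()
    print("replayed:", [f.dst for f in plan])
    print("changed :", [f.dst for f in changed])
```

The filter is deliberately conservative: anything that looks like a scan, exploit or mail relay is dropped even though it might have elicited an interesting response, because the dummy client runs without the sandbox's containment. The `changed_responses` diff is where the observation in the abstract shows up: the C&C server's answer to the same beacon differs between rounds, and the emulator table carries that new answer back into the sandbox.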
Authors
- ETO Masashi, National Institute of Information and Communications Technology
- NAKAO Koji, National Institute of Information and Communications Technology
- YOSHIOKA Katsunari, Yokohama National University
- Matsumoto Tsutomu, Yokohama National University (Yokohama-shi, Japan)
- Inoue Daisuke, National Institute of Information and Communications Technology
- Kasama Takahiro, Yokohama National University
- Yamagata Masaya, NEC Corporation
Related papers
- O-means: An Optimized Clustering Method for Analyzing Spam Based Attacks
- E2-A New 128-Bit Block Cipher(Special Section on Cryptography and Information Security)
- Digitally Signed Document Sanitizing Scheme with Disclosure Condition Control(Application)(Cryptography and Information Security)
- On the security of Feistel Ciphers with SPN Round Function against Differential, Linear, and Truncated Differential Cryptanalysis(Special Section on Cryptography and Information Security)
- Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
- (Invited talk) nicter: An Incident Analysis System for the Global Internet using Correlation between Network Monitoring and Malware Analysis
- Fine-Grain Feature Extraction from Malware's Scan Behavior Based on Spectrum Analysis
- Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation
- Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities
- Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring
- FOREWORD (Special Section on Cryptography and Information Security)
- Special Section on Information Theory and Its Applications
- Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems
- A Comparative Study of Unsupervised Anomaly Detection Techniques Using Honeypot Data
- Information-Flow-Based Access Control for Web Browsers
- P2P Network Traffic Analysis Using Data Mining Engines
- Effectiveness of Outline Measures of Strength against Differential and Linear Cryptanalysis (Special Section on Cryptography and Information Security)
- A Novel Malware Clustering Method Using Frequency of Function Call Traces in Parallel Threads
- An Empirical Evaluation of an Unpacking Method Implemented with Dynamic Binary Instrumentation
- Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
- Catching the Behavioral Differences between Multiple Executions for Malware Detection
- An Accurate Packer Identification Method Using Support Vector Machine
- Design and Implementation of Security for HIMALIS Architecture of Future Networks
- FOREWORD