The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. Some numerals may be expressed as "XNUMX".

Abstract: Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, is shown.

Copyrights notice
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Katsunari YOSHIOKA, Tsutomu MATSUMOTO, "Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection" in IEICE TRANSACTIONS on Fundamentals,
vol. E93-A, no. 1, pp. 210-218, January 2010, doi: 10.1587/transfun.E93.A.210.
Abstract: Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, is shown.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E93.A.210/_p
@ARTICLE{e93-a_1_210,
author={Katsunari YOSHIOKA and Tsutomu MATSUMOTO},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection},
year={2010},
volume={E93-A},
number={1},
pages={210-218},
abstract={Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, is shown.},
keywords={},
doi={10.1587/transfun.E93.A.210},
ISSN={1745-1337},
month={January},
}
TY - JOUR
TI - Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 210
EP - 218
AU - Katsunari YOSHIOKA
AU - Tsutomu MATSUMOTO
PY - 2010
DO - 10.1587/transfun.E93.A.210
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E93-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2010
AB - Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, is shown.
ER -