论文信息 - Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities

Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities

Malware has been recognized as one of the major security threats in the Internet. Previous researches have mainly focused on malware's internal activity in a system. However, it is crucial that the malware analysis extracts a malware's external activity toward the network to correlate with a security incident. We propose a novel way to analyze malware: focus closely on the malware's external (i.e., network) activity. A malware sample is executed on a sandbox that consists of a real machine as victim and a virtual Internet environment. Since this sandbox environment is totally isolated from the real Internet, the execution of the sample causes no further unwanted propagation. The sandbox is configurable so as to extract specific activity of malware, such as scan behaviors. We implement a fully automated malware analysis system with the sandbox, which enables us to carry out the large-scale malware analysis. We present concrete analysis results that are gained by using the proposed system.

[1] Ian Welch,et al. Capture - A behavioral analysis tool for applications and documents , 2007 .

[2] Felix C. Freiling,et al. Toward Automated Dynamic Malware Analysis Using CWSandbox , 2007, IEEE Secur. Priv..

[3] Koji Nakao,et al. 招待講演 nicter: An Incident Analysis System for the Global Internet using Correlation between Network Monitoring and Malware Analysis , 2006 .

[4] R. Sekar,et al. On the Limits of Information Flow Techniques for Malware Analysis and Containment , 2008, DIMVA.

[5] David Moore,et al. Network Telescopes: Tracking Denial-of-Service Attacks and Internet Worms Around the Globe , 2003, LiSA.

[6] Farnam Jahanian,et al. The Internet Motion Sensor - A Distributed Blackhole Monitoring System , 2005, NDSS.

[7] U. Bayer,et al. TTAnalyze: A Tool for Analyzing Malware , 2006 .

[8] Van-Hau Pham,et al. on the Advantages of Deploying a Large Scale Distributed Honeypot Platform , 2005 .

[9] Fabrice Bellard,et al. QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[10] Ryan Cunningham,et al. Honeypot-Aware Advanced Botnet Construction and Maintenance , 2006, International Conference on Dependable Systems and Networks (DSN'06).

[11] Felix C. Freiling,et al. The Nepenthes Platform: An Efficient Approach to Collect Malware , 2006, RAID.