ログイン 新規登録
言語:

WEKO3
  • トップ
  • ランキング
To
lat lon distance
To

Field does not validate



インデックスリンク

インデックスツリー

メールアドレスを入力してください。

WEKO

One fine body…

WEKO

One fine body…

アイテム

  1. 論文誌(ジャーナル)
  2. Vol.53
  3. No.9

Malware Sandbox Analysis with Efficient Observation of Herder's Behavior

https://ipsj.ixsq.nii.ac.jp/records/83925
https://ipsj.ixsq.nii.ac.jp/records/83925
e989224e-ec1e-4024-af24-6eacd5dfba88
名前 / ファイル ライセンス アクション
IPSJ-JNL5309004.pdf IPSJ-JNL5309004 (1.5 MB)
Copyright (c) 2012 by the Information Processing Society of Japan
オープンアクセス
Item type Journal(1)
公開日 2012-09-15
タイトル
タイトル Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
タイトル
言語 en
タイトル Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
言語
言語 eng
キーワード
主題Scheme Other
主題 [特集:スマートな社会を実現するコンピュータセキュリティ技術] malware, sandbox analysis, dummy client
資源タイプ
資源タイプ識別子 http://purl.org/coar/resource_type/c_6501
資源タイプ journal article
著者所属
Yokohama National University/National Institute of Information and Communications Technology
著者所属
Yokohama National University
著者所属
Yokohama National University
著者所属
NEC Corporation
著者所属
National Institute of Information and Communications Technology
著者所属
National Institute of Information and Communications Technology
著者所属
National Institute of Information and Communications Technology
著者所属(英)
en
Yokohama National University / National Institute of Information and Communications Technology
著者所属(英)
en
Yokohama National University
著者所属(英)
en
Yokohama National University
著者所属(英)
en
NEC Corporation
著者所属(英)
en
National Institute of Information and Communications Technology
著者所属(英)
en
National Institute of Information and Communications Technology
著者所属(英)
en
National Institute of Information and Communications Technology
著者名 Takahiro, Kasama

× Takahiro, Kasama

Takahiro, Kasama
Search repository
Katsunari, Yoshioka

× Katsunari, Yoshioka

Katsunari, Yoshioka
Search repository
Tsutomu, Matsumoto

× Tsutomu, Matsumoto

Tsutomu, Matsumoto
Search repository
Masaya, Yamagata

× Masaya, Yamagata

Masaya, Yamagata
Search repository
Masashi, Eto

× Masashi, Eto

Masashi, Eto
Search repository
Daisuke, Inoue

× Daisuke, Inoue

Daisuke, Inoue
Search repository
Koji, Nakao

× Koji, Nakao

Koji, Nakao
Search repository
著者名(英) Takahiro, Kasama

× Takahiro, Kasama

en Takahiro, Kasama
Search repository
Katsunari, Yoshioka

× Katsunari, Yoshioka

en Katsunari, Yoshioka
Search repository
Tsutomu, Matsumoto

× Tsutomu, Matsumoto

en Tsutomu, Matsumoto
Search repository
Masaya, Yamagata

× Masaya, Yamagata

en Masaya, Yamagata
Search repository
Masashi, Eto

× Masashi, Eto

en Masashi, Eto
Search repository
Daisuke, Inoue

× Daisuke, Inoue

en Daisuke, Inoue
Search repository
Koji, Nakao

× Koji, Nakao

en Koji, Nakao
Search repository
論文抄録
内容記述タイプ Other
内容記述 Recent malware communicate with remote hosts in the Internet for receiving C&C commands and updating themselves, etc., and their behaviors can be diverse depending on the behaviors of the remote hosts. Thus, when analyzing these malware by sandbox analysis, it is important not only to focus behaviors of a malware sample itself but also those of the remote servers that are controlled by attackers. A simple solution to achieve this is to observe the live sample by an Internet-connected sandbox for a long period of time. However, since we do not know when these servers will send meaningful responses, we need to keep the sample being executed in the sandbox, which is indeed a costly operation. Also, leaving the live malware in the Internet-connected sandbox increases the risk that its attacks spill out of the sandbox and induce secondary infections. In this paper, we propose a novel sandbox analysis method using a dummy client, an automatically generated lightweight script to interact with the remote servers instead of the malware sample itself. In the proposed method, at first we execute a malware sample in the sandbox that is connected to the real Internet and Internet Emulator. Secondly, we inspect the traffic observed in the sandbox and filter out high-risk communications. The rest of the traffic data is then used by the dummy client to interact with the remote servers instead of the sample itself and effectively collects the responses from the servers. The collected server responses are then fed back to the Internet Emulator in the sandbox and will be used for improving observability of malware sandbox analysis. In the experiment with malware samples captured in the wild, we indeed observed a considerable number of changes in the responses from the remote servers that were obtained by our dummy client. Also, in comparison with the simple Internet-connected sandbox, the proposed sandbox could improve observability of malware sandbox analysis.

------------------------------
This is a preprint of an article intended for publication Journal of
Information Processing(JIP). This preprint should not be cited. This
article should be cited as: Journal of Information Processing Vol.20(2012) No.4 (online)
DOI http://dx.doi.org/10.2197/ipsjjip.20.835
------------------------------
論文抄録(英)
内容記述タイプ Other
内容記述 Recent malware communicate with remote hosts in the Internet for receiving C&C commands and updating themselves, etc., and their behaviors can be diverse depending on the behaviors of the remote hosts. Thus, when analyzing these malware by sandbox analysis, it is important not only to focus behaviors of a malware sample itself but also those of the remote servers that are controlled by attackers. A simple solution to achieve this is to observe the live sample by an Internet-connected sandbox for a long period of time. However, since we do not know when these servers will send meaningful responses, we need to keep the sample being executed in the sandbox, which is indeed a costly operation. Also, leaving the live malware in the Internet-connected sandbox increases the risk that its attacks spill out of the sandbox and induce secondary infections. In this paper, we propose a novel sandbox analysis method using a dummy client, an automatically generated lightweight script to interact with the remote servers instead of the malware sample itself. In the proposed method, at first we execute a malware sample in the sandbox that is connected to the real Internet and Internet Emulator. Secondly, we inspect the traffic observed in the sandbox and filter out high-risk communications. The rest of the traffic data is then used by the dummy client to interact with the remote servers instead of the sample itself and effectively collects the responses from the servers. The collected server responses are then fed back to the Internet Emulator in the sandbox and will be used for improving observability of malware sandbox analysis. In the experiment with malware samples captured in the wild, we indeed observed a considerable number of changes in the responses from the remote servers that were obtained by our dummy client. Also, in comparison with the simple Internet-connected sandbox, the proposed sandbox could improve observability of malware sandbox analysis.

------------------------------
This is a preprint of an article intended for publication Journal of
Information Processing(JIP). This preprint should not be cited. This
article should be cited as: Journal of Information Processing Vol.20(2012) No.4 (online)
DOI http://dx.doi.org/10.2197/ipsjjip.20.835
------------------------------
書誌レコードID
収録物識別子タイプ NCID
収録物識別子 AN00116647
書誌情報 情報処理学会論文誌

巻 53, 号 9, 発行日 2012-09-15
ISSN
収録物識別子タイプ ISSN
収録物識別子 1882-7764
戻る
0
views
See details
Views

Versions

Ver.1 2025-01-20 06:49:56.803378
Show All versions

Share

Mendeley Twitter Facebook Print Addthis

Cite as

エクスポート

OAI-PMH
  • OAI-PMH JPCOAR
  • OAI-PMH DublinCore
  • OAI-PMH DDI
Other Formats
  • JSON
  • BIBTEX

Confirm

Powered by WEKO3

Powered by WEKO3