Abstract
With the proliferation of malware on the Internet, a scalable system that can carry out dynamic malware analysis on a large number of malware samples is essential. The two major categories of dynamic malware analysis techniques are out-of-box (Virtual Machine Introspection-based) and inside-the-box (Sandbox). In the VMI-based approach, the control machine interacts with the analysis machine directly through the hypervisor, whereas in the Sandbox approach it does so over a virtual network. It is therefore predicted that a VMI-based technique performs dynamic malware analysis better than a Sandbox technique. Based on this hypothesis, experiments were conducted, and it was found that Drakvuf, a VMI-based technique, performs malware analysis faster than the Cuckoo Sandbox technique. In addition, the Drakvuf VMI technique is able to trace both kernel-level and user-level malware, whereas the Cuckoo Sandbox technique can only trace user-level malware. The disk utilization of the two techniques is also discussed in this paper. Finally, a dataset was created from the behavioral characteristics data generated by the Drakvuf technique, for the benefit of researchers.

Keywords: Virtual machine introspection, Virtual machine monitor, Dynamic malware analysis, Drakvuf, Cuckoo