Abstract

Malware analysis systems are essential to characterize malware behavior and to improve defense mechanisms. In dynamic malware analysis, the actions performed by malware in a sandbox are highly dependent on the interactions with other hosts and services. However, the current solutions superficially deal with the network environment that surrounds the sandbox, exposing limitations to traffic containment and network resources reconfiguration. We have already shown how Software-Defined Networking (SDN) could enable network access policies changes and thus exposing distinct malware actions. In this paper, we investigate the malware analysis process by considering the entire analysis environment, including a sandbox and other components that comprise it. We developed a fully-automated malware analysis solution that uses network layer as a tool to reconfigure the analysis environment. In that way, it is possible to implement per-flow containment rules, dynamic resources configuration, and to manipulate network traffic to impersonate services. Our experiments show that it is feasible to identify behavioral deviations in different analysis scenarios and reveal many more malware behaviors than those revealed by the state-of-the-art analysis systems.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.