MARS: From traffic containment to network reconfiguration in malware-analysis systems

Abstract

Malware analysis systems are essential to characterize malware behavior and to improve defense mechanisms. In dynamic malware analysis, the actions performed by malware in a sandbox are highly dependent on the interactions with other hosts and services. However, the current solutions superficially deal with the network environment that surrounds the sandbox, exposing limitations to traffic containment and network resources reconfiguration. We have already shown how Software-Defined Networking (SDN) could enable network access policies changes and thus exposing distinct malware actions. In this paper, we investigate the malware analysis process by considering the entire analysis environment, including a sandbox and other components that comprise it. We developed a fully-automated malware analysis solution that uses network layer as a tool to reconfigure the analysis environment. In that way, it is possible to implement per-flow containment rules, dynamic resources configuration, and to manipulate network traffic to impersonate services. Our experiments show that it is feasible to identify behavioral deviations in different analysis scenarios and reveal many more malware behaviors than those revealed by the state-of-the-art analysis systems.