Citation: Guanghui LIANG, Jianmin PANG, Zheng SHAN. Malware Sandbox Evasion Detection Based on Code Evolution[J]. Journal of Electronics & Information Technology, 2019, 41(2): 341-347. doi: 10.11999/JEIT180257
In order to resist malware sandbox evasion behavior and improve the efficiency of malware analysis, a code-evolution-based technique for detecting sandbox evasion behavior in malware is proposed. The approach first extracts the static and dynamic features of the malware and then distinguishes how those features vary as the code evolves under sandbox evasion techniques, which allows the malware to be detected and identified effectively. With the proposed algorithm, 240 malware samples with sandbox-bypassing behaviors from 7 malware families were uncovered successfully. Compared with the JOE analysis system, the proposed algorithm improves accuracy by 12.5% and reduces the false positive rate to 1%, which validates the correctness and effectiveness of the proposed approach.