2016
SandPrint: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion.
RESEARCH IN ATTACKS, INTRUSIONS, AND DEFENSES, RAID 2016
- Volume
- 9854
- Issue
- Start page
- 165
- End page
- 187
- Language
- English
- Publication type
- Research paper (international conference proceedings)
- DOI
- 10.1007/978-3-319-45719-2_8
- Publisher
- SPRINGER INT PUBLISHING AG
To cope with the ever-increasing volume of malware samples, automated program analysis techniques are indispensable. Malware sandboxes in particular have become the de facto standard for extracting a program's behavior. However, the strong need to automate program analysis also bears a risk: anyone who can submit programs to a sandbox can learn, and leak, the characteristics of that particular sandbox.
We introduce SandPrint, a program that measures and leaks characteristics of Windows-targeted sandboxes. We submit our tool to 20 malware analysis services and collect 2666 analysis reports that cluster to 76 sandboxes. We then systematically assess whether an attacker can find a subset of characteristics that are inherent to all sandboxes, rather than characteristic of a single sandbox. In fact, using supervised learning techniques, we show that adversaries can automatically generate a classifier that reliably tells a sandbox and a real system apart. Finally, we show that similar techniques can stealthily detect commercial malware security appliances of three popular vendors.
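The abstract describes a three-step workflow: collect guest-side measurements from many submissions, cluster the reports into distinct sandboxes, and then learn a rule that holds across all sandboxes rather than one. The block below is an added illustration of that workflow and is not the paper's code or data: the feature names (cpu_count, ram_gb, uptime_min, disk_gb, mac_oui), every report value, the choice of "stable" keys used for clustering, and the single-threshold learner are all constructed assumptions for this example. The same check is useful from the defender's side, to see whether a sandbox image is separable from real hosts by a trivial rule.

```python
"""Toy reproduction of the sandbox-fingerprinting workflow: cluster reports,
then learn a rule that generalizes across every sandbox cluster.

All feature names, values and thresholds below are constructed for this
example; they are not measurements from the SandPrint paper."""
from collections import defaultdict

# Constructed analysis reports, one per submission, as a fingerprinting tool
# might measure them inside the analysis guest. label=1 means the report came
# from a sandbox, label=0 from a real user machine (ground truth for training).
REPORTS = [
    # three reports that came back from the same hypothetical sandbox "A"
    {"cpu_count": 1, "ram_gb": 1, "uptime_min": 2, "disk_gb": 20, "mac_oui": "00:0c:29", "label": 1},
    {"cpu_count": 1, "ram_gb": 1, "uptime_min": 4, "disk_gb": 20, "mac_oui": "00:0c:29", "label": 1},
    {"cpu_count": 1, "ram_gb": 1, "uptime_min": 3, "disk_gb": 20, "mac_oui": "00:0c:29", "label": 1},
    # two reports from hypothetical sandbox "B"
    {"cpu_count": 2, "ram_gb": 2, "uptime_min": 5, "disk_gb": 40, "mac_oui": "08:00:27", "label": 1},
    {"cpu_count": 2, "ram_gb": 2, "uptime_min": 6, "disk_gb": 40, "mac_oui": "08:00:27", "label": 1},
    # two reports from hypothetical sandbox "C"
    {"cpu_count": 2, "ram_gb": 4, "uptime_min": 1, "disk_gb": 60, "mac_oui": "00:16:3e", "label": 1},
    {"cpu_count": 2, "ram_gb": 4, "uptime_min": 2, "disk_gb": 60, "mac_oui": "00:16:3e", "label": 1},
    # four constructed real user machines
    {"cpu_count": 4, "ram_gb": 8,  "uptime_min": 400,  "disk_gb": 500,  "mac_oui": "3c:52:82", "label": 0},
    {"cpu_count": 8, "ram_gb": 16, "uptime_min": 9000, "disk_gb": 1000, "mac_oui": "a4:5e:60", "label": 0},
    {"cpu_count": 2, "ram_gb": 4,  "uptime_min": 250,  "disk_gb": 256,  "mac_oui": "f0:1f:af", "label": 0},
    {"cpu_count": 4, "ram_gb": 16, "uptime_min": 1500, "disk_gb": 512,  "mac_oui": "d8:cb:8a", "label": 0},
]

# Assumed to be stable across runs of the same sandbox, so identical tuples
# are treated as the same sandbox (the paper's clustering is not specified here).
STABLE_KEYS = ("cpu_count", "ram_gb", "mac_oui")
NUMERIC_FEATURES = ("cpu_count", "ram_gb", "uptime_min", "disk_gb")


def cluster_reports(reports, keys=STABLE_KEYS):
    """Group reports whose stable characteristics match; each group
    approximates one distinct sandbox."""
    clusters = defaultdict(list)
    for r in reports:
        clusters[tuple(r[k] for k in keys)].append(r)
    return dict(clusters)


def best_stump(reports, feature):
    """Decision stump: try every observed value t as a threshold for the rule
    'feature <= t  =>  sandbox' and return (t, accuracy) of the best one.
    Ties resolve to the smallest threshold."""
    best_t, best_acc = None, -1.0
    for t in sorted({r[feature] for r in reports}):
        correct = sum(1 for r in reports if (r[feature] <= t) == bool(r["label"]))
        acc = correct / len(reports)
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t, best_acc


def generalizing_rules(reports, features=NUMERIC_FEATURES, min_accuracy=1.0):
    """Keep a feature only if its best stump is accurate overall AND the rule
    holds for every member of every sandbox cluster, i.e. the characteristic
    is inherent to all sandboxes rather than to a single one."""
    sandbox_clusters = cluster_reports([r for r in reports if r["label"]])
    rules = []
    for f in features:
        t, acc = best_stump(reports, f)
        covers_all = all(all(r[f] <= t for r in members)
                         for members in sandbox_clusters.values())
        if acc >= min_accuracy and covers_all:
            rules.append((f, t, acc))
    return rules


def looks_like_sandbox(report, rules):
    """Conjunction of the learned rules, applied to a fresh measurement."""
    return all(report[f] <= t for f, t, _ in rules)


if __name__ == "__main__":
    rules = generalizing_rules(REPORTS)
    print("rules separating all sandboxes from real hosts:", rules)
    print("relaxed (>= 90% accuracy):", generalizing_rules(REPORTS, min_accuracy=0.9))
```

With the constructed data, cpu_count and ram_gb are not usable as universal rules because one real host overlaps with sandbox "C", whereas uptime and disk size separate every cluster from every real machine. A sandbox operator can run the same search over their own guest images against a sample of real-host measurements to find which characteristics they need to randomize or raise.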
- Link information
- DOI
- https://doi.org/10.1007/978-3-319-45719-2_8
- DBLP
- https://dblp.uni-trier.de/rec/conf/raid/YokoyamaITPYMKI16
- Web of Science
- https://gateway.webofknowledge.com/gateway/Gateway.cgi?GWVersion=2&SrcAuth=JSTA_CEL&SrcApp=J_Gate_JST&DestLinkType=FullRecord&KeyUT=WOS:000387955400008&DestApp=WOS_CPL
- URL
- https://dblp.uni-trier.de/conf/raid/2016
- URL
- https://dblp.uni-trier.de/db/conf/raid/raid2016.html#YokoyamaITPYMKI16
- ID information
- DOI : 10.1007/978-3-319-45719-2_8
- ISSN : 0302-9743
- ISBN : 9783319457185
- DBLP ID : conf/raid/YokoyamaITPYMKI16
- Web of Science ID : WOS:000387955400008