Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
6882848 | Computer Networks | 2017 | 37 Pages |
Abstract
Malware analysis systems are essential to characterize malware behavior and to improve defense mechanisms. In dynamic malware analysis, the actions performed by malware in a sandbox are highly dependent on the interactions with other hosts and services. However, the current solutions superficially deal with the network environment that surrounds the sandbox, exposing limitations to traffic containment and network resources reconfiguration. We have already shown how Software-Defined Networking (SDN) could enable network access policies changes and thus exposing distinct malware actions. In this paper, we investigate the malware analysis process by considering the entire analysis environment, including a sandbox and other components that comprise it. We developed a fully-automated malware analysis solution that uses network layer as a tool to reconfigure the analysis environment. In that way, it is possible to implement per-flow containment rules, dynamic resources configuration, and to manipulate network traffic to impersonate services. Our experiments show that it is feasible to identify behavioral deviations in different analysis scenarios and reveal many more malware behaviors than those revealed by the state-of-the-art analysis systems.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
João Marcelo Ceron, CÃntia Borges Margi, Lisandro Zambenedetti Granville,