
Research On Malicious Software Sandbox Escape Technology And Its Detection Mechanism

Posted on: 2018-01-07
Degree: Master
Type: Thesis
Country: China
Candidate: X F Zhang
GTID: 2428330515497938
Subject: Information security

Abstract/Summary:
With the rise of network threats and of APT attacks, traditional malicious-code detection can no longer meet the demands of today's hostile network environment: new threats are highly concealed and are built to evade analysis. Traditional anti-virus software and anti-virus engines rely on signature detection as their most basic means of identifying known virus types. Because malicious samples change constantly, the number of signatures in the malware signature database grows rapidly, while signature-based detection is easily targeted and bypassed and its recognition rate is comparatively low. To overcome the shortcomings of static scanning, dynamic analysis of software behaviour has been adopted for malware detection. Dynamic analysis covers behaviour analysis, cloud anti-virus technology and sandbox analysis technology. Behaviour analysis of a sample is the basic measure: it can identify unknown malicious samples, but it produces false positives. Cloud anti-virus technology uploads the sample to the cloud and uses cloud servers to analyse it comprehensively, but it only shows its advantages with a large user base, and the upload of user data raises privacy concerns. Sandbox technology provides a secure dynamic analysis environment that can analyse unknown samples automatically, recording the sample's actions in the sandbox (network communication, system calls, registry modification and other operations) in order to determine its true intent, while the sample's execution in the sandbox makes no change to the real environment; this makes it a more suitable analysis environment. However, as malware has developed, some malicious samples, including the special Trojans seen in APT attacks, have gained the ability to escape the sandbox. Escaping sandbox detection is therefore a problem that sandbox technology must solve.

Addressing the fact that a single sandbox has a fixed detection mode and that many malicious samples escape sandbox detection, this thesis analyses in detail how current malware escapes sandbox detection and then proposes an analytical framework for monitoring the escape behaviour of malicious samples. The system records the file operations, network communications, process operations, registry operations and other behaviours produced in several sandboxes at different levels and in the real environment, then performs feature selection and regularisation. The Jaccard similarity algorithm is used to compare the similarity differences between the behaviours; the results are then divided into hierarchies to decide whether a malicious sample exhibits escape behaviour. Escape behaviour is determined by comparing the system call sequences.

Experimental results show that the overall accuracy reaches 95.6%, the recall reaches 90.1%, and the false-positive rate is below 5%. The system can detect multiple types of escape behaviour as well as unknown ones, and further analysis of a sample can be targeted at the specific escape behaviour observed.
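The multi-environment comparison described in the abstract, as an added Python example that is not part of the thesis: it takes one sample's behaviour trace from a real host and from two sandbox levels (constructed traces), regularises host-specific noise such as user names and random temp-file names, computes the Jaccard similarity of each sandbox's behaviour set against the real-environment reference, and reports the first point at which the system call sequences diverge so an analyst knows where the sample changed course. The traces, the normalisation rules, the 0.6 similarity threshold and all function names are assumptions for illustration, not the thesis's data, thresholds or code.

```python
"""Added example (not from the thesis): comparing one sample's behaviour across
environments with Jaccard similarity to flag sandbox-escape behaviour.
All traces, normalisation rules and the threshold are constructed assumptions."""
import re

# Constructed traces for one sample run in a real host and two sandbox levels.
# Each event is (category, operation, target) in the observed call order.
TRACES = {
    "real": [
        ("proc", "create", r"C:\Windows\System32\cmd.exe"),
        ("reg", "query", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"),
        ("file", "create", r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.exe"),
        ("reg", "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
        ("net", "connect", "203.0.113.10:443"),
        ("file", "write", r"C:\Users\alice\Documents\report.docx"),
    ],
    "sandbox_full_vm": [
        ("proc", "create", r"C:\Windows\System32\cmd.exe"),
        ("reg", "query", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"),
        ("file", "create", r"C:\Users\bob\AppData\Local\Temp\tmpF9E8.exe"),
        ("reg", "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
        ("net", "connect", "203.0.113.10:443"),
        ("file", "write", r"C:\Users\bob\Documents\report.docx"),
    ],
    # The lightweight sandbox sees the sample stop right after a registry query.
    "sandbox_light": [
        ("proc", "create", r"C:\Windows\System32\cmd.exe"),
        ("reg", "query", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"),
        ("proc", "exit", "0"),
    ],
}

_USER_DIR = re.compile(r"\\users\\[^\\]+\\")   # \users\<anyone>\
_TEMP_NAME = re.compile(r"tmp[0-9a-f]{4}\.")   # tmpXXXX. random temp names


def normalize(event):
    """Regularise an event so host-specific noise (letter case, user name,
    random temp-file name) is not counted as a behavioural difference."""
    category, op, target = event
    t = target.lower()
    t = _USER_DIR.sub(lambda _m: "\\users\\<user>\\", t)
    t = _TEMP_NAME.sub("tmp<rand>.", t)
    return (category, op, t)


def feature_set(events):
    """Unordered set of regularised behaviours observed in one environment."""
    return frozenset(normalize(e) for e in events)


def jaccard(a, b):
    """Jaccard similarity |A & B| / |A | B| of two feature sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def divergence_point(reference, other):
    """Index of the first call where the regularised call sequences differ
    (or the shorter length if one is a prefix of the other), plus the last
    call both environments performed before that point."""
    ref = [normalize(e) for e in reference]
    oth = [normalize(e) for e in other]
    i = 0
    while i < min(len(ref), len(oth)) and ref[i] == oth[i]:
        i += 1
    return i, (ref[i - 1] if i > 0 else None)


def assess(traces, reference="real", threshold=0.6):
    """Compare every sandbox trace against the real-environment reference and
    flag a sandbox whose behaviour set falls below the similarity threshold.
    The threshold is an assumed value, not one taken from the thesis."""
    ref_events = traces[reference]
    ref_set = feature_set(ref_events)
    report = {}
    for name, events in traces.items():
        if name == reference:
            continue
        sim = jaccard(ref_set, feature_set(events))
        idx, last_common = divergence_point(ref_events, events)
        report[name] = {
            "jaccard": round(sim, 3),
            "escape": sim < threshold,
            "truncated": len(events) < len(ref_events),
            "diverges_at": idx,
            "last_common_call": last_common,
        }
    return report


if __name__ == "__main__":
    for name, r in assess(TRACES).items():
        verdict = "ESCAPE" if r["escape"] else "consistent"
        print(f"{name:16s} jaccard={r['jaccard']:.3f} {verdict} "
              f"diverges_at={r['diverges_at']} last_common={r['last_common_call']}")
```

The regularisation step matters: without it the two full runs would differ on the user name and the random temp-file name alone and the similarity would drop for reasons unrelated to the sample. The divergence index is what lets a later analysis be targeted, as the abstract describes: the last shared call is the point after which the sample behaved differently in the sandbox.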
Keywords/Search Tags:sandbox detection, dynamic analysis, behavioral escape, hierarchical differences