A Study on Malware Analysis Leveraging Sandbox Evasive Behaviors

国立国会図書館永続的識別子: info:ndljp/pid/10168324

資料種別: 博士論文

著者: 笠間, 貴弘

出版者: -

出版年: 2014-03-26

資料形態: デジタル

ページ数・大きさ等: -

授与大学名・学位: 横浜国立大学,博士(工学)

すべて見る

国立国会図書館での利用に関する注記

本資料は、掲載誌(URI)等のリンク先にある学位授与機関のWebサイトやCiNii Dissertationsから、本文を自由に閲覧できる場合があります。

資料に関する注記

一般注記：: Internet security threats utilizing highly functional malicious programs called malware are recentlyon the rise, and extensive research efforts have b...

書店で探す

障害者向け資料で読む

障害者向け資料を見る（1種類）

書店で探す

障害者向け資料で読む

他サービス
- テキストデータ国立国会図書館デジタルコレクションで確認する

書誌情報

この資料の詳細や典拠（同じ主題の資料を指すキーワード、著者名）等を確認できます。

デジタル

資料種別: 博士論文
タイトル: A Study on Malware Analysis Leveraging Sandbox Evasive Behaviors
著者・編者: 笠間, 貴弘
著者標目: 笠間, 貴弘
出版年月日等: 2014-03-26
出版年（W3CDTF）: 2014-03-26
並列タイトル等: マルウェアの回避挙動を利用した動的解析に関する研究
授与機関名: 横浜国立大学
授与年月日: 2014-03-26
授与年月日（W3CDTF）: 2014-03-26
報告番号: 甲第1636号
学位: 博士(工学)
博論授与番号: 甲第1636号
本文の言語コード: eng
NDLC: UT51
対象利用者: 一般
一般注記: Internet security threats utilizing highly functional malicious programs called malware are recentlyon the rise, and extensive research efforts have been made to counter them. With this explosiveincrease of malware, it is becoming nearly impossible to manually analyze all its forms by reverseengineering. An effective countermeasure for this problem, malware sandbox analysis, in which amalware sample is executed in a testing environment (a sandbox) to observe its behaviors, has beenwidely studied. Malware authors have responded by making their work more sophisticated to evadethis analysis. One example is a type of malware called a bot, which changes its behaviors inaccordance with the behaviors of remote servers with which it interacts, such as Command andControl (C&C) servers and malware download servers. Since a bot does not work unless it meetsthe conditions for activation, it is difficult to analyze it sufficiently with traditional sandboxanalysis. Another example is a type of malware that stops or changes its behaviors when it detects asandbox environment by checking Internet connectivity, the existence of a virtual machine, etc. Sandbox analysis thus faces a serious problem in dealing with this evasive malware. This dissertation first describes techniques performed by malware and malware authors forevading analysis and detection, and categorized evasion techniques against sandbox analysis, intotwo approaches: making comprehension of malware behaviors more difficult and detectingsandboxes. Then this study indicates a direction on how to develop a countermeasure techniqueagainst evasive malware without being evaded by an attacker-leveraging differences betweenmalware and benign software that come from malware's mechanism for evading theanalysis/detection mechanism; that is, when proposing a new analysis method, the method ofdetecting malware that evades the analysis method should be considered. Consequently, the attackers can be given fewer choices.Chapter 4 proposes a novel sandbox analysis method that realizes better observability andefficiency against malware using techniques to make comprehension of malware behaviors moredifficult. The method focuses on a function of malware that changes its behaviors in accordancewith the behaviors of remote servers with which it interacts, such as C&C and malware downloadservers, and analyzes the server behaviors and corresponding malware behaviors. Experiments with samples captured in the wild confirm that the method can observe more variety in their behaviors.Chapter 5 clarifies targeted sandbox detection vulnerability in public malware sandbox analysis systems (public MSASs) for pursuing better observability. First, properties of sandboxinformation for decoy injection attack, in which an attacker detects the sandbox based on itssandbox information disclosed by submitting a decoy sample, are defined: stability, uniqueness,and stealthiness of collection. Then, 16 different kinds of characteristic information of the sandboxfor its detection are analyzed in terms of those properties. Experiments with real public MSASs inoperation confirm the broad applicability of the decoy injection attack as well as the need forcomprehensive countermeasures. Chapter 6 proposes a novel behavior-based malware-detection method using sandbox-evasivebehaviors. Malware authors have been embedding functions that act as countermeasures againstmalware analysis and detection that often change runtime behaviors in each execution. Theproposed method focuses on such characteristics. It conducts dynamic analysis on an executablefile multiple times in the same sandbox environment to obtain multiple logs of API call and traffic,and then compares them to find the difference between the multiple executions. Experiments withmalware samples captured in the wild and benign software samples confirm effectiveness of themethod.
国立国会図書館永続的識別子: info:ndljp/pid/10168324
https://dl.ndl.go.jp/pid/10168324
コレクション（共通）: 障害者向け資料
コレクション（障害者向け資料：レベル1）: テキストデータ
コレクション（個別）: 国立国会図書館デジタルコレクション > デジタル化資料 > 博士論文
https://dl.ndl.go.jp/collections/A00014
収集根拠: 博士論文（自動収集）
受理日（W3CDTF）: 2016-08-04T09:59:51+09:00
作成日（W3CDTF）: 2016-09-16
記録形式（IMT）: application/pdf
オンライン閲覧公開範囲: 国立国会図書館内限定公開
デジタル化資料送信: 図書館・個人送信対象外
遠隔複写可否（NDL）: 可
掲載誌（URI）: http://hdl.handle.net/10131/8598
https://ynu.repo.nii.ac.jp/records/4943
連携機関・データベース: 国立国会図書館 : 国立国会図書館デジタルコレクション
https://dl.ndl.go.jp