Proceedings 2021 Network and Distributed System Security Symposium 2021
DOI: 10.14722/ndss.2021.24475

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Abstract: The amount of time for which a sample is executed is one of the key parameters of a malware analysis sandbox. Setting the threshold too high hinders scalability and reduces the number of samples that can be analyzed in a day; setting it too low means the samples may not have enough time to show their malicious behavior, reducing the amount and quality of the collected data. Therefore, an analyst needs to find the 'sweet spot' that allows collecting only the minimum amount of information required to properly classify e…

Citations: cited by 37 publications (17 citation statements)
References: 84 publications
“…If we consider the most evasive families (>95%) and we assume that those samples were misclassified by our framework, our framework lost evasion techniques for at least 121 samples. Although, according to Küchler et al. [35], most malware samples execute within a 2-minute timeframe. This implies that the execution time should not have a significant effect on our results.…”
Section: Limitations
Citation type: mentioning
Confidence: 91%
“…As done in the previous work [18], we let each sample run for up to 5 minutes, a reasonable time to trigger most of the evasive behaviors that our tool can detect. In fact, a recent study [35] showed that most of the behaviors manifested by malicious samples in a sandbox (and 98% of the executed basic blocks) are observed during the first two minutes of execution. Finally, following the best practices for malware experiments [36], we allowed the samples to communicate with their control servers and denied any potentially harmful traffic (e.g., spam) during the experiments.…”
Section: Datasets and Setup
Citation type: mentioning
Confidence: 99%
“…We then discarded those samples that fewer than ten AVs flagged as malicious. This choice is conservative compared to previous works (e.g., [43], [28] considered five detections as an indicator of maliciousness), assuring that the dataset is unlikely to contain false positives. We also ensured that no particular malware family was over-represented by limiting each strain to at most 5% of each year's total.…”
Section: A. Dataset
Citation type: mentioning
Confidence: 99%
“…A recent study by Kuechler et al. [43] shows the amount of code executed by malware samples tends to plateau after only two minutes, and very little additional information can be gained by running samples for more extended periods of time. Therefore, we configured our sandbox to execute each sample for five minutes to err on the side of caution.…”
Section: B. Analysis Environment
Citation type: mentioning
Confidence: 99%