Practical Guide to Simplify Your Malware Sandboxes Configuration

Malware sandboxes are integral to security applications such as intrusion detection, forensics, and threat intelligence, but using them correctly is challenging because of the many choices of implementation, monitoring technique, and configuration.

Improper use can negatively impact applications through false positives, inconclusive analyses, and poor threat data.

Prior works survey dynamic analysis methods for building and improving sandboxes, evasion techniques, or experiment design, but they lack depth on understanding and configuring sandbox deployments for new applications.

This complexity overwhelms non-expert users across disciplines. The paper bridges this gap by studying over 350 papers across 20 years to systematize 84 representative works on using sandboxes.

It proposes a component framework that simplifies deployment and configuration for detection, observational studies, and anti-analysis applications.

The following security researchers from the Georgia Institute of Technology applied this framework to systematize prior works and derived guidelines that, unlike previous generalized surveys, help users incorporate sandboxes effectively while avoiding common pitfalls:

  • Omar Alrawi
  • Miuyin Yong Wong
  • Athanasios Avgetidis
  • Kevin Valakuzhy
  • Boladji Vinny Adjibi
  • Konstantinos Karakatsanis
  • Mustaque Ahamad
  • Doug Blough
  • Fabian Monrose
  • Manos Antonakakis

Malware Sandbox Configuration

Generic sandboxes appear to be especially limited with respect to well-known malware families, while modern approaches do not always guarantee the expected results.

It is also worth noting that a commitment to transparent monitoring is closely related to this technique.

In addition, environments configured with user artifacts can be used to improve research outcomes.

It is important to define the analysis scope and threat model, and to understand how sandbox artifacts affect an application's results.

Seven recommendations for improving sandboxing are derived from three experiments, covering block-listing, behavior extraction, and family classification, on 1,471 malware samples.

Overview of the systematization framework and stakeholder relationships (Source: arXiv)

The researchers surveyed the sandbox literature by studying over 300 papers from top security conferences over a period of 20 years.

They found relevant works through keyword searches for dynamic malware sandbox analysis, manually tracing citation chains, and iteratively refining the set of search terms.

The methodologies covered are listed below:

  • Malware Code Execution Order
  • Quantifying Malware Execution
  • Identifying Malware Families

The experiments show that guided sandbox artifacts improve classification accuracy compared to unguided methods.
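As an added illustration (not code from the paper or its authors) of what "quantifying malware execution" and "behavior extraction" can look like in practice, the following Python compares constructed API traces of the same hypothetical sample run under a bare sandbox and under one populated with user artifacts, flags the bare run as inconclusive, and reports which behaviors only the artifact-guided configuration revealed. The trace format, the API-to-behavior mapping, and the thresholds are assumptions made for the example:

```python
"""
Quantify how far a sample executed in a sandbox and extract coarse behaviors
from its API trace. Illustrative code added to this summary; it is not from
the paper or its authors. The trace format, the API-to-behavior mapping and
the thresholds are assumptions made for the example.
"""
from dataclasses import dataclass

# Constructed traces: (timestamp_ms, api_name) per event, one list per run of
# the same hypothetical sample under two sandbox configurations.
BARE_VM_TRACE = [
    (0, "GetSystemInfo"),
    (3, "GetUserNameW"),
    (5, "FindFirstFileW"),   # probes the user profile for documents
    (9, "GetTickCount"),
    (12, "ExitProcess"),     # finds an empty profile and bails out
]

USER_ARTIFACT_VM_TRACE = [
    (0, "GetSystemInfo"),
    (3, "GetUserNameW"),
    (5, "FindFirstFileW"),
    (8, "FindNextFileW"),
    (15, "CryptAcquireContextW"),
    (40, "CreateFileW"),
    (42, "WriteFile"),
    (90, "InternetOpenW"),
    (95, "InternetConnectW"),
    (1200, "Sleep"),
]

# Assumed mapping from API names to coarse behavior categories.
BEHAVIOR_CATEGORIES = {
    "recon": {"GetSystemInfo", "GetUserNameW", "GetTickCount"},
    "file": {"FindFirstFileW", "FindNextFileW", "CreateFileW", "WriteFile"},
    "crypto": {"CryptAcquireContextW"},
    "network": {"InternetOpenW", "InternetConnectW"},
}

# APIs that indicate the sample ended its own execution.
EARLY_EXIT_APIS = {"ExitProcess", "TerminateProcess"}


@dataclass(frozen=True)
class ExecutionSummary:
    events: int
    distinct_apis: int
    duration_ms: int
    behaviors: tuple   # sorted behavior categories observed
    exited_early: bool
    conclusive: bool


def extract_behaviors(trace):
    """Return the sorted tuple of behavior categories seen in a trace."""
    seen = set()
    for _, api in trace:
        for category, apis in BEHAVIOR_CATEGORIES.items():
            if api in apis:
                seen.add(category)
    return tuple(sorted(seen))


def summarize(trace, min_events=8, min_duration_ms=100):
    """Quantify execution and decide whether the run is conclusive.

    A run is inconclusive when it falls below the (assumed) event or duration
    thresholds; if the sample also terminated itself, that is recorded as an
    early exit, the usual sign of a sample refusing to run in a bare VM.
    """
    if not trace:
        return ExecutionSummary(0, 0, 0, (), False, False)
    events = len(trace)
    distinct = len({api for _, api in trace})
    duration = trace[-1][0] - trace[0][0]
    too_short = events < min_events or duration < min_duration_ms
    exited_early = too_short and any(api in EARLY_EXIT_APIS for _, api in trace)
    return ExecutionSummary(events, distinct, duration,
                            extract_behaviors(trace), exited_early, not too_short)


def compare_runs(bare, guided):
    """Report what the artifact-guided configuration revealed beyond the bare one."""
    b, g = summarize(bare), summarize(guided)
    return {
        "extra_events": g.events - b.events,
        "extra_behaviors": tuple(sorted(set(g.behaviors) - set(b.behaviors))),
        "bare_conclusive": b.conclusive,
        "guided_conclusive": g.conclusive,
    }


if __name__ == "__main__":
    for name, trace in (("bare VM", BARE_VM_TRACE),
                        ("VM with user artifacts", USER_ARTIFACT_VM_TRACE)):
        print(name, summarize(trace))
    print(compare_runs(BARE_VM_TRACE, USER_ARTIFACT_VM_TRACE))
```

On the constructed traces the bare run stops after five events with an early exit and is marked inconclusive, while the artifact-populated run reaches file, crypto and network activity; the comparison therefore attributes the crypto and network behaviors to the guided configuration alone, which is the kind of evidence an analyst needs before trusting a sandbox verdict or a family label.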

However, no single solution exists for configuring a sandbox, which underscores the importance of defining the analysis scope, modeling threats, and acknowledging sandbox limitations.
