UBER: Combating Sandbox Evasion via User Behavior Emulators
2020; Springer Science+Business Media; Language: English
DOI: 10.1007/978-3-030-41579-2_3
ISSN: 1611-3349
Authors: Pengbin Feng, Jianhua Sun, Songsong Liu, Kun Sun
Topic(s): Digital and Cyber Forensics
Abstract: Sandbox-enabled dynamic malware analysis is widely used by security teams to handle the threat of malware. Correspondingly, malware authors have developed various anti-sandbox techniques to evade analysis. Most of those evasion techniques are well studied and can be defeated with appropriate mitigation strategies. However, one particular technique is usually overlooked and can be extremely effective in defeating sandbox-based malware analysis: usage artifact analysis. This technique identifies a sandbox environment by checking for the variety of system artifacts that are expected to exist on a real system as a result of typical user activity. To address the lack of authentic system artifacts in existing sandbox designs, in this paper we propose UBER, a novel system for automatic artifact generation based on the emulation of real user behavior. Instead of cloning real usage artifacts or directly simulating user behaviors, UBER generalizes the user's computer usage pattern into an abstract behavior profile, employs the profile to guide the simulation of user actions and the generation of artifacts, and then clones the system with the generated artifacts into the sandbox environment. We implement a prototype of UBER and verify the effectiveness of the generated artifacts. The experimental results further demonstrate that UBER can effectively mitigate system-artifact-based sandbox evasion and significantly increase the difficulty for an attacker to distinguish the sandbox from a real user's system.
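The two sides of the problem the abstract describes, as an added illustration that is not UBER's code and not taken from the paper: on one side, the kind of usage-artifact check an evasive sample can run (document count, browser-history depth, age of the oldest artifact); on the other, a generator that replays an abstract behavior profile (usage rates, not a recording of one user) to populate a directory tree so that the same check passes. The profile fields, the on-disk layout (Documents, Recent, Browser/history.json), the thresholds and the sample content are all assumptions made for this example; the cloning of the populated image into a sandbox, which UBER also does, is out of scope here.

```python
"""Added illustration of profile-driven artifact generation versus a usage-artifact
sandbox check. Not UBER's own code: profile fields, on-disk layout, thresholds and
sample content are assumptions made for this example."""
import json
import os
import random
import shutil
import tempfile
import time

DAY = 86400.0

# Assumed abstract behavior profile: usage rates, not a recording of one user's actions.
EXAMPLE_PROFILE = {
    "documents_per_week": 10,
    "browser_visits_per_day": 30,
    "document_exts": [".docx", ".xlsx", ".pdf", ".txt"],
    "sites": ["mail.example", "news.example", "wiki.example", "shop.example"],
}


def generate_artifacts(profile, root, days=60, seed=1):
    """Replay `days` of synthetic use under `profile`; write artifacts below `root`.
    Returns (documents written, browser visits recorded)."""
    rng = random.Random(seed)
    now = time.time()
    docs_dir = os.path.join(root, "Documents")
    recent_dir = os.path.join(root, "Recent")
    browser_dir = os.path.join(root, "Browser")
    for d in (docs_dir, recent_dir, browser_dir):
        os.makedirs(d, exist_ok=True)
    doc_rate = profile["documents_per_week"] / 7.0
    history, n_docs = [], 0
    for day in range(days):
        # Timestamps walk forward from `days` ago so artifacts get a plausible age spread.
        when = now - (days - day) * DAY + rng.uniform(8 * 3600, 18 * 3600)
        created = int(rng.random() < doc_rate) + int(rng.random() < doc_rate / 4)
        for i in range(created):
            name = "report_%03d_%d%s" % (day, i, rng.choice(profile["document_exts"]))
            path = os.path.join(docs_dir, name)
            with open(path, "w") as f:
                f.write("constructed sample content\n")  # constructed, not real user data
            os.utime(path, (when, when))
            # Mimic the "recent items" shortcut a real shell keeps for opened files.
            link = os.path.join(recent_dir, name + ".lnk")
            with open(link, "w") as f:
                f.write(path + "\n")
            os.utime(link, (when, when))
            n_docs += 1
        visits = int(profile["browser_visits_per_day"] * rng.uniform(0.5, 1.5))
        for _ in range(visits):
            history.append({"url": "https://" + rng.choice(profile["sites"]) + "/",
                            "ts": when + rng.uniform(0, 8 * 3600)})
    with open(os.path.join(browser_dir, "history.json"), "w") as f:
        json.dump(history, f)
    return n_docs, len(history)


def usage_artifact_score(root, min_docs=5, min_visits=200, min_age_days=14, now=None):
    """The check an evasive sample might run: few documents, a thin browser history,
    or no artifact older than `min_age_days` suggests a freshly built sandbox image."""
    now = time.time() if now is None else now
    docs_dir = os.path.join(root, "Documents")
    docs = ([os.path.join(docs_dir, n) for n in os.listdir(docs_dir)]
            if os.path.isdir(docs_dir) else [])
    hist_path = os.path.join(root, "Browser", "history.json")
    history = []
    if os.path.isfile(hist_path):
        with open(hist_path) as f:
            history = json.load(f)
    ages = [(now - os.path.getmtime(p)) / DAY for p in docs]
    ages += [(now - h["ts"]) / DAY for h in history]
    oldest = max(ages) if ages else 0.0
    result = {"documents": len(docs), "visits": len(history), "oldest_days": round(oldest, 1)}
    result["looks_like_sandbox"] = (len(docs) < min_docs or len(history) < min_visits
                                    or oldest < min_age_days)
    return result


def run_demo(seed=1):
    """Score a bare directory (how a freshly provisioned image looks), then the same
    directory after profile-driven generation; returns both score dicts."""
    root = tempfile.mkdtemp(prefix="uber_demo_")
    try:
        before = usage_artifact_score(root)
        generate_artifacts(EXAMPLE_PROFILE, root, seed=seed)
        after = usage_artifact_score(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    bare, emulated = run_demo()
    print("bare image:     ", bare)
    print("after emulation:", emulated)
```

The point of driving generation from rates rather than copying a real profile is the one the abstract makes: the artifacts carry no single user's data, yet their counts and age distribution satisfy the checks that a cloned-but-unused image fails. Note that a single script like this only covers the artifact classes it knows about; a sample that probes a different artifact (installed fonts, printer queues, driver timestamps) is not fooled, which is why the coverage of the behavior profile matters more than the realism of any one generated file.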