Book chapter, peer reviewed

UBER: Combating Sandbox Evasion via User Behavior Emulators

2020; Springer Science+Business Media; Language: English

10.1007/978-3-030-41579-2_3

ISSN

1611-3349

Authors

Pengbin Feng, Jianhua Sun, Songsong Liu, Kun Sun

Topic(s)

Digital and Cyber Forensics

Abstract

Sandbox-enabled dynamic malware analysis has been widely used by cyber security teams to handle the threat of malware. Correspondingly, malware authors have developed various anti-sandbox techniques to evade the analysis. Most of those evasion techniques are well studied and can be defeated with appropriate mitigation strategies. However, one particular technique is usually overlooked and can be extremely effective in defeating sandbox-based malware analysis, i.e., usage artifact analysis. This technique identifies a sandbox environment by checking for the variety of system artifacts that typical user activity leaves behind on a real system. To tackle this drawback of existing sandbox designs, namely the lack of authentic system artifacts, in this paper we propose UBER, a novel system for automatic artifact generation based on the emulation of real user behavior. Instead of cloning real usage artifacts or directly simulating user behaviors, UBER generalizes the user's computer usage pattern into an abstract behavior profile, employs the profile to guide the simulation of user actions and the generation of artifacts, and then clones the system with the generated artifacts into the sandbox environment. We implement a prototype of UBER and verify the effectiveness of the generated artifacts. The experimental results further demonstrate that UBER can effectively mitigate system-artifact-based sandbox evasion and significantly increase the difficulty for an attacker to distinguish the sandbox from a real user system.

Reference(s)