关键词: 沙箱检测, 动态分析, 行为逃逸, 层次差异

Abstract: Aiming at the problem that the single sandbox detection mode is fixed and there are many malicious samples escaping the detection of sandbox, this paper analyzes the details of the current malware escaping sandbox detection, and then proposes an analytical framework for monitoring the escape behavior of malicious samples. The system records the file operations, network communications, process operations, registry operations and other behaviors generated in a number of sandboxes at different levels and the real environment, and then processes the selection of features and regularization. This paper uses the Jaccard similarity algorithm to compare the similarity difference between the behavior, then divides the hierarchies and determines whether there is escape behavior of malicious samples. Experimental results show that the overall accuracy rate can reach 95.6%, the recall can reach 90.1%, and the false positive is less than 5%. The system can detect multiple types and unknown escape behaviors, and further analysis of the sample can be targeted to specific escape behaviors.

Key words: sandbox detection, dynamic analysis, behavioral escape, hierarchical differences